From 9546fddb9e575b4dd96da410d94590a11e17c6a7 Mon Sep 17 00:00:00 2001
From: cmrd Senya
Date: Sat, 13 Aug 2016 01:25:32 +0300
Subject: [PATCH] [API] don't store ID tokens in DB
fix #6857
---
 .../authorizations_controller.rb | 1 -
 .../api/openid_connect/authorization.rb | 3 +-
 db/migrate/20160813115514_remove_id_tokens.rb | 7 +++++
 db/schema.rb | 13 +--------
 .../api/openid_connect/id_token.rb | 29 +++++++++----------
 5 files changed, 23 insertions(+), 30 deletions(-)
 create mode 100644 db/migrate/20160813115514_remove_id_tokens.rb
 rename {app/models => lib}/api/openid_connect/id_token.rb (77%)
diff --git a/app/controllers/api/openid_connect/authorizations_controller.rb b/app/controllers/api/openid_connect/authorizations_controller.rb
index f95f86817..7103ad95e 100644
--- a/app/controllers/api/openid_connect/authorizations_controller.rb
+++ b/app/controllers/api/openid_connect/authorizations_controller.rb
@@ -53,7 +53,6 @@ module Api
 def reset_auth(auth)
 return unless auth
 auth.o_auth_access_tokens.destroy_all
- auth.id_tokens.destroy_all
 auth.code_used = false
 auth.save
 end
diff --git a/app/models/api/openid_connect/authorization.rb b/app/models/api/openid_connect/authorization.rb
index 6c72da734..41c6c0e6f 100644
--- a/app/models/api/openid_connect/authorization.rb
+++ b/app/models/api/openid_connect/authorization.rb
@@ -12,7 +12,6 @@ module Api
 serialize :scopes, JSON
 has_many :o_auth_access_tokens, dependent: :destroy
- has_many :id_tokens, dependent: :destroy
 before_validation :setup, on: :create
@@ -50,7 +49,7 @@ module Api
 end
 def create_id_token
- id_tokens.create!(nonce: nonce)
+ IdToken.new(self, nonce)
 end
 def self.find_by_client_id_user_and_scopes(client_id, user, scopes)
diff --git a/db/migrate/20160813115514_remove_id_tokens.rb b/db/migrate/20160813115514_remove_id_tokens.rb
new file mode 100644
index 000000000..36689d688
--- /dev/null
+++ b/db/migrate/20160813115514_remove_id_tokens.rb
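Review bot: `create_id_token` now hands back a transient `IdToken` that is never persisted, so the name no longer matches what it does and any caller that treated the result as an ActiveRecord record (`persisted?`, `id`, reload) would break; a one-line doc on the method would make the contract explicit: `# Builds an in-memory ID token for this authorization; nothing is written to the DB — call #to_jwt to serialise it.` The bare `IdToken` is resolved lexically inside `Api::OpenidConnect`, and the class has moved from `app/models` to `lib/`, so this only resolves if `lib` is on the autoload path or the file is required explicitly — worth confirming, because a miss here surfaces as a `NameError` at authorization time rather than at boot. The `nonce` forwarded here appears to be an attribute of the authorization itself; the enclosing class body extends outside the hunk.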
@@ -0,0 +1,7 @@
+require_relative "20150714055110_create_id_tokens"
+
+class RemoveIdTokens < ActiveRecord::Migration
+ def change
+ revert CreateIdTokens
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index b1333a8cd..d78733848 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema.define(version: 20160810230114) do
+ActiveRecord::Schema.define(version: 20160813115514) do
 create_table "account_deletions", force: :cascade do |t|
 t.string "diaspora_handle", limit: 255
@@ -160,16 +160,6 @@ ActiveRecord::Schema.define(version: 20160810230114) do
 add_index "conversations", ["author_id"], name: "conversations_author_id_fk", using: :btree
 add_index "conversations", ["guid"], name: "index_conversations_on_guid", unique: true, length: {"guid"=>191}, using: :btree
- create_table "id_tokens", force: :cascade do |t|
- t.integer "authorization_id", limit: 4
- t.datetime "expires_at"
- t.string "nonce", limit: 255
- t.datetime "created_at", null: false
- t.datetime "updated_at", null: false
- end
-
- add_index "id_tokens", ["authorization_id"], name: "index_id_tokens_on_authorization_id", using: :btree
-
 create_table "invitation_codes", force: :cascade do |t|
 t.string "token", limit: 255
 t.integer "user_id", limit: 4
@@ -661,7 +651,6 @@ ActiveRecord::Schema.define(version: 20160810230114) do
 add_foreign_key "conversation_visibilities", "conversations", name: "conversation_visibilities_conversation_id_fk", on_delete: :cascade
 add_foreign_key "conversation_visibilities", "people", name: "conversation_visibilities_person_id_fk", on_delete: :cascade
 add_foreign_key "conversations", "people", column: "author_id", name: "conversations_author_id_fk", on_delete: :cascade
- add_foreign_key "id_tokens", "authorizations"
 add_foreign_key "like_signatures", "likes", name: "like_signatures_like_id_fk", on_delete: :cascade
 add_foreign_key "like_signatures", "signature_orders", name: "like_signatures_signature_orders_id_fk"
 add_foreign_key "likes", "people", column: "author_id", name: "likes_author_id_fk", on_delete: :cascade
diff --git a/app/models/api/openid_connect/id_token.rb b/lib/api/openid_connect/id_token.rb
similarity index 77%
rename from app/models/api/openid_connect/id_token.rb
rename to lib/api/openid_connect/id_token.rb
index 7fdcd7af0..cb6653176 100644
--- a/app/models/api/openid_connect/id_token.rb
+++ b/lib/api/openid_connect/id_token.rb
@@ -25,15 +25,12 @@ require "uri"
 module Api
 module OpenidConnect
- class IdToken < ActiveRecord::Base
- belongs_to :authorization
-
- before_validation :setup, on: :create
-
- default_scope { where("expires_at >= ?", Time.zone.now.utc) }
-
- def setup
- self.expires_at = 30.minutes.from_now
+ class IdToken
+ def initialize(authorization, nonce)
+ @authorization = authorization
+ @nonce = nonce
+ @created_at = Time.current
+ @expires_at = 30.minutes.from_now
 end
 def to_jwt(options={})
@@ -42,6 +39,8 @@ module Api
 end
 end
+ private
+
 def to_response_object(options={})
 OpenIDConnect::ResponseObject::IdToken.new(claims).tap do |id_token|
 id_token.code = options[:code] if options[:code]
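Review bot: In `initialize`, `@created_at` and `@expires_at` come from two separate clock reads, so the `iat` and `exp` claims built from them later in the file are not exactly one lifetime apart, and the lifetime is an inline literal; derive one from the other and name it: `LIFETIME = 30.minutes` at class level, then `@created_at = Time.current` and `@expires_at = @created_at + LIFETIME`. With the `default_scope` gone, nothing server-side can now refuse an expired token object — validity is carried only by the `exp` claim of the emitted JWT and checked by the relying party — which is the right model for a transient object but deserves a class-level comment such as `# Transient (never persisted) OpenID Connect ID token; expiry is enforced solely through the exp claim.` The body of `to_jwt` continues outside the hunk.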
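Review bot: The added `private` marker hides every method defined after it, which in this file includes not only `to_response_object` but also `claims` and `build_sub` further down; any caller or spec that invoked `id_token.claims` directly will now raise `NoMethodError`. If shrinking the public surface to `to_jwt` is intended, say so next to the marker, e.g. `# Only #to_jwt is public; claims are an implementation detail of the signed token.`; if not, restrict the change to the one method with `private :to_response_object` placed after its definition. The enclosing `to_jwt` method begins outside the hunk.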
@@ -54,17 +53,17 @@ module Api
 @claims ||= {
 iss: AppConfig.environment.url,
 sub: sub,
- aud: authorization.o_auth_application.client_id,
- exp: expires_at.to_i,
- iat: created_at.to_i,
- auth_time: authorization.user.current_sign_in_at.to_i,
- nonce: nonce,
+ aud: @authorization.o_auth_application.client_id,
+ exp: @expires_at.to_i,
+ iat: @created_at.to_i,
+ auth_time: @authorization.user.current_sign_in_at.to_i,
+ nonce: @nonce,
 acr: 0
 }
 end
 def build_sub
- Api::OpenidConnect::SubjectIdentifierCreator.create(authorization)
+ Api::OpenidConnect::SubjectIdentifierCreator.create(@authorization)
 end
 end
 end
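Review bot: `auth_time: @authorization.user.current_sign_in_at.to_i` silently emits `auth_time: 0` when `current_sign_in_at` is nil, because `nil.to_i` is 0, so a relying party that asked for `max_age` would see an authentication time of 1970 and reject the token or force re-authentication. If that column can be nil for some accounts (it looks like a sign-in-tracking field, which may not be populated everywhere — worth confirming), read it once before the hash, `signed_in_at = @authorization.user.current_sign_in_at`, emit `auth_time: signed_in_at && signed_in_at.to_i`, and drop nil entries before the claims are signed, so the claim is omitted rather than falsified. The memoised `@claims` hash is built once per object, so reading `@expires_at`/`@created_at` set in `initialize` keeps `iat` and `exp` stable across repeated `to_jwt` calls; the `def claims` line itself sits outside the hunk.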