trabajo-afectivo/app/models/token.rb

# Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/

class Token < ApplicationModel
  include CanBeAuthorized

  before_create :generate_token
  belongs_to    :user, optional: true
  store         :preferences

=begin

create new token

  token = Token.create(action: 'PasswordReset', user_id: user.id)

returns

  the token

create new persistent token

  token = Token.create(
    action:     'api',
    persistent: true,
    user_id:    user.id,
    preferences: {
      permission: {
        'user_preferences.calendar' => true,
      }
    }
  )

in case if you use it via an controller, e. g. you can verify via "curl -H "Authorization: Token token=33562a00d7eda2a7c2fb639b91c6bcb8422067b6" http://...

returns

  the token

=end

=begin

check token

  user = Token.check(action: 'PasswordReset', name: '123abc12qweads')

check api token with permissions

  user = Token.check(action: 'api', name: '123abc12qweads', permission: 'admin.session')

  user = Token.check(action: 'api', name: '123abc12qweads', permission: ['admin.session', 'ticket.agent'])

returns

  user for who this token was created

=end

  def self.check(data)

    # fetch token
    token = Token.find_by(action: data[:action], name: data[:name])
    return if !token

    # check if token is still valid
    if !token.persistent &&
       token.created_at < 1.day.ago

      # delete token
      token.delete
      token.save
      return
    end

    user = token.user

    # persistent token not valid if user is inactive
    return if !data[:inactive_user] && token.persistent && user.active == false

    # add permission check
    return if data[:permission] && !token.permissions?(data[:permission])

    # return token user
    user
  end

=begin

cleanup old token

  Token.cleanup

=end

  def self.cleanup
    Token.where('persistent IS ? AND created_at < ?', nil, 30.days.ago).delete_all
    true
  end

  def permissions
    Permission.where(
      name:   Array(preferences[:permission]),
      active: true,
    )
  end

  def permissions?(names)
    return false if !effective_user.permissions?(names)

    super(names)
  end

  # allows to evaluate token permissions in context of given user instead of owner
  # @param [User] user to use as context for the given block
  # @param block to evaluate in given context
  def with_context(user:, &block)
    @effective_user = user

    instance_eval(&block) if block
  ensure
    @effective_user = nil
  end

  private

  def generate_token
    loop do
      self.name = SecureRandom.urlsafe_base64(48)
      break if !Token.exists?(name: name)
    end
    true
  end

  # token owner or user set by #with_context
  def effective_user
    @effective_user || user
  end
end
Maintenance: Update copyright header. 2022-01-01 13:38:12 +00:00			`# Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/`
Code reformattingand code layout beautying. 2013-06-12 15:59:58 +00:00
Maintenance: All models should inherit from ApplicationModel. 2019-10-15 10:15:58 +00:00			`class Token < ApplicationModel`
Fixes #3111 - admin.user token permission doesn't allow fetching details of specific user 2020-08-14 11:12:41 +00:00			`include CanBeAuthorized`

Added little documentation. 2015-08-21 13:33:06 +00:00			`before_create :generate_token`
Bumps [rails](https://github.com/rails/rails) from 5.1.7 to 5.2.3. - [Release notes](https://github.com/rails/rails/releases) - [Changelog](https://github.com/rails/rails/blob/master/CHANGELOG.md) - [Commits](https://github.com/rails/rails/compare/v5.1.7...v5.2.3) 2019-07-04 11:16:55 +00:00			`belongs_to :user, optional: true`
Moved from to new permission management. 2016-08-12 16:39:09 +00:00			`store :preferences`
Init version pf password reset. 2012-04-23 06:55:16 +00:00
Added little documentation. 2015-08-21 13:33:06 +00:00			`=begin`

			`create new token`

Added email verify feature for self signup accounts. 2016-06-01 14:58:11 +00:00			`token = Token.create(action: 'PasswordReset', user_id: user.id)`
Added little documentation. 2015-08-21 13:33:06 +00:00
			`returns`

			`the token`

			`create new persistent token`

			`token = Token.create(`
Moved from to new permission management. 2016-08-12 16:39:09 +00:00			`action: 'api',`
Added little documentation. 2015-08-21 13:33:06 +00:00			`persistent: true,`
			`user_id: user.id,`
Moved from to new permission management. 2016-08-12 16:39:09 +00:00			`preferences: {`
			`permission: {`
			`'user_preferences.calendar' => true,`
			`}`
			`}`
Added little documentation. 2015-08-21 13:33:06 +00:00			`)`

			`in case if you use it via an controller, e. g. you can verify via "curl -H "Authorization: Token token=33562a00d7eda2a7c2fb639b91c6bcb8422067b6" http://...`

			`returns`

			`the token`

			`=end`

			`=begin`

			`check token`

Added token attributes last_used_at and expires_at. 2016-08-30 14:26:27 +00:00			`user = Token.check(action: 'PasswordReset', name: '123abc12qweads')`
Added little documentation. 2015-08-21 13:33:06 +00:00
Moved from to new permission management. 2016-08-12 16:39:09 +00:00			`check api token with permissions`

Added token attributes last_used_at and expires_at. 2016-08-30 14:26:27 +00:00			`user = Token.check(action: 'api', name: '123abc12qweads', permission: 'admin.session')`
Moved from to new permission management. 2016-08-12 16:39:09 +00:00
Fixed issue #902 - Can't use PUT on Organizations REST API with token. 2017-04-11 06:33:08 +00:00			`user = Token.check(action: 'api', name: '123abc12qweads', permission: ['admin.session', 'ticket.agent'])`

Added little documentation. 2015-08-21 13:33:06 +00:00			`returns`

			`user for who this token was created`

			`=end`
Init version pf password reset. 2012-04-23 06:55:16 +00:00
Added email verify feature for self signup accounts. 2016-06-01 14:58:11 +00:00			`def self.check(data)`
Init version pf password reset. 2012-04-23 06:55:16 +00:00
			`# fetch token`
Added email verify feature for self signup accounts. 2016-06-01 14:58:11 +00:00			`token = Token.find_by(action: data[:action], name: data[:name])`
Init version pf password reset. 2012-04-23 06:55:16 +00:00			`return if !token`
Code reformattingand code layout beautying. 2013-06-12 15:59:58 +00:00
Init version pf password reset. 2012-04-23 06:55:16 +00:00			`# check if token is still valid`
- Added Token unit tests. - Added Token attribute 'persisten'. - Added auth function 'authentication_check_action_token'. 2015-02-22 18:10:54 +00:00			`if !token.persistent &&`
Corrected with rubocop cop 'Style/MultilineOperationIndentation'. 2015-05-01 12:27:57 +00:00			`token.created_at < 1.day.ago`
Added auto login after password reset. 2013-01-03 12:00:55 +00:00
Init version pf password reset. 2012-04-23 06:55:16 +00:00			`# delete token`
			`token.delete`
			`token.save`
			`return`
			`end`
Added auto login after password reset. 2013-01-03 12:00:55 +00:00
Disable valid permanent tokens if user is inactive. 2016-07-28 12:43:31 +00:00			`user = token.user`

Added token attributes last_used_at and expires_at. 2016-08-30 14:26:27 +00:00			`# persistent token not valid if user is inactive`
Maintenance: Updated rubocop(-* gems) to latest version (0.92.0). 2020-09-30 09:07:01 +00:00			`return if !data[:inactive_user] && token.persistent && user.active == false`
Moved from to new permission management. 2016-08-12 16:39:09 +00:00
			`# add permission check`
Maintenance: Updated rubocop(-* gems) to latest version (0.92.0). 2020-09-30 09:07:01 +00:00			`return if data[:permission] && !token.permissions?(data[:permission])`
Disable valid permanent tokens if user is inactive. 2016-07-28 12:43:31 +00:00
Improved comment. 2015-06-23 12:27:17 +00:00			`# return token user`
Disable valid permanent tokens if user is inactive. 2016-07-28 12:43:31 +00:00			`user`
Init version pf password reset. 2012-04-23 06:55:16 +00:00			`end`

Added token cleanup job. 2015-08-24 10:09:04 +00:00			`=begin`

			`cleanup old token`

			`Token.cleanup`

			`=end`

			`def self.cleanup`
Maintenance: Bump rubocop-rails from 2.12.4 to 2.13.0 Bumps [rubocop-rails](https://github.com/rubocop/rubocop-rails) from 2.12.4 to 2.13.0. - [Release notes](https://github.com/rubocop/rubocop-rails/releases) - [Changelog](https://github.com/rubocop/rubocop-rails/blob/master/CHANGELOG.md) - [Commits](https://github.com/rubocop/rubocop-rails/compare/v2.12.4...v2.13.0) 2022-01-03 09:47:32 +00:00			`Token.where('persistent IS ? AND created_at < ?', nil, 30.days.ago).delete_all`
Added token cleanup job. 2015-08-24 10:09:04 +00:00			`true`
			`end`

Fixes #3111 - admin.user token permission doesn't allow fetching details of specific user 2020-08-14 11:12:41 +00:00			`def permissions`
			`Permission.where(`
			`name: Array(preferences[:permission]),`
			`active: true,`
			`)`
			`end`

			`def permissions?(names)`
Fixes #3186 - Endpoint api/v1/ticket_articles/by_ticket ignores X-On-Behalf-Of 2020-09-14 06:34:42 +00:00			`return false if !effective_user.permissions?(names)`
Refactoring: Replaced home-rolled authorization logic in Controllers with Pundit. 2020-03-19 09:39:51 +00:00
Fixes #3111 - admin.user token permission doesn't allow fetching details of specific user 2020-08-14 11:12:41 +00:00			`super(names)`
Refactoring: Replaced home-rolled authorization logic in Controllers with Pundit. 2020-03-19 09:39:51 +00:00			`end`

Fixes #3186 - Endpoint api/v1/ticket_articles/by_ticket ignores X-On-Behalf-Of 2020-09-14 06:34:42 +00:00			`# allows to evaluate token permissions in context of given user instead of owner`
			`# @param [User] user to use as context for the given block`
			`# @param block to evaluate in given context`
			`def with_context(user:, &block)`
			`@effective_user = user`

Maintenance: Updated rubocop(-* gems) to latest version (1.4.1). 2020-11-24 16:20:57 +00:00			`instance_eval(&block) if block`
Fixes #3186 - Endpoint api/v1/ticket_articles/by_ticket ignores X-On-Behalf-Of 2020-09-14 06:34:42 +00:00			`ensure`
			`@effective_user = nil`
			`end`

Init version pf password reset. 2012-04-23 06:55:16 +00:00			`private`
Corrected with rubocop cop 'Style/EmptyLinesAroundAccessModifier'. 2015-05-01 12:31:46 +00:00
Code reformattingand code layout beautying. 2013-06-12 15:59:58 +00:00			`def generate_token`
Corrected with rubocop cop 'Lint/Loop'. 2015-05-05 10:32:25 +00:00			`loop do`
Added api setting to admin interface and tokens to user preferences. 2016-07-28 10:09:32 +00:00			`self.name = SecureRandom.urlsafe_base64(48)`
Added email verify feature for self signup accounts. 2016-06-01 14:58:11 +00:00			`break if !Token.exists?(name: name)`
Corrected with rubocop cop 'Lint/Loop'. 2015-05-05 10:32:25 +00:00			`end`
Improved tests (do not break on before/after callbacks). 2017-06-16 22:53:20 +00:00			`true`
Code reformattingand code layout beautying. 2013-06-12 15:59:58 +00:00			`end`
Fixes #3186 - Endpoint api/v1/ticket_articles/by_ticket ignores X-On-Behalf-Of 2020-09-14 06:34:42 +00:00
			`# token owner or user set by #with_context`
			`def effective_user`
			`@effective_user \|\| user`
			`end`
Code reformattingand code layout beautying. 2013-06-12 15:59:58 +00:00			`end`