1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
5 # Perform api_token checking very early in the request process. We want to do
6 # this in the Rack stack instead of in ApplicationController because
7 # websockets needs access to authentication but doesn't use any of the rails
8 # active dispatch infrastructure.
11 # Create a new ArvadosApiToken handler
12 # +app+ The next layer of the Rack stack.
13 def initialize(app = nil, options = nil)
14 @app = app.respond_to?(:call) ? app : nil
18 request = Rack::Request.new(env)
19 params = request.params
20 remote_ip = env["action_dispatch.remote_ip"]
22 Thread.current[:request_starttime] = Time.now
26 if params["remote"] && request.get? && (
27 request.path.start_with?('/arvados/v1/groups') ||
28 request.path.start_with?('/arvados/v1/api_client_authorizations/current') ||
29 request.path.start_with?('/arvados/v1/users/current'))
30 # Request from a remote API server, asking to validate a salted
32 remote = params["remote"]
33 elsif request.get? || params["_method"] == 'GET'
34 reader_tokens = params["reader_tokens"]
35 if reader_tokens.is_a? String
36 reader_tokens = SafeJSON.load(reader_tokens)
40 # Set current_user etc. based on the primary session token if a
41 # valid one is present. Otherwise, use the first valid token in
46 params["oauth_token"],
47 env["HTTP_AUTHORIZATION"].andand.match(/(OAuth2|Bearer) ([!-~]+)/).andand[2],
51 try_auth = ApiClientAuthorization.
52 validate(token: supplied, remote: remote)
53 if try_auth.andand.user
60 Thread.current[:api_client_ip_address] = remote_ip
61 Thread.current[:api_client_authorization] = auth
62 Thread.current[:api_client_uuid] = auth.andand.api_client.andand.uuid
63 Thread.current[:api_client] = auth.andand.api_client
64 Thread.current[:token] = accepted
65 Thread.current[:user] = auth.andand.user
projects / arvados.git / blob