11453: Check HTTP method of token validation request.
[arvados.git] / services / api / app / middlewares / arvados_api_token.rb
index be6bf0463c5168bd0efaa0e84aad078256e9732b..105b00faa4dc4d108737949381f9f5c40d8c17ca 100644 (file)
@@ -26,20 +26,26 @@ class ArvadosApiToken
       env["HTTP_AUTHORIZATION"].andand.
         match(/(OAuth2|Bearer) ([-\/a-zA-Z0-9]+)/).andand[2]
 
+    if params[:remote] && request.get? && (
+         request.path.start_with?('/arvados/v1/groups') ||
+         request.path.start_with?('/arvados/v1/users/current'))
+      # Request from a remote API server, asking to validate a salted
+      # token.
+      remote = params[:remote]
+    else
+      # Normal request.
+      remote = false
+    end
     auth = ApiClientAuthorization.
-           validate(token: Thread.current[:supplied_token], remote: false)
+           validate(token: Thread.current[:supplied_token],
+                    remote: remote)
+
     Thread.current[:api_client_ip_address] = remote_ip
     Thread.current[:api_client_authorization] = auth
     Thread.current[:api_client_uuid] = auth.andand.api_client.andand.uuid
     Thread.current[:api_client] = auth.andand.api_client
     Thread.current[:user] = auth.andand.user
 
-    if auth
-      auth.last_used_at = Time.now
-      auth.last_used_by_ip_address = remote_ip.to_s
-      auth.save validate: false
-    end
-
     @app.call env if @app
   end
 end
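Review bot: The value of `params[:remote]` is handed straight to `ApiClientAuthorization.validate` without any check on its shape in this hunk; Rails query parsing means `?remote[]=x` yields an Array and `?remote[a]=x` a Hash, and the new `if` only tests truthiness, method and path prefix, so the downstream code has to reject non-string or malformed cluster identifiers itself. If `validate` does not already enforce a cluster-id format (not visible here), tightening the guard to a string of the expected form, e.g. `if params[:remote].is_a?(String) && request.get? && (` followed by a format match before assigning `remote`, keeps the trust decision in the middleware where the rest of the gating lives. The comment on the true branch would also read more accurately as `# Request that claims to come from a remote API server, asking to validate a salted token; the claim is checked by validate.`, since the middleware only sees the parameter, not the caller. Note that `start_with?('/arvados/v1/groups')` is a plain prefix test and matches any path beginning with that string, which is fine only as long as the routes under that prefix are all ones intended to accept remote-salted tokens.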