// If we did this, the login cluster would call back to us and then
// reject our response because the user UUID prefix (i.e., the
// LoginCluster prefix) won't match the token UUID prefix (i.e., our
- // prefix). The anonymous token is OK to forward, because it gets
- // mapped to the local anonymous token automatically on the login
- // cluster.
+ // prefix). The anonymous token is OK to forward, because (unlike other
+ // local tokens for real users) the validation callback will return the
+ // locally issued anonymous user ID instead of a login-cluster user ID.
+ // That anonymous user ID gets mapped to the local anonymous user
+ // automatically on the login cluster.
return nil, httpErrorf(http.StatusUnauthorized, "cannot use a locally issued token to forward a request to our login cluster (%s)", remoteID)
}
salted, err := auth.SaltToken(token, remoteID)
secret = token
end
- # the anonymous token could be specified as a full v2 token in the config
- case Rails.configuration.Users.AnonymousUserToken[0..2]
- when 'v2/'
- _, anon_token_uuid, anon_secret, anon_optional = Rails.configuration.Users.AnonymousUserToken.split('/')
- unless anon_token_uuid.andand.length == 27 && anon_secret.andand.length.andand > 0
- # invalid v2 token
- return nil
- end
- else
- # v1 token
- anon_secret = Rails.configuration.Users.AnonymousUserToken
- end
-
- salted_secret = OpenSSL::HMAC.hexdigest('sha1', anon_secret, remote)
+ # Usually, the secret is salted
+ salted_secret = OpenSSL::HMAC.hexdigest('sha1', secret, remote)
+ # The anonymous token could be specified as a full v2 token in the config,
+ # but the config loader strips it down to the secret part.
# The anonymous token content and minimum length is verified in lib/config
- if secret.length >= 0 && (secret == anon_secret || secret == salted_secret)
+ if secret.length >= 0 && (secret == Rails.configuration.Users.AnonymousUserToken || secret == salted_secret)
return ApiClientAuthorization.new(user: User.find_by_uuid(anonymous_user_uuid),
uuid: Rails.configuration.ClusterID+"-gj3su-anonymouspublic",
api_token: secret,