# If there are too many reader tokens, assume the request is malicious
# and ignore it.
if request.get? and params[:reader_tokens] and
- params[:reader_tokens].size < 100
+ params[:reader_tokens].size < 100
+ secrets = params[:reader_tokens].map { |t|
+ if t.starts_with? "v2/"
+ t.split("/")[2]
+ else
+ t
+ end
+ }
@read_auths += ApiClientAuthorization
.includes(:user)
.where('api_token IN (?) AND
(expires_at IS NULL OR expires_at > CURRENT_TIMESTAMP)',
- params[:reader_tokens])
- .all
+ secrets)
+ .to_a
end
@read_auths.select! { |auth| auth.scopes_allow_request? request }
@read_users = @read_auths.map(&:user).uniq
end
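Review bot: The new `secrets = params[:reader_tokens].map { ... }` assumes the parameter is an Array, but the surrounding guard only checks presence and `.size < 100`, both of which a plain String (`?reader_tokens=abc`) also satisfies; `.map` then raises NoMethodError and a malformed request becomes a 500 instead of being ignored, where the old code passed the raw value to `IN (?)` and tolerated it. I would tighten the guard to `params[:reader_tokens].is_a?(Array) and params[:reader_tokens].size < 100` so non-array input falls through to the existing "ignore it" path. Separately, a `v2/` token with fewer than three segments makes `t.split("/")[2]` return nil, so `secrets` can carry nil entries into the query; closing the block with `}.compact` avoids that, and it appears the uuid segment of a v2 token is discarded here rather than checked against the matching authorization, which may be intended but is worth a one-line comment. The enclosing method begins before this hunk.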
def api_token(api_client_auth_name)
- api_client_authorizations(api_client_auth_name).api_token
+ api_client_authorizations(api_client_auth_name).token
end
def auth(api_client_auth_name)
- {'HTTP_AUTHORIZATION' => "OAuth2 #{api_token(api_client_auth_name)}"}
+ {'HTTP_AUTHORIZATION' => "Bearer #{api_token(api_client_auth_name)}"}
end
def show_errors model
end
def authorize_with api_client_auth_name
- authorize_with_token api_client_authorizations(api_client_auth_name).api_token
+ authorize_with_token api_client_authorizations(api_client_auth_name).token
end
def authorize_with_token token
t = token
- t = t.api_token if t.respond_to? :api_token
+ t = t.token if t.respond_to? :token
ArvadosApiToken.new.call("rack.input" => "",
- "HTTP_AUTHORIZATION" => "OAuth2 #{t}")
+ "HTTP_AUTHORIZATION" => "Bearer #{t}")
end
def salt_token(fixture:, remote:)