Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add server signed response #163

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add server signed response #163

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 24 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -248,6 +248,30 @@ def api_authenticate
end
```

### Server signing response

The server can perform a validation of the response.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you're trying to say the server can sign the content of the response, right?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done


You can add the validation in the controller :

```ruby
class ApplicationController < ActiveController::Base
validation_with_api_auth(access_id: 'test', secret_key: 'test', options: { digest: 'sha256' } )
end
```

or specified at every render

```ruby
class ApplicationController < ActiveController::Base
validation_with_api_auth()

def index
render json: @users, api_auth: { access_id: 'test', secret_key: 'test', options: { digest: 'sha256' }}
end
end
```

## Development

ApiAuth uses bundler for gem dependencies and RSpec for testing. Developing the
Expand Down
2 changes: 2 additions & 0 deletions lib/api_auth/headers.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,8 @@ def initialize_request_driver(request)
GrapeRequest.new(request)
when /ActionDispatch::Request/
ActionDispatchRequest.new(request)
when /ActionDispatch::Response/
ActionDispatchRequest.new(request)
when /ActionController::CgiRequest/
ActionControllerRequest.new(request)
when /HTTPI::Request/
Expand Down
33 changes: 33 additions & 0 deletions lib/api_auth/railtie.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,40 @@ def api_authenticated?(secret_key)
end
end

module ClassMethods
def validation_with_api_auth(api_auth_options = nil)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we call this something like api_auth_sign_response

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

ActionController.add_renderer(:json) do |json, options|
api_auth_options ||= options[:api_auth]
options.delete(:api_auth)

json = json.to_json(options) unless json.is_a?(String)

if options[:callback].present?
self.content_type = Mime[:js] if content_type.nil? || content_type == Mime[:json]

"/**/#{options[:callback]}(#{json})"
else
self.content_type ||= Mime[:json]

# API AUTH addition headers
if api_auth_options
response.headers['CONTENT-MD5'] ||= Digest::MD5.base64digest(json)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this needed because the response object won't have a body for ApiAuth to inspect yet?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In fact, the body is the json variable. I keep the same code as the classic JSON renderer. It's just a .to_json of the variable passed in the controller.

The source code is here : https://github.com/rails/rails/blob/master/actionpack/lib/action_controller/metal/renderers.rb#L156

I add a comment in the code for memory.

response.headers['Authorization'] ||= ApiAuth.sign!(
request,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'd want to pass in the response object here right?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know that is strange, but we need to pass the request object because we need to access to the request.fullpath.
Secondly, we can use the already defined ActionDispatchRequest without any changed.

api_auth_options[:access_id],
api_auth_options[:secret_key],
api_auth_options[:options] || {}
).env['Authorization']
end

json
end
end
end
end

ActionController::Base.send(:include, ControllerMethods::InstanceMethods) if defined?(ActionController::Base)
ActionController::Base.send(:extend, ControllerMethods::ClassMethods) if defined?(ActionController::Base)
end # ControllerMethods

module ActiveResourceExtension # :nodoc:
Expand Down