1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
|
# frozen_string_literal: true
module TokenAuthenticatableStrategies
class Base
attr_reader :klass, :token_field, :options
def initialize(klass, token_field, options)
@klass = klass
@token_field = token_field
@expires_at_field = "#{token_field}_expires_at"
@options = options
end
def find_token_authenticatable(instance, unscoped = false)
raise NotImplementedError
end
def get_token(instance)
raise NotImplementedError
end
def set_token(instance, token)
raise NotImplementedError
end
def token_fields
result = [token_field]
result << @expires_at_field if expirable?
result
end
# If a `format_with_prefix` option is provided, it applies and returns the formatted token.
# Otherwise, default implementation returns the token as-is
def format_token(instance, token)
prefix = prefix_for(instance)
prefixed_token = prefix ? "#{prefix}#{token}" : token
instance.send("format_#{@token_field}", prefixed_token) # rubocop:disable GitlabSecurity/PublicSend
end
def ensure_token(instance)
write_new_token(instance) unless token_set?(instance)
get_token(instance)
end
# Returns a token, but only saves when the database is in read & write mode
def ensure_token!(instance)
reset_token!(instance) unless token_set?(instance)
get_token(instance)
end
# Resets the token, but only saves when the database is in read & write mode
def reset_token!(instance)
write_new_token(instance)
instance.save! if Gitlab::Database.read_write?
end
def expires_at(instance)
instance.read_attribute(@expires_at_field)
end
def expired?(instance)
return false unless expirable? && token_expiration_enforced?
exp = expires_at(instance)
!!exp && exp.past?
end
def expirable?
!!@options[:expires_at]
end
def token_with_expiration(instance)
API::Support::TokenWithExpiration.new(self, instance)
end
def self.fabricate(model, field, options)
if options[:digest] && options[:encrypted]
raise ArgumentError, _('Incompatible options set!')
end
if options[:digest]
TokenAuthenticatableStrategies::Digest.new(model, field, options)
elsif options[:encrypted]
TokenAuthenticatableStrategies::Encrypted.new(model, field, options)
else
TokenAuthenticatableStrategies::Insecure.new(model, field, options)
end
end
protected
def prefix_for(instance)
case prefix_option = options[:format_with_prefix]
when nil
nil
when Symbol
instance.send(prefix_option) # rubocop:disable GitlabSecurity/PublicSend
else
raise NotImplementedError
end
end
def write_new_token(instance)
new_token = generate_available_token
formatted_token = format_token(instance, new_token)
set_token(instance, formatted_token)
if expirable?
instance[@expires_at_field] = @options[:expires_at].to_proc.call(instance)
end
end
def unique
@options.fetch(:unique, true)
end
def generate_available_token
loop do
token = generate_token
break token unless unique && find_token_authenticatable(token, true)
end
end
def generate_token
@options[:token_generator] ? @options[:token_generator].call : Devise.friendly_token
end
def relation(unscoped)
unscoped ? @klass.unscoped : @klass.where(not_expired)
end
def token_set?(instance)
raise NotImplementedError
end
def token_expiration_enforced?
return true unless @options[:expiration_enforced?]
@options[:expiration_enforced?].to_proc.call(@klass)
end
def not_expired
Arel.sql("#{@expires_at_field} IS NULL OR #{@expires_at_field} >= NOW()") if expirable? && token_expiration_enforced?
end
end
end
|
