Use POST for token generation
parent
260bfdc071
commit
60681e4385
|
@ -16,25 +16,20 @@ module AuthApiDoc
|
||||||
|
|
||||||
swagger_path '/api/v1/auth/generate-token' do
|
swagger_path '/api/v1/auth/generate-token' do
|
||||||
# Swagger documentation for /api/v1/auth/generate-token GET
|
# Swagger documentation for /api/v1/auth/generate-token GET
|
||||||
operation :get do
|
operation :post do
|
||||||
|
|
||||||
key :description, 'Return a valid Authorization Bearer token.'
|
key :description, 'Return a valid Authorization Bearer token.'
|
||||||
key :tags, [ 'auth' ]
|
key :tags, [ 'auth' ]
|
||||||
|
|
||||||
parameter do
|
parameter do
|
||||||
key :name, :username
|
key :in, :body
|
||||||
key :in, :query
|
key :name, :body
|
||||||
key :description, 'The username for the user you want to authenticate.'
|
key :description, 'Login credentials for the user who will be generating a token.'
|
||||||
key :required, true
|
key :required, true
|
||||||
key :type, :string
|
schema do
|
||||||
end
|
property :username, type: :string, required: true
|
||||||
|
property :password, type: :string, required: true
|
||||||
parameter do
|
end
|
||||||
key :name, :password
|
|
||||||
key :in, :query
|
|
||||||
key :description, 'The password for the user you want to authenticate.'
|
|
||||||
key :required, true
|
|
||||||
key :type, :string
|
|
||||||
end
|
end
|
||||||
|
|
||||||
response 200 do
|
response 200 do
|
||||||
|
|
|
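Review bot: The header comment at the top of the hunk still reads `# Swagger documentation for /api/v1/auth/generate-token GET` although the operation directly below it is now `operation :post do`; it should become `# Swagger documentation for /api/v1/auth/generate-token POST` so the comment matches the verb the spec advertises. The new body parameter declares `required: true` on each `property` inside the inline `schema`; whether the DSL turns that into the object-level `required` array Swagger 2.0 expects is not visible here and is worth confirming in the generated spec. The enclosing `swagger_path` block continues outside the hunk.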
@ -16,15 +16,19 @@ module Authentication
|
||||||
# Check if request contains valid data and should be authenticated.
|
# Check if request contains valid data and should be authenticated.
|
||||||
# @return [Boolean] true if strategy should be run for the request; otherwise, false.
|
# @return [Boolean] true if strategy should be run for the request; otherwise, false.
|
||||||
def valid?
|
def valid?
|
||||||
params['username'] && params['password']
|
body = JSON.parse(request.body.read, symbolize_names: true)
|
||||||
|
request.body.rewind # Reset the StringIO buffer so any further consumers can read the body
|
||||||
|
body[:username] && body[:password]
|
||||||
end
|
end
|
||||||
|
|
||||||
# Authenticate the request.
|
# Authenticate the request.
|
||||||
def authenticate!
|
def authenticate!
|
||||||
|
body = JSON.parse(request.body.read, symbolize_names: true)
|
||||||
|
request.body.rewind # Reset the StringIO buffer so any further consumers can read the body
|
||||||
db_manager = env['msf.db_manager']
|
db_manager = env['msf.db_manager']
|
||||||
user = db_manager.users(username: params['username']).first
|
user = db_manager.users(username: body[:username]).first
|
||||||
|
|
||||||
if user.nil? || !db_manager.authenticate_user(id: user.id, password: params['password'])
|
if user.nil? || !db_manager.authenticate_user(id: user.id, password: body[:password])
|
||||||
fail("Invalid username or password.")
|
fail("Invalid username or password.")
|
||||||
else
|
else
|
||||||
success!(user)
|
success!(user)
|
||||||
|
|
|
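Review bot: In `valid?`, `JSON.parse(request.body.read, symbolize_names: true)` raises `JSON::ParserError` on a malformed or empty body and `TypeError` when `read` returns nil, so a strategy predicate that should answer false instead propagates an exception; if this strategy is consulted for requests that carry no JSON body, every such request takes that path. The parsed value is then indexed as a Hash without checking that it is one, so a body of `"x"` or `[1]` raises on `body[:username]`, and a nested object supplied as `username` would presumably be passed straight into the `db_manager.users(username: ...)` lookup. The same read/rewind/parse sequence is duplicated in `authenticate!`; I would move it into a private helper that returns nil on failure, have `valid?` require a Hash with String credentials, and reuse the helper in `authenticate!`, whose lookup and `fail`/`success!` branches stay as they are. `authenticate!`'s body continues past the end of the hunk.
```ruby
# Read and rewind the JSON request body once for both valid? and authenticate!.
# Returns nil instead of raising when the body is missing or is not valid JSON,
# so a malformed request is rejected rather than surfacing as an exception.
def parsed_credentials
  raw = request.body.read
  request.body.rewind # Reset the StringIO buffer so any further consumers can read the body
  JSON.parse(raw, symbolize_names: true)
rescue JSON::ParserError, TypeError
  nil
end
private :parsed_credentials

# Check if request contains valid data and should be authenticated.
# @return [Boolean] true if strategy should be run for the request; otherwise, false.
def valid?
  creds = parsed_credentials
  creds.is_a?(Hash) && creds[:username].is_a?(String) && creds[:password].is_a?(String)
end

# Authenticate the request.
def authenticate!
  body = parsed_credentials
  # … unchanged: db_manager lookup, authenticate_user check, fail/success! …
```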
@ -31,7 +31,7 @@ module AuthServlet
|
||||||
app.post AuthServlet.api_login_path, &post_login
|
app.post AuthServlet.api_login_path, &post_login
|
||||||
|
|
||||||
app.get AuthServlet.api_logout_path, &get_logout
|
app.get AuthServlet.api_logout_path, &get_logout
|
||||||
app.get AuthServlet.api_generate_token_path, &get_generate_token
|
app.post AuthServlet.api_generate_token_path, &post_generate_token
|
||||||
app.post "#{AuthServlet.api_unauthenticated_path}/?:scope?", &post_unauthenticated
|
app.post "#{AuthServlet.api_unauthenticated_path}/?:scope?", &post_unauthenticated
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -75,7 +75,7 @@ module AuthServlet
|
||||||
end
|
end
|
||||||
|
|
||||||
# Generate a new API token for the current user
|
# Generate a new API token for the current user
|
||||||
def self.get_generate_token
|
def self.post_generate_token
|
||||||
lambda {
|
lambda {
|
||||||
# change action to drop the scope param since this is used
|
# change action to drop the scope param since this is used
|
||||||
# by XMLHttpRequest (XHR) and we don't want a redirect
|
# by XMLHttpRequest (XHR) and we don't want a redirect
|
||||||
|
@ -103,4 +103,4 @@ module AuthServlet
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|