From c51112b45afa41e3fb133ffdbd542797812031c8 Mon Sep 17 00:00:00 2001
From: kjgarza
Date: Fri, 27 Mar 2020 17:19:29 +0100
Subject: [PATCH 1/3] rejects blacklisted JWT

---
 app/controllers/application_controller.rb | 4 ++--
 config/application.rb | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 694f033cc..c1db1766b 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -3,7 +3,6 @@ class ApplicationController < ActionController::API
 include Authenticable
 include CanCan::ControllerAdditions
 include ErrorSerializable
- require "facets/string/snakecase"

 # include helper module for caching infrequently changing resources
@@ -74,6 +73,7 @@ def authenticate_user_with_basic_auth!
 def authenticate_user!
 type, credentials = type_and_credentials_from_request_headers
 return false if credentials.blank?
+ raise JWT::VerificationError if (ENV['JWT_BLACKLISTED'] == credentials)
 @current_user = User.new(credentials, type: type)
 fail CanCan::AuthorizationNotPerformed if @current_user.errors.present?

@@ -98,7 +98,7 @@ def authenticated_user
 unless Rails.env.development?
 rescue_from *RESCUABLE_EXCEPTIONS do |exception|
 status = case exception.class.to_s
- when "CanCan::AuthorizationNotPerformed", "JWT::DecodeError" then 401
+ when "CanCan::AuthorizationNotPerformed", "JWT::DecodeError","JWT::VerificationError" then 401
 when "CanCan::AccessDenied" then 403
 when "ActiveRecord::RecordNotFound", "AbstractController::ActionNotFound", "ActionController::RoutingError" then 404
 when "ActionController::UnknownFormat" then 406
diff --git a/config/application.rb b/config/application.rb
index ef92425a5..52c3d7313 100644
--- a/config/application.rb
+++ b/config/application.rb
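Review bot: The new `raise JWT::VerificationError if (ENV['JWT_BLACKLISTED'] == credentials)` line revokes by exact comparison of the raw credential string taken from the request header, so it only ever rejects that one serialization — a token later issued to the same subject, or the same token with different surrounding whitespace, still passes, and the same holds for the widened list checks in the second and third patches (`@@ -73,7 +73,7 @@` in both). Because the list is read from `ENV`, a newly revoked token presumably takes effect only once the processes pick up the new value, which deserves a comment such as `# Revocation is an exact match on the serialized credential listed in JWT_BLACKLISTED; the list is read from the environment, not from the database.`. A rejected revoked credential is also a security event that leaves no trace here; a `Rails.logger.warn("rejected revoked credentials (type=#{type})")` before the raise would make it visible without logging the secret itself. Note that `credentials` may be Basic-auth material rather than a JWT depending on what `type_and_credentials_from_request_headers` returns, and the guard applies to both. `authenticate_user!` continues past the end of the hunk.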
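Review bot: The added `"JWT::VerificationError"` arm in the status `case` is only reachable if `rescue_from *RESCUABLE_EXCEPTIONS` actually intercepts that class, and `RESCUABLE_EXCEPTIONS` is defined outside the hunk; as far as I recall the ruby-jwt gem defines `JWT::VerificationError` as a subclass of `JWT::DecodeError`, so it is caught by ancestry if the constant lists `JWT::DecodeError`, but the string `case` still needs this explicit entry — please confirm the constant covers it, otherwise the new raise in `authenticate_user!` surfaces as a 500 instead of a 401. Also the new literal is missing the space after the comma: `when "CanCan::AuthorizationNotPerformed", "JWT::DecodeError", "JWT::VerificationError" then 401`. The `rescue_from` block continues outside the hunk.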
@@ -59,6 +59,8 @@ ENV['MG_DOMAIN'] ||= "mg.datacite.org"
 ENV['HANDLES_MINTED'] ||= "10132"
 ENV['REALM'] ||= ENV['API_URL']
+ENV['JWT_BLACKLISTED'] ||= ENV['JWT_BLACKLISTED']
+
 module Lupo
 class Application < Rails::Application

From cfc9d3e347ebc9c79d078ad8dcbec886c3385d84 Mon Sep 17 00:00:00 2001
From: kjgarza
Date: Fri, 27 Mar 2020 17:44:47 +0100
Subject: [PATCH 2/3] added feedback

---
 app/controllers/application_controller.rb | 2 +-
 config/application.rb | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index c1db1766b..35ecfe299 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -73,7 +73,7 @@ def authenticate_user_with_basic_auth!
 def authenticate_user!
 type, credentials = type_and_credentials_from_request_headers
 return false if credentials.blank?
- raise JWT::VerificationError if (ENV['JWT_BLACKLISTED'] == credentials)
+ raise JWT::VerificationError if ENV["JWT_BLACKLISTED"].split(",").include?(credentials)
 @current_user = User.new(credentials, type: type)
 fail CanCan::AuthorizationNotPerformed if @current_user.errors.present?

diff --git a/config/application.rb b/config/application.rb
index 52c3d7313..ef92425a5 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -59,8 +59,6 @@ ENV['MG_DOMAIN'] ||= "mg.datacite.org"
 ENV['HANDLES_MINTED'] ||= "10132"
 ENV['REALM'] ||= ENV['API_URL']
-ENV['JWT_BLACKLISTED'] ||= ENV['JWT_BLACKLISTED']
-
 module Lupo
 class Application < Rails::Application

From 8832ce18e4a3c88a6965f4cbdcd23e799979a40a Mon Sep 17 00:00:00 2001
From: kjgarza
Date: Fri, 27 Mar 2020 18:12:10 +0100
Subject: [PATCH 3/3] hanlde empty

---
 app/controllers/application_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 35ecfe299..91ee69fb4 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -73,7 +73,7 @@ def authenticate_user_with_basic_auth!
 def authenticate_user!
 type, credentials = type_and_credentials_from_request_headers
 return false if credentials.blank?
- raise JWT::VerificationError if ENV["JWT_BLACKLISTED"].split(",").include?(credentials)
+ raise JWT::VerificationError if (ENV["JWT_BLACKLISTED"] || "").split(",").include?(credentials)
 @current_user = User.new(credentials, type: type)
 fail CanCan::AuthorizationNotPerformed if @current_user.errors.present?
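Review bot: `(ENV["JWT_BLACKLISTED"] || "").split(",")` keeps whatever whitespace surrounds each entry, so a value written as `"tok1, tok2"` never matches `tok2` and the revocation silently does not apply. Stripping the entries and dropping empties, `(ENV["JWT_BLACKLISTED"] || "").split(",").map(&:strip).reject(&:empty?)`, makes the list robust to how the variable is set; the `|| ""` fallback correctly yields an empty list when the variable is unset. A one-line comment stating the contract, `# JWT_BLACKLISTED: comma-separated list of exact credential strings to reject before they are decoded`, would help the next operator who sets the variable. `authenticate_user!` continues past the end of the hunk.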