Add OAuth scopes

https://github.com/foodcoops/foodsoft/issues/582#issuecomment-442513237
2019-02-05 20:53:02 +01:00 · 2019-02-05 20:53:02 +01:00 · e9be38b3e9
commit e9be38b3e9
parent 02f1940694
12 changed files with 162 additions and 32 deletions
--- a/app/controllers/api/v1/base_controller.rb
+++ b/app/controllers/api/v1/base_controller.rb
@ -1,4 +1,6 @@
 class Api::V1::BaseController < ApplicationController
+  include Concerns::AuthApi
+
  protect_from_forgery with: :null_session

  before_action :skip_session
@ -11,16 +13,6 @@ class Api::V1::BaseController < ApplicationController

  private

-  def authenticate
-    doorkeeper_authorize!
-    super if current_user
-  end
-
-  # @return [User] Current user, or +nil+ if no valid token.
-  def current_user
-    @current_user ||= User.undeleted.find(doorkeeper_token.resource_owner_id) if doorkeeper_token
-  end
-
  # @return [Ordergroup] Current user's ordergroup, or +nil+ if no valid token or user has no ordergroup.
  def current_ordergroup
    current_user.try(:ordergroup)
@ -28,7 +20,9 @@ class Api::V1::BaseController < ApplicationController

  def require_ordergroup
    authenticate
-    raise Api::Errors::PermissionRequired unless current_user.ordergroup.present?
+    unless current_ordergroup.present?
+      raise Api::Errors::PermissionRequired.new('Forbidden, must be in an ordergroup')
+    end
  end

  def skip_session
@ -42,13 +36,18 @@ class Api::V1::BaseController < ApplicationController
  end

  def not_acceptable_handler(e)
-    render status: 422, json: {error: 'not_acceptable', error_description: e.message || 'Data not acceptable' }
+    msg = e.message || 'Data not acceptable'
+    render status: 422, json: {error: 'not_acceptable', error_description: msg}
  end

  def doorkeeper_unauthorized_render_options(error:)
    {json: {error: error.name, error_description: error.description}}
  end

+  def doorkeeper_forbidden_render_options(error:)
+    {json: {error: error.name, error_description: error.description}}
+  end
+
  def permission_required_handler(e)
    msg = e.message || 'Forbidden, user has no access'
    render status: 403, json: {error: 'forbidden', error_description: msg}
@ -58,5 +57,4 @@ class Api::V1::BaseController < ApplicationController
  def show_user(user = current_user, **options)
    user.display
  end
-
 end
--- a/app/controllers/api/v1/configs_controller.rb
+++ b/app/controllers/api/v1/configs_controller.rb
@ -1,5 +1,7 @@
 class Api::V1::ConfigsController < Api::V1::BaseController

+  before_action ->{ doorkeeper_authorize! 'config:user', 'config:read', 'config:write' }
+
  def show
    render json: FoodsoftConfig, serializer: ConfigSerializer, root: 'config'
  end
--- a/app/controllers/api/v1/user/users_controller.rb
+++ b/app/controllers/api/v1/user/users_controller.rb
@ -0,0 +1,9 @@
+class Api::V1::User::UsersController < Api::V1::BaseController
+
+  before_action ->{ doorkeeper_authorize! 'user:read', 'user:write' }
+
+  def show
+    render json: current_user
+  end
+
+end
--- a/app/controllers/api/v1/users_controller.rb
+++ b/app/controllers/api/v1/users_controller.rb
@ -1,7 +0,0 @@
-class Api::V1::UsersController < Api::V1::BaseController
-
-  def show
-    render json: current_user
-  end
-
-end