diff options
author | Timothy Andrew <mail@timothyandrew.net> | 2016-11-22 14:34:23 +0530 |
---|---|---|
committer | Timothy Andrew <mail@timothyandrew.net> | 2016-12-16 16:29:31 +0530 |
commit | 7fa06ed55d18af4d055041eb27d38fecf9b5548f (patch) | |
tree | d2565cdc70269e5f244e7cf542170b0d5d8cf7aa /app/services/access_token_validation_service.rb | |
parent | 6c809dfae84e702f7a49d3fac5725745264e0ff9 (diff) | |
download | gitlab-ce-7fa06ed55d18af4d055041eb27d38fecf9b5548f.tar.gz |
Calls to the API are checked for scope.
- Move the `Oauth2::AccessTokenValidationService` class to
`AccessTokenValidationService`, since it is now being used for
personal access token validation as well.
- Each API endpoint declares the scopes it accepts (if any). Currently,
the top level API module declares the `api` scope, and the `Users` API
module declares the `read_user` scope (for GET requests).
- Move the `find_user_by_private_token` from the API `Helpers` module to
the `APIGuard` module, to avoid littering `Helpers` with more
auth-related methods to support `find_user_by_private_token`
Diffstat (limited to 'app/services/access_token_validation_service.rb')
-rw-r--r-- | app/services/access_token_validation_service.rb | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/app/services/access_token_validation_service.rb b/app/services/access_token_validation_service.rb new file mode 100644 index 00000000000..69449f3a445 --- /dev/null +++ b/app/services/access_token_validation_service.rb @@ -0,0 +1,34 @@ +module AccessTokenValidationService + # Results: + VALID = :valid + EXPIRED = :expired + REVOKED = :revoked + INSUFFICIENT_SCOPE = :insufficient_scope + + class << self + def validate(token, scopes: []) + if token.expired? + return EXPIRED + + elsif token.revoked? + return REVOKED + + elsif !self.sufficient_scope?(token, scopes) + return INSUFFICIENT_SCOPE + + else + return VALID + end + end + + # True if the token's scope contains any of the required scopes. + def sufficient_scope?(token, required_scopes) + if required_scopes.blank? + true + else + # Check whether the token is allowed access to any of the required scopes. + Set.new(required_scopes).intersection(Set.new(token.scopes)).present? + end + end + end +end |