ensure the authenticated user is never persisted as a further safeguard against API CSRF

This commit is contained in:
byte[] 2019-12-24 12:14:58 -05:00
parent cff7b9386f
commit 18798d2e99


@ -1,30 +1,23 @@
defmodule PhilomenaWeb.ApiTokenPlug do
alias Philomena.Users.User
alias Philomena.Repo
alias Philomena.Users
alias Pow.Plug
import Ecto.Query
def init([]), do: []
def call(conn, _opts) do
conn
|> maybe_find_user(conn.params["key"])
|> maybe_assign_user()
|> assign_user()
end
defp maybe_find_user(conn, nil), do: {conn, nil}
defp maybe_find_user(conn, key) do
user =
User
|> where(authentication_token: ^key)
|> Repo.one()
user = Users.get_by(authentication_token: key)
{conn, user}
end
defp maybe_assign_user({conn, nil}), do: conn
defp maybe_assign_user({conn, user}) do
defp assign_user({conn, user}) do
config = Plug.fetch_config(conn)
Plug.assign_current_user(conn, user, config)