From 18798d2e99f4d9b51109149b58c0c208480e96bb Mon Sep 17 00:00:00 2001
From: "byte[]"
Date: Tue, 24 Dec 2019 12:14:58 -0500
Subject: [PATCH] ensure the authenticated user is never persisted as a further safeguard against API CSRF
---
 lib/philomena_web/plugs/api_token_plug.ex | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)
diff --git a/lib/philomena_web/plugs/api_token_plug.ex b/lib/philomena_web/plugs/api_token_plug.ex
index 9bac8696..5d61c67f 100644
--- a/lib/philomena_web/plugs/api_token_plug.ex
+++ b/lib/philomena_web/plugs/api_token_plug.ex
@@ -1,30 +1,23 @@ defmodule PhilomenaWeb.ApiTokenPlug do - - alias Philomena.Users.User - alias Philomena.Repo + alias Philomena.Users alias Pow.Plug - import Ecto.Query def init([]), do: [] def call(conn, _opts) do conn |> maybe_find_user(conn.params["key"]) - |> maybe_assign_user() + |> assign_user() end defp maybe_find_user(conn, nil), do: {conn, nil} defp maybe_find_user(conn, key) do - user = - User - |> where(authentication_token: ^key) - |> Repo.one() + user = Users.get_by(authentication_token: key) {conn, user} end - defp maybe_assign_user({conn, nil}), do: conn - defp maybe_assign_user({conn, user}) do + defp assign_user({conn, user}) do config = Plug.fetch_config(conn) Plug.assign_current_user(conn, user, config)