ensure the authenticated user is never persisted as a further safeguard against API CSRF

byte[] 2019-12-24 12:14:58 -05:00
parent cff7b9386f
commit 18798d2e99


@ -1,30 +1,23 @@
defmodule PhilomenaWeb.ApiTokenPlug do defmodule PhilomenaWeb.ApiTokenPlug do
alias Philomena.Users
alias Philomena.Users.User
alias Philomena.Repo
alias Pow.Plug alias Pow.Plug
import Ecto.Query
def init([]), do: [] def init([]), do: []
def call(conn, _opts) do def call(conn, _opts) do
conn conn
|> maybe_find_user(conn.params["key"]) |> maybe_find_user(conn.params["key"])
|> maybe_assign_user() |> assign_user()
end end
defp maybe_find_user(conn, nil), do: {conn, nil} defp maybe_find_user(conn, nil), do: {conn, nil}
defp maybe_find_user(conn, key) do defp maybe_find_user(conn, key) do
user = user = Users.get_by(authentication_token: key)
User
|> where(authentication_token: ^key)
|> Repo.one()
{conn, user} {conn, user}
end end
defp maybe_assign_user({conn, nil}), do: conn defp assign_user({conn, user}) do
defp maybe_assign_user({conn, user}) do
config = Plug.fetch_config(conn) config = Plug.fetch_config(conn)
Plug.assign_current_user(conn, user, config) Plug.assign_current_user(conn, user, config)