ensure the authenticated user is never persisted as a further safeguard against API CSRF
This commit is contained in:
parent
cff7b9386f
commit
18798d2e99
1 changed files with 4 additions and 11 deletions
|
@ -1,30 +1,23 @@
|
||||||
defmodule PhilomenaWeb.ApiTokenPlug do
|
defmodule PhilomenaWeb.ApiTokenPlug do
|
||||||
|
alias Philomena.Users
|
||||||
alias Philomena.Users.User
|
|
||||||
alias Philomena.Repo
|
|
||||||
alias Pow.Plug
|
alias Pow.Plug
|
||||||
import Ecto.Query
|
|
||||||
|
|
||||||
def init([]), do: []
|
def init([]), do: []
|
||||||
|
|
||||||
def call(conn, _opts) do
|
def call(conn, _opts) do
|
||||||
conn
|
conn
|
||||||
|> maybe_find_user(conn.params["key"])
|
|> maybe_find_user(conn.params["key"])
|
||||||
|> maybe_assign_user()
|
|> assign_user()
|
||||||
end
|
end
|
||||||
|
|
||||||
defp maybe_find_user(conn, nil), do: {conn, nil}
|
defp maybe_find_user(conn, nil), do: {conn, nil}
|
||||||
defp maybe_find_user(conn, key) do
|
defp maybe_find_user(conn, key) do
|
||||||
user =
|
user = Users.get_by(authentication_token: key)
|
||||||
User
|
|
||||||
|> where(authentication_token: ^key)
|
|
||||||
|> Repo.one()
|
|
||||||
|
|
||||||
{conn, user}
|
{conn, user}
|
||||||
end
|
end
|
||||||
|
|
||||||
defp maybe_assign_user({conn, nil}), do: conn
|
defp assign_user({conn, user}) do
|
||||||
defp maybe_assign_user({conn, user}) do
|
|
||||||
config = Plug.fetch_config(conn)
|
config = Plug.fetch_config(conn)
|
||||||
|
|
||||||
Plug.assign_current_user(conn, user, config)
|
Plug.assign_current_user(conn, user, config)
|
||||||
|
|
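Review bot: The new `assign_user/1` clause assigns `nil` as the current user whenever `maybe_find_user/2` yields no user, and that overwrite is the actual safeguard the commit title describes, yet nothing in the code says so; a later reader who sees `Plug.assign_current_user(conn, nil, config)` may reinstate the old nil-skipping clause and silently reopen the path where a session-authenticated user carries over into API requests. Add a why-comment above the clause, e.g. `# Always overwrite the current-user assign, even with nil: a session-authenticated user must never carry over to API requests, and no Pow.Plug.create/3 call happens here, so the user is never persisted.` This relies on `Pow.Plug.assign_current_user/3` accepting `nil` (it is a plain `Conn.assign/3`) and on `Users.get_by/1` returning `nil` rather than raising when no row matches — presumably it wraps `Repo.get_by/2`, but its definition is outside this hunk. The function's closing `end` and the module's `end` also lie outside the hunk.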