token.rb 4.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189
  1. # Copyright (C) 2012-2024 Zammad Foundation, https://zammad-foundation.org/
  2. class Token < ApplicationModel
  3. include Token::Permissions
  4. include Token::TriggersSubscriptions
  5. before_create :generate_token
  6. belongs_to :user, optional: true
  7. store :preferences
  8. scope :without_sensitive_columns, -> { select(column_names - %w[persistent token]) }
  9. =begin
  10. create new token
  11. token = Token.create(action: 'PasswordReset', user_id: user.id)
  12. returns
  13. the token
  14. create new persistent token
  15. token = Token.create(
  16. action: 'api',
  17. persistent: true,
  18. user_id: user.id,
  19. preferences: {
  20. permission: {
  21. 'user_preferences.calendar' => true,
  22. }
  23. }
  24. )
  25. in case if you use it via an controller, e. g. you can verify via "curl -H "Authorization: Token token=…" http://…
  26. returns
  27. the token
  28. =end
  29. =begin
  30. check token
  31. user = Token.check(action: 'PasswordReset', token: '123abc12qweads')
  32. check api token with permissions
  33. user = Token.check(action: 'api', token: '123abc12qweads', permission: 'admin.session')
  34. user = Token.check(action: 'api', token: '123abc12qweads', permission: ['admin.session', 'ticket.agent'])
  35. returns
  36. user for who this token was created
  37. =end
  38. def self.check(action:, token:, permission: nil, inactive_user: false)
  39. # fetch token
  40. token = Token.find_by(action:, token:)
  41. return if !token
  42. token.user if token.check?(permission:, inactive_user:)
  43. end
  44. # Check token instance validity
  45. # Invalid non-persistant instance is removed
  46. #
  47. # @param data [Hash] check options
  48. # @option data [Boolean] :inactive_user skip checking if referenced user is active
  49. # @option data [String, Array<String>] :permission check if token has given permissions
  50. #
  51. # @return [Boolean]
  52. def check?(permission: nil, inactive_user: false)
  53. if !persistent && created_at < 1.day.ago
  54. destroy
  55. return false
  56. end
  57. # persistent token not valid if user is inactive
  58. return false if !inactive_user && persistent && user.active == false
  59. # add permission check
  60. return false if permission && !permissions?(permission)
  61. true
  62. end
  63. =begin
  64. cleanup old token
  65. Token.cleanup
  66. =end
  67. def self.cleanup
  68. Token.where(persistent: false, created_at: ...30.days.ago).delete_all
  69. true
  70. end
  71. # allows to evaluate token permissions in context of given user instead of owner
  72. # @param [User] user to use as context for the given block
  73. # @param block to evaluate in given context
  74. def with_context(user:, &block)
  75. @effective_user = user
  76. instance_eval(&block) if block
  77. ensure
  78. @effective_user = nil
  79. end
  80. # fetch token for a user with a given action
  81. # checks token validity
  82. #
  83. # @param [String] action name
  84. # @param [Integer, User] user
  85. #
  86. # @return [Token, nil]
  87. def self.fetch(action, user_id = UserInfo.current_user_id)
  88. token = find_by(action: action, user_id: user_id)
  89. token if token&.check?
  90. end
  91. # creates or returns existing token
  92. #
  93. # @param [String] action name
  94. # @param [Integer, User] user
  95. #
  96. # @return [String]
  97. def self.ensure_token!(action, user_id = UserInfo.current_user_id, persistent: false)
  98. instance = fetch(action, user_id)
  99. return instance.token if instance.present?
  100. create!(action: action, user_id: user_id, persistent: persistent).token
  101. end
  102. # regenerates an existing token
  103. #
  104. # @param [String] action name
  105. # @param [Integer, User] user
  106. #
  107. # @return [String]
  108. def self.renew_token!(action, user_id = UserInfo.current_user_id, persistent: false)
  109. instance = fetch(action, user_id)
  110. return create(action: action, user_id: user_id, persistent: persistent).token if !instance
  111. instance.renew_token!
  112. end
  113. # regenerates an existing token
  114. #
  115. # @return [String]
  116. def renew_token!
  117. generate_token
  118. save!
  119. token
  120. end
  121. def visible_in_frontend?
  122. action == 'api' && persistent
  123. end
  124. private
  125. def generate_token
  126. loop do
  127. self.token = SecureRandom.urlsafe_base64(48)
  128. break if !Token.exists?(token: token)
  129. end
  130. true
  131. end
  132. # token owner or user set by #with_context
  133. def effective_user
  134. @effective_user || user
  135. end
  136. end