117 lines
3.2 KiB
Elixir
117 lines
3.2 KiB
Elixir
defmodule HostasWeb.Auth.TokenController do
|
|
import Ecto.Query, only: [from: 2]
|
|
use HostasWeb, :controller
|
|
|
|
alias Hostas.Repo
|
|
alias Hostas.Denizen
|
|
alias Hostas.Token
|
|
|
|
@doc """
|
|
Generates an API token. Responds with the token if the user
|
|
provides the correct password
|
|
"""
|
|
def create(conn, %{"handle" => handle, "password" => given_password}) do
|
|
case Repo.one(
|
|
from d in Denizen,
|
|
where: d.handle == ^handle,
|
|
select: %{id: d.id, password: d.password}
|
|
) do
|
|
nil ->
|
|
conn
|
|
|> put_status(404)
|
|
|> json(%{"error" => "No user with handle #{handle}"})
|
|
|
|
denizen ->
|
|
%{id: denizen_id, password: real_password_hash} = denizen
|
|
|
|
if Bcrypt.verify_pass(given_password, real_password_hash) do
|
|
{:ok, token_struct} = Token.new(denizen_id)
|
|
|
|
conn
|
|
|> put_status(201)
|
|
|> json(Map.take(token_struct, [:token, :expires]))
|
|
else
|
|
# Reject the request, as passwords don't match
|
|
conn
|
|
|> put_status(401)
|
|
|> json(%{"error" => "Password mismatch"})
|
|
end
|
|
end
|
|
end
|
|
|
|
def create(conn, _params) do
|
|
conn
|
|
|> put_status(422)
|
|
|> json(%{"error" => "Missing required parameters"})
|
|
end
|
|
|
|
@doc """
|
|
Responds with 200 OK if the requester's `Bearing` header
|
|
contains a valid, non-expired API token, along with a
|
|
payload with an `expires` key detailing when the key
|
|
expires.
|
|
"""
|
|
def verify(conn, _params) do
|
|
conn
|
|
|> put_status(200)
|
|
|> json(%{"expires" => conn.assigns[:token].expires})
|
|
end
|
|
|
|
@doc """
|
|
Deletes the token the requester used in the `Bearing` header
|
|
"""
|
|
def revoke(conn, %{"id" => id_param}) do
|
|
with {:parsed_id, {id, ""}} <- {:parsed_id, Integer.parse(id_param, 10)},
|
|
{:ok, token} <- fetch_token(id, conn) do
|
|
Repo.delete_all(from t in Token, where: t.id == ^token.id)
|
|
|
|
conn
|
|
|> send_resp(200, "")
|
|
else
|
|
_ ->
|
|
conn
|
|
|> put_status(404)
|
|
|> json(%{"error" => "Token not found"})
|
|
end
|
|
end
|
|
|
|
@doc """
|
|
Deletes the token the requester used in the `Bearing` header
|
|
and responds with a new one if the old one was valid and unexpired
|
|
"""
|
|
def renew(conn, %{"id" => id_param}) do
|
|
with {:parsed_id, {id, ""}} <- {:parsed_id, Integer.parse(id_param, 10)},
|
|
{:ok, token} <- fetch_token(id, conn) do
|
|
Repo.delete_all(from t in Token, where: t.id == ^token.id)
|
|
|
|
{:ok, new_token} = Token.new(conn.assigns[:denizen].id)
|
|
|
|
conn
|
|
|> put_status(201)
|
|
|> json(Map.take(new_token, [:token, :expires]))
|
|
else
|
|
_ ->
|
|
conn
|
|
|> put_status(404)
|
|
|> json(%{"error" => "Token not found"})
|
|
end
|
|
end
|
|
|
|
defp fetch_token(id, conn) do
|
|
if id == conn.assigns[:token].id do
|
|
{:ok, conn.assigns[:token]}
|
|
else
|
|
case Repo.one(from t in Token, where: t.id == ^id) do
|
|
nil -> {:error, :token_not_found}
|
|
token ->
|
|
# If the denizen doesn't own it, we lie about its existence
|
|
if token.denizen_id == conn.assigns[:denizen].id do
|
|
{:ok, token}
|
|
else
|
|
{:error, :token_not_found}
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|