Commit 97df325

mo <mo@mokhan.ca>
2018-10-13 17:24:55
store client secrets as a bcrypt hash
1 parent eb1636f
Changed files (6)
app/controllers/my/clients_controller.rb
@@ -18,7 +18,7 @@ module My
     private
 
     def secure_params
-      params.require(:client).permit(:name, :secret, :redirect_uri)
+      params.require(:client).permit(:name, :password, :redirect_uri)
     end
   end
 end
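Review bot: Permitting `:password` in `secure_params` means the stored digest is derived from whatever value the request supplies; the `SecureRandom.base58(24)` assignment in the model's `after_initialize` only runs when no password has been assigned, so a caller that posts a `password` field effectively chooses the client secret. If the secret is meant to be server-generated, drop it from the permit list, `params.require(:client).permit(:name, :redirect_uri)`, and let the model callback set it. If instead the intent is that app/views/my/clients/new.html.erb round-trips the displayed value back through the form, that deserves a comment here, because the plaintext shown on the `new` page belongs to an unsaved instance and would otherwise differ from what gets stored. The `create`/`update` actions that consume these params are outside the hunk, so this is inferred from the permit list alone.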
app/models/client.rb
@@ -3,20 +3,16 @@
 class Client < ApplicationRecord
   RESPONSE_TYPES = %w[code token].freeze
   audited
-  has_secure_token :secret
+  has_secure_password
   has_many :authorizations
 
   validates :name, presence: true
-  validates :redirect_uri, presence: true, format: { with: /\A#{URI::regexp(['http', 'https'])}\z/ }
+  validates :redirect_uri, presence: true, format: { with: /\A#{URI.regexp(%w[http https])}\z/ }
   validates :uuid, presence: true, format: { with: ApplicationRecord::UUID }
 
   after_initialize do
     self.uuid = SecureRandom.uuid unless uuid
-    self.secret = self.class.generate_unique_secure_token unless secret
-  end
-
-  def authenticate(provided_secret)
-    return self if secret == provided_secret
+    self.password = SecureRandom.base58(24) unless password_digest
   end
 
   def access_token
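Review bot: The plaintext assigned in `after_initialize` exists only on this in-memory instance — `has_secure_password` persists just `password_digest`, so `client.password` is `nil` on any record loaded from the database. A comment above the assignment would stop the next reader from hunting for a way to recover the secret later, e.g. `# Generated once; only the bcrypt digest is stored, so the plaintext must be shown to the user from this instance.` Note that `has_secure_password` also brings its own presence, 72-byte maximum length and confirmation validations, which the 24-character base58 value satisfies, and that each `authenticate` call on the token endpoint now costs a bcrypt comparison, which is the intended trade-off but worth remembering when rate limiting that endpoint. The class body continues past `def access_token` outside the hunk.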
app/views/my/clients/new.html.erb
@@ -4,7 +4,7 @@
       <h1>Client</h1>
       <div data-controller="clients--new">
         <p>Client Id: <%= @client.to_param %></p>
-        <p>Secret: <%= @client.secret %></p>
+        <p>Secret: <%= @client.password %></p>
 
         <%= form_for @client, url: my_clients_path, method: :post do |form| %>
           <div class="form-group">
db/migrate/20180905011437_create_clients.rb
@@ -5,7 +5,7 @@ class CreateClients < ActiveRecord::Migration[5.2]
     create_table :clients do |t|
       t.string :uuid, null: false, index: true
       t.string :name, null: false
-      t.string :secret, null: false
+      t.string :password_digest, null: false
       t.string :redirect_uri, null: false
       t.timestamps null: false
     end
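Review bot: This edits migration `20180905011437_create_clients.rb` in place, but `db/schema.rb` is already at version `2018_09_23_234502`, so any database that ran the original migration keeps its `secret` column and never gains `password_digest`; only environments rebuilt from `db:schema:load` see the change. A new migration would migrate existing databases safely, e.g. `rename_column :clients, :secret, :password_digest` followed by an explicit reset of the existing rows, since the old column holds plaintext tokens that bcrypt cannot verify and the `null: false` constraint would otherwise carry those values over as bogus digests. The same applies to the hand-edited `db/schema.rb` hunk, which should be regenerated from the new migration rather than edited by hand.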
db/schema.rb
@@ -50,7 +50,7 @@ ActiveRecord::Schema.define(version: 2018_09_23_234502) do
   create_table "clients", force: :cascade do |t|
     t.string "uuid", null: false
     t.string "name", null: false
-    t.string "secret", null: false
+    t.string "password_digest", null: false
     t.string "redirect_uri", null: false
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
spec/requests/tokens_spec.rb
@@ -2,7 +2,7 @@ require 'rails_helper'
 
 RSpec.describe '/tokens' do
   let(:client) { create(:client) }
-  let(:credentials) { ActionController::HttpAuthentication::Basic.encode_credentials(client.uuid, client.secret) }
+  let(:credentials) { ActionController::HttpAuthentication::Basic.encode_credentials(client.uuid, client.password) }
   let(:headers) { { 'Authorization' => credentials } }
 
   describe "POST /oauth/token" do