Commit 428e2d83 authored Sep 10, 2021 by o@immerda.ch
address review
parent 9d76c4c0
Pipeline #8606 passed with stage in 2 minutes and 47 seconds
lib/iapi/helpers/api_token.rb
...
...
@@ -15,8 +15,9 @@ module ApiTokenHelpers
end
end
def
api_token_age
(
email
,
token
)
return
Float
::
INFINITY
unless
token
def
api_token_age
(
email
)
token
=
parsed_body
[
'token'
]
return
nil
unless
token
.
present?
catch
:secretbox_open_err
do
ticket
=
Base64
.
decode64
(
token
)
return
false
unless
ticket
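Review bot: the new `return nil unless token.present?` guard and the existing `return false unless ticket` inside the `catch` block give `api_token_age` two different falsy sentinels for "no usable token"; settle on one (nil, which is also what the end of the method now returns) so callers can rely on a single contract. Also, `Base64.decode64` always returns a String (an empty one for undecodable input), so `return false unless ticket` can never fire; if the intent is to reject an empty or malformed token, test `ticket.empty?` or let the secretbox open fail instead. Finally, the helper now reads `parsed_body['token']` itself rather than taking `token` as a parameter, which ties it to the request context; that is acceptable for a Sinatra helper, but a one-line comment above the `def` would make the hidden input obvious.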
...
...
@@ -31,7 +32,7 @@ module ApiTokenHelpers
end
end
end
Float
::
INFINITY
nil
end
def
self
.
valid_api_token?
(
token
,
email
,
kind
)
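Review bot: the fall-through return value changes from `Float::INFINITY` to `nil`, which silently changes the contract for any caller that compares the result directly: `Float::INFINITY < x` was simply false, whereas `nil < x` raises NoMethodError. The call sites updated in this commit all guard with `api_token_age(email) && ...`, but `valid_api_token?` directly below and any other remaining caller should be checked for the same guard. Please document the return value (the token age, or nil when no valid token was supplied) above the `def` so the next reader does not reintroduce an unguarded comparison.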
...
...
lib/iapi/routes/auth.rb
...
...
@@ -12,21 +12,14 @@ class IApi < Sinatra::Base
end
end
def
valid_reissue_token
(
email
)
if
parsed_body
[
'token'
].
present?
return
api_token_age
(
email
,
parsed_body
[
'token'
])
end
false
end
post
'/master_saml'
do
email
=
validate_email
(
parsed_body
[
'email'
].
downcase
)
saml_req
=
parsed_body
[
'saml_request'
]
info
=
SamlManager
.
sp_info
(
saml_req
)
sps
=
application_specific_secret
(
info
)
skip_2fa
=
valid_reissue
_token
(
email
)
&&
valid_reissue
_token
(
email
)
<
IApiConf
.
tfa_validity
skip_2fa
=
api
_token
_age
(
email
)
&&
api
_token
_age
(
email
)
<
IApiConf
.
tfa_validity
user
=
AuthManager
.
auth
(
email
,
parsed_body
,
false
,
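Review bot: `api_token_age(email)` is evaluated twice in the `skip_2fa` assignment, once for the truthiness check and once for the `< IApiConf.tfa_validity` comparison, and after this change each call re-reads `parsed_body['token']`, base64-decodes it and opens the secretbox. Bind it once, e.g. `age = api_token_age(email)` followed by `skip_2fa = age && age < IApiConf.tfa_validity`. Removing the `valid_reissue_token` wrapper is fine, but since the identical expression appears again in `/handoff` below, a small shared helper (a `skip_2fa?(email)`, name only a suggestion) would keep the two paths from drifting apart.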
...
...
@@ -93,10 +86,10 @@ class IApi < Sinatra::Base
allowed
=
IApiConf
.
acl
.
is_allowed_to_access?
(
email
,
saml
[
:plain_issuer
])
end
if
saml
&&
allowed
&&
valid_reissue
_token
(
email
)
valid
=
valid_reissue
_token
(
email
)
<
saml
[
:max_reissue_time
]
if
saml
&&
allowed
&&
api
_token
_age
(
email
)
valid
=
api
_token
_age
(
email
)
<
saml
[
:max_reissue_time
]
valid_with_tfa
=
valid_reissue
_token
(
email
)
<
saml
[
:max_reissue_time_2fa
]
api
_token
_age
(
email
)
<
saml
[
:max_reissue_time_2fa
]
# if the user has webauthn and we are within the :max_reissue_time_2fa
# then we only ask for a challenge and not for the full password.
...
...
@@ -154,8 +147,8 @@ class IApi < Sinatra::Base
post
'/handoff'
do
email
=
validate_email
(
parsed_body
[
'email'
].
downcase
)
user
=
nil
skip_2fa
=
valid_reissue
_token
(
email
)
&&
valid_reissue
_token
(
email
)
<
IApiConf
.
tfa_validity
skip_2fa
=
api
_token
_age
(
email
)
&&
api
_token
_age
(
email
)
<
IApiConf
.
tfa_validity
do_auth
=
->
do
user
=
AuthManager
.
auth
(
email
,
parsed_body
,
false
,
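Review bot: same double evaluation as in `/master_saml`: `skip_2fa = api_token_age(email) && api_token_age(email) < IApiConf.tfa_validity` decodes and opens the token twice; use a local `age` here as well. This line and the one in `/master_saml` are now textually identical, so a single shared helper would be the natural home for the `< IApiConf.tfa_validity` policy and avoids the two routes diverging later.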
...
...