address review

428e2d83 · o@immerda.ch · 9d76c4c0 · 428e2d83 · 428e2d83
Commit 428e2d83 authored Sep 10, 2021 by o@immerda.ch
--- a/lib/iapi/helpers/api_token.rb
+++ b/lib/iapi/helpers/api_token.rb
@@ -15,8 +15,9 @@ module ApiTokenHelpers
    end
  end

-  def api_token_age(email, token)
-    return Float::INFINITY unless token
+  def api_token_age(email)
+    token = parsed_body['token']
+    return nil unless token.present?
    catch :secretbox_open_err do
      ticket = Base64.decode64(token)
      return false unless ticket
@@ -31,7 +32,7 @@ module ApiTokenHelpers
        end
      end
    end
-    Float::INFINITY
+    nil
  end

  def self.valid_api_token?(token, email, kind)

--- a/lib/iapi/routes/auth.rb
+++ b/lib/iapi/routes/auth.rb
@@ -12,21 +12,14 @@ class IApi < Sinatra::Base
      end
    end

-    def valid_reissue_token(email)
-      if parsed_body['token'].present?
-        return api_token_age(email, parsed_body['token'])
-      end
-      false
-    end
-
    post '/master_saml' do
      email = validate_email(parsed_body['email'].downcase)

      saml_req = parsed_body['saml_request']
      info = SamlManager.sp_info(saml_req)
      sps = application_specific_secret(info)
-      skip_2fa = valid_reissue_token(email) &&
-        valid_reissue_token(email) < IApiConf.tfa_validity
+      skip_2fa = api_token_age(email) &&
+        api_token_age(email) < IApiConf.tfa_validity

      user = AuthManager.auth(email, parsed_body,
                              false,
@@ -93,10 +86,10 @@ class IApi < Sinatra::Base
          allowed = IApiConf.acl.is_allowed_to_access?(email, saml[:plain_issuer])
        end

-        if saml && allowed && valid_reissue_token(email)
-          valid = valid_reissue_token(email) < saml[:max_reissue_time]
+        if saml && allowed && api_token_age(email)
+          valid = api_token_age(email) < saml[:max_reissue_time]
          valid_with_tfa =
-            valid_reissue_token(email) < saml[:max_reissue_time_2fa]
+            api_token_age(email) < saml[:max_reissue_time_2fa]

          # if the user has webauthn and we are within the :max_reissue_time_2fa
          # then we only ask for a challenge and not for the full password.
@@ -154,8 +147,8 @@ class IApi < Sinatra::Base
    post '/handoff' do
      email = validate_email(parsed_body['email'].downcase)
      user = nil
-      skip_2fa = valid_reissue_token(email) &&
-        valid_reissue_token(email) < IApiConf.tfa_validity
+      skip_2fa = api_token_age(email) &&
+        api_token_age(email) < IApiConf.tfa_validity
      do_auth = -> do
        user = AuthManager.auth(email, parsed_body,
                                false,