FIX: client duplicate registration should be cleaned up

If for any reason we are unable to correct client id on a user api key invalidate old keys for client/user
2018-08-22 12:56:49 +10:00 · 2018-08-22 12:56:49 +10:00 · 272de95175
parent 5d96809abd
commit 272de95175
2 changed files with 28 additions and 0 deletions
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@ -259,7 +259,15 @@ class Auth::DefaultCurrentUserProvider
      end

      api_key.update_columns(last_used_at: Time.zone.now)
+
      if client_id.present? && client_id != api_key.client_id
+
+        # invalidate old dupe api key for client if needed
+        UserApiKey
+          .where(client_id: client_id, user_id: api_key.user_id)
+          .where('id <> ?', api_key.id)
+          .destroy_all
+
        api_key.update_columns(client_id: client_id)
      end

--- a/spec/components/auth/default_current_user_provider_spec.rb
+++ b/spec/components/auth/default_current_user_provider_spec.rb
@ -368,6 +368,26 @@ describe Auth::DefaultCurrentUserProvider do
      )
    end

+    it "can clear old duplicate keys correctly" do
+      dupe = UserApiKey.create!(
+        application_name: 'my app',
+        client_id: '12345',
+        scopes: ['read'],
+        key: SecureRandom.hex,
+        user_id: user.id
+      )
+
+      params = {
+        "REQUEST_METHOD" => "GET",
+        "HTTP_USER_API_KEY" => api_key.key,
+        "HTTP_USER_API_CLIENT_ID" => dupe.client_id,
+      }
+
+      good_provider = provider("/", params)
+      expect(good_provider.current_user.id).to eq(user.id)
+      expect(UserApiKey.find_by(id: dupe.id)).to eq(nil)
+    end
+
    it "allows user API access correctly" do
      params = {
        "REQUEST_METHOD" => "GET",