Merge pull request #95 from OWASP/cktricky_mar_2014_updates

Cktricky mar 2014 updates

app/controllers/api/v1/users_controller.rb

@@ -0,0 +1,47 @@
+class Api::V1::UsersController < ApplicationController
+  
+   skip_before_filter :authenticated
+   before_filter :valid_api_token
+   before_filter :extrapolate_user
+  
+     respond_to :json
+     
+     def index
+      respond_with @user
+     end
+     
+private
+
+      def valid_api_token
+        authenticate_or_request_with_http_token do |token, options|
+          # TODO :add some functionality to check if the HTTP Header is valid
+          identify_user(token)
+        end
+      end
+     
+     def identify_user(token="")
+        # We've had issues with URL encoding, etc. causing issues so just to be safe
+        # we will go ahead and unescape the user's token
+        unescape_token(token)
+        @clean_token =~ /(.*?)-(.*)/
+        id = $1
+        hash = $2
+        (id && hash) ? true : false
+        check_hash(id, hash) ? true : false
+     end
+     
+     def check_hash(id, hash)
+      digest = OpenSSL::Digest::SHA1.hexdigest("#{ACCESS_TOKEN_SALT}:#{id}")
+      hash == digest 
+     end
+     
+     def unescape_token(token="")
+       @clean_token = CGI::unescape(token)
+     end
+     
+     # Added a method to make it easy to figure out who the user is.
+     def extrapolate_user
+       @user = User.find_by_id(@clean_token.split("-").first)
+     end
+     
+end

app/helpers/api/v1/users_helper.rb

@@ -0,0 +1,2 @@
+module Api::V1::UsersHelper
+end

config/initializers/constants.rb

@@ -0,0 +1 @@
+ACCESS_TOKEN_SALT = "S4828341189aefiasd#ASDF"

config/routes.rb

@@ -33,7 +33,7 @@ Railsgoat::Application.routes.draw do
 
     resources :messages do
     end
-
+  
   end
 
   get "download" => "benefit_forms#download"
@@ -81,6 +81,12 @@ Railsgoat::Application.routes.draw do
       get "home"
     end
   end
+  
+  namespace :api, defaults: {format: 'json'} do
+    namespace :v1 do
+        resources :users
+    end
+   end
 
 
   root :to => "sessions#new"

spec/controllers/api/v1/users_controller_spec.rb

@@ -0,0 +1,5 @@
+require 'spec_helper'
+
+describe Api::V1::UsersController do
+
+end

spec/helpers/api/v1/users_helper_spec.rb

@@ -0,0 +1,15 @@
+require 'spec_helper'
+
+# Specs in this file have access to a helper object that includes
+# the Api::V1::UsersHelper. For example:
+#
+# describe Api::V1::UsersHelper do
+#   describe "string concat" do
+#     it "concats two strings with spaces" do
+#       expect(helper.concat_strings("this","that")).to eq("this that")
+#     end
+#   end
+# end
+describe Api::V1::UsersHelper do
+  pending "add some examples to (or delete) #{__FILE__}"
+end