From 932d2304f9ebdc0c74ab0d3623ad213701d69bdb Mon Sep 17 00:00:00 2001
From: cktricky
Date: Wed, 12 Mar 2014 12:38:41 -0400
Subject: [PATCH 1/3] okay first run at making an API for railsgoat
---
 app/controllers/api/v1/users_controller.rb | 11 +++++++++++
 app/helpers/api/v1/users_helper.rb | 2 ++
 config/routes.rb | 8 +++++++-
 spec/controllers/api/v1/users_controller_spec.rb | 5 +++++
 spec/helpers/api/v1/users_helper_spec.rb | 15 +++++++++++++++
 5 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 app/controllers/api/v1/users_controller.rb
 create mode 100644 app/helpers/api/v1/users_helper.rb
 create mode 100644 spec/controllers/api/v1/users_controller_spec.rb
 create mode 100644 spec/helpers/api/v1/users_helper_spec.rb
diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb
new file mode 100644
index 0000000..2afc41e
--- /dev/null
+++ b/app/controllers/api/v1/users_controller.rb
@@ -0,0 +1,11 @@
+class Api::V1::UsersController < ApplicationController
+
+ skip_before_filter :authenticated
+
+ respond_to :json
+
+ def index
+ respond_with ({:hi => :world})
+ end
+
+end
diff --git a/app/helpers/api/v1/users_helper.rb b/app/helpers/api/v1/users_helper.rb
new file mode 100644
index 0000000..4d5288c
--- /dev/null
+++ b/app/helpers/api/v1/users_helper.rb
@@ -0,0 +1,2 @@
+module Api::V1::UsersHelper
+end
diff --git a/config/routes.rb b/config/routes.rb
index 9c21e1a..2383276 100755
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -33,7 +33,7 @@ Railsgoat::Application.routes.draw do
 resources :messages do
 end
-
+
 end
 get "download" => "benefit_forms#download"
@@ -81,6 +81,12 @@ Railsgoat::Application.routes.draw do
 get "home"
 end
 end
+
+ namespace :api, defaults: {format: 'json'} do
+ namespace :v1 do
+ resources :users
+ end
+ end
 root :to => "sessions#new"
diff --git a/spec/controllers/api/v1/users_controller_spec.rb b/spec/controllers/api/v1/users_controller_spec.rb
new file mode 100644
index 0000000..184b048
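Review bot: `skip_before_filter :authenticated` removes the application's session check from this controller and the hunk adds no replacement filter, so the new `index` action — and whatever it grows into — is reachable by anyone; if the API is meant to require a credential, its own before_filter belongs in the same commit rather than leaving the gap open. Minor: `respond_with ({:hi => :world})` puts a space before the parenthesis, which Ruby parses as a parenthesized argument expression and warns about; write `respond_with({:hi => :world})`.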
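Review bot: `resources :users` inside the new `api/v1` namespace routes all seven RESTful actions (index, show, new, create, edit, update, destroy) while `Api::V1::UsersController` defines only `index`, so six of the generated paths point at actions the controller cannot handle, and `new`/`edit` have no meaning for a namespace that defaults to JSON. Declare only what exists, `resources :users, only: [:index]`, and widen the list as actions are added. The enclosing `routes.draw` block starts and ends outside the hunk.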
--- /dev/null
+++ b/spec/controllers/api/v1/users_controller_spec.rb
@@ -0,0 +1,5 @@
+require 'spec_helper'
+
+describe Api::V1::UsersController do
+
+end
diff --git a/spec/helpers/api/v1/users_helper_spec.rb b/spec/helpers/api/v1/users_helper_spec.rb
new file mode 100644
index 0000000..13a6067
--- /dev/null
+++ b/spec/helpers/api/v1/users_helper_spec.rb
@@ -0,0 +1,15 @@
+require 'spec_helper'
+
+# Specs in this file have access to a helper object that includes
+# the Api::V1::UsersHelper. For example:
+#
+# describe Api::V1::UsersHelper do
+# describe "string concat" do
+# it "concats two strings with spaces" do
+# expect(helper.concat_strings("this","that")).to eq("this that")
+# end
+# end
+# end
+describe Api::V1::UsersHelper do
+ pending "add some examples to (or delete) #{__FILE__}"
+end
From f4f5d5744cc064a3612d87bb885061d5a09d96f3 Mon Sep 17 00:00:00 2001
From: cktricky
Date: Wed, 12 Mar 2014 13:24:37 -0400
Subject: [PATCH 2/3] working on the auth structure for the API
---
 app/controllers/api/v1/users_controller.rb | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb
index 2afc41e..5f59b33 100644
--- a/app/controllers/api/v1/users_controller.rb
+++ b/app/controllers/api/v1/users_controller.rb
@@ -1,11 +1,20 @@
 class Api::V1::UsersController < ApplicationController
 skip_before_filter :authenticated
-
+ before_filter :valid_api_token
+
 respond_to :json
- def index
- respond_with ({:hi => :world})
+ def valid_api_token
+ authenticate_or_request_with_http_token do |token, options|
+ # TODO :add some functionality to check if the HTTP Header is valid
+ return true
+ end
 end
-
+
+ def index
+ respond_with User.all
+ end
+
+
 end
From 95eb5a56fdecc079c727affe14472fb7a0492727 Mon Sep 17 00:00:00 2001
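Review bot: `return true` inside the `authenticate_or_request_with_http_token` block is a non-local return from `valid_api_token`, so the helper never sees the block's result and its 401 fallback can only fire when no `Token` header is present at all; as a placeholder the block's last expression should simply be `true`, and the filter belongs under `private` rather than as a public method on the controller. The `# TODO` already says the token is not checked, so until it is, every request carrying any token value passes this filter. Separately, `respond_with User.all` serializes every attribute of every `User` row to the caller; restrict the fields (`as_json(only: [...])` or a serializer) before exposing the collection.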
From: cktricky
Date: Wed, 12 Mar 2014 15:40:12 -0400
Subject: [PATCH 3/3] added vulnerable auth check for the API
---
 app/controllers/api/v1/users_controller.rb | 43 ++++++++++++++++++----
 config/initializers/constants.rb | 1 +
 2 files changed, 36 insertions(+), 8 deletions(-)
 create mode 100644 config/initializers/constants.rb
diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb
index 5f59b33..a23daf3 100644
--- a/app/controllers/api/v1/users_controller.rb
+++ b/app/controllers/api/v1/users_controller.rb
@@ -2,19 +2,46 @@ class Api::V1::UsersController < ApplicationController
 skip_before_filter :authenticated
 before_filter :valid_api_token
+ before_filter :extrapolate_user
 respond_to :json
- def valid_api_token
- authenticate_or_request_with_http_token do |token, options|
- # TODO :add some functionality to check if the HTTP Header is valid
- return true
- end
- end
-
 def index
- respond_with User.all
+ respond_with @user
 end
+private
+
+ def valid_api_token
+ authenticate_or_request_with_http_token do |token, options|
+ # TODO :add some functionality to check if the HTTP Header is valid
+ identify_user(token)
+ end
+ end
+
+ def identify_user(token="")
+ # We've had issues with URL encoding, etc. causing issues so just to be safe
+ # we will go ahead and unescape the user's token
+ unescape_token(token)
+ @clean_token =~ /(.*?)-(.*)/
+ id = $1
+ hash = $2
+ (id && hash) ? true : false
+ check_hash(id, hash) ? true : false
+ end
+
+ def check_hash(id, hash)
+ digest = OpenSSL::Digest::SHA1.hexdigest("#{ACCESS_TOKEN_SALT}:#{id}")
+ hash == digest
+ end
+
+ def unescape_token(token="")
+ @clean_token = CGI::unescape(token)
+ end
+
+ # Added a method to make it easy to figure out who the user is.
+ def extrapolate_user
+ @user = User.find_by_id(@clean_token.split("-").first)
+ end
 end
diff --git a/config/initializers/constants.rb b/config/initializers/constants.rb
new file mode 100644
index 0000000..7fdcd8f
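Review bot: In `identify_user` the line `(id && hash) ? true : false` is a discarded expression, so when the regex does not match the method still calls `check_hash(nil, nil)` and only passes because `nil == digest` happens to be false; it should be a guard, `return false unless id && hash`. `check_hash` compares the presented value with `==`, which stops at the first differing byte, and the digest is a bare SHA1 over one application-wide constant, so `ACCESS_TOKEN_SALT` is the only secret in the scheme and every user's token is derivable from it — use `Rack::Utils.secure_compare` for the comparison, and prefer a random per-user token stored on the record (or at least an HMAC keyed by a per-deployment secret) over a digest of the id. The local name `hash` also shadows `Object#hash`, and the unanchored `/(.*?)-(.*)/` read back through `$1`/`$2` is clearer as an anchored `match` with captures. The `class` line is outside the hunk.
```ruby
  def identify_user(token = "")
    # … unchanged: comment and unescape_token(token) …
    match = @clean_token.match(/\A(.*?)-(.*)\z/)
    return false unless match
    user_id, presented_digest = match.captures
    check_hash(user_id, presented_digest)
  end

  def check_hash(id, presented_digest)
    digest = OpenSSL::Digest::SHA1.hexdigest("#{ACCESS_TOKEN_SALT}:#{id}")
    Rack::Utils.secure_compare(presented_digest, digest)
  end
```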
--- /dev/null
+++ b/config/initializers/constants.rb
@@ -0,0 +1 @@
+ACCESS_TOKEN_SALT = "S4828341189aefiasd#ASDF"
\ No newline at end of file
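Review bot: `ACCESS_TOKEN_SALT` is a literal secret committed to the repository in an initializer every environment loads; since `check_hash` derives each API token from this one value, anyone with read access to the source or its history holds the only credential the API checks. Load it from the environment or a gitignored secrets file, `ACCESS_TOKEN_SALT = ENV.fetch("ACCESS_TOKEN_SALT")`, so that development, test and production do not share a published value. The file also lacks a trailing newline.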