This repository has been archived by the owner on Mar 22, 2021. It is now read-only.

Fix security flaw and add Soft(optional) authentication feature #171

Open
wants to merge 8 commits into base: master

Conversation


@Arinzeokeke Arinzeokeke commented Jun 3, 2017

Hi, here are my modifications in detail

  1. Security flaw in authenticate_for.
  • Using authenticate_for directly for namespaced models (any model actually) doesn't send back an Unauthorized header when an invalid/no token is sent, as authenticate_for doesn't check for that.

  • I added wrapper functions set_authenticate_for and set_soft_authenticated_for to fix that issue for strict and optional authentication respectively.

  2. Soft (Optional) Authentication
  • Some controllers may not require authentication but act slightly differently if authenticated.
    Example: they may add extra (private or user-specific) values to the JSON response if authenticated.

  • Modified method_missing in authenticable.rb to accept the soft_authenticate_<entity> method to implement said behaviour.

  • Also added set_soft_authenticate_for for the same functionality as explained in 1.

  3. Added tests to ensure changes are working

  4. Updated README

  • Updated readme to reflect changes
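The strict-versus-soft split described in this PR, as an added illustration that is not the project's code: a plain-Ruby `Authenticable` concern whose `method_missing` routes `authenticate_<entity>` to a variant that raises `Unauthorized` (what a controller would turn into a 401) on a missing or invalid token, and `soft_authenticate_<entity>` to a variant that returns `nil` instead. The token store, `Unauthorized` error, header format and `Controller` class are constructed for the example.

```ruby
# Illustration only (not the project's own code): strict vs. soft authentication
# dispatched through method_missing, as the PR description explains.
class Unauthorized < StandardError; end

# Constructed token store: bearer token -> authenticated record.
TOKENS = { "tok-alice" => { id: 1, name: "alice" } }.freeze

module Authenticable
  # authenticate_<entity>      -> raise Unauthorized when the token is missing/invalid
  # soft_authenticate_<entity> -> return nil in that case and let the action continue
  def method_missing(name, *args)
    case name.to_s
    when /\Asoft_authenticate_(\w+)\z/ then authenticate_for($1, soft: true)
    when /\Aauthenticate_(\w+)\z/      then authenticate_for($1, soft: false)
    else super
    end
  end

  def respond_to_missing?(name, include_private = false)
    name.to_s.match?(/\A(soft_)?authenticate_\w+\z/) || super
  end

  private

  # The check the PR says the bare authenticate_for lacked: an absent or unknown
  # token is rejected (strict) or yields nil (soft) instead of passing silently.
  def authenticate_for(entity, soft:)
    token  = bearer_token
    record = token && TOKENS[token]
    return record if record
    raise Unauthorized, "invalid or missing token for #{entity}" unless soft
    nil
  end

  def bearer_token
    headers["Authorization"].to_s[/\ABearer (\S+)\z/, 1]
  end
end

class Controller
  include Authenticable
  attr_reader :headers
  def initialize(headers)
    @headers = headers
  end
end

# Helpers mirroring how a controller action would consume each variant.
def strict_result(headers)
  Controller.new(headers).authenticate_user
rescue Unauthorized
  :unauthorized # the point where a real controller renders 401
end

def soft_result(headers)
  Controller.new(headers).soft_authenticate_user
end
```

With no header, `strict_result` yields `:unauthorized` while `soft_result` yields `nil`; with `Authorization: Bearer tok-alice` both return alice's record.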
