
Fix security flaw and add Soft(optional) authentication feature

Open Arinzeokeke opened this issue 7 years ago • 0 comments

Hi, here are my modifications in detail

  1. Security flaw in authenticate_for.
  • Using authenticate_for directly for namespaced models (any model actually) doesn't send back an Unauthorized header when an invalid/no token is sent, as authenticate_for doesn't check for that.

  • I added wrapper functions set_authenticate_for and set_soft_authenticated_for to fix that issue for strict and optional authentications respectively.

  2. Soft (Optional) Authentication
  • Some controllers may not require authentication but act slightly differently if authenticated. Example: they may add extra (private or user-specific) values to the JSON response if authenticated.

  • Modified method_missing in authenticable.rb to accept the soft_authenticate_<entity> method to implement said behaviour.

  • Also added set_soft_authenticate_for for the same functionality as explained in 1.

  3. Added tests to ensure changes are working

  4. Updated README

  • Updated readme to reflect changes

Arinzeokeke, Jun 03 '17 13:06
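The two behaviours the issue contrasts, as an added, self-contained example that is not knock's code and not the author's pull request: a minimal model of the Authenticable concern with a fake Rails-style controller. `authenticate_for` only looks the entity up and never renders, so a controller that calls it directly and carries on answers 200 to a bad token; the strict `authenticate_<entity>` dispatch sends 401 and halts the action, and the soft `soft_authenticate_<entity>` dispatch sets `@current_user` when the token is valid and otherwise continues with the public response. The HMAC-signed `id.signature` token, the `USERS` table, the `FakeController` class and the `demo` function are assumptions made for this example; the issue's `set_authenticate_for` / `set_soft_authenticated_for` wrappers are not reproduced, only the `method_missing` dispatch they build on.

```ruby
require "openssl"

# Constructed stand-in for knock's JWT handling: a token is "user_id.hex_hmac"
# signed with SECRET. Assumption for this example, not the gem's format.
SECRET = "example-secret-for-demo-only".freeze
USERS  = { 1 => { id: 1, name: "alice", email: "alice@example.test" } }.freeze

def issue_token(user_id)
  "#{user_id}.#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, user_id.to_s)}"
end

# Constant-time comparison so a forged signature is not rejected byte-by-byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the user id for a valid token, nil for a missing, malformed or forged one.
def verify_token(token)
  return nil if token.nil?
  id, sig = token.split(".", 2)
  return nil if id.nil? || sig.nil?
  secure_equal?(OpenSSL::HMAC.hexdigest("SHA256", SECRET, id), sig) ? id.to_i : nil
end

class User
  def self.find(id)
    USERS[id]
  end
end
ENTITIES = { "user" => User }.freeze

# Model of the Authenticable concern (assumption, not knock's code).
module Authenticable
  # Looks the entity up from the bearer token. Returns nil on failure and
  # renders nothing, which is the gap the issue describes.
  def authenticate_for(entity_class)
    id = verify_token(request_token)
    id && entity_class.find(id)
  end

  # authenticate_<entity>: strict, sends 401 and halts when there is no entity.
  # soft_authenticate_<entity>: optional, sets @current_<entity> or leaves it nil.
  def method_missing(name, *args, &blk)
    m = name.to_s.match(/\A(soft_)?authenticate_(\w+)\z/)
    return super unless m && (klass = ENTITIES[m[2]])
    entity = authenticate_for(klass)
    instance_variable_set("@current_#{m[2]}", entity)
    head(401) if entity.nil? && m[1].nil?
    entity
  end

  def respond_to_missing?(name, include_private = false)
    m = name.to_s.match(/\A(soft_)?authenticate_(\w+)\z/)
    (m && ENTITIES.key?(m[2])) || super
  end
end

# Tiny controller harness: before_action callbacks, head halts the chain.
class FakeController
  include Authenticable
  attr_reader :status, :body

  def self.before_action(name)  = (@before_actions ||= []) << name
  def self.before_actions       = @before_actions || []

  def initialize(headers = {})
    @headers, @status, @body, @halted = headers, 200, nil, false
  end

  def request_token
    auth = @headers["Authorization"]
    auth && auth.sub(/\ABearer\s+/, "")
  end

  def head(status)
    @status, @halted = status, true
  end

  def render(json:)
    @body = json
  end

  def run(action)
    self.class.before_actions.each { |cb| send(cb); return self if @halted }
    send(action)
    self
  end
end

# Calls authenticate_for directly: an invalid token still yields a 200 response.
class FlawedPrivateController < FakeController
  def show
    @current_user = authenticate_for(User)
    render json: { secret: "only for #{@current_user && @current_user[:name]}" }
  end
end

# Strict: the before_action answers 401 and the action never runs on a bad token.
class StrictPrivateController < FakeController
  before_action :authenticate_user
  def show
    render json: { secret: "for #{@current_user[:name]}" }
  end
end

# Soft: public data for everyone, private field only when a valid token was sent.
class ProfileController < FakeController
  before_action :soft_authenticate_user
  def show
    data = { name: "alice" }
    data[:email] = @current_user[:email] if @current_user
    render json: data
  end
end

def demo
  good = "Bearer #{issue_token(1)}"
  bad  = "Bearer 1.deadbeef"   # constructed forged token
  {
    flawed_bad:  FlawedPrivateController.new("Authorization" => bad).run(:show).status,
    strict_bad:  StrictPrivateController.new("Authorization" => bad).run(:show).status,
    strict_good: StrictPrivateController.new("Authorization" => good).run(:show).status,
    soft_anon:   ProfileController.new({}).run(:show).body,
    soft_auth:   ProfileController.new("Authorization" => good).run(:show).body
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The flawed controller is what the issue's first point warns about: `flawed_bad` comes back 200 because nothing turned the nil from `authenticate_for` into a response, whereas the strict dispatch returns 401 and the soft dispatch returns the public body for an anonymous request and the private field for an authenticated one.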