I'm overriding Doorkeeper's AuthorizationsController. As the docs suggested, I inherit from the AuthorizationsController. The code below shows my latest attempt at the override.
What I currently have

```ruby
class AuthorizationsController < Doorkeeper::AuthorizationsController
  def new
    application = Application.find(authorization.authorize.pre_auth.client.id) # authorization.authorize performs the grant (issues the token) before the client is looked up
    resource_owner = User.find(current_resource_owner) # current_resource_owner comes from resource_owner_authenticator
    if application.users.exclude?(resource_owner) && application.owner != resource_owner # added check: only the app's owner or one of its users may continue
      render :error
    elsif pre_auth.authorizable?
      if skip_authorization? || matching_token?
        auth = authorization.authorize
        redirect_to auth.redirect_uri
      else
        render :new
      end
    else
      render :error
    end
  end
end
```

Basically, add an extra if statement around the new Authorization Doorkeeper process. I've added lines 3-7; currently that works fine. It returns me :error if line 6 is equal to true.

My question

I can still see the AccessToken via the browser URL and the server log. So as a user, I could still use this AccessToken to retrieve some data with Postman, for example, even though it gave me an error when signing in. Why is this? And how could I prevent this from happening?
If you check the introduction to OAuth2 written by DigitalOcean, my if statement still succeeds on step 3 'User-agent Receives Access Token with Redirect URI', because I can see the AccessToken with the redirect URI in my browser URL. And after step 3 it gives me the :error.
UPDATE

The whole process of generating an AccessToken is already finished before my override on the AuthorizationsController starts. I added a simple before_action to print to the server log, but before that

Doorkeeper::AccessToken Load (0.9ms) SELECT 'oauth_access_tokens'.* FROM 'oauth_access_tokens' WHERE 'oauth_access_tokens'.'token' = 'x' LIMIT 1

happens.
You are assuming that the token you see in your browser URL is an OAuth access_token. It is actually just a JWT (JSON Web Token). I'm assuming this token is some sort of session token because the user has not been authorized by Doorkeeper to use the application. You're wrongfully assuming that your OAuth flow reaches the 'User-agent Receives Access Token with Redirect URI' step.
The token in your url is not harmful at all, so there is no reason for you to prevent your application from issuing one. If the user discontinues their session, the token becomes useless.
Hope this helps :)
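The following is an added example, not code from the question, the answer or Doorkeeper itself. It shows the ordering a practitioner would use: the "may this user use this client?" check runs before anything that can issue a grant. In Doorkeeper, `authorization.authorize` is the call that creates the access grant (authorization-code flow) or the access token (implicit flow), so `Application.find(authorization.authorize.pre_auth.client.id)` issues the token before the guard is ever evaluated, which matches the `Doorkeeper::AccessToken Load` line appearing ahead of the `before_action` in the UPDATE. The client is available without side effects as `pre_auth.client.application` (Doorkeeper's `OAuth::Client` wrapper exposes the `Application` record). `Application#owner`, `Application#users` and `current_resource_owner` are taken from the question; `FakeApplication`, `FakePreAuth`, `FakeAuthorization` and `FakeHost` are test doubles constructed here so the module can be exercised offline and the two orderings compared, and are not Rails or Doorkeeper objects.

```ruby
# Added example: guard-first override of Doorkeeper's `new` action.
# Mix into the real controller with:
#   class AuthorizationsController < Doorkeeper::AuthorizationsController
#     include OwnerOnlyAuthorization
#   end
# `pre_auth`, `authorization`, `skip_authorization?`, `matching_token?` and
# `current_resource_owner` are the helpers Doorkeeper's controller provides.
module OwnerOnlyAuthorization
  # Policy as a pure function: the application's owner or one of its users
  # may authorize it (associations named as in the question).
  def self.allowed?(application, user)
    application.owner == user || application.users.include?(user)
  end

  def new
    application = pre_auth.client.application # read-only: no grant issued here
    return render(:error) unless OwnerOnlyAuthorization.allowed?(application, current_resource_owner)
    return render(:error) unless pre_auth.authorizable?

    if skip_authorization? || matching_token?
      redirect_to authorization.authorize.redirect_uri # the only line that creates a grant
    else
      render :new
    end
  end
end

# ---- Constructed stand-ins (test doubles, not Rails/Doorkeeper objects) ----
FakeApplication = Struct.new(:owner, :users)
FakeClient      = Struct.new(:application)
FakeResponse    = Struct.new(:redirect_uri, :pre_auth)

class FakePreAuth
  attr_reader :client
  def initialize(application, authorizable)
    @client = FakeClient.new(application)
    @authorizable = authorizable
  end
  def authorizable?; @authorizable; end
end

# Mimics Doorkeeper's request object: `authorize` has the side effect of
# issuing a grant, which is counted so the two orderings can be compared.
class FakeAuthorization
  attr_reader :issued
  def initialize(pre_auth)
    @pre_auth = pre_auth
    @issued = 0
  end
  def authorize
    @issued += 1
    FakeResponse.new("https://client.example/cb#access_token=issued", @pre_auth)
  end
end

class FakeHost
  include OwnerOnlyAuthorization
  attr_reader :rendered, :redirected_to, :authorization, :pre_auth

  def initialize(application:, user:, authorizable: true, skip: true)
    @pre_auth = FakePreAuth.new(application, authorizable)
    @authorization = FakeAuthorization.new(@pre_auth)
    @user, @skip = user, skip
  end

  def current_resource_owner; @user; end
  def skip_authorization?;    @skip; end
  def matching_token?;        false; end
  def render(view);           @rendered = view; end
  def redirect_to(uri);       @redirected_to = uri; end

  # The ordering from the question, for contrast: the client lookup itself
  # goes through `authorize`, so a grant exists before the check runs.
  def new_with_lookup_through_authorize
    application = authorization.authorize.pre_auth.client.application
    return render(:error) unless OwnerOnlyAuthorization.allowed?(application, current_resource_owner)
    redirect_to authorization.authorize.redirect_uri
  end
end

# Runs one scenario; returns [view rendered, redirect target, grants issued].
# The app is owned by "alice" with "bob" as an attached user; "mallory" is neither.
def run(order:, user:)
  app  = FakeApplication.new("alice", ["bob"])
  host = FakeHost.new(application: app, user: user)
  order == :guard_first ? host.new : host.new_with_lookup_through_authorize
  [host.rendered, host.redirected_to, host.authorization.issued]
end

if __FILE__ == $PROGRAM_NAME
  p run(order: :lookup_through_authorize, user: "mallory") # [:error, nil, 1]: error page, yet a grant was issued
  p run(order: :guard_first,              user: "mallory") # [:error, nil, 0]
  p run(order: :guard_first,              user: "bob")     # [nil, "https://client.example/cb#access_token=issued", 1]
end
```

With the guard first, a rejected user gets the error page and no token or grant is written, so there is nothing to copy out of the URL or the log. Prefer raising or rendering before `authorization.authorize` over trying to revoke afterwards: a token that was never issued needs no cleanup.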