#
# Copyright (C) 2015 - present Instructure, Inc.
#
# This file is part of Canvas.
#
# Canvas is free software: you can redistribute it and/or modify it under
# the terms of the GNU Affero General Public License as published by the Free
# Software Foundation, version 3 of the License.
#
# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
# details.
#
# You should have received a copy of the GNU Affero General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
# @API JWTs
# @beta
# Short-term tokens useful for talking to other services in the Canvas Ecosystem.
# Note: JWTs have no value or use directly against the Canvas API, and they expire
# after one hour.
#
# @model JWT
# {
# "properties": {
# "token": {
# "description": "The signed, encrypted, base64 encoded JWT",
# "example": "ZXlKaGJHY2lPaUprYVhJaUxDSmxibU1pT2lKQk1qVTJSME5OSW4wLi5QbnAzS1QzLUJkZ3lQZHgtLm5JT0pOV01iZmdtQ0g3WWtybjhLeHlMbW13cl9yZExXTXF3Y0IwbXkzZDd3V1NDd0JYQkV0UTRtTVNJSVRrX0FJcG0zSU1DeThMcW5NdzA0ckdHVTkweDB3MmNJbjdHeWxOUXdveU5ZZ3UwOEN4TkZteUpCeW5FVktrdU05QlRyZXZ3Y1ZTN2hvaC1WZHRqM19PR3duRm5yUVgwSFhFVFc4R28tUGxoQVUtUnhKT0pNakx1OUxYd2NDUzZsaW9ZMno5NVU3T0hLSGNpaDBmSGVjN2FzekVJT3g4NExUeHlReGxYU3BtbFZ5LVNuYWdfbVJUeU5yNHNsMmlDWFcwSzZCNDhpWHJ1clJVVm1LUkVlVTl4ZVVJcTJPaWNpSHpfemJ0X3FrMjhkdzRyajZXRnBHSlZPNWcwTlUzVHlSWk5qdHg1S2NrTjVSQjZ1X2FzWTBScjhTY2VhNFk3Y2JFX01wcm54cFZTNDFIekVVSVRNdzVMTk1GLVpQZy52LVVDTkVJYk8zQ09EVEhPRnFXLUFR",
# "type": "string"
# }
# }
# }
#
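class JwtsController < ApplicationController
  # Both actions mint service JWTs on behalf of the current user, so the caller
  # must be a signed-in user and must not itself have authenticated with a JWT.
  before_action :require_user, :require_non_jwt_auth

  # @API Create JWT
  #
  # Create a unique jwt for using with other canvas services
  #
  # Generates a different JWT each time it's called, each one expires
  # after a short window (1 hour)
  #
  # @example_request
  #   curl 'https://<canvas>/api/v1/jwts' \
  #     -X POST \
  #     -H "Accept: application/json" \
  #     -H 'Authorization: Bearer <token>'
  #
  # @returns JWT
  def create
    # The host baked into the token is read from this request's Host header,
    # so it is only as trustworthy as the host allow-listing done upstream
    # (NOTE(review): confirm the deployment enforces that).
    services_jwt = Canvas::Security::ServicesJwt.for_user(
      request_host,
      @current_user,
      real_user: @real_current_user
    )
    render json: { token: services_jwt }
  end

  # @API Refresh JWT
  #
  # Refresh a JWT for use with other canvas services
  #
  # Generates a different JWT each time it's called, each one expires
  # after a short window (1 hour).
  #
  # @argument jwt [Required, String]
  #   An existing JWT token to be refreshed. The new token will have
  #   the same context and workflows as the existing token.
  #
  # @example_request
  #   curl 'https://<canvas>/api/v1/jwts/refresh' \
  #     -X POST \
  #     -H "Accept: application/json" \
  #     -H 'Authorization: Bearer <token>'
  #     -d 'jwt=<jwt>'
  #
  # @returns JWT
  def refresh
    jwt = params[:jwt]
    # A bare `nil?` check let an empty string, or a structured param such as
    # `jwt[x]=y` (which arrives as a Parameters object rather than a String),
    # through to refresh_for_user. Only a non-empty String is a candidate token;
    # anything else is reported as missing.
    unless jwt.is_a?(String) && !jwt.empty?
      return render(json: { errors: { jwt: "required" } }, status: 400)
    end

    services_jwt = Canvas::Security::ServicesJwt.refresh_for_user(
      jwt,
      request_host,
      @current_user,
      real_user: @real_current_user
    )
    render json: { token: services_jwt }
  rescue Canvas::Security::ServicesJwt::InvalidRefresh
    # Whatever reason ServicesJwt had for rejecting the token, the caller only
    # sees a generic 400; the detail stays server-side.
    render(json: { errors: { jwt: "invalid refresh" } }, status: 400)
  end

  private

  # Refuses to mint a new JWT for a caller that authenticated with a JWT.
  # Rendering inside a before_action halts the filter chain, so neither
  # create nor refresh runs once this responds.
  def require_non_jwt_auth
    return unless @authenticated_with_jwt

    render(
      json: { error: "cannot generate a JWT when authorized by a JWT" },
      status: 403
    )
  end

  # Host the token is issued for, taken from the Host header of this request.
  # Shared by both actions so they cannot drift on where the host comes from.
  def request_host
    request.env['HTTP_HOST']
  end
end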