Allow to pass required_params to token

required_params will be matched with actual params to check if the token may be used for authorization. For example if { job_id: 44 } is passed as a required param, the token will be rejected for GET /jobs/33
2013-05-08 01:14:20 +02:00 · 2013-05-08 01:14:20 +02:00 · 3b299cfec7
commit 3b299cfec7
parent 56d61ed461
2 changed files with 28 additions and 1 deletions
--- a/lib/travis/api/app/extensions/scoping.rb
+++ b/lib/travis/api/app/extensions/scoping.rb
@ -11,6 +11,16 @@ class Travis::Api::App
        def public?
          scope == :public
        end
+
+        def required_params_match?
+          return true unless token = env['travis.access_token']
+
+          if token.extra && (required_params = token.extra['required_params'])
+            required_params.all? { |name, value| params[name] == value }
+          else
+            true
+          end
+        end
      end

      def self.registered(app)
@ -24,7 +34,7 @@ class Travis::Api::App
          scopes = env['travis.access_token'].try(:scopes) || settings.anonymous_scopes

          result = names.any? do |name|
-            if scopes.include? name
+            if scopes.include?(name) && required_params_match?
              headers['X-OAuth-Scopes'] = scopes.map(&:to_s).join(',')
              headers['X-Accepted-OAuth-Scopes'] = name.to_s

--- a/spec/integration/scopes_spec.rb
+++ b/spec/integration/scopes_spec.rb
@ -8,6 +8,10 @@ describe 'App' do
      get '/hash', scope: [:foo, :bar] do
        respond_with foo: 'bar'
      end
+
+      get '/:job_id/log' do
+        respond_with job_id: params[:job_id]
+      end
    end
  end

@ -29,4 +33,17 @@ describe 'App' do
    response = get '/foo/hash', {}, 'HTTP_ACCEPT' => 'application/json', 'HTTP_AUTHORIZATION' => "token #{token.token}"
    response.status.should == 403
  end
+
+  it 'checks if required_params match the from the request' do
+    extra = {
+      required_params: { job_id: '10' }
+    }
+    token = Travis::Api::App::AccessToken.new(app_id: 1, user_id: 2, extra: extra).tap(&:save)
+
+    response = get '/foo/10/log', {}, 'HTTP_ACCEPT' => 'application/json', 'HTTP_AUTHORIZATION' => "token #{token.token}"
+    response.should be_successful
+
+    response = get '/foo/11/log', {}, 'HTTP_ACCEPT' => 'application/json', 'HTTP_AUTHORIZATION' => "token #{token.token}"
+    response.status.should == 403
+  end
 end