do not store token from /auth/github

2013-01-11 16:49:08 +01:00 · 2013-01-11 16:49:08 +01:00 · 3d6defe3b1
commit 3d6defe3b1
parent ada6ee0f2c
2 changed files with 12 additions and 7 deletions
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@ -78,7 +78,7 @@ class Travis::Api::App
      #
      # * **github_token**: GitHub token for checking authorization (required)
      post '/github' do
-        { 'access_token' => github_to_travis(params[:github_token], app_id: 1) }
+        { 'access_token' => github_to_travis(params[:github_token], app_id: 1, drop_token: true) }
      end

      # Endpoint for making sure user authorized Travis CI to access GitHub.
@ -191,10 +191,11 @@ class Travis::Api::App
        end

        def github_to_travis(token, options = {})
-          generate_token options.merge(user: user_for_github_token(token))
+          drop_token = options.delete(:drop_token)
+          generate_token options.merge(user: user_for_github_token(token, drop_token))
        end

-        class UserManager < Struct.new(:data, :token)
+        class UserManager < Struct.new(:data, :token, :drop_token)
          def info(attributes = {})
            info = data.to_hash.slice('name', 'login', 'gravatar_id')
            info.merge! attributes.stringify_keys
@ -204,7 +205,7 @@ class Travis::Api::App

          def fetch
            user   = ::User.find_by_github_id(data['id'])
-            info   = info(github_oauth_token: token)
+            info   = drop_token ? info : info(github_oauth_token: token)

            if user
              user.update_attributes info
@ -216,12 +217,12 @@ class Travis::Api::App
          end
        end

-        def user_for_github_token(token)
+        def user_for_github_token(token, drop_token = false)
          data   = GH.with(token: token.to_s) { GH['user'] }
          scopes = parse_scopes data.headers['x-oauth-scopes']
          halt 403, 'insufficient access' unless acceptable? scopes

-          user   = UserManager.new(data, token).fetch
+          user   = UserManager.new(data, token, drop_token).fetch
          halt 403, 'not a Travis user' if user.nil?
          user
        end
--- a/spec/unit/endpoint/authorization_spec.rb
+++ b/spec/unit/endpoint/authorization_spec.rb
@ -40,7 +40,7 @@ describe Travis::Api::App::Endpoint::Authorization do
    def user_for(github_token)
      get '/info/login', access_token: get_token(github_token)
      last_response.status.should == 200
-      User.find_by_login(body)
+      user if user.login == body
    end

    it 'accepts tokens with repo scope' do
@ -60,5 +60,9 @@ describe Travis::Api::App::Endpoint::Authorization do
      post('/auth/github', github_token: 'invalid token').should_not be_ok
      body.should_not include('access_token')
    end
+
+    it 'does not store the token' do
+      user_for('public repos').github_oauth_token.should_not == 'public repos'
+    end
  end
 end