feat: create unique token for scorm asset retrieval

thoth-tech · Jun 26, 2024 · fc8134a · fc8134a
1 parent 4139690
commit fc8134a
Show file tree

Hide file tree

Showing 7 changed files with 48 additions and 8 deletions.
diff --git a/app/api/authentication_api.rb b/app/api/authentication_api.rb
@@ -11,6 +11,7 @@
 class AuthenticationApi < Grape::API
   helpers LogHelper
   helpers AuthenticationHelpers
+  helpers AuthorisationHelpers
 
   #
   # Sign in - only mounted if AAF auth is NOT used
@@ -368,4 +369,21 @@ class AuthenticationApi < Grape::API
 
     present nil
   end
+
+  desc 'Get SCORM authentication token'
+  get '/auth/scorm' do
+    if authenticated?
+      unless authorise? current_user, User, :get_scorm_test
+        error!({ error: 'You cannot access SCORM tests' }, 403)
+      end
+
+      token = current_user.auth_tokens.find_by(token_type: 'scorm')
+      if token.auth_token_expiry <= Time.zone.now
+        token.destroy!
+        token = current_user.generate_scorm_authentication_token!
+      end
+
+      present :scorm_auth_token, token.authentication_token
+    end
+  end
 end
diff --git a/app/api/scorm_api.rb b/app/api/scorm_api.rb
@@ -4,10 +4,11 @@
 class ScormApi < Grape::API
   # Include the AuthenticationHelpers for authentication functionality
   helpers AuthenticationHelpers
+  helpers AuthorisationHelpers
 
-  # before do
-  #   authenticated?
-  # end
+  before do
+    authenticated?
+  end
 
   helpers do
     # Method to stream a file from a zip archive at the specified path
@@ -51,7 +52,11 @@ def stream_file_from_zip(zip_path, file_path)
   params do
     requires :task_def_id, type: Integer, desc: 'Task Definition ID to get SCORM test data for'
   end
-  get '/scorm/:task_def_id/*file_path' do
+  get '/scorm/:task_def_id/:username/:auth_token/*file_path' do
+    unless authorise? current_user, User, :get_scorm_test
+      error!({ error: 'You cannot access SCORM tests' }, 403)
+    end
+
     env['api.format'] = :txt
     task_def = TaskDefinition.find(params[:task_def_id])
     if task_def.has_scorm_data?

diff --git a/app/api/test_attempts_api.rb b/app/api/test_attempts_api.rb
@@ -4,6 +4,7 @@ class TestAttemptsApi < Grape::API
   format :json
 
   helpers AuthenticationHelpers
+  helpers AuthorisationHelpers
 
   before do
     authenticated?

diff --git a/app/models/auth_token.rb b/app/models/auth_token.rb
@@ -6,7 +6,7 @@ class AuthToken < ApplicationRecord
   validates :authentication_token, presence: true
   validate :ensure_token_unique_for_user, on: :create
 
-  def self.generate(user, remember, expiry_time = Time.zone.now + 2.hours)
+  def self.generate(user, remember, expiry_time = Time.zone.now + 2.hours, token_type = 'general')
     # Loop until new unique auth token is found
     token = loop do
       token = Devise.friendly_token
@@ -16,6 +16,7 @@ def self.generate(user, remember, expiry_time = Time.zone.now + 2.hours)
     # Create a new AuthToken with this value
     result = AuthToken.new(user_id: user.id)
     result.authentication_token = token
+    result.token_type = token_type
     result.extend_token(remember, expiry_time, false)
     result.save!
     result

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -107,6 +107,15 @@ def generate_temporary_authentication_token!
     AuthToken.generate(self, false, Time.zone.now + 30.seconds)
   end
 
+  #
+  # Generate an authentication token for scorm asset retrieval
+  #
+  def generate_scorm_authentication_token!
+    # Ensure this user is saved... so it has an id
+    self.save unless self.persisted?
+    AuthToken.generate(self, false, Time.zone.now + 2.hours, 'scorm')
+  end
+
   #
   # Returns whether the authentication token has expired
   #
@@ -344,8 +353,8 @@ def self.permissions
 
     # What can students do with users?
     student_role_permissions = [
-      :get_teaching_periods
-
+      :get_teaching_periods,
+      :get_scorm_test
     ]
 
     # Return the permissions hash

diff --git a/db/migrate/20240618135038_add_auth_token_type.rb b/db/migrate/20240618135038_add_auth_token_type.rb
@@ -0,0 +1,5 @@
+class AddAuthTokenType < ActiveRecord::Migration[7.1]
+  def change
+    add_column :auth_tokens, :token_type, :string, null: false
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.1].define(version: 2024_06_03_020127) do
+ActiveRecord::Schema[7.1].define(version: 2024_06_18_135038) do
   create_table "activity_types", charset: "utf8", collation: "utf8_unicode_ci", force: :cascade do |t|
     t.string "name", null: false
     t.string "abbreviation", null: false
@@ -24,6 +24,7 @@
     t.datetime "auth_token_expiry", null: false
     t.bigint "user_id"
     t.string "authentication_token", null: false
+    t.string "token_type", null: false
     t.index ["user_id"], name: "index_auth_tokens_on_user_id"
   end