From a57848b3a6206e538d6afe7ef2cab977fee10ea6 Mon Sep 17 00:00:00 2001
From: Robbe Van Herck <robbevanherck1@gmail.com>
Date: Mon, 8 Apr 2019 16:41:19 +0200
Subject: [PATCH 1/2] Added User API and userkey

---
 app/controllers/application_controller.rb  |  5 ++++-
 app/controllers/users_controller.rb        | 26 +++++++++++++++++++++-
 app/models/user.rb                         | 15 +++++++++++++
 config/routes.rb                           |  1 +
 db/migrate/20190408122720_add_api_token.rb | 10 +++++++++
 db/schema.rb                               |  5 +++--
 6 files changed, 58 insertions(+), 4 deletions(-)
 create mode 100644 db/migrate/20190408122720_add_api_token.rb

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 3593ddf..b9d8db7 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -2,7 +2,10 @@ class ApplicationController < ActionController::Base
   protect_from_forgery with: :exception
 
   rescue_from CanCan::AccessDenied do |exception|
-    redirect_to root_path, flash: { error: message_for(exception) }
+    respond_to do |format|
+      format.json { render json: [ "Diefstal is een misdrijf." ], status: :forbidden }
+      format.html { redirect_to root_path, flash: { error: message_for(exception) } }
+    end
   end
 
   def after_sign_in_path_for(resource)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 45963ed..c81854a 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -23,8 +23,21 @@
 class UsersController < ApplicationController
   load_and_authorize_resource
   before_action :init, only: :show
+  skip_load_and_authorize_resource :only => :show
 
   def show
+    # TODO fix this with `authorize!`
+    if params[:id] && (@user.name != params[:id] && !@user.admin?)
+      respond_to do |format|
+        format.json { render json: ["Mind your own business"] }
+        format.html { redirect_to root_url }
+      end
+    else
+      respond_to do |format|
+        format.json { render json: @user }
+        format.html {}
+      end
+    end
   end
 
   def update
@@ -81,6 +94,17 @@ class UsersController < ApplicationController
   end
 
   def init
-    @user ||= current_user
+    @user ||= current_user || user_token || User.new
+  end
+
+  def user_token
+    @user_token ||= authenticate_with_http_token do |token, options|
+      User.find_by userkey: token
+    end
+  end
+
+  def reset_key
+    @user.generate_key!
+    redirect_to @user
   end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index 0b10c17..7967d3d 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -37,6 +37,7 @@ class User < ActiveRecord::Base
     where(name: auth.uid).first_or_create do |user|
       user.name = auth.uid
       user.avatar = Identicon.data_url_for auth.uid
+      user.generate_key!
     end
   end
 
@@ -89,4 +90,18 @@ class User < ActiveRecord::Base
       user.koelkast = true
     end
   end
+
+  def generate_key
+    set_key unless self.userkey
+  end
+
+  def generate_key!
+    set_key
+    self.save
+  end
+
+  private
+  def set_key
+    self.userkey = SecureRandom.base64(16)
+  end
 end
diff --git a/config/routes.rb b/config/routes.rb
index e223888..16a5da5 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -22,6 +22,7 @@ Rails.application.routes.draw do
     member do
       get 'quickpay'               => 'users#quickpay'
       get 'dagschotel/edit'        => 'users#edit_dagschotel', as: 'edit_dagschotel'
+      post :reset_key
     end
   end
 
diff --git a/db/migrate/20190408122720_add_api_token.rb b/db/migrate/20190408122720_add_api_token.rb
new file mode 100644
index 0000000..b73f94c
--- /dev/null
+++ b/db/migrate/20190408122720_add_api_token.rb
@@ -0,0 +1,10 @@
+class AddApiToken < ActiveRecord::Migration
+  def change
+    add_column :users, :userkey, :string
+
+    User.all.each do |user|
+      user.generate_key
+      user.save
+    end
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 7e13464..027c761 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20160304192839) do
+ActiveRecord::Schema.define(version: 20190408122720) do
 
   create_table "barcodes", force: :cascade do |t|
     t.integer  "product_id"
@@ -86,7 +86,8 @@ ActiveRecord::Schema.define(version: 20160304192839) do
     t.string   "name"
     t.boolean  "private",             default: false
     t.integer  "frecency",            default: 0,     null: false
-    t.boolean  "quickpay_hidden"
+    t.boolean  "quickpay_hidden",     default: false
+    t.string   "userkey"
   end
 
   add_index "users", ["koelkast"], name: "index_users_on_koelkast"

From c588d0f6d4924558e39584069468184275dea6b2 Mon Sep 17 00:00:00 2001
From: redfast00 <redfast00@gmail.com>
Date: Thu, 18 Apr 2019 22:50:33 +0200
Subject: [PATCH 2/2] Better authentication

---
 app/controllers/users_controller.rb | 9 ---------
 app/models/ability.rb               | 3 +++
 db/schema.rb                        | 3 ++-
 3 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index c81854a..76909e4 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -23,21 +23,12 @@
 class UsersController < ApplicationController
   load_and_authorize_resource
   before_action :init, only: :show
-  skip_load_and_authorize_resource :only => :show
 
   def show
-    # TODO fix this with `authorize!`
-    if params[:id] && (@user.name != params[:id] && !@user.admin?)
-      respond_to do |format|
-        format.json { render json: ["Mind your own business"] }
-        format.html { redirect_to root_url }
-      end
-    else
       respond_to do |format|
         format.json { render json: @user }
         format.html {}
       end
-    end
   end
 
   def update
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 9c2b8a0..a856eb0 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -24,6 +24,9 @@ class Ability
 
   def initialize_user(user)
     can :read, :all
+    cannot :read, User do |otheruser|
+        otheruser != user && !user.admin? && !user.koelkast
+    end
     can :manage, User, id: user.id
     can :create, Order do |order|
       order.user == user && user.try(:balance).try(:>, -500)
diff --git a/db/schema.rb b/db/schema.rb
index 027c761..cfcfc89 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20190408122720) do
+ActiveRecord::Schema.define(version: 20190415182036) do
 
   create_table "barcodes", force: :cascade do |t|
     t.integer  "product_id"
@@ -87,6 +87,7 @@ ActiveRecord::Schema.define(version: 20190408122720) do
     t.boolean  "private",             default: false
     t.integer  "frecency",            default: 0,     null: false
     t.boolean  "quickpay_hidden",     default: false
+    t.string   "key"
     t.string   "userkey"
   end