[openstreetmap/openstreetmap-website] oauth_filter intercepts OAuth2.0 endpoints meant for Doorkeeper (#3245)
Tom Hughes
notifications at github.com
Fri Jul 2 14:52:59 UTC 2021
Yes, there's a redundant check from the filter, but once the content type is right it reads the correct table:
```
Started POST "/oauth2/introspect" for 2001:8b0:bd:1:fce3:75ff:febd:6a8c at 2021-07-02 15:51:08 +0100
(1.1ms) SELECT "schema_migrations"."version" FROM "schema_migrations" ORDER BY "schema_migrations"."version" ASC
↳ config/initializers/cors.rb:9:in `call'
Oauth2Token Load (0.7ms) SELECT "oauth_tokens".* FROM "oauth_tokens" WHERE "oauth_tokens"."type" = $1 AND (invalidated_at IS NULL and authorized_at IS NOT NULL and token = '05sMxyhosM-gISCObOgdfSq7urPxGMlaGqS3VoeYse8') ORDER BY "oauth_tokens"."id" ASC LIMIT $2 [["type", "Oauth2Token"], ["LIMIT", 1]]
↳ config/initializers/compressed_requests.rb:27:in `call'
Processing by Oauth2TokensController#introspect as */*
Parameters: {"token"=>"05sMxyhosM-gISCObOgdfSq7urPxGMlaGqS3VoeYse8"}
Doorkeeper::AccessToken Load (0.7ms) SELECT "oauth_access_tokens".* FROM "oauth_access_tokens" WHERE "oauth_access_tokens"."token" = $1 LIMIT $2 [["token", "05sMxyhosM-gISCObOgdfSq7urPxGMlaGqS3VoeYse8"], ["LIMIT", 1]]
↳ app/controllers/api_controller.rb:64:in `current_ability'
User Load (1.2ms) SELECT "users".* FROM "users" WHERE "users"."id" = $1 LIMIT $2 [["id", 1], ["LIMIT", 1]]
↳ app/abilities/api_capability.rb:9:in `initialize'
UserRole Load (0.7ms) SELECT "user_roles".* FROM "user_roles" WHERE "user_roles"."user_id" = $1 [["user_id", 1]]
↳ app/models/user.rb:238:in `has_role?'
CACHE Doorkeeper::AccessToken Load (0.0ms) SELECT "oauth_access_tokens".* FROM "oauth_access_tokens" WHERE "oauth_access_tokens"."token" = $1 LIMIT $2 [["token", "05sMxyhosM-gISCObOgdfSq7urPxGMlaGqS3VoeYse8"], ["LIMIT", 1]]
↳ app/controllers/application_controller.rb:333:in `better_errors_allow_inline'
CACHE Doorkeeper::AccessToken Load (0.0ms) SELECT "oauth_access_tokens".* FROM "oauth_access_tokens" WHERE "oauth_access_tokens"."token" = $1 LIMIT $2 [["token", "05sMxyhosM-gISCObOgdfSq7urPxGMlaGqS3VoeYse8"], ["LIMIT", 1]]
↳ app/controllers/application_controller.rb:333:in `better_errors_allow_inline'
Completed 401 Unauthorized in 136ms (Views: 0.4ms | ActiveRecord: 20.4ms | Allocations: 88287)
```
Still working on hacking our cancancan config to authorize the requests...
--
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/3245#issuecomment-873058309