author | Daniel Beauchamp <daniel.beauchamp@gmail.com> | 2015-12-08 17:14:31 -0500 |
committer | Daniel Beauchamp <daniel.beauchamp@gmail.com> | 2015-12-08 17:14:31 -0500 |
commit | 56de2ad7073cff38d2ff3c4fade8ed1c6bd59702 (patch) | |
tree | 5f13b6444a86ea694d2307025fd0038de88dc58c /lib | |
parent | e02401ea8b5e2bf2337c387daedf5b3437ba2298 (diff) | |
parent | f8d316e212d315a13f7d09149f1fd05624a20399 (diff) |
Merge pull request #644 from Shopify/refactor-auth
Refactor and fix authentication
Diffstat (limited to 'lib')
-rw-r--r-- | lib/dashing/app.rb | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/lib/dashing/app.rb b/lib/dashing/app.rb
index 0e7f7bb..b11352d 100644
--- a/lib/dashing/app.rb
+++ b/lib/dashing/app.rb
@@ -23,6 +23,11 @@ helpers do
 def protected!
 # override with auth logic
 end
+
+ def authenticated?(token)
+ return true unless settings.auth_token
+ token && Rack::Utils.secure_compare(settings.auth_token, token)
+ end
 end
 
 set :root, Dir.pwd
@@ -89,8 +94,7 @@ post '/dashboards/:id' do
 request.body.rewind
 body = JSON.parse(request.body.read)
 body['dashboard'] ||= params['id']
- auth_token = body.delete("auth_token")
- if !settings.auth_token || settings.auth_token == auth_token
+ if authenticated?(body.delete("auth_token"))
 send_event(params['id'], body, 'dashboards')
 204 # response without entity body
 else
@@ -102,8 +106,7 @@ end
 post '/widgets/:id' do
 request.body.rewind
 body = JSON.parse(request.body.read)
- auth_token = body.delete("auth_token")
- if !settings.auth_token || settings.auth_token == auth_token
+ if authenticated?(body.delete("auth_token"))
 send_event(params['id'], body)
 204 # response without entity body
 else
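Review bot: `authenticated?` hands the raw JSON value straight to `Rack::Utils.secure_compare`, so a body whose `auth_token` is not a string (a number, array or object is valid JSON) reaches a `bytesize` call on a non-String and, in Rack versions whose `secure_compare` is written that way, raises instead of yielding the 401 the `else` branch intends; guarding the type first, `token.is_a?(String) && Rack::Utils.secure_compare(settings.auth_token, token)`, keeps malformed tokens on the 401 path (the same assumption applies to `settings.auth_token` itself, which is presumably always a String from configuration). The same value flows in from both `post '/dashboards/:id'` and `post '/widgets/:id'` in the two later hunks, so one fix in the helper covers both. The switch from `==` to a constant-time comparison is the right call and deserves a note above the method, e.g. `# No configured auth_token means authentication is disabled; otherwise the token is checked in constant time.`. The `helpers do` block enclosing the new method, and the two route bodies, start or continue outside their hunks.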