From f8d316e212d315a13f7d09149f1fd05624a20399 Mon Sep 17 00:00:00 2001
From: Jean Boussier <jean.boussier@gmail.com>
Date: Tue, 8 Dec 2015 15:49:55 -0500
Subject: Refactor and fix authentication

---
 lib/dashing/app.rb | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/lib/dashing/app.rb b/lib/dashing/app.rb
index 0e7f7bb..b11352d 100644
--- a/lib/dashing/app.rb
+++ b/lib/dashing/app.rb
@@ -23,6 +23,11 @@ helpers do
   def protected!
     # override with auth logic
   end
+
+  def authenticated?(token)
+    return true unless settings.auth_token
+    token && Rack::Utils.secure_compare(settings.auth_token, token)
+  end
 end
 
 set :root, Dir.pwd
@@ -89,8 +94,7 @@ post '/dashboards/:id' do
   request.body.rewind
   body = JSON.parse(request.body.read)
   body['dashboard'] ||= params['id']
-  auth_token = body.delete("auth_token")
-  if !settings.auth_token || settings.auth_token == auth_token
+  if authenticated?(body.delete("auth_token"))
     send_event(params['id'], body, 'dashboards')
     204 # response without entity body
   else
@@ -102,8 +106,7 @@ end
 post '/widgets/:id' do
   request.body.rewind
   body = JSON.parse(request.body.read)
-  auth_token = body.delete("auth_token")
-  if !settings.auth_token || settings.auth_token == auth_token
+  if authenticated?(body.delete("auth_token"))
     send_event(params['id'], body)
     204 # response without entity body
   else
-- 
cgit v1.2.3