Merge pull request #6975 from cmrd-senya/6857-misscoped-destroy

[API] don't store ID tokens in DB

app/controllers/api/openid_connect/authorizations_controller.rb

@@ -53,7 +53,6 @@ module Api
       def reset_auth(auth)
         return unless auth
         auth.o_auth_access_tokens.destroy_all
-        auth.id_tokens.destroy_all
         auth.code_used = false
         auth.save
       end

app/models/api/openid_connect/authorization.rb

@@ -12,7 +12,6 @@ module Api
       serialize :scopes, JSON
 
       has_many :o_auth_access_tokens, dependent: :destroy
-      has_many :id_tokens, dependent: :destroy
 
       before_validation :setup, on: :create
 
@@ -50,7 +49,7 @@ module Api
       end
 
       def create_id_token
-        id_tokens.create!(nonce: nonce)
+        IdToken.new(self, nonce)
       end
 
       def self.find_by_client_id_user_and_scopes(client_id, user, scopes)

db/migrate/20160813115514_remove_id_tokens.rb

+require_relative "20150714055110_create_id_tokens"
+
+class RemoveIdTokens < ActiveRecord::Migration
+  def change
+    revert CreateIdTokens
+  end
+end

db/schema.rb

@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20160810230114) do
+ActiveRecord::Schema.define(version: 20160813115514) do
 
   create_table "account_deletions", force: :cascade do |t|
     t.string   "diaspora_handle", limit: 255
@@ -160,16 +160,6 @@ ActiveRecord::Schema.define(version: 20160810230114) do
   add_index "conversations", ["author_id"], name: "conversations_author_id_fk", using: :btree
   add_index "conversations", ["guid"], name: "index_conversations_on_guid", unique: true, length: {"guid"=>191}, using: :btree
 
-  create_table "id_tokens", force: :cascade do |t|
-    t.integer  "authorization_id", limit: 4
-    t.datetime "expires_at"
-    t.string   "nonce",            limit: 255
-    t.datetime "created_at",                   null: false
-    t.datetime "updated_at",                   null: false
-  end
-
-  add_index "id_tokens", ["authorization_id"], name: "index_id_tokens_on_authorization_id", using: :btree
-
   create_table "invitation_codes", force: :cascade do |t|
     t.string   "token",      limit: 255
     t.integer  "user_id",    limit: 4
@@ -661,7 +651,6 @@ ActiveRecord::Schema.define(version: 20160810230114) do
   add_foreign_key "conversation_visibilities", "conversations", name: "conversation_visibilities_conversation_id_fk", on_delete: :cascade
   add_foreign_key "conversation_visibilities", "people", name: "conversation_visibilities_person_id_fk", on_delete: :cascade
   add_foreign_key "conversations", "people", column: "author_id", name: "conversations_author_id_fk", on_delete: :cascade
-  add_foreign_key "id_tokens", "authorizations"
   add_foreign_key "like_signatures", "likes", name: "like_signatures_like_id_fk", on_delete: :cascade
   add_foreign_key "like_signatures", "signature_orders", name: "like_signatures_signature_orders_id_fk"
   add_foreign_key "likes", "people", column: "author_id", name: "likes_author_id_fk", on_delete: :cascade

app/models/api/openid_connect/id_token.rb → lib/api/openid_connect/id_token.rb

@@ -25,15 +25,12 @@ require "uri"
 
 module Api
   module OpenidConnect
-    class IdToken < ActiveRecord::Base
-      belongs_to :authorization
-
-      before_validation :setup, on: :create
-
-      default_scope { where("expires_at >= ?", Time.zone.now.utc) }
-
-      def setup
-        self.expires_at = 30.minutes.from_now
+    class IdToken
+      def initialize(authorization, nonce)
+        @authorization = authorization
+        @nonce = nonce
+        @created_at = Time.current
+        @expires_at = 30.minutes.from_now
       end
 
       def to_jwt(options={})
@@ -42,6 +39,8 @@ module Api
         end
       end
 
+      private
+
       def to_response_object(options={})
         OpenIDConnect::ResponseObject::IdToken.new(claims).tap do |id_token|
           id_token.code = options[:code] if options[:code]
@@ -54,17 +53,17 @@ module Api
         @claims ||= {
           iss:       AppConfig.environment.url,
           sub:       sub,
-          aud:       authorization.o_auth_application.client_id,
-          exp:       expires_at.to_i,
-          iat:       created_at.to_i,
-          auth_time: authorization.user.current_sign_in_at.to_i,
-          nonce:     nonce,
+          aud:       @authorization.o_auth_application.client_id,
+          exp:       @expires_at.to_i,
+          iat:       @created_at.to_i,
+          auth_time: @authorization.user.current_sign_in_at.to_i,
+          nonce:     @nonce,
           acr:       0
         }
       end
 
       def build_sub
-        Api::OpenidConnect::SubjectIdentifierCreator.create(authorization)
+        Api::OpenidConnect::SubjectIdentifierCreator.create(@authorization)
       end
     end
   end