Merge pull request #12 from RadiusNetworks/cache-auth-tokens

cupakromer · cupakromer · commit 817aaf539a45 · 2015-12-21T22:15:46.000-05:00
Cache auth tokens
diff --git a/lib/kracken/controllers/token_authenticatable.rb b/lib/kracken/controllers/token_authenticatable.rb
@@ -11,32 +11,57 @@ def self.included(base)
           before_action :authenticate_user_with_token!
           helper_method :current_user
         end
-
-
       end
 
-      attr_reader :current_user
-
       # NOTE: Monkey-patch until this is merged into the gem
       def request_http_token_authentication(realm = 'Application')
         headers["WWW-Authenticate"] = %(Token realm="#{realm.gsub(/"/, "")}")
         raise TokenUnauthorized, "Invalid Credentials"
       end
 
-      private
+    private
+
+      CACHE_TTL_OPTS = {
+        expires_in: ENV.fetch("KRACKEN_TOKEN_TTL", 1.minute).to_i,
+        race_condition_ttl: 1.second,
+      }.freeze
 
       # `authenticate_or_request_with_http_token` is a nice Rails helper:
       # http://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token/ControllerMethods.html#method-i-authenticate_or_request_with_http_token
       def authenticate_user_with_token!
-        unless current_user
-          munge_header_auth_token!
+        munge_header_auth_token!
 
-          authenticate_or_request_with_http_token(realm) { |token, _options|
-            # Attempt to reduce namespace conflicts with controllers which may access
-            # an team instance for display.
-            @current_user = Authenticator.user_with_token(token)
+        authenticate_or_request_with_http_token(realm) { |token, _options|
+          # Attempt to reduce ivar namespace conflicts with controllers
+          @_auth_info = cache_valid_auth(token) {
+            if @current_user = Authenticator.user_with_token(token)
+              { id: @current_user.id, team_ids: @current_user.team_ids }
+            end
           }
-        end
+        }
+      end
+
+      def cache_valid_auth(token, &generate_cache)
+        cache_key = "auth/token/#{token}"
+        val = Rails.cache.read(cache_key)
+        val ||= store_valid_auth(cache_key, &generate_cache)
+        val.transform_values!(&:freeze).freeze if val
+      end
+
+      def current_auth_info
+        @_auth_info ||= {}
+      end
+
+      def current_team_ids
+        current_auth_info[:team_ids]
+      end
+
+      def current_user
+        @current_user ||= Kracken.config.user_class.find(current_auth_info[:id])
+      end
+
+      def current_user_id
+        current_auth_info[:id]
       end
 
       # Make it **explicit** that we are munging the `token` param with the
@@ -55,6 +80,12 @@ def munge_header_auth_token!
       def realm
         self.class.realm
       end
+
+      def store_valid_auth(cache_key)
+        val = yield
+        Rails.cache.write(cache_key, val, CACHE_TTL_OPTS) if val
+        val
+      end
     end
 
   end
diff --git a/lib/kracken/rspec.rb b/lib/kracken/rspec.rb
@@ -46,6 +46,18 @@ module TokenAuthenticatable
       def current_user
         Kracken::SpecHelper.current_user
       end
+
+      alias_method :__original_auth__, :authenticate_user_with_token!
+      def authenticate_user_with_token!
+        if current_user
+          @_auth_info = {
+            id: current_user.id,
+            team_ids: current_user.team_ids,
+          }
+        else
+          __original_auth__
+        end
+      end
     end
   end
 end
diff --git a/spec/dummy/app/models/user.rb b/spec/dummy/app/models/user.rb
@@ -22,4 +22,10 @@ def id
   def uid
     @hash["uid"]
   end
+
+  def team_ids
+    @hash["info"] ||= {}
+    @hash["info"]["teams"] ||= []
+    @hash["info"]["teams"].map { |t| t["uid"] }
+  end
 end
diff --git a/spec/kracken/controllers/token_authenticatable_spec.rb b/spec/kracken/controllers/token_authenticatable_spec.rb
@@ -0,0 +1,236 @@
+require "support/base_controller_double"
+require "support/using_cache"
+
+module Kracken
+  class TokenAuthController < BaseControllerDouble
+    include Kracken::Controllers::TokenAuthenticatable
+    public :authenticate_user_with_token!
+    # The module includes things as private so that they are not accidentally
+    # exposed as controller routes. However, we really treat some of them as the
+    # "public" API for the module:
+    public :current_auth_info,
+           :current_team_ids,
+           :current_user,
+           :current_user_id
+
+    def authenticate_or_request_with_http_token(realm = nil)
+      /\AToken token="(?<token>.*)"\z/ =~ request.env['HTTP_AUTHORIZATION']
+      yield token if block_given?
+    end
+  end
+
+  RSpec.describe Controllers::TokenAuthenticatable do
+    describe "authenticating via a token", :using_cache do
+      subject(:a_controller) { TokenAuthController.new }
+
+      shared_examples "the authorization request headers" do |token_helper|
+        let(:expected_token) { public_send token_helper }
+
+        specify "are munged to include a provided parameterized token" do
+          a_controller.request.env = {
+            'HTTP_AUTHORIZATION' => 'Token token="header token"'
+          }
+          a_controller.params = { token: expected_token }
+
+          expect {
+            a_controller.authenticate_user_with_token!
+          }.to change {
+            a_controller.request.env
+          }.from(
+            'HTTP_AUTHORIZATION' => 'Token token="header token"'
+          ).to(
+            'HTTP_AUTHORIZATION' => "Token token=\"#{expected_token}\""
+          )
+        end
+
+        specify "are not modified when no parameterized token provided" do
+          a_controller.request.env = {
+            'HTTP_AUTHORIZATION' => "Token token=\"#{expected_token}\""
+          }
+
+          expect {
+            a_controller.authenticate_user_with_token!
+          }.not_to change { a_controller.request.env }.from(
+            'HTTP_AUTHORIZATION' => "Token token=\"#{expected_token}\""
+          )
+        end
+      end
+
+      context "on a cache hit" do
+        let(:auth_info) {
+          {
+            id: :any_id,
+            team_ids: [:some, :team, :ids],
+          }
+        }
+        let(:cached_token) { "any token" }
+        let(:cache_key) { "auth/token/any token" }
+
+        before do
+          a_controller.request.env = {
+            'HTTP_AUTHORIZATION' => "Token token=\"#{cached_token}\""
+          }
+
+          Rails.cache.write cache_key, auth_info
+          stub_const "Kracken::Authenticator", spy("Kracken::Authenticator")
+        end
+
+        include_examples "the authorization request headers", :cached_token
+
+        it "uses the exising cache to bypass the authentication process" do
+          a_controller.authenticate_user_with_token!
+          expect(Authenticator).not_to have_received(:user_with_token)
+        end
+
+        it "returns the auth info" do
+          expect(a_controller.authenticate_user_with_token!).to eq(
+            id: :any_id,
+            team_ids: [:some, :team, :ids],
+          ).and be_frozen
+        end
+
+        it "exposes the auth info via the `current_` helpers", :aggregate_failures do
+          expect {
+            a_controller.authenticate_user_with_token!
+          }.to(
+            change { a_controller.current_auth_info }.from({}).to(auth_info)
+            .and change { a_controller.current_user_id }.from(nil).to(:any_id)
+            .and change { a_controller.current_team_ids }.from(nil).to(
+              [:some, :team, :ids]
+            )
+          )
+
+          expect(a_controller.current_auth_info).to be_frozen
+          expect(a_controller.current_team_ids).to be_frozen
+        end
+
+        it "lazy loads the current user" do
+          begin
+            # Ensure we cannot lookup a user - doing so would raise an error
+            org_user_class = Kracken.config.user_class
+            user_class = double("AnyUserClass")
+            Kracken.config.user_class = user_class
+
+            # Action under test
+            a_controller.authenticate_user_with_token!
+
+            # Make sure we perform the lookup as expected now
+            expect(user_class).to receive(:find).with(:any_id).and_return(:user)
+
+            expect(a_controller.current_user).to be :user
+          ensure
+            Kracken.config.user_class = org_user_class
+          end
+        end
+      end
+
+      context "on a cache miss with an invalid token" do
+        let(:invalid_token) { "any token" }
+
+        before do
+          a_controller.request.env = {
+            'HTTP_AUTHORIZATION' => "Token token=\"#{invalid_token}\""
+          }
+
+          allow(Authenticator).to receive(:user_with_token).with(invalid_token)
+                                                           .and_return(nil)
+        end
+
+        include_examples "the authorization request headers", :invalid_token
+
+        it "follows the token authentication process" do
+          a_controller.authenticate_user_with_token!
+          expect(Authenticator).to have_received(:user_with_token)
+            .with(invalid_token)
+        end
+
+        it "returns nil" do
+          expect(a_controller.authenticate_user_with_token!).to be nil
+        end
+
+        it "doesn't cache invalid tokens" do
+          expect {
+            a_controller.authenticate_user_with_token!
+          }.not_to change {
+            Rails.cache.exist?("auth/token/#{invalid_token}")
+          }.from false
+        end
+      end
+
+      context "on a cache miss with a valid token" do
+        let(:a_user) {
+          instance_double(User, id: user_id, team_ids: some_team_ids)
+        }
+        let(:some_team_ids) { [:some, :team, :ids] }
+        let(:user_id) { :any_id }
+        let(:valid_token) { "any token" }
+
+        before do
+          a_controller.request.env = {
+            'HTTP_AUTHORIZATION' => "Token token=\"#{valid_token}\""
+          }
+
+          allow(Authenticator).to receive(:user_with_token).with(valid_token)
+                                                           .and_return(a_user)
+        end
+
+        include_examples "the authorization request headers", :valid_token
+
+        it "follows the token authentication process" do
+          a_controller.authenticate_user_with_token!
+          expect(Authenticator).to have_received(:user_with_token)
+            .with(valid_token)
+        end
+
+        it "returns the auth info in a frozen state" do
+          expect(a_controller.authenticate_user_with_token!).to eq(
+            id: :any_id,
+            team_ids: [:some, :team, :ids],
+          ).and be_frozen
+        end
+
+        it "exposes the auth info via the `current_` helpers", :aggregate_failures do
+          expect {
+            a_controller.authenticate_user_with_token!
+          }.to(
+            change { a_controller.current_auth_info }.from({}).to(
+              id: :any_id,
+              team_ids: [:some, :team, :ids],
+            )
+            .and change { a_controller.current_user_id }.from(nil).to(:any_id)
+            .and change { a_controller.current_team_ids }.from(nil).to(
+              [:some, :team, :ids]
+            )
+          )
+
+          expect(a_controller.current_auth_info).to be_frozen
+          expect(a_controller.current_team_ids).to be_frozen
+        end
+
+        it "sets the auth info as the cache value" do
+          expect {
+            a_controller.authenticate_user_with_token!
+          }.to change { Rails.cache.read("auth/token/any token") }.from(nil).to(
+            id: :any_id,
+            team_ids: [:some, :team, :ids],
+          )
+        end
+
+        it "sets the cache expiration to one minute by default" do
+          expect(Rails.cache).to receive(:write).with(
+            "auth/token/any token",
+            anything,
+            include(expires_in: 1.minute),
+          )
+          a_controller.authenticate_user_with_token!
+        end
+
+        it "eager loads the current user" do
+          expect(Kracken.config.user_class).not_to receive(:find)
+          a_controller.authenticate_user_with_token!
+          expect(a_controller.current_user).to be a_user
+        end
+      end
+    end
+  end
+end
diff --git a/spec/support/base_controller_double.rb b/spec/support/base_controller_double.rb
@@ -1,10 +1,14 @@
 module Kracken
   class BaseControllerDouble
-    attr_accessor :session, :cookies
+    Request = Struct.new(:env)
+
+    attr_accessor :session, :cookies, :request, :params
 
     def initialize
       @session = {}
       @cookies = {}
+      @request = Request.new({})
+      @params = {}
     end
 
     def self.helper_method(*) ; end
diff --git a/spec/support/using_cache.rb b/spec/support/using_cache.rb
@@ -0,0 +1,14 @@
+RSpec.shared_context "using Rails cache", :using_cache do
+  before(:context) do
+    @org_cache = Rails.cache
+    Rails.cache = ActiveSupport::Cache.lookup_store(:memory_store)
+  end
+
+  after(:context) do
+    Rails.cache = @org_cache
+  end
+
+  before do
+    Rails.cache.clear
+  end
+end
