Deprecate passing auth tokens as query parameters

cupakromer · cupakromer · commit dd4ed2fb2830 · 2018-05-14T11:53:47.000-04:00
This isn't secure as it will go over the wire in the clear for now HTTPS
connection. Additionally, it may be logged by the Heroku router (which
currently cannot be prevented).
diff --git a/lib/kracken/controllers/token_authenticatable.rb b/lib/kracken/controllers/token_authenticatable.rb
@@ -148,6 +148,15 @@ def current_user_id
       # transfer the knowledge about also checking for the params.
       def munge_header_auth_token!
         return unless params[:token]
+        deprecation = ActiveSupport::Deprecation.new("1.0", "kracken")
+        deprecation.behavior = ActiveSupport::Deprecation.behavior
+        deprecation.silenced = ActiveSupport::Deprecation.silenced
+        controller_action = "#{request.controller_class}#" \
+          "#{request.path_parameters[:action] || :index}"
+        deprecation.warn "[#{controller_action}][kracken] Passing auth " \
+          "tokens as query parameters is deprecated. This is insecure and " \
+          "will be removed in a future version of Kracken. Use the " \
+          "'Authorization' header instead."
         request.env['HTTP_AUTHORIZATION'] = "Token token=\"#{params[:token]}\""
       end
 
diff --git a/spec/kracken/controllers/token_authenticatable_spec.rb b/spec/kracken/controllers/token_authenticatable_spec.rb
@@ -36,7 +36,9 @@ def authenticate_or_request_with_http_token(realm = nil)
           a_controller.params = { token: expected_token }
 
           expect {
-            a_controller.authenticate_user_with_token!
+            ActiveSupport::Deprecation.silence do
+              a_controller.authenticate_user_with_token!
+            end
           }.to change {
             a_controller.request.env
           }.from(
diff --git a/spec/support/base_controller_double.rb b/spec/support/base_controller_double.rb
@@ -2,15 +2,15 @@
 
 module Kracken
   class BaseControllerDouble
-    Request = Struct.new(:env)
+    Request = Struct.new(:env, :controller_class, :path_parameters)
 
     attr_accessor :session, :cookies, :request, :params
 
     def initialize
       @session = {}
       @cookies = {}
-      @request = Request.new({})
-      @params = {}
+      @params = { action: :index }
+      @request = Request.new({}, self.class, @params.slice(:action))
     end
 
     def self.helper_method(*) ; end
