Change API authentication to use hashed token with unique salts

app/controllers/api/application_controller.rb

@@ -8,7 +8,13 @@ class Api::ApplicationController < ApplicationController
   private
 
   def authenticate!
-    head 401 unless ActiveSupport::SecurityUtils.secure_compare params[:access_token] || '', ENV.fetch('API_ACCESS_TOKEN')
+    head 401 unless BCrypt::Password.valid_hash?(params[:access_token]) && valid_access_token?
+  end
+
+  def valid_access_token?
+    password = BCrypt::Password.new params[:access_token]
+
+    password.is_password?(ENV['API_ACCESS_TOKEN']) && $redis_workers.with { _1.set password.salt, nil, nx: true, ex: 24.hours.seconds }
   end
 
   def current_user

config/initializers/redis.rb

@@ -1,3 +1,7 @@
 $redis_standings = ConnectionPool.new do
   Redis::Namespace.new "#{ Rails.env }_standings", redis: Redis.new(driver: :hiredis)
 end
+
+$redis_workers = ConnectionPool.new do
+  Redis::Namespace.new "#{ Rails.env }_workers", redis: Redis.new(driver: :hiredis)
+end

spec/controllers/api/application_controller_spec.rb

@@ -6,9 +6,7 @@
   its(:default_url_options) { should eq({}) }
 
   describe '#authenticate!' do
-    let(:uuid) { SecureRandom.uuid }
-
-    before { ENV['API_ACCESS_TOKEN'] = uuid }
+    let(:hash) { '$2a$12$P9FY1uI4pexijYtWXIW2pufjvBs/Om4uz9Gf4lDbuj8E8oUrFZ/OG' }
 
     after { subject.send :authenticate! }
 
@@ -25,12 +23,62 @@
     end
 
     context do
-      before { expect(subject).to receive(:params).and_return(access_token: uuid) }
+      before { expect(subject).to receive(:params).and_return(access_token: hash) }
+
+      before { expect(subject).to receive(:valid_access_token?).and_return(false) }
+
+      it { expect(subject).to receive(:head).with(401) }
+    end
+
+    context do
+      before { expect(subject).to receive(:params).and_return(access_token: hash) }
+
+      before { expect(subject).to receive(:valid_access_token?).and_return(true) }
 
       it { expect(subject).to_not receive(:head) }
     end
   end
 
+  describe '#valid_access_token?' do
+    let(:uuid) { SecureRandom.uuid }
+
+    let(:corrent_hash) { BCrypt::Password.create uuid }
+
+    let(:wrong_hash) { BCrypt::Password.create 'xxxx' }
+
+    before { ENV['API_ACCESS_TOKEN'] = uuid }
+
+    after { $redis_workers.keys('*').each { |k| $redis_workers.del k } }
+
+    context do
+      before { expect(subject).to receive(:params).and_return(access_token: wrong_hash.to_s) }
+
+      after { expect($redis_workers.keys '*').to eq([]) }
+
+      its(:valid_access_token?) { should be false }
+    end
+
+    context do
+      before { expect(subject).to receive(:params).and_return(access_token: corrent_hash.to_s) }
+
+      before { $redis_workers.set corrent_hash.salt, nil }
+
+      after { expect($redis_workers.keys '*').to eq([corrent_hash.salt]) }
+
+      its(:valid_access_token?) { should be false }
+    end
+
+    context do
+      before { expect(subject).to receive(:params).and_return(access_token: corrent_hash.to_s) }
+
+      after { expect($redis_workers.keys '*').to eq([corrent_hash.salt]) }
+
+      after { expect($redis_workers.ttl corrent_hash.salt).to eq(86400) }
+
+      its(:valid_access_token?) { should be true }
+    end
+  end
+
   describe '#set_locale' do
     after { I18n.locale = I18n.default_locale }