Feature/6207 Endpoint api/v1/sign_in now outputs randomized tokens in response upon sign-in

[7riumph]

What github issue is this PR for, if any?

Resolves #6207

What changed, and why?

Volunteers api/v1/sign_in endpoint now outputs secured randomized tokens upon sign-in.

• Dropped token column from users table
• Added api_credentials table to be used for users model for greater separation of concerns (SoC)
• Utilized SHA-256 hash to ensure raw tokens are never stored in db ( api_token_digest & refresh_token_digest )
• Created models/api_credentials and concern/api.rb for further api concern separation and utility

Why?: To ensure compliance with apples review process, and enhance security with an applicable industry standard.

How is this tested? (please write tests!) 💖💪

New tests:

Authentication Helper Function tests (14 in total) → spec/models/api_credential_spec.rb
Credentials Factory Definition → spec/factories/api_credential.rb

Updated tests ( no more token column ):

BaseController test → spec/requests/api/v1/base_spec.rb
SessionController test → spec/requests/api/v1/users/sessions_spec.rb
Users Factory Definition → spec/factories/users.rb

Deployment & Documentation:

Deployment task → lib/tasks/deployment/20230822145532_populate_api_tokens.rake
Swagger Documentation → swagger/v1/swagger.yaml
More Swagger→ spec/swagger_helper.rb

Screenshots please :)

Example output with updated api/v1/sign_in endpoint blueprint

Feelings gif (optional)

[xihai01]

looks good to me so far 🔥

I think instead of storing the token and refresh token as plaintext in the db, we can store it as a hash
like what shen suggested

Then the client would be provided the plaintext versions of the tokens and whenever they call the api, the hash versions will be compared

[compwron]

don't do this twice?

[7riumph]

It is actually for two separate tokens. The plan is the session_token expires quickly and is repeatedly replaced for as long as the refresh_token is valid to maintain access.

[7riumph]

Token regeneration is now handled in the blueprint before being passed to the session controller.

[compwron]

maybe make a new type of user, ApiUser?

[7riumph]

Looking into this, may complicate authorization. I'll just create a completely new table for api/v1 credentials so the user model and roles inheriting from it aren't overloaded.

Additionally, will attempt to do more compartmentalizing this PR through a concern :)

[7riumph]

Created the concern and imported into models/user.rb

[compwron]

36 what? seconds, minutes, days, weeks?

[7riumph]

Vague syntax refers to token length, in this case. The token is 36 characters long.

[7riumph]

Tokens are now in a credentials table

[xihai01]

does these functions return boolean value?
if so, the naming should be consistent with other similar functions starting with the is_....

[7riumph]

Yes, returns a boolean. How's Something like "is_api_token_valid"?

[xihai01]

yes that would be perfect
also follows ruby conventions too

[xihai01]

you're also storing the plain text tokens in the table?

[xihai01]

nvm I think you created a migration to remove them right?

[7riumph]

Yeah, originally added 2 unneeded token columns then created a migration to remove them.

[xihai01]

cool

[xihai01]

is it possible to create a separate deployment task for populating the api tokens?
so we don't touch the sms stuff

[7riumph]

Get the concern, but this task was not made as part of the original SMS epic. History is you originally created the file here then Sam Williams or schoork added our sms and your token addition to it here

I've edited the task because tokens are in a api_credentials table now.

[xihai01]

I see I see
I forgot I originally created this
yea, just leave it then

[xihai01]

lgtm