Address code review comments

2019-01-04 15:21:49 -06:00 · 2019-01-04 15:21:49 -06:00 · 101fbb7aa5
parent 83267d08e0
commit 101fbb7aa5
2 changed files with 21 additions and 13 deletions
--- a/documentation/api/v1/auth_api_doc.rb
+++ b/documentation/api/v1/auth_api_doc.rb
@ -15,7 +15,7 @@ module AuthApiDoc
  end

  swagger_path '/api/v1/auth/generate-token' do
-    # Swagger documentation for /api/v1/auth/generate-token GET
+    # Swagger documentation for /api/v1/auth/generate-token POST
    operation :post do

      key :description, 'Return a valid Authorization Bearer token.'
--- a/lib/msf/core/web_services/authentication/strategies/user_password.rb
+++ b/lib/msf/core/web_services/authentication/strategies/user_password.rb
@ -1,3 +1,5 @@
+require 'json'
+
 module Authentication
  module Strategies
    class UserPassword < Warden::Strategies::Base
@ -16,25 +18,31 @@ module Authentication
      # Check if request contains valid data and should be authenticated.
      # @return [Boolean] true if strategy should be run for the request; otherwise, false.
      def valid?
-        body = JSON.parse(request.body.read, symbolize_names: true)
-        request.body.rewind # Reset the StringIO buffer so any further consumers can read the body
-        body[:username] && body[:password]
+        begin
+          body = JSON.parse(request.body.read, symbolize_names: true)
+          body[:username] && body[:password]
+        ensure
+          request.body.rewind # Reset the StringIO buffer so any further consumers can read the body
+        end
      end

      # Authenticate the request.
      def authenticate!
-        body = JSON.parse(request.body.read, symbolize_names: true)
-        request.body.rewind # Reset the StringIO buffer so any further consumers can read the body
-        db_manager = env['msf.db_manager']
-        user = db_manager.users(username: body[:username]).first
+        begin
+          body = JSON.parse(request.body.read, symbolize_names: true)

-        if user.nil? || !db_manager.authenticate_user(id: user.id, password: body[:password])
-          fail("Invalid username or password.")
-        else
-          success!(user)
+          db_manager = env['msf.db_manager']
+          user = db_manager.users(username: body[:username]).first
+
+          if user.nil? || !db_manager.authenticate_user(id: user.id, password: body[:password])
+            fail("Invalid username or password.")
+          else
+            success!(user)
+          end
+        ensure
+          request.body.rewind # Reset the StringIO buffer so any further consumers can read the body
        end
      end
-
    end
  end
 end