Class: AtlasRb::System::Token
- Inherits:
-
Object
- Object
- AtlasRb::System::Token
- Extended by:
- FaradayHelper
- Defined in:
- lib/atlas_rb/system/token.rb
Overview
Personal-access token lifecycle — mint and revoke the 1-week JWT a real
person exports as ATLAS_JWT to drive atlas_rb / curl against Atlas
headless (BYO-JWT mode, see FaradayHelper). Cerberus's "My DRS
→ Programmatic access" section calls these post-SSO and hands the token
to the librarian; the token is never persisted by Cerberus.
Why a separate class from User
Token lifecycle is a distinct concern from SSO user provisioning: minting
a bearer credential for someone is "become anyone," which is exactly why
both Atlas endpoints are :system-gated (authorize! :mint_token, User).
Keeping it in its own class keeps that carve-out legible rather than
burying it among provisioning methods.
Both methods authenticate via FaradayHelper#system_connection — the
hard-pinned system token + User: NUID header — so there is no way to
issue them as a regular user. This is never the ambient-user
relay-signing path.
Constant Summary
Constants included from FaradayHelper
FaradayHelper::ASSERTION_AUDIENCE, FaradayHelper::ASSERTION_ISSUER, FaradayHelper::ASSERTION_TTL
Class Method Summary collapse
-
.mint(nuid:) ⇒ String?
Mint a personal-access JWT for a real person (
POST /nuid). -
.revoke(nuid:) ⇒ Boolean
Revoke every outstanding token for a user (
DELETE /nuid) by rotating its jti.
Methods included from FaradayHelper
connection, multipart, system_connection, with_file_part
Class Method Details
.mint(nuid:) ⇒ String?
Mint a personal-access JWT for a real person (POST /nuid).
System-gated. The returned token authenticates as nuid in BYO-JWT
mode (Atlas resolves identity from the token's sub, ignores any
User: / On-Behalf-Of header, and refuses :system/:anonymous).
Full-privilege for that user, 1-week TTL, single-jti.
35 36 37 38 39 40 |
# File 'lib/atlas_rb/system/token.rb', line 35 def self.mint(nuid:) response = system_connection.post("/nuid", { nuid: nuid }.to_json) return nil if response.status == 404 AtlasRb::Mash.new(JSON.parse(response.body))["token"] end |
.revoke(nuid:) ⇒ Boolean
Revoke every outstanding token for a user (DELETE /nuid) by rotating
its jti. System-gated. Single-jti model → all-or-nothing: every token
the user holds dies at once. "Regenerate" on the Cerberus side is
revoke followed by a fresh mint.
The NUID rides as a query param (system_connection's params hash) so
this sidesteps DELETE-with-body handling; Atlas reads it from
params[:nuid] either way.
54 55 56 |
# File 'lib/atlas_rb/system/token.rb', line 54 def self.revoke(nuid:) system_connection({ nuid: nuid }).delete("/nuid").status == 204 end |