Feat: authenticate direct upload (#4160)

app/controllers/concerns/ensure_current_account_helper.rb

@@ -0,0 +1,28 @@
+module EnsureCurrentAccountHelper
+  private
+
+  def current_account
+    @current_account ||= ensure_current_account
+    Current.account = @current_account
+  end
+
+  def ensure_current_account
+    account = Account.find(params[:account_id])
+    if current_user
+      account_accessible_for_user?(account)
+    elsif @resource.is_a?(AgentBot)
+      account_accessible_for_bot?(account)
+    end
+    account
+  end
+
+  def account_accessible_for_user?(account)
+    @current_account_user = account.account_users.find_by(user_id: current_user.id)
+    Current.account_user = @current_account_user
+    render_unauthorized('You are not authorized to access this account') unless @current_account_user
+  end
+
+  def account_accessible_for_bot?(account)
+    render_unauthorized('You are not authorized to access this account') unless @resource.agent_bot_inboxes.find_by(account_id: account.id)
+  end
+end

app/controllers/concerns/website_token_helper.rb

@@ -0,0 +1,22 @@
+module WebsiteTokenHelper
+  def auth_token_params
+    @auth_token_params ||= ::Widget::TokenService.new(token: request.headers['X-Auth-Token']).decode_token
+  end
+
+  def set_web_widget
+    @web_widget = ::Channel::WebWidget.find_by!(website_token: permitted_params[:website_token])
+    @current_account = @web_widget.account
+  end
+
+  def set_contact
+    @contact_inbox = @web_widget.inbox.contact_inboxes.find_by(
+      source_id: auth_token_params[:source_id]
+    )
+    @contact = @contact_inbox&.contact
+    raise ActiveRecord::RecordNotFound unless @contact
+  end
+
+  def permitted_params
+    params.permit(:website_token)
+  end
+end