Feature: Access tokens for API access (#604)

Co-authored-by: Pranav Raj Sreepuram <pranavrajs@gmail.com>

app/controllers/api/base_controller.rb

@@ -1,9 +1,16 @@
 class Api::BaseController < ApplicationController
+  include AccessTokenAuthHelper
   respond_to :json
-  before_action :authenticate_user!
+  before_action :authenticate_access_token!, if: :authenticate_by_access_token?
+  before_action :validate_bot_access_token!, if: :authenticate_by_access_token?
+  before_action :authenticate_user!, unless: :authenticate_by_access_token?
 
   private
 
+  def authenticate_by_access_token?
+    request.headers[:api_access_token].present?
+  end
+
   def set_conversation
     @conversation ||= current_account.conversations.find_by(display_id: params[:conversation_id])
   end

app/controllers/api/v1/accounts/widget/inboxes_controller.rb

@@ -1,4 +1,4 @@
-class Api::V1::Widget::InboxesController < Api::BaseController
+class Api::V1::Accounts::Widget::InboxesController < Api::BaseController
   before_action :authorize_request
   before_action :set_web_widget_channel, only: [:update]
   before_action :set_inbox, only: [:update]

app/controllers/application_controller.rb

@@ -14,7 +14,25 @@ class ApplicationController < ActionController::Base
   private
 
   def current_account
-    @_ ||= current_user.account
+    @_ ||= find_current_account
+  end
+
+  def find_current_account
+    account = Account.find(params[:account_id])
+    if current_user
+      account_accessible_for_user?(account)
+    elsif @resource&.is_a?(AgentBot)
+      account_accessible_for_bot?(account)
+    end
+    account
+  end
+
+  def account_accessible_for_user?(account)
+    render_unauthorized('You are not authorized to access this account') unless account.account_users.find_by(user_id: current_user.id)
+  end
+
+  def account_accessible_for_bot?(account)
+    render_unauthorized('You are not authorized to access this account') unless @resource.agent_bot_inboxes.find_by(account_id: account.id)
   end
 
   def handle_with_exception

app/controllers/concerns/access_token_auth_helper.rb

@@ -0,0 +1,24 @@
+module AccessTokenAuthHelper
+  BOT_ACCESSIBLE_ENDPOINTS = {
+    'api/v1/accounts/conversations' => ['toggle_status'],
+    'api/v1/accounts/conversations/messages' => ['create']
+  }.freeze
+
+  def authenticate_access_token!
+    access_token = AccessToken.find_by(token: request.headers[:api_access_token])
+    render_unauthorized('Invalid Access Token') && return unless access_token
+    token_owner = access_token.owner
+    @resource = token_owner
+  end
+
+  def validate_bot_access_token!
+    return if current_user.is_a?(User)
+    return if agent_bot_accessible?
+
+    render_unauthorized('Access to this endpoint is not authorized for bots')
+  end
+
+  def agent_bot_accessible?
+    BOT_ACCESSIBLE_ENDPOINTS.fetch(params[:controller], []).include?(params[:action])
+  end
+end