try with svg_token (wip)

lib/travis/api/app/helpers/respond_with.rb

@@ -16,6 +16,8 @@ module RespondWith
       }
 
       def respond_with(resource, options = {})
+        halt 403, 'access denied' unless token_proper?(options[:acceptable_tokens])
+
         result = respond(resource, options)
 
         if result && response.content_type =~ /application\/json/
@@ -32,6 +34,19 @@ def body(value = nil, options = {}, &block)
       end
 
       private
+        # def acceptable_tokens(responder)
+        #   case(responder)
+        #   when :atom
+        #   else
+        # end
+
+        def token_proper?(acceptable_tokens)
+          return true unless params[:token] # it means that ScopeCheck granted access basing on other proper token
+
+          acceptable_tokens ||= [:default]
+          token = Token.find_by_token(params[:token])
+          acceptable_tokens.include?(token.try(:type))
+        end
 
         def respond(resource, options)
           resource = apply_service_responder(resource, options)

lib/travis/model/token.rb

@@ -15,6 +15,14 @@ class Token < Travis::Model
 
   serialize :token, Travis::Model::EncryptedColumn.new(disable: true)
 
+  def type
+    if self.token =~ /svg-/
+      :svg
+    else
+      :default
+    end
+  end
+
   protected
 
     def generate_token

lib/travis/model/user.rb

@@ -15,6 +15,7 @@ class User < Travis::Model
 
   before_create :set_as_recent
   after_create :create_a_token
+  after_create :create_svg_token
   before_save :track_previous_changes
 
   serialize :github_scopes
@@ -40,7 +41,11 @@ def with_email(email_address)
   end
 
   def token
-    tokens.first.try(:token)
+    tokens.find { |t| t.try(:type) == :default}.try(:token)
+  end
+
+  def svg_token
+    tokens.find { |t| t.try(:type) == :svg}.try(:token)
   end
 
   def to_json
@@ -162,8 +167,16 @@ def inspect
     github_oauth_token ? super.gsub(github_oauth_token, '[REDACTED]') : super
   end
 
-  def create_a_token
-    self.tokens.create!
+  def create_a_token(type = :default)
+    token = self.tokens.create!
+    if type == :svg
+      token.token = "svg-#{token.token}"
+      token.save!
+    end
+  end
+
+  def create_svg_token
+    create_a_token(:svg)
   end
 
   protected