refactor api_controller

app/controllers/api_controller.rb

@@ -1,15 +1,6 @@
 class APIController < ApplicationController
   before_action :default_format_json
-
-  protected
-
-  def find_administrateur_for_token(procedure)
-    api_token = APIToken.authenticate(authorization_bearer_token)
-    if api_token.present? && api_token.context.fetch(:procedure_ids).include?(procedure.id)
-      api_token.touch(:last_v1_authenticated_at)
-      api_token.administrateur
-    end
-  end
+  before_action :authenticate_from_token
 
   private
 
@@ -17,19 +8,24 @@ class APIController < ApplicationController
     request.format = "json" if !request.params[:format]
   end
 
-  def authorization_bearer_token
-    params_token.presence || header_token
-  end
-
-  def header_token
-    received_token = nil
-    authenticate_with_http_token do |token, _options|
-      received_token = token
+  def check_api_token
+    if @api_token.nil?
+      render json: {}, status: :unauthorized
     end
-    received_token
   end
 
-  def params_token
-    params[:token]
+  def authenticate_from_token
+    @api_token = authenticate_with_http_token { |t, _o| APIToken.authenticate(t) }
+
+    # legacy way of sending the token by url
+    # not available in api v2
+    if @api_token.nil?
+      @api_token = APIToken.authenticate(params[:token])
+    end
+
+    if @api_token.present?
+      @api_token.touch(:last_v1_authenticated_at)
+      @current_user = @api_token.administrateur.user
+    end
   end
 end

spec/controllers/api/v1/procedures_controller_spec.rb

@@ -19,6 +19,13 @@ describe API::V1::ProceduresController, type: :controller do
       it { is_expected.to have_http_status(401) }
     end
 
+    context 'when procedure exist but bad token' do
+      let(:token) { 'bad' }
+      let(:procedure_id) { create(:procedure, administrateur: admin).id }
+
+      it { is_expected.to have_http_status(401) }
+    end
+
     context 'when procedure exist' do
       let(:procedure_id) { create(:procedure, administrateur: admin).id }
 

spec/controllers/api_controller_spec.rb

@@ -1,36 +1,41 @@
 describe APIController, type: :controller do
-  describe 'valid_token_for_procedure?' do
+  describe 'authenticate_from_token' do
     let(:procedure) { create(:procedure) }
     let(:admin) { procedure.administrateurs.first }
 
-    subject { !!controller.send(:find_administrateur_for_token, procedure) }
+    subject do
+      controller.send(:authenticate_from_token)
+      assigns(:api_token)
+    end
 
     context 'when the admin has not any token' do
       context 'and the token is not given' do
-        it { is_expected.to be false }
+        it { is_expected.to be nil }
       end
     end
 
     context 'when the admin has a token' do
-      let!(:token) { APIToken.generate(admin)[1] }
+      let(:token_bearer_couple) { APIToken.generate(admin) }
+      let(:token) { token_bearer_couple[0] }
+      let(:bearer) { token_bearer_couple[1] }
 
       context 'and the token is given by params' do
-        before { controller.params[:token] = token }
+        before { controller.params[:token] = bearer }
 
-        it { is_expected.to be true }
+        it { is_expected.to eq(token) }
       end
 
       context 'and the token is given by header' do
         before do
-          valid_headers = { 'Authorization' => "Bearer token=#{token}" }
+          valid_headers = { 'Authorization' => "Bearer token=#{bearer}" }
           request.headers.merge!(valid_headers)
         end
 
-        it { is_expected.to be true }
+        it { is_expected.to eq(token) }
       end
 
       context 'and the token is not given' do
-        it { is_expected.to be false }
+        it { is_expected.to be nil }
       end
     end
   end