Api Token: do not generate one token by default

2018-08-24 15:53:57 +02:00 · 2018-08-24 15:53:57 +02:00 · 1997f45d7e
commit 1997f45d7e
parent 17285b0368
7 changed files with 55 additions and 33 deletions
--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@ -7,6 +7,11 @@ class APIController < ApplicationController
    ```
  EOS

+  # deny request with an empty token as we do not want it
+  # to match the first admin with an empty token
+  # it should not happen as an empty token is serialized by ''
+  # and a administrateur without token has admin.api_token == nil
+  before_action :ensure_token_is_present
  before_action :authenticate_user
  before_action :default_format_json

@ -39,4 +44,18 @@ class APIController < ApplicationController
  def default_format_json
    request.format = "json" if !request.params[:format]
  end
+
+  def ensure_token_is_present
+    if params[:token].blank? && header_token.blank?
+      render json: {}, status: 401
+    end
+  end
+
+  def header_token
+    received_token = nil
+    authenticate_with_http_token do |token, _options|
+      received_token = token
+    end
+    received_token
+  end
 end
--- a/app/models/administrateur.rb
+++ b/app/models/administrateur.rb
@ -13,7 +13,6 @@ class Administrateur < ApplicationRecord
  has_many :dossiers, -> { state_not_brouillon }, through: :procedures

  before_validation -> { sanitize_email(:email) }
-  before_save :ensure_api_token

  scope :inactive, -> { where(active: false) }

@ -36,12 +35,6 @@ class Administrateur < ApplicationRecord
    self.inactive.find(id)
  end

-  def ensure_api_token
-    if api_token.nil?
-      self.api_token = generate_api_token
-    end
-  end
-
  def renew_api_token
    update(api_token: generate_api_token)
  end
--- a/spec/controllers/api/v1/dossiers_controller_spec.rb
+++ b/spec/controllers/api/v1/dossiers_controller_spec.rb
@ -1,7 +1,7 @@
 require 'spec_helper'

 describe API::V1::DossiersController do
-  let(:admin) { create(:administrateur) }
+  let(:admin) { create(:administrateur, :with_api_token) }
  let(:procedure) { create(:procedure, :with_two_type_de_piece_justificative, :with_type_de_champ, :with_type_de_champ_private, administrateur: admin) }
  let(:wrong_procedure) { create(:procedure) }

--- a/spec/controllers/api/v1/procedures_controller_spec.rb
+++ b/spec/controllers/api/v1/procedures_controller_spec.rb
@ -1,7 +1,7 @@
 require 'spec_helper'

 describe API::V1::ProceduresController, type: :controller do
-  let(:admin) { create(:administrateur) }
+  let(:admin) { create(:administrateur, :with_api_token) }
  it { expect(described_class).to be < APIController }

  describe 'GET show' do
--- a/spec/controllers/api_controller_spec.rb
+++ b/spec/controllers/api_controller_spec.rb
@ -12,18 +12,43 @@ describe APIController, type: :controller do
  end

  describe 'GET index' do
+    let!(:administrateur) { create(:administrateur) }
+    let!(:administrateur_with_token) { create(:administrateur, :with_api_token) }
+
    context 'when token is missing' do
      subject { get :index }
+
      it { expect(subject.status).to eq(401) }
    end
+
+    context 'when token is empty' do
+      subject { get :index, params: { token: nil } }
+
+      it { expect(subject.status).to eq(401) }
+    end
+
    context 'when token does not exist' do
      let(:token) { 'invalid_token' }
+
      subject { get :index, params: { token: token } }
+
      it { expect(subject.status).to eq(401) }
    end
-    context 'when token exist' do
-      let(:administrateur) { create(:administrateur) }
-      subject { get :index, params: { token: administrateur.api_token } }
+
+    context 'when token exist in the params' do
+      subject { get :index, params: { token: administrateur_with_token.api_token } }
+
+      it { expect(subject.status).to eq(200) }
+    end
+
+    context 'when token exist in the header' do
+      before do
+        valid_headers = { 'Authorization' => "Bearer token=#{administrateur_with_token.api_token}" }
+        request.headers.merge!(valid_headers)
+      end
+
+      subject { get(:index) }
+
      it { expect(subject.status).to eq(200) }
    end
  end
--- a/spec/factories/administrateur.rb
+++ b/spec/factories/administrateur.rb
@ -4,4 +4,10 @@ FactoryBot.define do
    email { generate(:administrateur_email) }
    password { 'mon chien aime les bananes' }
  end
+
+  trait :with_api_token do
+    after(:create) do |admin|
+      admin.renew_api_token
+    end
+  end
 end
--- a/spec/models/administrateur_spec.rb
+++ b/spec/models/administrateur_spec.rb
@ -8,27 +8,6 @@ describe Administrateur, type: :model do
    it { is_expected.to have_many(:procedures) }
  end

-  describe 'after_save' do
-    subject { create(:administrateur) }
-    before do
-      subject.save
-    end
-    it { expect(subject.api_token).not_to be_blank }
-  end
-
-  describe 'generate_api_token' do
-    let(:token) { 'bullshit' }
-    let(:new_token) { 'pocket_master' }
-    let!(:admin_1) { create(:administrateur, api_token: token) }
-    before do
-      allow(SecureRandom).to receive(:hex).and_return(token, new_token)
-      admin_1.renew_api_token
-    end
-    it 'generate a token who does not already exist' do
-      expect(admin_1.api_token).to eq(new_token)
-    end
-  end
-
  context 'unified login' do
    it 'syncs credentials to associated user' do
      administrateur = create(:administrateur)