ApiController: check token validity for a given admin

2018-09-26 15:39:45 +02:00 · 2018-09-26 15:39:45 +02:00 · 4a04f2e59f
commit 4a04f2e59f
parent d576d426f4
3 changed files with 43 additions and 42 deletions
--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@ -16,6 +16,10 @@ class APIController < ApplicationController

  protected

+  def valid_token_for_administrateur?(administrateur)
+    administrateur.valid_api_token?(token)
+  end
+
  def default_format_json
    request.format = "json" if !request.params[:format]
  end
@ -26,6 +30,10 @@ class APIController < ApplicationController
    end
  end

+  def token
+    params_token.presence || header_token
+  end
+
  def header_token
    received_token = nil
    authenticate_with_http_token do |token, _options|
@ -33,4 +41,8 @@ class APIController < ApplicationController
    end
    received_token
  end
+
+  def params_token
+    params[:token]
+  end
 end
--- a/app/models/administrateur.rb
+++ b/app/models/administrateur.rb
@ -43,6 +43,12 @@ class Administrateur < ApplicationRecord
    api_token
  end

+  def valid_api_token?(api_token)
+    BCrypt::Password.new(encrypted_token) == api_token
+  rescue BCrypt::Errors::InvalidHash
+    false
+  end
+
  def registration_state
    if active?
      'Actif'
--- a/spec/controllers/api_controller_spec.rb
+++ b/spec/controllers/api_controller_spec.rb
@ -1,55 +1,38 @@
 require 'spec_helper'

 describe APIController, type: :controller do
-  controller(APIController) do
-    def show
-      render json: {}, satus: 200
+  describe 'valid_token_for_administrateur?' do
+    let!(:admin) { create(:administrateur) }
+
+    subject { controller.send(:'valid_token_for_administrateur?', admin) }
+
+    context 'when the admin has not any token' do
+      context 'and the token is not given' do
+        it { is_expected.to be false }
+      end
    end

-    def index
-      render json: {}, satus: 200
-    end
-  end
+    context 'when the admin has a token' do
+      let!(:token) { admin.renew_api_token }

-  describe 'GET index' do
-    let!(:administrateur) { create(:administrateur) }
-    let!(:administrateur_with_token) { create(:administrateur, :with_api_token) }
+      context 'and the token is given by params' do
+        before { controller.params[:token] = token }

-    context 'when token is missing' do
-      subject { get :index }
-
-      it { expect(subject.status).to eq(401) }
-    end
-
-    context 'when token is empty' do
-      subject { get :index, params: { token: nil } }
-
-      it { expect(subject.status).to eq(401) }
-    end
-
-    context 'when token does not exist' do
-      let(:token) { 'invalid_token' }
-
-      subject { get :index, params: { token: token } }
-
-      it { expect(subject.status).to eq(401) }
-    end
-
-    context 'when token exist in the params' do
-      subject { get :index, params: { token: administrateur_with_token.api_token } }
-
-      it { expect(subject.status).to eq(200) }
-    end
-
-    context 'when token exist in the header' do
-      before do
-        valid_headers = { 'Authorization' => "Bearer token=#{administrateur_with_token.api_token}" }
-        request.headers.merge!(valid_headers)
+        it { is_expected.to be true }
      end

-      subject { get(:index) }
+      context 'and the token is given by header' do
+        before do
+          valid_headers = { 'Authorization' => "Bearer token=#{token}" }
+          request.headers.merge!(valid_headers)
+        end

-      it { expect(subject.status).to eq(200) }
+        it { is_expected.to be true }
+      end
+
+      context 'and the token is not given' do
+        it { is_expected.to be false }
+      end
    end
  end
 end