fix(api): on fixe avec avec des tests le prob de token

2023-01-19 17:40:19 +01:00 · 2023-01-19 17:40:19 +01:00 · 52380d5249
commit 52380d5249
parent 7206f1b298
2 changed files with 25 additions and 8 deletions
--- a/app/graphql/api/v2/context.rb
+++ b/app/graphql/api/v2/context.rb
@ -34,10 +34,10 @@ class API::V2::Context < GraphQL::Query::Context
    # We are caching authorization logic because it is called for each node
    # of the requested graph and can be expensive. Context is reset per request so it is safe.
    self[:authorized] ||= Hash.new do |hash, demarche_id|
-      hash[demarche_id] = if self[:token]
-        APIToken.find_and_verify(self[:token], demarche.administrateurs).present?
-      elsif self[:administrateur_id]
+      hash[demarche_id] = if self[:administrateur_id]
        demarche.administrateurs.map(&:id).include?(self[:administrateur_id])
+      elsif self[:token]
+        APIToken.find_and_verify(self[:token], demarche.administrateurs).present?
      end
    end

--- a/spec/controllers/api/v2/graphql_controller_spec.rb
+++ b/spec/controllers/api/v2/graphql_controller_spec.rb
@ -151,15 +151,32 @@ describe API::V2::GraphqlController do
        }
      end

-      context "when the does not belong to an admin of the procedure" do
+      context "when the token does not belong to an admin of the procedure" do
        let(:another_administrateur) { create(:administrateur) }
+        let(:token_v3) { APIToken.generate(another_administrateur)[1] }
+        let(:plain_token) { APIToken.send(:unpack, token_v3)[:plain_token] }
        before do
-          request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Token.encode_credentials(APIToken.generate(another_administrateur)[1])
+          request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Token.encode_credentials(token)
        end

-        it {
-          expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
-        }
+        context 'v3' do
+          let(:token) { token_v3 }
+          it {
+            expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
+          }
+        end
+        context 'v2' do
+          let(:token) { APIToken.send(:message_verifier).generate([another_administrateur.id, plain_token]) }
+          it {
+            expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
+          }
+        end
+        context 'v1' do
+          let(:token) { plain_token }
+          it {
+            expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
+          }
+        end
      end

      context "when the token is revoked" do