fix(api): on fixe avec avec des tests le prob de token
This commit is contained in:
parent
7206f1b298
commit
52380d5249
2 changed files with 25 additions and 8 deletions
|
@ -34,10 +34,10 @@ class API::V2::Context < GraphQL::Query::Context
|
||||||
# We are caching authorization logic because it is called for each node
|
# We are caching authorization logic because it is called for each node
|
||||||
# of the requested graph and can be expensive. Context is reset per request so it is safe.
|
# of the requested graph and can be expensive. Context is reset per request so it is safe.
|
||||||
self[:authorized] ||= Hash.new do |hash, demarche_id|
|
self[:authorized] ||= Hash.new do |hash, demarche_id|
|
||||||
hash[demarche_id] = if self[:token]
|
hash[demarche_id] = if self[:administrateur_id]
|
||||||
APIToken.find_and_verify(self[:token], demarche.administrateurs).present?
|
|
||||||
elsif self[:administrateur_id]
|
|
||||||
demarche.administrateurs.map(&:id).include?(self[:administrateur_id])
|
demarche.administrateurs.map(&:id).include?(self[:administrateur_id])
|
||||||
|
elsif self[:token]
|
||||||
|
APIToken.find_and_verify(self[:token], demarche.administrateurs).present?
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -151,16 +151,33 @@ describe API::V2::GraphqlController do
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
context "when the does not belong to an admin of the procedure" do
|
context "when the token does not belong to an admin of the procedure" do
|
||||||
let(:another_administrateur) { create(:administrateur) }
|
let(:another_administrateur) { create(:administrateur) }
|
||||||
|
let(:token_v3) { APIToken.generate(another_administrateur)[1] }
|
||||||
|
let(:plain_token) { APIToken.send(:unpack, token_v3)[:plain_token] }
|
||||||
before do
|
before do
|
||||||
request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Token.encode_credentials(APIToken.generate(another_administrateur)[1])
|
request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Token.encode_credentials(token)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'v3' do
|
||||||
|
let(:token) { token_v3 }
|
||||||
it {
|
it {
|
||||||
expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
|
expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
context 'v2' do
|
||||||
|
let(:token) { APIToken.send(:message_verifier).generate([another_administrateur.id, plain_token]) }
|
||||||
|
it {
|
||||||
|
expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
|
||||||
|
}
|
||||||
|
end
|
||||||
|
context 'v1' do
|
||||||
|
let(:token) { plain_token }
|
||||||
|
it {
|
||||||
|
expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
|
||||||
|
}
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
context "when the token is revoked" do
|
context "when the token is revoked" do
|
||||||
before do
|
before do
|
||||||
|
|
Loading…
Reference in a new issue