fix(api): on fixe avec avec des tests le prob de token

This commit is contained in:
Martin 2023-01-19 17:40:19 +01:00
parent 7206f1b298
commit 52380d5249
2 changed files with 25 additions and 8 deletions


@ -34,10 +34,10 @@ class API::V2::Context < GraphQL::Query::Context
# We are caching authorization logic because it is called for each node # We are caching authorization logic because it is called for each node
# of the requested graph and can be expensive. Context is reset per request so it is safe. # of the requested graph and can be expensive. Context is reset per request so it is safe.
self[:authorized] ||= Hash.new do |hash, demarche_id| self[:authorized] ||= Hash.new do |hash, demarche_id|
hash[demarche_id] = if self[:token] hash[demarche_id] = if self[:administrateur_id]
APIToken.find_and_verify(self[:token], demarche.administrateurs).present?
elsif self[:administrateur_id]
demarche.administrateurs.map(&:id).include?(self[:administrateur_id]) demarche.administrateurs.map(&:id).include?(self[:administrateur_id])
elsif self[:token]
APIToken.find_and_verify(self[:token], demarche.administrateurs).present?
end end
end end
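Review bot: With the branches reordered at `hash[demarche_id] = if self[:administrateur_id]`, a request that carries both an administrateur session and an `Authorization` token never reaches `APIToken.find_and_verify`, so a revoked or foreign token in such a request goes unverified and the decision rests on the session alone; the two-line comment above explains only the caching, not this precedence. If that is the intended behaviour, say so next to the condition: `# A logged-in administrateur takes precedence over a bearer token; the token is only verified when no session is present.` If it is not, verifying the token whenever it is present and falling back to the session only when it is absent would be the safer order. The enclosing method starts and ends outside the hunk, and the block memoizes on `demarche_id` while reading `demarche` from outside the hunk, which is worth confirming is the same record.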


@ -151,16 +151,33 @@ describe API::V2::GraphqlController do
} }
end end
context "when the does not belong to an admin of the procedure" do context "when the token does not belong to an admin of the procedure" do
let(:another_administrateur) { create(:administrateur) } let(:another_administrateur) { create(:administrateur) }
let(:token_v3) { APIToken.generate(another_administrateur)[1] }
let(:plain_token) { APIToken.send(:unpack, token_v3)[:plain_token] }
before do before do
request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Token.encode_credentials(APIToken.generate(another_administrateur)[1]) request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Token.encode_credentials(token)
end end
context 'v3' do
let(:token) { token_v3 }
it { it {
expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions") expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
} }
end end
context 'v2' do
let(:token) { APIToken.send(:message_verifier).generate([another_administrateur.id, plain_token]) }
it {
expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
}
end
context 'v1' do
let(:token) { plain_token }
it {
expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
}
end
end
context "when the token is revoked" do context "when the token is revoked" do
before do before do