add logic to detect empty scopes

2021-09-16 09:09:26 +02:00 · 2021-09-16 09:09:26 +02:00 · 7ee360df30
commit 7ee360df30
parent 745e19bb8e
3 changed files with 63 additions and 7 deletions
--- a/app/controllers/new_administrateur/jeton_particulier_controller.rb
+++ b/app/controllers/new_administrateur/jeton_particulier_controller.rb
@ -11,15 +11,19 @@ module NewAdministrateur
    def update
      @procedure.api_particulier_token = token

-      if @procedure.valid? && fetch_scopes(token).any?
+      if @procedure.invalid?
+        flash.now.alert = @procedure.errors.full_messages
+        render :show
+      elsif scopes.empty?
+        flash.now.alert = t('.no_scopes_token')
+        render :show
+      else
        @procedure.save

        redirect_to admin_procedure_api_particulier_jeton_path(procedure_id: @procedure.id),
          notice: t('.token_ok')
-      else
-        flash.now.alert = t('.invalid_token')
-        render :show
      end
+
    rescue APIParticulier::Error::Unauthorized
      flash.now.alert = t('.not_found_token')
      render :show
@ -30,7 +34,7 @@ module NewAdministrateur

    private

-    def fetch_scopes(token)
+    def scopes
      @scopes ||= APIParticulier::API.new(token).scopes
    end

--- a/spec/controllers/new_administrateur/jeton_particulier_controller_spec.rb
+++ b/spec/controllers/new_administrateur/jeton_particulier_controller_spec.rb
@ -46,6 +46,14 @@ describe NewAdministrateur::JetonParticulierController, type: :controller do
        it { expect(procedure.reload.api_particulier_token).to eql(token) }
      end

+      context "and the api response is a success but with an empty scopes" do
+        let(:cassette) { "api_particulier/success/introspect_empty_scopes" }
+
+        it { expect(flash.alert).to include("le jeton n'a pas acces aux données") }
+        it { expect(flash.notice).to be_nil }
+        it { expect(procedure.reload.api_particulier_token).not_to eql(token) }
+      end
+
      context "and the api response is not unauthorized" do
        let(:cassette) { "api_particulier/unauthorized/introspect" }

@ -55,12 +63,12 @@ describe NewAdministrateur::JetonParticulierController, type: :controller do
      end
    end

-    context "when jeton is invalid and no call is made" do
+    context "when jeton is invalid and no network call is made" do
      let(:token) { "jet0n 1nvalide" }

      before { subject }

-      it { expect(flash.alert).to include("Mise à jour impossible : le jeton n'est pas valide") }
+      it { expect(flash.alert.first).to include("pas le bon format") }
      it { expect(flash.notice).to be_nil }
      it { expect(procedure.reload.api_particulier_token).not_to eql(token) }
    end
--- a/spec/fixtures/cassettes/api_particulier/success/introspect_empty_scopes.yml
+++ b/spec/fixtures/cassettes/api_particulier/success/introspect_empty_scopes.yml
@ -0,0 +1,44 @@
+---
+http_interactions:
+- request:
+    method: get
+    uri: https://particulier.api.gouv.fr/api/introspect
+    body:
+      encoding: US-ASCII
+      string: ''
+    headers:
+      User-Agent:
+      - demarches-simplifiees.fr
+      Accept:
+      - application/json
+      X-Api-Key:
+      - d7e9c9f4c3ca00caadde31f50fd4521a
+      Expect:
+      - ''
+  response:
+    status:
+      code: 200
+      message: OK
+    headers:
+      Date:
+      - Tue, 16 Mar 2021 15:25:24 GMT
+      Content-Type:
+      - application/json
+      Content-Length:
+      - '228'
+      Connection:
+      - keep-alive
+      Keep-Alive:
+      - timeout=5
+      X-Gravitee-Request-Id:
+      - 0e4dd327-de40-4052-8dd3-27de401052c4
+      X-Gravitee-Transaction-Id:
+      - cc30bb74-6516-46d9-b0bb-746516d6d904
+      Strict-Transport-Security:
+      - max-age=15552000
+    body:
+      encoding: UTF-8
+      string: '{"_id":"1d99db5a-a099-4314-ad2f-2707c6b505a6","name":"Application de
+        sandbox","scopes":[]}'
+  recorded_at: Tue, 16 Mar 2021 15:25:24 GMT
+recorded_with: VCR 6.0.0