add logic to detect empty scopes

This commit is contained in:
simon lehericey 2021-09-16 09:09:26 +02:00
parent 745e19bb8e
commit 7ee360df30
3 changed files with 63 additions and 7 deletions


@ -11,15 +11,19 @@ module NewAdministrateur
def update
@procedure.api_particulier_token = token
if @procedure.valid? && fetch_scopes(token).any?
if @procedure.invalid?
flash.now.alert = @procedure.errors.full_messages
render :show
elsif scopes.empty?
flash.now.alert = t('.no_scopes_token')
render :show
else
@procedure.save
redirect_to admin_procedure_api_particulier_jeton_path(procedure_id: @procedure.id),
notice: t('.token_ok')
else
flash.now.alert = t('.invalid_token')
render :show
end
rescue APIParticulier::Error::Unauthorized
flash.now.alert = t('.not_found_token')
render :show
@ -30,7 +34,7 @@ module NewAdministrateur
private
def fetch_scopes(token)
def scopes
@scopes ||= APIParticulier::API.new(token).scopes
end
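Review bot: The format-error branch at `flash.now.alert = @procedure.errors.full_messages` puts an Array into the flash while the two sibling branches put a String, which is presumably why the spec had to change to `flash.alert.first`; a view that interpolates the alert directly would show the Array's string form. Normalising to one type, `flash.now.alert = @procedure.errors.full_messages.to_sentence` (ActiveSupport, which the `flash`/`render` calls suggest is available), keeps the three branches uniform and lets the spec assert on a single message. Separately, `scopes.empty?` is the only place the introspection call happens now and only `APIParticulier::Error::Unauthorized` is rescued; if the client can raise other errors (timeouts, non-2xx responses) they still surface as an unhandled exception here — worth confirming against the client's error hierarchy. The memoising `scopes` helper in the second hunk is fine as written since `[]` is truthy, so an empty result is cached rather than re-fetched. The body of `update` runs past the end of the first hunk, so the remainder is not visible here.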


@ -46,6 +46,14 @@ describe NewAdministrateur::JetonParticulierController, type: :controller do
it { expect(procedure.reload.api_particulier_token).to eql(token) }
end
context "and the api response is a success but with an empty scopes" do
let(:cassette) { "api_particulier/success/introspect_empty_scopes" }
it { expect(flash.alert).to include("le jeton n'a pas acces aux données") }
it { expect(flash.notice).to be_nil }
it { expect(procedure.reload.api_particulier_token).not_to eql(token) }
end
context "and the api response is not unauthorized" do
let(:cassette) { "api_particulier/unauthorized/introspect" }
@ -55,12 +63,12 @@ describe NewAdministrateur::JetonParticulierController, type: :controller do
end
end
context "when jeton is invalid and no call is made" do
context "when jeton is invalid and no network call is made" do
let(:token) { "jet0n 1nvalide" }
before { subject }
it { expect(flash.alert).to include("Mise à jour impossible : le jeton n'est pas valide") }
it { expect(flash.alert.first).to include("pas le bon format") }
it { expect(flash.notice).to be_nil }
it { expect(procedure.reload.api_particulier_token).not_to eql(token) }
end


@ -0,0 +1,44 @@
---
http_interactions:
- request:
method: get
uri: https://particulier.api.gouv.fr/api/introspect
body:
encoding: US-ASCII
string: ''
headers:
User-Agent:
- demarches-simplifiees.fr
Accept:
- application/json
X-Api-Key:
- d7e9c9f4c3ca00caadde31f50fd4521a
Expect:
- ''
response:
status:
code: 200
message: OK
headers:
Date:
- Tue, 16 Mar 2021 15:25:24 GMT
Content-Type:
- application/json
Content-Length:
- '228'
Connection:
- keep-alive
Keep-Alive:
- timeout=5
X-Gravitee-Request-Id:
- 0e4dd327-de40-4052-8dd3-27de401052c4
X-Gravitee-Transaction-Id:
- cc30bb74-6516-46d9-b0bb-746516d6d904
Strict-Transport-Security:
- max-age=15552000
body:
encoding: UTF-8
string: '{"_id":"1d99db5a-a099-4314-ad2f-2707c6b505a6","name":"Application de
sandbox","scopes":[]}'
recorded_at: Tue, 16 Mar 2021 15:25:24 GMT
recorded_with: VCR 6.0.0
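Review bot: The recorded request header `X-Api-Key:` in this new cassette carries a 32-hex-character value that looks like a live credential rather than a placeholder, so it is now committed to the repository history. VCR can scrub it at record time with a `filter_sensitive_data('<API_PARTICULIER_TOKEN>') { ... }` entry in the VCR configuration (value taken from the test's token source), and the same treatment should be applied to the other cassette this spec references, `api_particulier/unauthorized/introspect`, which is not in this diff. If the value was ever valid against the real API it should be rotated regardless of the scrub, since rewriting history is rarely practical. The `X-Gravitee-*` ids and the `_id` in the response body are likely harmless but could be replaced with fixed placeholders for the same reason.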