diff --git a/spec/controllers/api/v2/graphql_controller_spec.rb b/spec/controllers/api/v2/graphql_controller_spec.rb
index 1ffeedf5e..3447beaec 100644
--- a/spec/controllers/api/v2/graphql_controller_spec.rb
+++ b/spec/controllers/api/v2/graphql_controller_spec.rb
@@ -3,7 +3,6 @@ describe API::V2::GraphqlController do
 let(:generated_token) { APIToken.generate(admin) }
 let(:api_token) { generated_token.first }
 let(:token) { generated_token.second }
- let(:legacy_token) { APIToken.send(:unpack, token)[:plain_token] }
 let(:procedure) { create(:procedure, :published, :for_individual, :with_service, administrateurs: [admin]) }
 let(:dossier) { create(:dossier, :en_construction, :with_individual, procedure: procedure) }
 let(:dossier1) { create(:dossier, :en_construction, :with_individual, procedure: procedure, en_construction_at: 1.day.ago) }
@@ -113,20 +112,6 @@ describe API::V2::GraphqlController do
 subject { post :execute, params: { query: query, variables: variables, operationName: operation_name, queryId: query_id }.compact, as: :json }
- context "when authenticated with legacy token" do
- let(:authorization_header) { ActionController::HttpAuthentication::Token.encode_credentials(legacy_token) }
-
- before do
- request.env['HTTP_AUTHORIZATION'] = authorization_header
- admin.api_tokens.first.update(version: 1)
- end
-
- it "returns the demarche" do
- expect(gql_errors).to eq(nil)
- expect(gql_data[:demarche][:id]).to eq(procedure.to_typed_id)
- end
- end
-
 context "when authenticated" do
 let(:authorization_header) { ActionController::HttpAuthentication::Token.encode_credentials(token) }
@@ -164,18 +149,6 @@ describe API::V2::GraphqlController do
 expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
 }
 end
- context 'v2' do
- let(:token) { APIToken.send(:message_verifier).generate([another_administrateur.id, plain_token]) }
- it {
- expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
- }
- end
- context 'v1' do
- let(:token) { plain_token }
- it {
- expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
- }
- end
 end
 context "when the token is revoked" do
@@ -1499,13 +1472,15 @@ describe API::V2::GraphqlController do
 message {
 body
 }
+ errors {
+ message
+ }
 }
 }"
 end
 it "should return error" do
- expect(gql_data[:dossierEnvoyerMessage]).to eq(nil)
- expect(gql_errors).not_to eq(nil)
+ expect(gql_data[:dossierEnvoyerMessage][:errors].first[:message]).to eq("Le jeton utilisé est configuré seulement en lecture")
 end
 end
 end
diff --git a/spec/models/api_token_spec.rb b/spec/models/api_token_spec.rb
index ce07a1808..714ebc99e 100644
--- a/spec/models/api_token_spec.rb
+++ b/spec/models/api_token_spec.rb
@@ -1,12 +1,11 @@
 describe APIToken, type: :model do
 let(:administrateur) { create(:administrateur) }
- let(:api_token_and_packed_token) { APIToken.generate(administrateur) }
- let(:api_token) { api_token_and_packed_token.first }
- let(:packed_token) { api_token_and_packed_token.second }
- let(:plain_token) { APIToken.send(:unpack, packed_token)[:plain_token] }
- let(:packed_token_v2) { APIToken.send(:message_verifier).generate([administrateur.id, plain_token]) }
 describe '#generate' do
+ let(:api_token_and_packed_token) { APIToken.generate(administrateur) }
+ let(:api_token) { api_token_and_packed_token.first }
+ let(:packed_token) { api_token_and_packed_token.second }
+
 it do
 expect(api_token.administrateur).to eq(administrateur)
 expect(api_token.prefix).to eq(packed_token.slice(0, 5))
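Review bot: The rewritten "should return error" example only checks the error text, so it no longer proves that the read-only token's mutation had no effect: the query still selects `message { body }`, the old `expect(gql_data[:dossierEnvoyerMessage]).to eq(nil)` is gone, and nothing asserts the payload's `message` is nil or that no message was persisted. I would add `expect(gql_data[:dossierEnvoyerMessage][:message]).to be_nil` and, since the failure is now reported in the typed payload, `expect(gql_errors).to be_nil` to pin that it is not also surfaced as a top-level GraphQL error. A `change { ... }.by(0)` on the dossier's message count would be stronger still, if the spec has a cheap way to count them. The `let(:query)` heredoc begins before this hunk.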
@@ -109,137 +108,36 @@ describe APIToken, type: :model do
 end
 describe '#find_and_verify' do
- let(:result) { APIToken.find_and_verify(token, administrateurs) }
- let(:token) { packed_token }
- let(:administrateurs) { [administrateur] }
+ let(:api_token_and_packed_token) { APIToken.generate(administrateur) }
+ let(:api_token) { api_token_and_packed_token.first }
+ let(:packed_token) { api_token_and_packed_token.second }
+ let(:bearer_token) { packed_token }
- context 'without administrateur' do
- let(:administrateurs) { [] }
+ subject { APIToken.find_and_verify(bearer_token) }
- context 'with packed token' do
- it { expect(result).to be_truthy }
- end
-
- context 'with packed token v2' do
- before { api_token.update(version: 2) }
- let(:token) { packed_token_v2 }
- it { expect(result).to be_truthy }
- end
-
- context 'with plain token' do
- before { api_token.update(version: 1) }
- let(:token) { plain_token }
- it { expect(result).to be_falsey }
- end
+ context 'with the legit packed token' do
+ it { is_expected.to eq(api_token) }
 end
 context 'with destroyed token' do
 before { api_token.destroy }
- context 'with packed token' do
- it { expect(result).to be_falsey }
- end
-
- context 'with packed token v2' do
- let(:token) { packed_token_v2 }
- it { expect(result).to be_falsey }
- end
-
- context 'with plain token' do
- let(:token) { plain_token }
- it { expect(result).to be_falsey }
- end
+ it { is_expected.to be_nil }
 end
 context 'with destroyed administrateur' do
 before { api_token.administrateur.destroy }
- let(:administrateurs) { [] }
- context 'with packed token' do
- it { expect(result).to be_falsey }
- end
-
- context 'with packed token v2' do
- let(:token) { packed_token_v2 }
- it { expect(result).to be_falsey }
- end
-
- context 'with plain token' do
- let(:token) { plain_token }
- it { expect(result).to be_falsey }
- end
+ it { is_expected.to be_nil }
 end
- context 'with other administrateur' do
- let(:other_administrateur) { create(:administrateur, :with_api_token) }
- let(:administrateurs) { [other_administrateur] }
-
- context 'with packed token' do
- it { expect(result).to be_truthy }
+ context "with a bearer token with the wrong plain_token" do
+ let(:bearer_token) do
+ clear_packed = [api_token.id, 'wrong'].join(';')
+ Base64.urlsafe_encode64(clear_packed)
 end
- context 'with packed token v2' do
- before { api_token.update(version: 2) }
-
- let(:token) { packed_token_v2 }
- it { expect(result).to be_truthy }
- end
-
- context 'with plain token' do
- before { api_token.update(version: 1) }
-
- let(:token) { plain_token }
- it { expect(result).to be_falsey }
- end
- end
-
- context 'with many administrateurs' do
- let(:other_administrateur) { create(:administrateur, :with_api_token) }
- let(:other_api_token_and_packed_token) { APIToken.generate(other_administrateur) }
- let(:other_api_token) { other_api_token_and_packed_token.first }
- let(:other_packed_token) { other_api_token_and_packed_token.second }
- let(:other_plain_token) { APIToken.send(:unpack, other_packed_token)[:plain_token] }
- let(:administrateurs) { [administrateur, other_administrateur] }
-
- context 'with plain token' do
- before do
- api_token.update(version: 1)
- other_api_token.update(version: 1)
- end
-
- let(:token) { plain_token }
- it { expect(result).to be_truthy }
-
- context 'with other plain token' do
- let(:token) { other_plain_token }
- it { expect(result).to be_truthy }
- end
- end
- end
-
- context 'with packed token' do
- it { expect(result).to be_truthy }
- end
-
- context 'with packed token v2' do
- before { api_token.update(version: 2) }
-
- let(:token) { packed_token_v2 }
- it { expect(result).to be_truthy }
- end
-
- context 'with plain token' do
- before { api_token.update(version: 1) }
-
- let(:token) { plain_token }
- it { expect(result).to be_truthy }
- end
-
- context "with valid garbage base64" do
- before { api_token.update(version: 1, encrypted_token: BCrypt::Password.create(token)) }
-
- let(:token) { "R5dAqE7nMxfMp93PcuuevDtn" }
- it { expect(result).to be_truthy }
+ it { is_expected.to be_nil }
 end
 end
 end
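Review bot: The only negative case for a well-formed bearer token is a wrong secret for the right id, so two rejections an attacker would actually probe are untested: a mixed token that combines one token's id with another token's plain part, and input that is not base64 or has no `;` separator, where a raise inside find_and_verify would turn a bad Authorization header into a 500 rather than a 401 unless the controller rescues it. The controller spec in this same commit has a `context "when the token is revoked"`, so a revoked token should be covered here at model level too if the model exposes that state. The mixed-token example below derives the plain part by decoding the packed token with the same `id;plain` base64url layout this hunk's own "wrong plain_token" case builds — confirm that matches the real packing before relying on it. The `describe '#find_and_verify'` block closes inside the hunk, so these contexts slot in before its final `end`.
```ruby
# … unchanged: legit / destroyed token / destroyed administrateur / wrong plain_token contexts …

context 'with a bearer token that is not base64' do
  let(:bearer_token) { '%%%' }
  it { is_expected.to be_nil }
end

context 'with a bearer token that has no separator' do
  let(:bearer_token) { Base64.urlsafe_encode64('nosep') }
  it { is_expected.to be_nil }
end

context "with another token's id and this token's plain part" do
  let(:other_api_token) { APIToken.generate(administrateur).first }
  let(:bearer_token) do
    plain = Base64.urlsafe_decode64(packed_token).split(';').last
    Base64.urlsafe_encode64([other_api_token.id, plain].join(';'))
  end
  it { is_expected.to be_nil }
end
```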