secu(graphql): without a token, only persisted queries are allowed

Paul Chavard 2024-07-22 11:11:06 +02:00
parent c31321d695
commit d6f9e57e77
No known key found for this signature in database
4 changed files with 28 additions and 2 deletions


@ -131,7 +131,7 @@ describe API::V2::GraphqlController do
end
it {
expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
expect(gql_errors.first[:message]).to eq("Without a token, only persisted queries are allowed")
}
end
@ -158,7 +158,7 @@ describe API::V2::GraphqlController do
it {
expect(token).not_to be_nil
expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
expect(gql_errors.first[:message]).to eq("Without a token, only persisted queries are allowed")
}
end
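Review bot: In the second hunk the example still asserts `expect(token).not_to be_nil` but now expects "Without a token, only persisted queries are allowed". The message therefore appears to be returned even when a token was sent but not accepted; the enclosing context starts outside the hunk, so this is inferred. A short comment above the expectation would make that intent explicit, for example `# a token that is present but not accepted is handled as unauthenticated, so ad-hoc queries are refused`. Both examples check only `gql_errors.first[:message]`, so also asserting that the response carries no data would pin the access-control behaviour rather than the wording alone.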


@ -47,6 +47,24 @@ describe API::V2::GraphqlController do
}
end
describe 'when not authenticated' do
let(:variables) { { dossierNumber: dossier.id } }
let(:operation_name) { 'getDossier' }
let!(:authorization_header) { nil }
context 'with query' do
let(:query) { 'query getDossier($dossierNumber: Int!) { dossier(number: $dossierNumber) { id } }' }
it { expect(gql_errors.first[:message]).to eq('Without a token, only persisted queries are allowed') }
end
context 'with queryId' do
let(:query_id) { 'ds-query-v2' }
it { expect(gql_errors.first[:message]).to eq('An object of type Dossier was hidden due to permissions') }
end
end
describe 'ds-query-v2' do
let(:dossier) { create(:dossier, :en_construction, :with_individual, procedure:, depose_at: 4.days.ago) }
let(:query_id) { 'ds-query-v2' }