fix(graphql): check if tokens are revoked

2022-11-25 16:27:11 +01:00 · 2022-11-25 16:27:11 +01:00 · ee30a95847
commit ee30a95847
parent 286db17eb2
2 changed files with 29 additions and 1 deletions
--- a/app/controllers/api/v2/base_controller.rb
+++ b/app/controllers/api/v2/base_controller.rb
@ -10,7 +10,7 @@ class API::V2::BaseController < ApplicationController
  def context
    # new token give administrateur_id
    if api_token.administrateur?
-      { administrateur_id: api_token.administrateur_id }
+      { administrateur_id: api_token.administrateur_id, token: api_token.token }
    # web interface (/graphql) give current_administrateur
    elsif current_administrateur.present?
      { administrateur_id: current_administrateur.id }
--- a/spec/controllers/api/v2/graphql_controller_spec.rb
+++ b/spec/controllers/api/v2/graphql_controller_spec.rb
@ -123,6 +123,34 @@ describe API::V2::GraphqlController do
      request.env['HTTP_AUTHORIZATION'] = authorization_header
    end

+    describe "token authentication" do
+      it {
+        expect(gql_errors).to eq(nil)
+        expect(gql_data).not_to be_nil
+      }
+
+      context "when the token is invalid" do
+        before do
+          request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Token.encode_credentials('invalid')
+        end
+
+        it {
+          expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
+        }
+      end
+
+      context "when the token is revoked" do
+        before do
+          admin.update(encrypted_token: nil)
+        end
+
+        it {
+          expect(token).not_to be_nil
+          expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
+        }
+      end
+    end
+
    describe "demarche" do
      describe "query a demarche" do
        let(:procedure) { create(:procedure, :published, :for_individual, :with_service, :with_all_champs, :with_all_annotations, administrateurs: [admin]) }