diff --git a/app/controllers/api/v2/base_controller.rb b/app/controllers/api/v2/base_controller.rb
index 6bb8f44ac..d993c787e 100644
--- a/app/controllers/api/v2/base_controller.rb
+++ b/app/controllers/api/v2/base_controller.rb
@@ -10,7 +10,7 @@ class API::V2::BaseController < ApplicationController
   def context
     # new token give administrateur_id
     if api_token.administrateur?
-      { administrateur_id: api_token.administrateur_id }
+      { administrateur_id: api_token.administrateur_id, token: api_token.token }
     # web interface (/graphql) give current_administrateur
     elsif current_administrateur.present?
       { administrateur_id: current_administrateur.id }
diff --git a/spec/controllers/api/v2/graphql_controller_spec.rb b/spec/controllers/api/v2/graphql_controller_spec.rb
index 7fd451c30..c8725c3d7 100644
--- a/spec/controllers/api/v2/graphql_controller_spec.rb
+++ b/spec/controllers/api/v2/graphql_controller_spec.rb
@@ -123,6 +123,34 @@ describe API::V2::GraphqlController do
       request.env['HTTP_AUTHORIZATION'] = authorization_header
     end
 
+    describe "token authentication" do
+      it {
+        expect(gql_errors).to eq(nil)
+        expect(gql_data).not_to be_nil
+      }
+
+      context "when the token is invalid" do
+        before do
+          request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Token.encode_credentials('invalid')
+        end
+
+        it {
+          expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
+        }
+      end
+
+      context "when the token is revoked" do
+        before do
+          admin.update(encrypted_token: nil)
+        end
+
+        it {
+          expect(token).not_to be_nil
+          expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
+        }
+      end
+    end
+
     describe "demarche" do
       describe "query a demarche" do
         let(:procedure) { create(:procedure, :published, :for_individual, :with_service, :with_all_champs, :with_all_annotations, administrateurs: [admin]) }
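Review bot: The new `token: api_token.token` entry places the raw credential from the request's Authorization header into the GraphQL context, next to an `administrateur_id` that is not secret, so anything that serializes or logs the context (tracing, error reporting, resolver debugging) would now carry the secret with it. If consumers only need to identify which token is in use, pass the record or a non-secret identifier instead, e.g. `{ administrateur_id: api_token.administrateur_id, api_token: api_token }`, and read the string only where it is strictly needed. The `elsif current_administrateur.present?` branch does not set the key, so consumers must treat it as optional; a comment above the hash such as `# token is only present for API-token auth, absent for session auth` would make that explicit. The `context` method continues past the end of the hunk.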
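Review bot: The two negative contexts ("when the token is invalid", "when the token is revoked") assert only `expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")` and never that the response carries no data, so a regression that reports the permissions error while still returning the demarche would pass; add `expect(gql_data).to be_nil` (or an assertion on the masked field) beside each message check, mirroring the positive case above. In the revoked context, `admin.update(encrypted_token: nil)` returns false on a validation failure, leaving the token valid and the test green for the wrong reason; `admin.update!(encrypted_token: nil)` makes a failed setup raise. The `expect(token).not_to be_nil` line presumably relies on a `let(:token)` defined outside the hunk. Style-wise, `expect(gql_errors).to eq(nil)` is conventionally `expect(gql_errors).to be_nil`, and the multi-line `it { ... }` blocks would read better as `it "..." do ... end` with a description.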