describe APIToken, type: :model do let(:administrateur) { create(:administrateur) } describe '#generate' do let(:api_token_and_packed_token) { APIToken.generate(administrateur) } let(:api_token) { api_token_and_packed_token.first } let(:packed_token) { api_token_and_packed_token.second } before { api_token_and_packed_token } it 'with a full access token' do expect(api_token.administrateur).to eq(administrateur) expect(api_token.prefix).to eq(packed_token.slice(0, 5)) expect(api_token.version).to eq(3) expect(api_token.write_access?).to eq(true) expect(api_token.procedure_ids).to eq([]) expect(api_token.context).to eq(administrateur_id: administrateur.id, procedure_ids: [], write_access: true, api_token_id: api_token.id) expect(api_token.full_access?).to be_truthy end context 'updated read_only' do before { api_token.update(write_access: false) } it do expect(api_token.context).to eq(administrateur_id: administrateur.id, procedure_ids: [], write_access: false, api_token_id: api_token.id) end end context 'with a new added procedure' do let(:procedure) { create(:procedure, administrateurs: [administrateur]) } before do procedure api_token.reload end it do expect(api_token.full_access?).to be_truthy expect(api_token.procedure_ids).to eq([procedure.id]) expect(api_token.procedures).to eq([procedure]) expect(api_token.context).to eq(administrateur_id: administrateur.id, procedure_ids: [procedure.id], write_access: true, api_token_id: api_token.id) end context 'and another procedure, but access only to the first one' do let(:other_procedure) { create(:procedure, administrateurs: [administrateur]) } before do other_procedure api_token.update(allowed_procedure_ids: [procedure.id]) api_token.reload end it do expect(api_token.full_access?).to be_falsey expect(api_token.procedure_ids).to match_array([procedure.id]) expect(api_token.targetable_procedures).to eq([other_procedure]) expect(api_token.context).to eq(administrateur_id: administrateur.id, procedure_ids: [procedure.id], write_access: true, api_token_id: api_token.id) end context 'and then gain full access' do before do api_token.become_full_access! api_token.reload end it do expect(api_token.full_access?).to be(true) expect(api_token.procedure_ids).to match_array([procedure.id, other_procedure.id]) expect(api_token.targetable_procedures).to eq([procedure, other_procedure]) end end end context 'but acces to a wrong procedure_id' do let(:forbidden_procedure) { create(:procedure) } before do api_token.update(allowed_procedure_ids: [forbidden_procedure.id]) api_token.reload end it do expect(api_token.full_access?).to be_falsey expect(api_token.procedure_ids).to eq([]) expect(api_token.targetable_procedures).to eq([procedure]) expect(api_token.context).to eq(administrateur_id: administrateur.id, procedure_ids: [], write_access: true, api_token_id: api_token.id) end end context 'update with destroyed procedure_id' do let(:procedure) { create(:procedure, administrateurs: [administrateur]) } before do api_token.update(allowed_procedure_ids: [procedure.id]) procedure.destroy api_token.reload end it do expect(api_token.full_access?).to be_falsey expect(api_token.procedure_ids).to eq([]) expect(api_token.targetable_procedures).to eq([]) expect(api_token.context).to eq(administrateur_id: administrateur.id, procedure_ids: [], write_access: true, api_token_id: api_token.id) end end context 'update with detached procedure_id' do let(:procedure) { create(:procedure, administrateurs: [administrateur]) } let(:other_procedure) { create(:procedure, administrateurs: [administrateur]) } before do api_token.update(allowed_procedure_ids: [procedure.id]) other_procedure administrateur.procedures.delete(procedure) api_token.reload end it do expect(api_token.full_access?).to be_falsey expect(api_token.procedure_ids).to eq([]) expect(api_token.targetable_procedures).to eq([other_procedure]) expect(api_token.context).to eq(administrateur_id: administrateur.id, procedure_ids: [], write_access: true, api_token_id: api_token.id) end end end end describe '#authenticate' do let(:api_token_and_packed_token) { APIToken.generate(administrateur) } let(:api_token) { api_token_and_packed_token.first } let(:packed_token) { api_token_and_packed_token.second } let(:bearer_token) { packed_token } subject { APIToken.authenticate(bearer_token) } context 'with the legit packed token' do it { is_expected.to eq(api_token) } end context 'with destroyed token' do before { api_token.destroy } it { is_expected.to be_nil } end context 'with destroyed administrateur' do before { api_token.administrateur.destroy } it { is_expected.to be_nil } end context "with a bearer token with the wrong plain_token" do let(:bearer_token) do APIToken::BearerToken.new(api_token.id, 'wrong').to_string end it { is_expected.to be_nil } end end end