Restrict bearer token authentication to JSON requests
Bearer tokens are for API/SDK/CLI access — they should only authenticate JSON requests.
This commit is contained in:
@@ -145,6 +145,26 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
|
||||
assert_response :no_content
|
||||
end
|
||||
|
||||
test "bearer token does not authenticate HTML requests" do
|
||||
sign_in_as :jason
|
||||
sign_out
|
||||
|
||||
bearer = { "HTTP_AUTHORIZATION" => "Bearer #{identity_access_tokens(:jasons_api_token).token}" }
|
||||
get user_path(users(:jason)), env: bearer
|
||||
|
||||
assert_response :redirect
|
||||
end
|
||||
|
||||
test "bearer token authenticates JSON requests" do
|
||||
sign_in_as :jason
|
||||
sign_out
|
||||
|
||||
bearer = { "HTTP_AUTHORIZATION" => "Bearer #{identity_access_tokens(:jasons_api_token).token}" }
|
||||
get user_path(users(:jason)), env: bearer, as: :json
|
||||
|
||||
assert_response :success
|
||||
end
|
||||
|
||||
test "index avoids N+1 queries on identity" do
|
||||
sign_in_as :kevin
|
||||
|
||||
|
||||
Reference in New Issue
Block a user