Restrict bearer token authentication to JSON requests

Bearer tokens are for API/SDK/CLI access — they should only
authenticate JSON requests.
This commit is contained in:
Donal McBreen
2026-04-01 08:35:30 +01:00
parent d63801eae3
commit 13e2c74929
2 changed files with 21 additions and 1 deletions
+20
View File
@@ -145,6 +145,26 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
assert_response :no_content
end
test "bearer token does not authenticate HTML requests" do
sign_in_as :jason
sign_out
bearer = { "HTTP_AUTHORIZATION" => "Bearer #{identity_access_tokens(:jasons_api_token).token}" }
get user_path(users(:jason)), env: bearer
assert_response :redirect
end
test "bearer token authenticates JSON requests" do
sign_in_as :jason
sign_out
bearer = { "HTTP_AUTHORIZATION" => "Bearer #{identity_access_tokens(:jasons_api_token).token}" }
get user_path(users(:jason)), env: bearer, as: :json
assert_response :success
end
test "index avoids N+1 queries on identity" do
sign_in_as :kevin