From 4a91e45aa510801c5b2f27217099021178d0f8f9 Mon Sep 17 00:00:00 2001 From: Rob Zolkos Date: Wed, 8 Apr 2026 14:41:32 -0400 Subject: [PATCH] Cover bearer-authenticated export download URLs --- .../accounts/exports_controller_test.rb | 19 +++++++++++++++++++ .../active_storage_authorization_test.rb | 15 ++++++++------- 2 files changed, 27 insertions(+), 7 deletions(-) diff --git a/test/controllers/accounts/exports_controller_test.rb b/test/controllers/accounts/exports_controller_test.rb index fd950f989..188858355 100644 --- a/test/controllers/accounts/exports_controller_test.rb +++ b/test/controllers/accounts/exports_controller_test.rb @@ -103,6 +103,25 @@ class Account::ExportsControllerTest < ActionDispatch::IntegrationTest assert body["download_url"].present? end + test "show as JSON with bearer token returns a download URL that can be fetched" do + export = Account::Export.create!(account: Current.account, user: users(:jason)) + export.build + sign_out + bearer_token = { "HTTP_AUTHORIZATION" => "Bearer #{identity_access_tokens(:jasons_api_token).token}" } + + get account_export_path(export), as: :json, env: bearer_token + assert_response :success + + body = @response.parsed_body + assert_equal export.id, body["id"] + assert_equal "completed", body["status"] + assert body["download_url"].present? + + get URI(body["download_url"]).request_uri, env: bearer_token + assert_response :redirect + assert_match %r{rails/active_storage}, response.location + end + test "show as JSON with pending export" do export = Account::Export.create!(account: Current.account, user: users(:jason)) diff --git a/test/integration/active_storage_authorization_test.rb b/test/integration/active_storage_authorization_test.rb index 045d08e4b..3fed18267 100644 --- a/test/integration/active_storage_authorization_test.rb +++ b/test/integration/active_storage_authorization_test.rb @@ -18,7 +18,9 @@ class ActiveStorageAuthorizationTest < ActionDispatch::IntegrationTest end test "bearer token with board access can view blob" do - get rails_blob_path(@blob, disposition: :inline), env: bearer_token_env(identity_access_tokens(:davids_api_token).token) + bearer_token = { "HTTP_AUTHORIZATION" => "Bearer #{identity_access_tokens(:davids_api_token).token}" } + + get rails_blob_path(@blob, disposition: :inline), env: bearer_token assert_response :redirect assert_match %r{rails/active_storage}, response.location @@ -46,7 +48,9 @@ class ActiveStorageAuthorizationTest < ActionDispatch::IntegrationTest end test "bearer token with board access can view representation" do - get rails_representation_path(@blob.representation(resize_to_limit: [ 100, 100 ])), env: bearer_token_env(identity_access_tokens(:davids_api_token).token) + bearer_token = { "HTTP_AUTHORIZATION" => "Bearer #{identity_access_tokens(:davids_api_token).token}" } + + get rails_representation_path(@blob.representation(resize_to_limit: [ 100, 100 ])), env: bearer_token assert_response :redirect assert_match %r{rails/active_storage/}, response.location @@ -210,8 +214,9 @@ class ActiveStorageAuthorizationTest < ActionDispatch::IntegrationTest test "export owner can download their export with bearer token" do blob = create_export_blob_for(users(:david)) + bearer_token = { "HTTP_AUTHORIZATION" => "Bearer #{identity_access_tokens(:davids_api_token).token}" } - get rails_blob_path(blob, disposition: :attachment), env: bearer_token_env(identity_access_tokens(:davids_api_token).token) + get rails_blob_path(blob, disposition: :attachment), env: bearer_token assert_response :redirect assert_match %r{rails/active_storage}, response.location @@ -272,8 +277,4 @@ class ActiveStorageAuthorizationTest < ActionDispatch::IntegrationTest user.avatar.blob end end - - def bearer_token_env(token) - { "HTTP_AUTHORIZATION" => "Bearer #{token}" } - end end