Cover bearer-authenticated export download URLs

This commit is contained in:
Rob Zolkos
2026-04-08 14:41:32 -04:00
parent 5e154a767f
commit 4a91e45aa5
2 changed files with 27 additions and 7 deletions
@@ -103,6 +103,25 @@ class Account::ExportsControllerTest < ActionDispatch::IntegrationTest
assert body["download_url"].present? assert body["download_url"].present?
end end
test "show as JSON with bearer token returns a download URL that can be fetched" do
export = Account::Export.create!(account: Current.account, user: users(:jason))
export.build
sign_out
bearer_token = { "HTTP_AUTHORIZATION" => "Bearer #{identity_access_tokens(:jasons_api_token).token}" }
get account_export_path(export), as: :json, env: bearer_token
assert_response :success
body = @response.parsed_body
assert_equal export.id, body["id"]
assert_equal "completed", body["status"]
assert body["download_url"].present?
get URI(body["download_url"]).request_uri, env: bearer_token
assert_response :redirect
assert_match %r{rails/active_storage}, response.location
end
test "show as JSON with pending export" do test "show as JSON with pending export" do
export = Account::Export.create!(account: Current.account, user: users(:jason)) export = Account::Export.create!(account: Current.account, user: users(:jason))
@@ -18,7 +18,9 @@ class ActiveStorageAuthorizationTest < ActionDispatch::IntegrationTest
end end
test "bearer token with board access can view blob" do test "bearer token with board access can view blob" do
get rails_blob_path(@blob, disposition: :inline), env: bearer_token_env(identity_access_tokens(:davids_api_token).token) bearer_token = { "HTTP_AUTHORIZATION" => "Bearer #{identity_access_tokens(:davids_api_token).token}" }
get rails_blob_path(@blob, disposition: :inline), env: bearer_token
assert_response :redirect assert_response :redirect
assert_match %r{rails/active_storage}, response.location assert_match %r{rails/active_storage}, response.location
@@ -46,7 +48,9 @@ class ActiveStorageAuthorizationTest < ActionDispatch::IntegrationTest
end end
test "bearer token with board access can view representation" do test "bearer token with board access can view representation" do
get rails_representation_path(@blob.representation(resize_to_limit: [ 100, 100 ])), env: bearer_token_env(identity_access_tokens(:davids_api_token).token) bearer_token = { "HTTP_AUTHORIZATION" => "Bearer #{identity_access_tokens(:davids_api_token).token}" }
get rails_representation_path(@blob.representation(resize_to_limit: [ 100, 100 ])), env: bearer_token
assert_response :redirect assert_response :redirect
assert_match %r{rails/active_storage/}, response.location assert_match %r{rails/active_storage/}, response.location
@@ -210,8 +214,9 @@ class ActiveStorageAuthorizationTest < ActionDispatch::IntegrationTest
test "export owner can download their export with bearer token" do test "export owner can download their export with bearer token" do
blob = create_export_blob_for(users(:david)) blob = create_export_blob_for(users(:david))
bearer_token = { "HTTP_AUTHORIZATION" => "Bearer #{identity_access_tokens(:davids_api_token).token}" }
get rails_blob_path(blob, disposition: :attachment), env: bearer_token_env(identity_access_tokens(:davids_api_token).token) get rails_blob_path(blob, disposition: :attachment), env: bearer_token
assert_response :redirect assert_response :redirect
assert_match %r{rails/active_storage}, response.location assert_match %r{rails/active_storage}, response.location
@@ -272,8 +277,4 @@ class ActiveStorageAuthorizationTest < ActionDispatch::IntegrationTest
user.avatar.blob user.avatar.blob
end end
end end
def bearer_token_env(token)
{ "HTTP_AUTHORIZATION" => "Bearer #{token}" }
end
end end