diff --git a/saas/app/controllers/admin/audits_controller.rb b/saas/app/controllers/admin/audits_controller.rb new file mode 100644 index 000000000..9f9f13fb7 --- /dev/null +++ b/saas/app/controllers/admin/audits_controller.rb @@ -0,0 +1,17 @@ +class Admin::AuditsController < ::AdminController + private + # Extend Fizzy's authentication to support auditor bearer tokens. + def require_authentication + authenticate_by_audit_bearer_token || super + end + + def authenticate_by_audit_bearer_token + if auditor = auditor_from_bearer_token + Current.identity = auditor + end + end + + def find_current_auditor + Current.identity + end +end diff --git a/saas/app/controllers/saas_admin_controller.rb b/saas/app/controllers/saas_admin_controller.rb deleted file mode 100644 index f68ca492e..000000000 --- a/saas/app/controllers/saas_admin_controller.rb +++ /dev/null @@ -1,6 +0,0 @@ -class SaasAdminController < ::AdminController - private - def find_current_auditor - Current.identity - end -end diff --git a/saas/db/migrate/20260126230838_create_auditor_tokens.audits1984.rb b/saas/db/migrate/20260126230838_create_auditor_tokens.audits1984.rb new file mode 100644 index 000000000..3747a6863 --- /dev/null +++ b/saas/db/migrate/20260126230838_create_auditor_tokens.audits1984.rb @@ -0,0 +1,14 @@ +# This migration comes from audits1984 (originally 20260126000000) +class CreateAuditorTokens < ActiveRecord::Migration[7.0] + def change + create_table :audits1984_auditor_tokens do |t| + t.uuid :auditor_id, null: false, index: { unique: true } + t.string :token_digest, null: false + t.datetime :expires_at, null: false + + t.timestamps + + t.index :token_digest, unique: true + end + end +end diff --git a/saas/db/saas_schema.rb b/saas/db/saas_schema.rb index 7e9b80b92..980e952ac 100644 --- a/saas/db/saas_schema.rb +++ b/saas/db/saas_schema.rb @@ -10,7 +10,7 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema[8.2].define(version: 2025_12_16_000000) do +ActiveRecord::Schema[8.2].define(version: 2026_01_26_230838) do create_table "account_billing_waivers", id: :uuid, charset: "utf8mb4", collation: "utf8mb4_0900_ai_ci", force: :cascade do |t| t.uuid "account_id", null: false t.datetime "created_at", null: false @@ -43,6 +43,16 @@ ActiveRecord::Schema[8.2].define(version: 2025_12_16_000000) do t.index ["stripe_subscription_id"], name: "index_account_subscriptions_on_stripe_subscription_id", unique: true end + create_table "audits1984_auditor_tokens", charset: "utf8mb4", collation: "utf8mb4_0900_ai_ci", force: :cascade do |t| + t.uuid "auditor_id", null: false + t.datetime "created_at", null: false + t.datetime "expires_at", null: false + t.string "token_digest", null: false + t.datetime "updated_at", null: false + t.index ["auditor_id"], name: "index_audits1984_auditor_tokens_on_auditor_id", unique: true + t.index ["token_digest"], name: "index_audits1984_auditor_tokens_on_token_digest", unique: true + end + create_table "audits1984_audits", charset: "utf8mb4", collation: "utf8mb4_0900_ai_ci", force: :cascade do |t| t.uuid "auditor_id", null: false t.datetime "created_at", null: false diff --git a/saas/lib/fizzy/saas/engine.rb b/saas/lib/fizzy/saas/engine.rb index fc4ff891e..47b0480e1 100644 --- a/saas/lib/fizzy/saas/engine.rb +++ b/saas/lib/fizzy/saas/engine.rb @@ -126,7 +126,7 @@ module Fizzy config.console1984.base_record_class = "::SaasRecord" config.console1984.incinerate_after = 60.days - config.audits1984.base_controller_class = "::SaasAdminController" + config.audits1984.base_controller_class = "::Admin::AuditsController" config.audits1984.auditor_class = "::Identity" config.audits1984.auditor_name_attribute = :email_address diff --git a/saas/test/controllers/admin/audits_controller_test.rb b/saas/test/controllers/admin/audits_controller_test.rb index 4fdbe638e..6aa94ef7a 100644 --- a/saas/test/controllers/admin/audits_controller_test.rb +++ b/saas/test/controllers/admin/audits_controller_test.rb @@ -38,4 +38,38 @@ class Admin::AuditsControllerTest < ActionDispatch::IntegrationTest assert_response :unauthorized end + + test "valid bearer token is allowed" do + token = Audits1984::AuditorToken.generate_for(identities(:david)) + + untenanted do + get saas.admin_audits1984_path, headers: { "Authorization" => "Bearer #{token}" } + end + + assert_response :success + end + + test "expired bearer token is forbidden" do + token = Audits1984::AuditorToken.generate_for(identities(:david)) + Audits1984::AuditorToken.update_all(expires_at: 1.day.ago) + + untenanted do + get saas.admin_audits1984_path, headers: { "Authorization" => "Bearer #{token}" } + end + + assert_response :unauthorized + end + + test "bearer token for non-staff user is forbidden" do + # Even with a valid token, non-staff users should be denied access. + # This handles the case where a user's staff privileges are revoked + # after a token was issued. + token = Audits1984::AuditorToken.generate_for(identities(:jz)) + + untenanted do + get saas.admin_audits1984_path, headers: { "Authorization" => "Bearer #{token}" } + end + + assert_response :forbidden + end end