saas: Add bearer token authentication for audit console
- Rename SaasAdminController to Admin::AuditController - Override require_authentication to support bearer tokens alongside session auth, allowing API access to audit console - Add migration for audits1984_auditor_tokens table - Add controller tests for authentication scenarios including staff validation on token-based access Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
@@ -38,4 +38,38 @@ class Admin::AuditsControllerTest < ActionDispatch::IntegrationTest
|
||||
|
||||
assert_response :unauthorized
|
||||
end
|
||||
|
||||
test "valid bearer token is allowed" do
|
||||
token = Audits1984::AuditorToken.generate_for(identities(:david))
|
||||
|
||||
untenanted do
|
||||
get saas.admin_audits1984_path, headers: { "Authorization" => "Bearer #{token}" }
|
||||
end
|
||||
|
||||
assert_response :success
|
||||
end
|
||||
|
||||
test "expired bearer token is forbidden" do
|
||||
token = Audits1984::AuditorToken.generate_for(identities(:david))
|
||||
Audits1984::AuditorToken.update_all(expires_at: 1.day.ago)
|
||||
|
||||
untenanted do
|
||||
get saas.admin_audits1984_path, headers: { "Authorization" => "Bearer #{token}" }
|
||||
end
|
||||
|
||||
assert_response :unauthorized
|
||||
end
|
||||
|
||||
test "bearer token for non-staff user is forbidden" do
|
||||
# Even with a valid token, non-staff users should be denied access.
|
||||
# This handles the case where a user's staff privileges are revoked
|
||||
# after a token was issued.
|
||||
token = Audits1984::AuditorToken.generate_for(identities(:jz))
|
||||
|
||||
untenanted do
|
||||
get saas.admin_audits1984_path, headers: { "Authorization" => "Bearer #{token}" }
|
||||
end
|
||||
|
||||
assert_response :forbidden
|
||||
end
|
||||
end
|
||||
|
||||
Reference in New Issue
Block a user