Update API test for cross code

This commit is contained in:
Fernando Olivares
2025-12-12 12:47:57 -06:00
committed by Stanko K.R.
parent 9009e0fb49
commit fbf829b346
+3 -6
View File
@@ -63,19 +63,16 @@ class ApiTest < ActionDispatch::IntegrationTest
end
end
test "magic link consumption with cross-user code via JSON creates session for magic link owner" do
test "magic link consumption with cross-user code via JSON returns unauthorized" do
identity = identities(:david)
other_identity = identities(:jason)
magic_link = other_identity.send_magic_link
pending_token = pending_authentication_token_for(identity.email_address)
# Note: Unlike the HTML flow, the JSON flow creates a session for the magic link's identity
# regardless of whose pending_authentication_token was provided. The token only proves
# that *someone* requested a magic link for *some* email address.
untenanted do
post session_magic_link_path(format: :json), params: { code: magic_link.code, pending_authentication_token: pending_token }
assert_response :success
assert @response.parsed_body["session_token"].present?
assert_response :unauthorized
assert_equal "Authentication failed. Please try again.", @response.parsed_body["message"]
end
end