c0a0786539
We had a call about this. In short, we could reuse access tokens but then the user would see access tokens for every mobile device they have without any indication as to what is going on. So, since this really is just logging in instead of an integration which seems to be the primary purpose of access tokens, we can just use our regular session cookie for authentication.
50 lines
1.5 KiB
Ruby
50 lines
1.5 KiB
Ruby
require "test_helper"
|
|
|
|
class ApiTest < ActionDispatch::IntegrationTest
|
|
setup do
|
|
@davids_bearer_token = bearer_token_env(identity_access_tokens(:davids_api_token).token)
|
|
@jasons_bearer_token = bearer_token_env(identity_access_tokens(:jasons_api_token).token)
|
|
end
|
|
|
|
test "request a magic link" do
|
|
untenanted do
|
|
post session_path(format: :json), params: { email_address: identities(:david).email_address }
|
|
assert_response :created
|
|
end
|
|
end
|
|
|
|
test "magic link consumption" do
|
|
identity = identities(:david)
|
|
magic_link = identity.send_magic_link
|
|
|
|
untenanted do
|
|
post session_magic_link_path(format: :json), params: { code: magic_link.code }
|
|
assert_response :success
|
|
assert @response.parsed_body["session_token"].present?
|
|
end
|
|
end
|
|
|
|
test "authenticate with valid access token" do
|
|
get boards_path(format: :json), env: @davids_bearer_token
|
|
assert_response :success
|
|
end
|
|
|
|
test "fail to authenticate with invalid access token" do
|
|
get boards_path(format: :json), env: bearer_token_env("nonsense")
|
|
assert_response :unauthorized
|
|
end
|
|
|
|
test "changing data requires a write-endowed access token" do
|
|
post boards_path(format: :json), params: { board: { name: "My new board" } }, env: @jasons_bearer_token
|
|
assert_response :unauthorized
|
|
|
|
post boards_path(format: :json), params: { board: { name: "My new board" } }, env: @davids_bearer_token
|
|
assert_response :success
|
|
end
|
|
|
|
private
|
|
def bearer_token_env(token)
|
|
{ "HTTP_AUTHORIZATION" => "Bearer #{token}" }
|
|
end
|
|
end
|