Files
fizzy/saas/test/controllers/admin/audits_controller_test.rb
T
Mike Dalessio 89d2f2d0fc saas: Add bearer token authentication for audit console
- Rename SaasAdminController to Admin::AuditController
- Override require_authentication to support bearer tokens alongside
  session auth, allowing API access to audit console
- Add migration for audits1984_auditor_tokens table
- Add controller tests for authentication scenarios including staff
  validation on token-based access

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 14:13:54 -05:00

76 lines
2.0 KiB
Ruby

require "test_helper"
class Admin::AuditsControllerTest < ActionDispatch::IntegrationTest
# Test authentication via the Audits1984::SessionsController#index endpoint,
# which inherits from Admin::AuditsController through Audits1984::ApplicationController.
test "unauthenticated access is forbidden" do
untenanted do
get saas.admin_audits1984_path
assert_redirected_to new_session_path
end
end
test "logged-in non-staff access is forbidden" do
sign_in_as :jz
untenanted do
get saas.admin_audits1984_path
end
assert_response :forbidden
end
test "logged-in staff access is allowed" do
sign_in_as :david
untenanted do
get saas.admin_audits1984_path
end
assert_response :success
end
test "invalid bearer token is forbidden" do
untenanted do
get saas.admin_audits1984_path, headers: { "Authorization" => "Bearer invalid_token" }
end
assert_response :unauthorized
end
test "valid bearer token is allowed" do
token = Audits1984::AuditorToken.generate_for(identities(:david))
untenanted do
get saas.admin_audits1984_path, headers: { "Authorization" => "Bearer #{token}" }
end
assert_response :success
end
test "expired bearer token is forbidden" do
token = Audits1984::AuditorToken.generate_for(identities(:david))
Audits1984::AuditorToken.update_all(expires_at: 1.day.ago)
untenanted do
get saas.admin_audits1984_path, headers: { "Authorization" => "Bearer #{token}" }
end
assert_response :unauthorized
end
test "bearer token for non-staff user is forbidden" do
# Even with a valid token, non-staff users should be denied access.
# This handles the case where a user's staff privileges are revoked
# after a token was issued.
token = Audits1984::AuditorToken.generate_for(identities(:jz))
untenanted do
get saas.admin_audits1984_path, headers: { "Authorization" => "Bearer #{token}" }
end
assert_response :forbidden
end
end