Files
fizzy/test/controllers/api_test.rb
T
Stanko K.R. c0a0786539 Return the session cookie
We had a call about this. In short, we could reuse access tokens but then the user would see access tokens for every mobile device they have without any indication as to what is going on. So, since this really is just logging in instead of an integration which seems to be the primary purpose of access tokens, we can just use our regular session cookie for authentication.
2025-12-19 19:21:57 +01:00

50 lines
1.5 KiB
Ruby

require "test_helper"
class ApiTest < ActionDispatch::IntegrationTest
setup do
@davids_bearer_token = bearer_token_env(identity_access_tokens(:davids_api_token).token)
@jasons_bearer_token = bearer_token_env(identity_access_tokens(:jasons_api_token).token)
end
test "request a magic link" do
untenanted do
post session_path(format: :json), params: { email_address: identities(:david).email_address }
assert_response :created
end
end
test "magic link consumption" do
identity = identities(:david)
magic_link = identity.send_magic_link
untenanted do
post session_magic_link_path(format: :json), params: { code: magic_link.code }
assert_response :success
assert @response.parsed_body["session_token"].present?
end
end
test "authenticate with valid access token" do
get boards_path(format: :json), env: @davids_bearer_token
assert_response :success
end
test "fail to authenticate with invalid access token" do
get boards_path(format: :json), env: bearer_token_env("nonsense")
assert_response :unauthorized
end
test "changing data requires a write-endowed access token" do
post boards_path(format: :json), params: { board: { name: "My new board" } }, env: @jasons_bearer_token
assert_response :unauthorized
post boards_path(format: :json), params: { board: { name: "My new board" } }, env: @davids_bearer_token
assert_response :success
end
private
def bearer_token_env(token)
{ "HTTP_AUTHORIZATION" => "Bearer #{token}" }
end
end