Add OAuth scopes

https://github.com/foodcoops/foodsoft/issues/582#issuecomment-442513237
2019-02-05 20:53:02 +01:00 · 2019-02-05 20:53:02 +01:00 · e9be38b3e9
commit e9be38b3e9
parent 02f1940694
12 changed files with 162 additions and 32 deletions
--- a/spec/api/v1/swagger_spec.rb
+++ b/spec/api/v1/swagger_spec.rb
@ -15,6 +15,7 @@ describe 'API v1', type: :apivore, order: :defined do

  context 'has valid paths' do
    context 'user' do
+      let(:api_scopes) { ['user:read'] }
      # create multiple users to make sure we're getting the authenticated user, not just any
      let!(:other_user_1) { create :user }
      let!(:user)         { create :user }
@ -23,20 +24,23 @@ describe 'API v1', type: :apivore, order: :defined do
      it { is_expected.to validate(:get, '/user', 200, api_auth) }
      it { is_expected.to validate(:get, '/user', 401) }

-      context 'with invalid access token' do
-        let(:api_access_token) { 'abc' }
-        it { is_expected.to validate(:get, '/user', 401, api_auth) }
-      end
+      it_handles_invalid_token_and_scope(:get, '/user')
    end

    context 'config' do
+      let(:api_scopes) { ['config:user'] }
+
      it { is_expected.to validate(:get, '/config', 200, api_auth) }
      it { is_expected.to validate(:get, '/config', 401) }
+
+      it_handles_invalid_token_and_scope(:get, '/config')
    end

    context 'navigation' do
      it { is_expected.to validate(:get, '/navigation', 200, api_auth) }
      it { is_expected.to validate(:get, '/navigation', 401) }
+
+      it_handles_invalid_token(:get, '/navigation')
    end
  end

--- a/spec/factories/user.rb
+++ b/spec/factories/user.rb
@ -21,6 +21,14 @@ FactoryBot.define do
        create :ordergroup, user_ids: [user.id]
      end
    end
+
+    [:ordergroup, :finance, :invoices, :article_meta, :suppliers, :pickups, :orders].each do |role|
+      trait "role_#{role}".to_sym do
+        after :create do |user, evaluator|
+          create :workgroup, "role_#{role}" => true, user_ids: [user.id]
+        end
+      end
+    end
  end

  factory :group do
--- a/spec/support/api_helper.rb
+++ b/spec/support/api_helper.rb
@ -3,8 +3,28 @@ module ApiHelper

  included do
    let(:user) { create(:user) }
-    let(:api_access_token) { create(:oauth2_access_token, resource_owner_id: user.id).token }
+    let(:api_scopes) { [] } # empty scopes for stricter testing (in reality this would be default_scopes)
+    let(:api_access_token) { create(:oauth2_access_token, resource_owner_id: user.id, scopes: api_scopes&.join(' ')).token }
    let(:api_authorization) { "Bearer #{api_access_token}" }
+
+    def self.it_handles_invalid_token(method, path, params_block = ->{ api_auth })
+      context 'with invalid access token' do
+        let(:api_access_token) { 'abc' }
+        it { is_expected.to validate(method, path, 401, instance_exec(&params_block)) }
+      end
+    end
+
+    def self.it_handles_invalid_scope(method, path, params_block = ->{ api_auth })
+      context 'with invalid scope' do
+        let(:api_scopes) { ['none'] }
+        it { is_expected.to validate(method, path, 403, instance_exec(&params_block)) }
+      end
+    end
+
+    def self.it_handles_invalid_token_and_scope(*args)
+      it_handles_invalid_token(*args)
+      it_handles_invalid_scope(*args)
+    end
  end

  # Add authentication to parameters for {Swagger::RspecHelpers#validate}