spec/requests/api/users_spec.rb

@@ -3,18 +3,29 @@ require 'swagger_helper'
 describe 'Users API', type: :request do
   path '/user' do
     get 'info about the currently logged-in user' do
+      # security [oauth2: []]
       tags '1. User'
       produces 'application/json'
+      let(:user) { create(:user) }
+      let(:api_access_token) { create(:oauth2_access_token, resource_owner_id: user.id, scopes: api_scopes&.join(' ')).token }
+      let(:Authorization) { "Bearer #{api_access_token}" }
 
       response '200', 'success' do
+        let(:api_scopes) { ['user:read'] }
         run_test! do |response|
-          let(:Authorization) { "Basic #{::Base64.strict_encode64('jsmith:jspass')}" }
           data = JSON.parse(response.body)
-          # expect(data[])
+          expect(data['user']['id']).to eq(user.id)
         end
       end
 
+      response '403', 'missing scope' do
+        let(:api_scopes) { [] }
+        run_test!
+      end
+
+
       response '401', 'not logged-in' do
+        let(:Authorization) { "" }
         run_test!
       end
     end

spec/swagger_helper.rb

@@ -26,8 +26,6 @@ RSpec.configure do |config|
         securitySchemes: {
           oauth2: {
             type: :oauth2,
-            in: :header,
-            name: 'Authorization',
             flows: {
               implicit: {
                 authorizationUrl: 'http://localhost:3000/f/oauth/authorize',

swagger/v1/swagger.yaml

@@ -12,14 +12,14 @@ paths:
       responses:
         '200':
           description: success
+        '403':
+          description: missing scope
         '401':
           description: not logged-in
 components:
   securitySchemes:
     oauth2:
       type: oauth2
-      in: header
-      name: Authorization
       flows:
         implicit:
           authorizationUrl: http://localhost:3000/f/oauth/authorize