7fa06ed55d
- Move the `Oauth2::AccessTokenValidationService` class to `AccessTokenValidationService`, since it is now being used for personal access token validation as well.
- Each API endpoint declares the scopes it accepts (if any). Currently, the top level API module declares the `api` scope, and the `Users` API module declares the `read_user` scope (for GET requests).
- Move the `find_user_by_private_token` method from the API `Helpers` module to the `APIGuard` module, to avoid littering `Helpers` with more auth-related methods to support `find_user_by_private_token`.
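require 'spec_helper'

# Request specs for authentication against GET /user through the API:
# a Doorkeeper OAuth access token, an unknown access token string, and the
# user's private token.
describe API::API, api: true do
  include ApiHelpers

  let!(:user) { create(:user) }
  let!(:application) { Doorkeeper::Application.create!(name: "MyApp", redirect_uri: "https://app.com", owner: user) }
  # The token is issued with the "api" scope only.
  # NOTE(review): no example in this file presents a valid token whose scopes
  # the endpoint does not accept, so a regression in scope enforcement would
  # not be caught here — consider covering that case alongside these examples.
  let!(:token) { Doorkeeper::AccessToken.create! application_id: application.id, resource_owner_id: user.id, scopes: "api" }

  # Previously labelled "when unauthenticated", which contradicted the example:
  # the request presents a valid access token and expects 200.
  describe "when authenticated with a valid access token" do
    it "returns authentication success" do
      get api("/user"), access_token: token.token

      expect(response).to have_http_status(200)
    end
  end

  # An access_token value that matches no issued token must be rejected with
  # 401 rather than served as an anonymous request.
  describe "when token invalid" do
    it "returns authentication error" do
      get api("/user"), access_token: "123a"

      expect(response).to have_http_status(401)
    end
  end

  # Presumably the `api` helper adds the user's private token to the request
  # when a user is passed — confirm against ApiHelpers.
  describe "authorization by private token" do
    it "returns authentication success" do
      get api("/user", user)

      expect(response).to have_http_status(200)
    end
  end
end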