From 262664bd15c84f4223f0a4ce0e079f8c5f08bd3f Mon Sep 17 00:00:00 2001
From: baarkerlounger
Date: Tue, 12 Oct 2021 17:20:16 +0100
Subject: [PATCH 1/3] Skip authenticity check only if it's a post#create json format request
---
 app/controllers/case_logs_controller.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/app/controllers/case_logs_controller.rb b/app/controllers/case_logs_controller.rb
index a15811dac..36c32d286 100644
--- a/app/controllers/case_logs_controller.rb
+++ b/app/controllers/case_logs_controller.rb
@@ -1,5 +1,5 @@
 class CaseLogsController < ApplicationController
- skip_before_action :verify_authenticity_token
+ skip_before_action :verify_authenticity_token, only: [:create], if: :json_request?
 def index
 @submitted_case_logs = CaseLog.where(status: 1)
@@ -72,6 +72,10 @@ private
 end
 end
+ def json_request?
+ request.format.json?
+ end
+
 def create_params
 return {} unless params[:case_log]
From 13fc571cdd72d7b1f681b4493726de5deb53b0cb Mon Sep 17 00:00:00 2001
From: baarkerlounger
Date: Tue, 12 Oct 2021 17:35:54 +0100
Subject: [PATCH 2/3] Stick the endpoint behind basic auth
---
 app/controllers/case_logs_controller.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/app/controllers/case_logs_controller.rb b/app/controllers/case_logs_controller.rb
index 36c32d286..98af41d26 100644
--- a/app/controllers/case_logs_controller.rb
+++ b/app/controllers/case_logs_controller.rb
@@ -1,5 +1,6 @@
 class CaseLogsController < ApplicationController
 skip_before_action :verify_authenticity_token, only: [:create], if: :json_request?
+ http_basic_authenticate_with name: ENV["API_USER"], password: ENV["API_KEY"], only: [:create], if: :json_request?
 def index
 @submitted_case_logs = CaseLog.where(status: 1)
From 5697302799d133306a8e72c26207f3f6cc806dc3 Mon Sep 17 00:00:00 2001
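Review bot: `json_request?` is answered by `request.format`, which for a `POST /case_logs` is set by the `.json` path extension or a `format` parameter as well as the `Accept` header, so the `skip_before_action` on the `+` line is satisfied by an ordinary cross-origin HTML form posting to `/case_logs.json` — on its own this hunk switches the authenticity check off for exactly the requests a cookie-bearing browser can be made to send. The later patches in this series put the same `only:`/`if:` condition in front of HTTP Basic auth, which covers that gap only while the two declarations stay identical. A predicate a browser form cannot satisfy cross-origin is the more robust choice, e.g. making the body of `json_request?` `request.media_type == "application/json"` (a JSON request body forces a CORS preflight), and the skip deserves a comment along the lines of `# CSRF is skipped for JSON creates only because they are authenticated by the basic-auth before_action instead.` The `json_request?` predicate itself is added in the second hunk, under the `private` section whose start lies outside the hunk.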
From: baarkerlounger
Date: Wed, 13 Oct 2021 09:44:59 +0100
Subject: [PATCH 3/3] Spec basic auth
---
 app/controllers/case_logs_controller.rb | 6 ++++-
 spec/requests/case_log_controller_spec.rb | 28 +++++++++++++++++++----
 2 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/app/controllers/case_logs_controller.rb b/app/controllers/case_logs_controller.rb
index 98af41d26..311de1d7c 100644
--- a/app/controllers/case_logs_controller.rb
+++ b/app/controllers/case_logs_controller.rb
@@ -1,6 +1,6 @@
 class CaseLogsController < ApplicationController
 skip_before_action :verify_authenticity_token, only: [:create], if: :json_request?
- http_basic_authenticate_with name: ENV["API_USER"], password: ENV["API_KEY"], only: [:create], if: :json_request?
+ before_action :authenticate, only: [:create], if: :json_request?
 def index
 @submitted_case_logs = CaseLog.where(status: 1)
@@ -77,6 +77,10 @@ private
 request.format.json?
 end
+ def authenticate
+ http_basic_authenticate_or_request_with name: ENV["API_USER"], password: ENV["API_KEY"]
+ end
+
 def create_params
 return {} unless params[:case_log]
diff --git a/spec/requests/case_log_controller_spec.rb b/spec/requests/case_log_controller_spec.rb
index 754ab8683..1cef4f373 100644
--- a/spec/requests/case_log_controller_spec.rb
+++ b/spec/requests/case_log_controller_spec.rb
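Review bot: `authenticate` passes `ENV["API_USER"]` and `ENV["API_KEY"]` to `http_basic_authenticate_or_request_with` without checking them, so in any environment where either variable is unset the credential comparison runs against `nil`; depending on the Rails version that is either a `NoMethodError` (a 500 on every JSON create) or a bare 401, and neither tells an operator that the endpoint is unconfigured. Reading them as `name: ENV.fetch("API_USER"), password: ENV.fetch("API_KEY")` raises a `KeyError` that names the missing variable instead. Because this `before_action` and the `skip_before_action` in the first hunk hinge on the same `json_request?` predicate, a comment on `authenticate` such as `# Must stay in step with the CSRF skip above: JSON creates are exempt from the authenticity token only because they are gated here.` would keep the two from drifting apart. The `private` section enclosing `authenticate` begins outside the hunk.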
@@ -2,17 +2,24 @@ require "rails_helper"
 RSpec.describe CaseLogsController, type: :request do
 describe "POST #create" do
+ let(:tenant_code) { "T365" }
+ let(:tenant_age) { 35 }
+ let(:property_postcode) { "SE11 6TY" }
+ let(:api_username) { "test_user" }
+ let(:api_password) { "test_password" }
+ let(:basic_credentials) do
+ ActionController::HttpAuthentication::Basic
+ .encode_credentials(api_username, api_password)
+ end
+
 let(:headers) do
 {
 "Content-Type" => "application/json",
 "Accept" => "application/json",
+ "Authorization" => basic_credentials,
 }
 end
- let(:tenant_code) { "T365" }
- let(:tenant_age) { 35 }
- let(:property_postcode) { "SE11 6TY" }
-
 let(:params) do
 {
 "tenant_code": tenant_code,
@@ -22,6 +29,9 @@ RSpec.describe CaseLogsController, type: :request do
 end
 before do
+ allow(ENV).to receive(:[])
+ allow(ENV).to receive(:[]).with("API_USER").and_return(api_username)
+ allow(ENV).to receive(:[]).with("API_KEY").and_return(api_password)
 post "/case_logs", headers: headers, params: params.to_json
 end
@@ -40,5 +50,15 @@ RSpec.describe CaseLogsController, type: :request do
 expect(json_response["tenant_age"]).to eq(tenant_age)
 expect(json_response["property_postcode"]).to eq(property_postcode)
 end
+
+ context "request with invalid credentials" do
+ let(:basic_credentials) do
+ ActionController::HttpAuthentication::Basic.encode_credentials(api_username, "Oops")
+ end
+
+ it "returns 401" do
+ expect(response).to have_http_status(:unauthorized)
+ end
+ end
 end
 end
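Review bot: `allow(ENV).to receive(:[])` with no return value makes every other `ENV["..."]` lookup during the request return `nil` for the whole example, not just the two keys stubbed on the next two lines, so anything in the app or its gems that reads the environment at request time sees an empty environment and may fail in ways unrelated to this spec. `allow(ENV).to receive(:[]).and_call_original` keeps the real lookups and lets the two `with(...)` stubs override only `API_USER` and `API_KEY`. This applies to the second spec hunk; the `before` block it sits in starts inside the hunk.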
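Review bot: The new context in the third spec hunk covers only a wrong password; there is no example for a JSON `POST` that carries no `Authorization` header at all, which is the case the `before_action :authenticate` gate most needs pinned down, since a regression that only rejects malformed credentials would still pass this suite. A sibling `context "request with no credentials"` that redefines `headers` without the `"Authorization"` key and expects `have_http_status(:unauthorized)` would close that gap using only the `let`s already introduced in the first hunk. The enclosing `describe "POST #create"` block begins outside the hunk.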