
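# Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/

require 'rails_helper'

# Request specs for the per-user access token endpoints.
#
# Every request is authenticated as +user+ (an agent). +another_token+ is
# created for a different user and exists only so that the specs can assert
# that listing and deletion never reach across the ownership boundary.
RSpec.describe 'User Access token', authenticated_as: :user, type: :request do
  let(:user)          { create(:agent) }
  let(:token)         { create(:token, user: user) }
  let(:another_token) { create(:token) }

  # Force the lazy +let+s so both tokens are persisted before each request.
  before do
    token && another_token
  end

  describe 'GET /user_access_token' do
    it 'returns user tokens and permissions' do
      get '/api/v1/user_access_token'

      # contain_exactly: the list must hold the caller's token and nothing
      # else, so a foreign token leaking into the response fails the spec.
      expect(json_response)
        .to include(
          'tokens'      => contain_exactly(include('id' => token.id)),
          'permissions' => include(
            include('name' => 'ticket.agent'),
            include('name' => 'user_preferences'),
          )
        )
    end

    it 'uses tokens list service', aggregate_failures: true do
      allow(Service::User::AccessToken::List)
        .to receive(:new)
        .and_call_original
      expect_any_instance_of(Service::User::AccessToken::List)
        .to receive(:execute)
        .and_call_original

      get '/api/v1/user_access_token'

      expect(Service::User::AccessToken::List)
        .to have_received(:new)
    end
  end

  describe 'POST /user_access_token' do
    # The endpoint is gated by the 'api_token_access' setting; each context
    # below provides +enabled+.
    before { Setting.set('api_token_access', enabled) }

    context 'when token access is enabled' do
      let(:enabled) { true }

      it 'checks if name is present' do
        post '/api/v1/user_access_token', params: { name: '', permission: %w[ticket.agent] }, as: :json

        expect(response).to have_http_status(:unprocessable_entity)
      end

      it 'returns token value' do
        post '/api/v1/user_access_token', params: { name: 'test', permission: %w[ticket.agent] }, as: :json

        # Token.last is the record just created by this request.
        expect(json_response).to eq('token' => Token.last.token)
      end

      it 'uses token create service', aggregate_failures: true do
        allow(Service::User::AccessToken::Create)
          .to receive(:new)
          .and_call_original
        expect_any_instance_of(Service::User::AccessToken::Create)
          .to receive(:execute)
          .and_call_original

        post '/api/v1/user_access_token', params: { name: 'test', permission: %w[ticket.agent] }, as: :json

        expect(Service::User::AccessToken::Create)
          .to have_received(:new)
      end
    end

    context 'when token access is disabled' do
      let(:enabled) { false }

      it 'throws error' do
        post '/api/v1/user_access_token', params: {}, as: :json

        expect(response).to have_http_status(:unprocessable_entity)
      end
    end
  end

  describe 'DELETE /user_access_token' do
    it 'deletes token' do
      expect { delete "/api/v1/user_access_token/#{token.id}", as: :json }
        .to change { Token.exists? token.id }
        .to false
    end

    it 'raises error if token is owned by another user' do
      # Assert on the token that was targeted by the request. The original
      # spec watched the caller's own token, which would stay untouched even
      # if the foreign token had been deleted, so it could not detect a
      # cross-user deletion.
      expect { delete "/api/v1/user_access_token/#{another_token.id}", as: :json }
        .not_to change { Token.exists? another_token.id }
        .from true
    end
  end
end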