New presenter for granted OAuth Apps (#15014)

.rubocop.yml

@@ -1,5 +1,5 @@
 AllCops:
-  TargetRubyVersion: 2.2
+  TargetRubyVersion: 2.4
   Include:
   - "**/*.gemspec"
   - "**/*.podspec"

NEWS.md

@@ -17,6 +17,7 @@ sudo make install
 - Document and fix timeouts for the ArcGIS connector ([CartoDB/support#2075](https://github.com/CartoDB/support/issues/2075))
 - Document column names normalization ([CartoDB/support#2111](https://github.com/CartoDB/support/issues/2111))
 - Remove some rollbar logging ([#15001](https://github.com/CartoDB/cartodb/issues/15001))
+- Include scopes for granted OAuth apps endpoint and hide private information ([#15002](https://github.com/CartoDB/cartodb/issues/15002))
 
 4.28.0 (2019-07-01)
 -------------------

app/controllers/carto/api/public/oauth_app_presenter.rb

@@ -3,16 +3,31 @@ module Carto
     module Public
       class OauthAppPresenter
 
-        EXPOSED_ATTRIBUTES = %i(
+        PRIVATE_ATTRIBUTES = %i(
           id user_id name created_at updated_at client_id client_secret redirect_uris icon_url restricted
         ).freeze
 
-        def initialize(oauth_app)
+        PUBLIC_ATTRIBUTES = %i(id name created_at updated_at).freeze
+
+        def initialize(oauth_app, user: nil)
           @oauth_app = oauth_app
+          @user = user
+        end
+
+        def to_hash(private_data: false)
+          private_data ? to_private_hash : to_public_hash
+        end
+
+        private
+
+        def to_private_hash
+          @oauth_app.slice(*PRIVATE_ATTRIBUTES).merge(username: @oauth_app.user.username)
         end
 
-        def to_hash
+        def to_public_hash
-          @oauth_app.slice(*EXPOSED_ATTRIBUTES).merge(username: @oauth_app.user.username)
+          oauth_app_user = @oauth_app.oauth_app_users.where(user: @user).first
+          scopes = Carto::OauthProvider::Scopes.scopes_by_category(oauth_app_user&.all_scopes)
+          @oauth_app.slice(*PUBLIC_ATTRIBUTES).merge(scopes: scopes)
         end
 
       end

app/controllers/carto/api/public/oauth_apps_controller.rb

@@ -22,7 +22,7 @@ module Carto
 
         def index
           oauth_apps = user_or_organization_apps
-          render_paged(oauth_apps) { |params| api_v4_oauth_apps_url(params) }
+          render_paged(oauth_apps, private_data: true) { |params| api_v4_oauth_apps_url(params) }
         end
 
         def index_granted
@@ -31,23 +31,23 @@ module Carto
         end
 
         def show
-          render_jsonp(OauthAppPresenter.new(@oauth_app).to_hash, 200)
+          render_jsonp(OauthAppPresenter.new(@oauth_app).to_hash(private_data: true), 200)
         end
 
         def create
           create_params = permitted_params.merge(user: @user)
           oauth_app = OauthApp.create!(create_params)
-          render_jsonp(OauthAppPresenter.new(oauth_app).to_hash, 201)
+          render_jsonp(OauthAppPresenter.new(oauth_app).to_hash(private_data: true), 201)
         end
 
         def update
           @oauth_app.update_attributes!(permitted_params)
-          render_jsonp(OauthAppPresenter.new(@oauth_app).to_hash, 200)
+          render_jsonp(OauthAppPresenter.new(@oauth_app).to_hash(private_data: true), 200)
         end
 
         def regenerate_secret
           @oauth_app.regenerate_client_secret!
-          render_jsonp(OauthAppPresenter.new(@oauth_app.reload).to_hash, 200)
+          render_jsonp(OauthAppPresenter.new(@oauth_app.reload).to_hash(private_data: true), 200)
         end
 
         def destroy
@@ -102,9 +102,11 @@ module Carto
           params.permit(:name, :icon_url, redirect_uris: [])
         end
 
-        def render_paged(oauth_apps)
+        def render_paged(oauth_apps, private_data: false)
           filtered_oauth_apps = Carto::PagedModel.paged_association(oauth_apps, @page, @per_page, @order)
-          result = filtered_oauth_apps.map { |oauth_app| OauthAppPresenter.new(oauth_app).to_hash }
+          result = filtered_oauth_apps.map do |oauth_app|
+            OauthAppPresenter.new(oauth_app, user: @user).to_hash(private_data: private_data)
+          end
 
           enriched_response = paged_result(
             result: result,

lib/carto/oauth_provider/scopes.rb

@@ -208,7 +208,7 @@ module Carto
         result
       end
 
-      def self.scopes_by_category(new_scopes, previous_scopes)
+      def self.scopes_by_category(new_scopes, previous_scopes = [])
         # If we had previous scopes, DEFAULT was already granted.
         previous_scopes = previous_scopes.blank? ? [] : previous_scopes + [SCOPE_DEFAULT]
 

spec/requests/carto/api/public/oauth_apps_controller_spec.rb

@@ -167,7 +167,7 @@ describe Carto::Api::Public::OauthAppsController do
       @app1.oauth_app_organizations.create!(organization: @carto_organization, seats: 1)
       @app2.oauth_app_organizations.create!(organization: @carto_organization, seats: 1)
 
-      Carto::OauthAppUser.create!(user: @carto_org_user_1, oauth_app: @app1)
+      Carto::OauthAppUser.create!(user: @carto_org_user_1, oauth_app: @app1, scopes: ['user:profile'])
       Carto::OauthAppUser.create!(user: @carto_org_user_1, oauth_app: @app2)
     end
 
@@ -203,13 +203,15 @@ describe Carto::Api::Public::OauthAppsController do
       end
     end
 
-    it 'returns 200 with the OAuth apps granted by the current user (sort by updated at by default)' do
+    it 'returns 200 with the OAuth apps granted by the current user and the scopes (sort by updated at by default)' do
       get_json api_v4_oauth_apps_index_granted_url(@params) do |response|
         expect(response.status).to eq(200)
         expect(response.body[:total]).to eq 2
         expect(response.body[:count]).to eq 2
         expect(response.body[:result][0][:id]).to eq @app1.id
-        expect(response.body[:result][0][:username]).to eq @carto_org_user_2.username
+        expect(response.body[:result][0][:scopes][0][:description]).to eq 'User and personal data'
+        expect(response.body[:result][0][:username]).to be_nil
+        expect(response.body[:result][0][:client_secret]).to be_nil
       end
     end