controller

5 years ago · 7b20665959
parent 20aecafd79
commit 7b20665959
3 changed files with 376 additions and 0 deletions
--- a/1
+++ b/1
@ -356,6 +356,7 @@ SPEC_HELPER_MIN_SPECS = \
 	spec/lib/carto/oauth/google/api_spec.rb \
 	spec/queries/carto/dashboard_preview_searcher_spec.rb \
 	spec/requests/carto/api/search_preview_controller_spec.rb \
+	spec/requests/carto/api/public/oauth_apps_controller_spec.rb \
 	$(NULL)

 # This class must be tested isolated as pollutes namespace
--- a/app/controllers/carto/api/public/oauth_apps_controller.rb
+++ b/app/controllers/carto/api/public/oauth_apps_controller.rb
@ -0,0 +1,82 @@
+require_relative '../paged_searcher'
+
+module Carto
+  module Api
+    module Public
+      class OauthAppsController < Carto::Api::Public::ApplicationController
+        include Carto::Api::PagedSearcher
+        include Carto::ControllerHelper
+        extend Carto::DefaultRescueFroms
+
+        ssl_required
+
+        before_action :load_user
+        before_action :load_oauth_app, only: [:show, :update, :destroy]
+
+        setup_default_rescues
+
+        VALID_ORDER_PARAMS = [:name, :updated_at, :restricted, :user_id].freeze
+
+        def index
+          page, per_page, order = page_per_page_order_params(VALID_ORDER_PARAMS)
+          oauth_apps = user_or_organization_apps
+          filtered_oauth_apps = Carto::PagedModel.paged_association(oauth_apps, page, per_page, order)
+          result = filtered_oauth_apps.map { |oauth_app| OauthAppPresenter.new(oauth_app).to_poro }
+
+          render_jsonp(
+            paged_result(
+              result: result,
+              total_count: oauth_apps.size,
+              page: page,
+              per_page: per_page,
+              params: params.except('controller', 'action')
+            ) { |params| api_keys_url(params) },
+            200
+          )
+        end
+
+        def show
+          render_jsonp(OauthAppPresenter.new(@oauth_app).to_poro, 200)
+        end
+
+        def create
+          create_params = permitted_params.merge(user: @user)
+          oauth_app = OauthApp.create!(create_params)
+          render_jsonp(OauthAppPresenter.new(oauth_app).to_poro, 201)
+        end
+
+        def update
+          @oauth_app.update_attributes!(permitted_params)
+          render_jsonp(OauthAppPresenter.new(@oauth_app).to_poro, 200)
+        end
+
+        def destroy
+          @oauth_app.destroy!
+          head :no_content
+        end
+
+        private
+
+        def load_user
+          @user = Carto::User.find(current_viewer.id)
+        end
+
+        def load_oauth_app
+          @oauth_app = Carto::OauthApp.find(params[:id])
+        end
+
+        def user_or_organization_apps
+          return @user.oauth_apps unless @user.organization_owner?
+
+          org_users = @user.organization.users
+          Carto::OauthApp.where(user: org_users)
+        end
+
+        def permitted_params
+          params.permit(:name, :icon_url, :restricted, redirect_uris: [])
+        end
+
+      end
+    end
+  end
+end
--- a/spec/requests/carto/api/public/oauth_apps_controller_spec.rb
+++ b/spec/requests/carto/api/public/oauth_apps_controller_spec.rb
@ -0,0 +1,293 @@
+require 'spec_helper_min'
+require 'support/helpers'
+
+describe Carto::Api::Public::OauthAppsController do
+  include_context 'users helper'
+  include_context 'organization with users helper'
+  include HelperMethods
+
+  describe 'index' do
+    context 'regular users' do
+      before(:all) do
+        @params = { api_key: @user1.api_key, page: 1, per_page: 10 }
+
+        @app1 = FactoryGirl.create(:oauth_app, user_id: @user1.id, name: 'ZZZ', restricted: false)
+        @app2 = FactoryGirl.create(:oauth_app, user_id: @user1.id, name: 'ABC', restricted: true)
+        @app3 = FactoryGirl.create(:oauth_app, user_id: @user2.id, name: 'ABC', restricted: true)
+      end
+
+      after(:all) do
+        [@app1, @app2, @app3].each(&:destroy)
+      end
+
+      before(:each) do
+        host! "#{@user1.username}.localhost.lan"
+      end
+
+      it 'returns 401 if there is no authenticated user' do
+        get_json api_v4_oauth_apps_index_url do |response|
+          expect(response.status).to eq(401)
+        end
+      end
+
+      it 'returns 200 with the OAuth apps owned by the current user (sort by updated at by default)' do
+        get_json api_v4_oauth_apps_index_url(@params) do |response|
+          expect(response.status).to eq(200)
+          expect(response.body[:total]).to eq 2
+          expect(response.body[:count]).to eq 2
+          expect(response.body[:result][0][:id]).to eq @app1.id
+          expect(response.body[:result][0][:username]).to eq @user1.username
+        end
+      end
+
+      it 'returns 200 with an empty array if the current user does not have apps' do
+        @user3 = FactoryGirl.create(:valid_user)
+        host! "#{@user3.username}.localhost.lan"
+
+        get_json api_v4_oauth_apps_index_url(api_key: @user3.api_key) do |response|
+          expect(response.status).to eq(200)
+          expect(response.body[:total]).to eq 0
+          expect(response.body[:count]).to eq 0
+          expect(response.body[:result]).to be_empty
+        end
+      end
+
+      it 'paginates the results' do
+        get_json api_v4_oauth_apps_index_url(@params.merge(page: 2, per_page: 1)) do |response|
+          expect(response.status).to eq(200)
+          expect(response.body[:total]).to eq 2
+          expect(response.body[:count]).to eq 1
+          expect(response.body[:result][0][:id]).to eq @app2.id
+        end
+      end
+
+      context 'ordering' do
+        it 'orders results by name' do
+          get_json api_v4_oauth_apps_index_url(@params.merge(order: 'name')) do |response|
+            expect(response.status).to eq(200)
+            expect(response.body[:total]).to eq 2
+            expect(response.body[:count]).to eq 2
+            expect(response.body[:result][0][:id]).to eq @app2.id
+            expect(response.body[:result][1][:id]).to eq @app1.id
+          end
+        end
+
+        it 'orders results by restricted' do
+          get_json api_v4_oauth_apps_index_url(@params.merge(order: 'restricted')) do |response|
+            expect(response.status).to eq(200)
+            expect(response.body[:total]).to eq 2
+            expect(response.body[:count]).to eq 2
+            expect(response.body[:result][0][:id]).to eq @app1.id
+            expect(response.body[:result][1][:id]).to eq @app2.id
+          end
+        end
+
+        it 'returns 400 if the ordering param is invalid' do
+          get_json api_v4_oauth_apps_index_url(@params.merge(order: 'client_secret')) do |response|
+            expect(response.status).to eq(400)
+            expect(response.body[:errors]).to include "Wrong 'order' parameter value"
+          end
+        end
+      end
+    end
+
+    context 'organizational users' do
+      before(:all) do
+        @params = { page: 1, per_page: 10 }
+
+        @app1 = FactoryGirl.create(:oauth_app, user_id: @org_user_1.id)
+        @app2 = FactoryGirl.create(:oauth_app, user_id: @org_user_2.id)
+        @app3 = FactoryGirl.create(:oauth_app, user_id: @org_user_owner.id)
+      end
+
+      after(:all) do
+        [@app1, @app2, @app3].each(&:destroy)
+      end
+
+      before(:each) do
+        host! "#{@organization.name}.localhost.lan"
+      end
+
+      it 'returns all the OAuth apps in the organization for the organization owner' do
+        params = @params.merge(api_key: @org_user_owner.api_key, user_domain: @org_user_owner.username)
+        get_json api_v4_oauth_apps_index_url(params) do |response|
+          expect(response.status).to eq(200)
+          expect(response.body[:total]).to eq 3
+        end
+      end
+
+      it 'returns only the user apps for non owners' do
+        params = @params.merge(api_key: @org_user_1.api_key, user_domain: @org_user_1.username)
+        get_json api_v4_oauth_apps_index_url(params) do |response|
+          expect(response.status).to eq(200)
+          expect(response.body[:total]).to eq 1
+        end
+      end
+    end
+
+  end
+
+  describe 'show' do
+    before(:all) do
+      @params = { api_key: @user1.api_key, page: 1, per_page: 10 }
+      @app = FactoryGirl.create(:oauth_app, user_id: @user1.id)
+    end
+
+    after(:all) do
+      @app.destroy
+    end
+
+    before(:each) do
+      host! "#{@user1.username}.localhost.lan"
+    end
+
+    it 'returns 401 if there is no authenticated user' do
+      get_json api_v4_oauth_apps_index_url do |response|
+        expect(response.status).to eq(401)
+      end
+    end
+
+    it 'returns 404 if the app is not found' do
+      wrong_id = @user1.id
+
+      get_json api_v4_oauth_apps_show_url(@params.merge(id: wrong_id)) do |response|
+        expect(response.status).to eq(404)
+        expect(response.body[:errors]).to eq 'Record not found'
+      end
+    end
+
+    it 'returns 200 with all the info from an OAuth App' do
+      get_json api_v4_oauth_apps_show_url(@params.merge(id: @app.id)) do |response|
+        expect(response.status).to eq(200)
+        expect(response.body[:id]).to eq @app.id
+        expect(response.body[:name]).to eq @app.name
+        expect(response.body[:client_secret]).to eq @app.client_secret
+        expect(response.body[:username]).to eq @user1.username
+        expect(response.body.size).to eq 11
+      end
+    end
+
+  end
+
+  describe 'create' do
+    before(:all) do
+      @params = { api_key: @user1.api_key }
+      @payload = { name: 'my app', redirect_uris: ['https://example.com'], icon_url: 'https://example.com/icon.png' }
+    end
+
+    after(:each) do
+      @carto_user1.reload.oauth_apps.each(&:destroy)
+    end
+
+    before(:each) do
+      host! "#{@user1.username}.localhost.lan"
+    end
+
+    it 'returns 401 if there is no authenticated user' do
+      post_json api_v4_oauth_apps_create_url, @payload do |response|
+        expect(response.status).to eq(401)
+      end
+    end
+
+    it 'returns 422 if a required parameter is missing' do
+      post_json api_v4_oauth_apps_create_url(@params), @payload.except(:name) do |response|
+        expect(response.status).to eq(422)
+        expect(response.body[:errors]).to eq ({ name: ["can't be blank"] })
+      end
+    end
+
+    it 'returns 201 if everything is ok' do
+      post_json api_v4_oauth_apps_create_url(@params), @payload do |response|
+        expect(response.status).to eq(201)
+        expect(response.body[:name]).to eq 'my app'
+        expect(@carto_user1.reload.oauth_apps.size).to eq 1
+      end
+    end
+  end
+
+  describe 'update' do
+    before(:all) do
+      @app = FactoryGirl.create(:oauth_app, user_id: @user1.id)
+      @params = { id: @app.id, api_key: @user1.api_key }
+      @payload = { name: 'updated name' }
+    end
+
+    after(:all) do
+      @app.destroy
+    end
+
+    before(:each) do
+      host! "#{@user1.username}.localhost.lan"
+    end
+
+    it 'returns 401 if there is no authenticated user' do
+      put_json api_v4_oauth_apps_update_url(id: @app.id), @payload do |response|
+        expect(response.status).to eq(401)
+      end
+    end
+
+    it 'returns 404 if the app is not found' do
+      wrong_id = @user1.id
+
+      get_json api_v4_oauth_apps_show_url(@params.merge(id: wrong_id)), @payload do |response|
+        expect(response.status).to eq(404)
+        expect(response.body[:errors]).to eq 'Record not found'
+      end
+    end
+
+    it 'returns 200 if everything is ok' do
+      put_json api_v4_oauth_apps_update_url(@params), @payload do |response|
+        expect(response.status).to eq(200)
+        expect(response.body[:name]).to eq 'updated name'
+        expect(@app.reload.name).to eq 'updated name'
+      end
+    end
+
+    it 'ignores non-editable fields' do
+      payload = { client_secret: 'secreto ibérico' }
+
+      put_json api_v4_oauth_apps_update_url(@params), payload do |response|
+        expect(response.status).to eq(200)
+        expect(@app.reload.client_secret).to_not eq 'secreto ibérico'
+      end
+    end
+  end
+
+  describe 'destroy' do
+    before(:each) do
+      @app = FactoryGirl.create(:oauth_app, user_id: @user1.id)
+      @params = { id: @app.id, api_key: @user1.api_key }
+    end
+
+    after(:each) do
+      @app.try(:destroy)
+    end
+
+    before(:each) do
+      host! "#{@user1.username}.localhost.lan"
+    end
+
+    it 'returns 401 if there is no authenticated user' do
+      delete_json api_v4_oauth_apps_destroy_url(id: @app.id) do |response|
+        expect(response.status).to eq(401)
+      end
+    end
+
+    it 'returns 404 if the app is not found' do
+      wrong_id = @user1.id
+
+      delete_json api_v4_oauth_apps_destroy_url(@params.merge(id: wrong_id)) do |response|
+        expect(response.status).to eq(404)
+        expect(response.body[:errors]).to eq 'Record not found'
+      end
+    end
+
+    it 'returns 204 if everything is ok' do
+      delete_json api_v4_oauth_apps_destroy_url(@params) do |response|
+        expect(response.status).to eq(204)
+        expect(@carto_user1.reload.oauth_apps.size).to eq 0
+      end
+    end
+
+  end
+end