Add test coverage for internal v2 token generation

aaronskiba · aaronskiba · commit 8ef06e2c10f8 · 2026-02-17T10:34:11.000-07:00
Add request specs for InternalUserAccessTokensController
- Include both authenticated &amp; unauthenticated user scenarios
- Include both present &amp; absent internal OAuth app scenarios

Add service specs for InternalUserAccessTokenService
- Test token retrieval, rotation, and OAuth app presence
- Verify old token revocation when rotating

Add view specs for API token partials
- Test legacy partial rendering based on `user.can_use_api?`
- Test OAuth application availability scenarios
diff --git a/spec/requests/api/v2/internal_user_access_tokens_controller_spec.rb b/spec/requests/api/v2/internal_user_access_tokens_controller_spec.rb
@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe Api::V2::InternalUserAccessTokensController do
+  let(:user) { create(:user) }
+  let(:app_name) { Rails.application.config.x.application.internal_oauth_app_name }
+  let!(:oauth_app) { create(:oauth_application, name: app_name) }
+
+  describe 'POST #create' do
+    def post_create_token
+      post api_v2_internal_user_access_token_path(format: :js)
+    end
+
+    context 'when user is not authenticated' do
+      # In production, CSRF protection would reject the request with a 422 error
+      # before it reaches Pundit. However, RSpec bypasses CSRF checks, so this
+      # test verifies that Pundit raises NotDefinedError when authorize is called
+      # with nil. This error won't occur in production due to CSRF protection.
+      it 'raises Pundit::NotDefinedError and does not create a token' do
+        expect do
+          expect do
+            post_create_token
+          end.to raise_error(Pundit::NotDefinedError)
+        end.not_to change { Doorkeeper::AccessToken.count }
+      end
+    end
+
+    context 'when user is authenticated' do
+      before { sign_in(user) }
+
+      it 'rotates the user token' do
+        post_create_token
+
+        expect(response).to have_http_status(:ok)
+      end
+
+      it 'creates a new token' do
+        expect do
+          post_create_token
+        end.to change { Doorkeeper::AccessToken.count }.by(1)
+      end
+
+      it 'assigns the token' do
+        post_create_token
+
+        expect(assigns(:token)).to be_a(Doorkeeper::AccessToken)
+        expect(assigns(:token).resource_owner_id).to eq(user.id)
+      end
+
+      it 'renders the refresh_token template' do
+        post_create_token
+
+        expect(response).to render_template('users/refresh_token')
+      end
+
+      context 'when a token already exists' do
+        let!(:old_token) do
+          create(:oauth_access_token, application: oauth_app, resource_owner_id: user.id, scopes: 'read')
+        end
+
+        it 'revokes the old token' do
+          post_create_token
+
+          old_token.reload
+          expect(old_token.revoked_at).not_to be_nil
+        end
+
+        it 'creates a new token' do
+          post_create_token
+
+          new_token = assigns(:token)
+          expect(new_token).not_to eq(old_token)
+        end
+      end
+    end
+
+    context 'when the internal OAuth application is missing' do
+      before do
+        sign_in(user)
+        oauth_app.destroy
+      end
+
+      it 'raises a StandardError' do
+        expect do
+          post_create_token
+        end.to raise_error(StandardError, /not found/)
+      end
+    end
+  end
+end
diff --git a/spec/services/api/v2/internal_user_access_token_service_spec.rb b/spec/services/api/v2/internal_user_access_token_service_spec.rb
@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe Api::V2::InternalUserAccessTokenService do
+  let(:user) { create(:user) }
+  let(:app_name) { Rails.application.config.x.application.internal_oauth_app_name }
+  let!(:oauth_app) { create(:oauth_application, name: app_name) }
+
+  def create_internal_user_access_token
+    create(:oauth_access_token, application: oauth_app, resource_owner_id: user.id, scopes: 'read')
+  end
+
+  describe '#for_user' do
+    context 'when a token exists for the user' do
+      let!(:access_token) do
+        create_internal_user_access_token
+      end
+
+      it 'returns the access token' do
+        token = described_class.for_user(user)
+        expect(token).to be_present
+        expect(token.resource_owner_id).to eq(user.id)
+      end
+    end
+
+    context 'when no token exists for the user' do
+      it 'returns nil' do
+        token = described_class.for_user(user)
+        expect(token).to be_nil
+      end
+    end
+  end
+
+  describe '#rotate!' do
+    def rotate_token_expectations(new_token, old_token = nil) # rubocop:disable Metrics/AbcSize
+      expect(new_token).to be_persisted
+      expect(new_token.resource_owner_id).to eq(user.id)
+      expect(new_token.revoked_at).to be_nil
+      expect(new_token.scopes.to_s).to include('read')
+      return unless old_token
+
+      expect(new_token).not_to eq(old_token)
+      expect(old_token.revoked_at).not_to be_nil
+    end
+
+    context 'when a token already exists' do
+      let!(:old_token) do
+        create_internal_user_access_token
+      end
+
+      it 'revokes the old token and creates a new one' do
+        new_token = described_class.rotate!(user)
+        old_token.reload
+        rotate_token_expectations(new_token, old_token)
+      end
+    end
+
+    context 'when no token exists' do
+      it 'creates a new token' do
+        token = described_class.rotate!(user)
+        rotate_token_expectations(token)
+      end
+    end
+  end
+
+  describe '#application_present?' do
+    context 'when the app exists' do
+      it 'returns true' do
+        expect(described_class.application_present?).to be true
+      end
+    end
+
+    context 'when the app does not exist' do
+      before { oauth_app.destroy }
+
+      it 'returns false' do
+        expect(described_class.application_present?).to be false
+      end
+    end
+  end
+end
diff --git a/spec/views/devise/registrations/_api_token.html.erb_spec.rb b/spec/views/devise/registrations/_api_token.html.erb_spec.rb
@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'devise/registrations/_api_token.html.erb' do
+  let(:app_name) { Rails.application.config.x.application.internal_oauth_app_name }
+  let!(:oauth_app) { create(:oauth_application, name: app_name) }
+
+  before do
+    # Clear memoization between tests
+    Api::V2::InternalUserAccessTokenService.instance_variable_set(:@application, nil)
+  end
+
+  context 'When a user has the `use_api` permission' do
+    it 'renders both the v2 and legacy API token sections' do
+      user = create(:user, :org_admin)
+
+      render partial: 'devise/registrations/api_token', locals: { user: user }
+
+      expect(rendered).to have_selector('#v2-api-token')
+      expect(rendered).to have_selector('#legacy-api-token')
+    end
+  end
+
+  context 'When a user does not have the `use_api` permission' do
+    it 'renders only the v2 API token section' do
+      user = create(:user)
+
+      render partial: 'devise/registrations/api_token', locals: { user: user }
+
+      expect(rendered).to have_selector('#v2-api-token')
+      expect(rendered).not_to have_selector('#legacy-api-token')
+    end
+  end
+end
diff --git a/spec/views/devise/registrations/_v2_api_token.html.erb_spec.rb b/spec/views/devise/registrations/_v2_api_token.html.erb_spec.rb
@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'devise/registrations/_v2_api_token.html.erb' do
+  let(:user) { create(:user) }
+  let(:app_name) { Rails.application.config.x.application.internal_oauth_app_name }
+
+  context 'when the OAuth application exists' do
+    let!(:oauth_app) { create(:oauth_application, name: app_name) }
+
+    it 'displays the regenerate button' do
+      render partial: 'devise/registrations/v2_api_token', locals: { user: user }
+
+      expect(rendered).to have_link('Regenerate token',
+                                    href: api_v2_internal_user_access_token_path(format: :js))
+    end
+
+    context 'when user has a token' do
+      let!(:token) do
+        create(:oauth_access_token,
+               application: oauth_app,
+               resource_owner_id: user.id,
+               scopes: 'read')
+      end
+
+      it 'displays the token' do
+        render partial: 'devise/registrations/v2_api_token', locals: { user: user }
+
+        expect(rendered).to have_selector('code', text: token.token)
+        expect(rendered).not_to have_content('Click the button below to generate an API token')
+      end
+    end
+
+    context 'when user does not have a token' do
+      it 'displays the generate message' do
+        render partial: 'devise/registrations/v2_api_token', locals: { user: user }
+
+        expect(rendered).to have_content('Click the button below to generate an API token')
+        expect(rendered).not_to have_selector('code')
+      end
+    end
+  end
+
+  context 'when the OAuth application does not exist' do
+    it 'displays the warning message and helpdesk email link' do
+      render partial: 'devise/registrations/v2_api_token', locals: { user: user }
+
+      expect(rendered).to have_selector('.alert-warning')
+      expect(rendered).to have_content('V2 API token service is currently unavailable')
+      expect(rendered).to have_link(href: "mailto:#{Rails.application.config.x.organisation.helpdesk_email}")
+    end
+
+    it 'does not display the token or regenerate button' do
+      render partial: 'devise/registrations/v2_api_token', locals: { user: user }
+
+      expect(rendered).not_to have_link('Regenerate token')
+      expect(rendered).not_to have_selector('code')
+    end
+  end
+end
