Create cookie for scratch auth when loading projects

This feels like a sensible place as it should always be set before a scratch project is loaded

We may need to extend this when creating/remixing projects if it uses another path.

Alternatively we could make a new endpoint that creates a cookie.

Author: zetter-rpf

app/controllers/api/projects_controller.rb

@@ -4,12 +4,15 @@
 
 module Api
   class ProjectsController < ApiController
+    include ActionController::Cookies
+
     before_action :authorize_user, only: %i[create update index destroy]
     before_action :load_project, only: %i[show update destroy show_context]
     before_action :load_projects, only: %i[index]
     load_and_authorize_resource
     before_action :verify_lesson_belongs_to_school, only: :create
     after_action :pagination_link_header, only: %i[index]
+    before_action :set_auth_cookie_for_scratch, only: %i[show]
 
     def index
       @paginated_projects = @projects.page(params[:page])
@@ -59,6 +62,18 @@ def show_context
 
     private
 
+    def set_auth_cookie_for_scratch
+      return unless @project.project_type == Project::Types::CODE_EDITOR_SCRATCH
+      return unless Flipper.enabled?(:cat_mode, school)
+
+      cookies[:scratch_auth] = {
+        value: request.headers['Authorization'],
+        secure: Rails.env.production?,
+        same_site: :strict,
+        http_only: true
+      }
+    end
+
     def verify_lesson_belongs_to_school
       return if base_params[:lesson_id].blank?
       return if school&.lessons&.pluck(:id)&.include?(base_params[:lesson_id])

app/models/project.rb

@@ -5,6 +5,7 @@ module Types
     PYTHON = 'python'
     HTML = 'html'
     SCRATCH = 'scratch'
+    CODE_EDITOR_SCRATCH = 'code_editor_scratch'
   end
 
   belongs_to :school, optional: true

config/initializers/cors.rb

@@ -23,5 +23,6 @@
 end
 
 def standard_cors_options
+  resource '/api/projects/*', headers: :any, methods: %i[get post patch put delete], credentials: true, expose: ['Link']
   resource '*', headers: :any, methods: %i[get post patch put delete], expose: ['Link']
 end

spec/requests/projects/show_spec.rb

@@ -54,6 +54,43 @@
       end
     end
 
+    context 'when setting scratch auth cookie' do
+      let(:project_type) { Project::Types::PYTHON }
+      let!(:project) { create(:project, school:, user_id: teacher.id, locale: nil, project_type:) }
+
+      before do
+        Flipper.disable :cat_mode
+        Flipper.disable_actor :cat_mode, school
+      end
+
+      it 'does not set auth cookie when project is not scratch' do
+        get("/api/projects/#{project.identifier}", headers:)
+
+        expect(response).to have_http_status(:ok)
+        expect(response.cookies['scratch_auth']).to be_nil
+      end
+
+      context 'when project is code editor scratch' do
+        let(:project_type) { Project::Types::CODE_EDITOR_SCRATCH }
+
+        it 'does not set auth cookie when cat_mode is not enabled' do
+          get("/api/projects/#{project.identifier}", headers:)
+
+          expect(response).to have_http_status(:ok)
+          expect(response.cookies['scratch_auth']).to be_nil
+        end
+
+        it 'sets auth cookie to auth header' do
+          Flipper.enable_actor :cat_mode, school
+
+          get("/api/projects/#{project.identifier}", headers:)
+
+          expect(response).to have_http_status(:ok)
+          expect(cookies['scratch_auth']).to eq(UserProfileMock::TOKEN)
+        end
+      end
+    end
+
     context 'when loading a student\'s project' do
       let(:school_class) { create(:school_class, school:, teacher_ids: [teacher.id]) }
       let(:lesson) { create(:lesson, school:, school_class:, user_id: teacher.id, visibility: 'students') }