Add endpoint for Profile API authorisation check (#694)

mwtrew · adrian-rpf · web-flow · commit 4396d3d835df · 2026-03-03T16:45:17.000Z
## Status - Closes https://github.com/orgs/RaspberryPiFoundation/projects/51/views/11?pane=issue&itemId=159250789&issue=RaspberryPiFoundation%7Cdigital-editor-issues%7C1174 ## What's changed? - Add endpoint that Standalone can use to check if the current user has access to Profile API. ## Before deployment - Platform Capabilities need to merge and deploy RaspberryPiFoundation/profile#2024. --------- Co-authored-by: Adrian Lansdown <adrian.lansdown@raspberrypi.org>
diff --git a/app/controllers/api/profile_auth_check_controller.rb b/app/controllers/api/profile_auth_check_controller.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Api
+  class ProfileAuthCheckController < ApiController
+    def index
+      authorised = ProfileApiClient.check_auth(token: current_user&.token)
+
+      render json: { can_use_profile_api: authorised }, status: :ok
+    rescue ProfileApiClient::UnauthorizedError
+      render json: { can_use_profile_api: false }, status: :ok
+    end
+  end
+end
diff --git a/config/routes.rb b/config/routes.rb
@@ -98,6 +98,8 @@
     post '/google/auth/exchange-code', to: 'google_auth#exchange_code', defaults: { format: :json }
 
     resources :features, only: %i[index]
+
+    resources :profile_auth_check, only: %i[index]
   end
 
   resource :github_webhooks, only: :create, defaults: { formats: :json }
diff --git a/lib/profile_api_client.rb b/lib/profile_api_client.rb
@@ -36,12 +36,21 @@ def initialize(response)
       @response_status = response.status
       @response_headers = response.headers
       @response_body = response.body
-
       super("Unexpected response from Profile API (status code #{response.status})")
     end
   end
 
   class << self
+    def check_auth(token:)
+      return true if ENV['BYPASS_OAUTH'].present?
+
+      response = connection(token).get('/api/v1/access')
+
+      response.status == 200
+    rescue Faraday::BadRequestError, Faraday::UnauthorizedError
+      false
+    end
+
     def create_school(token:, id:, code:)
       return { 'id' => id, 'schoolCode' => code } if ENV['BYPASS_OAUTH'].present?
 
diff --git a/spec/requests/api/profile_auth_check_spec.rb b/spec/requests/api/profile_auth_check_spec.rb
@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Profile auth check API' do
+  let(:headers) { { Authorization: UserProfileMock::TOKEN } }
+  let(:school) { create(:school) }
+  let(:student) { create(:student, school:) }
+  let(:api_url) { 'http://example.com' }
+  let(:api_key) { 'api-key' }
+
+  before do
+    allow(ENV).to receive(:fetch).and_call_original
+    allow(ENV).to receive(:fetch).with('IDENTITY_URL').and_return(api_url)
+    allow(ENV).to receive(:fetch).with('PROFILE_API_KEY').and_return(api_key)
+  end
+
+  describe 'GET /api/profile_auth_check' do
+    context 'when the profile API authorises the current user' do
+      it 'returns can_use_profile_api: true' do
+        # Arrange
+        authenticated_in_hydra_as(student)
+        stub_request(:get, "#{ENV.fetch('IDENTITY_URL')}/api/v1/access").to_return(status: 200, headers:)
+
+        # Act
+        get '/api/profile_auth_check', headers: headers
+
+        # Assert
+        expect(response).to have_http_status(:ok)
+        expect(response.parsed_body).to eq('can_use_profile_api' => true)
+      end
+    end
+
+    context 'when the profile API returns unauthorized' do
+      it 'returns can_use_profile_api: false' do
+        # Arrange
+        authenticated_in_hydra_as(student)
+        stub_request(:get, "#{ENV.fetch('IDENTITY_URL')}/api/v1/access").to_return(status: 401, headers:)
+
+        # Act
+        get '/api/profile_auth_check', headers: headers
+
+        # Assert
+        expect(response).to have_http_status(:ok)
+        expect(response.parsed_body).to eq('can_use_profile_api' => false)
+      end
+    end
+
+    context 'when there is no current user' do
+      it 'returns can_use_profile_api: false' do
+        # Arrange
+        stub_request(:get, "#{ENV.fetch('IDENTITY_URL')}/api/v1/access").to_return(status: 400, headers:)
+
+        # Act
+        get '/api/profile_auth_check'
+
+        # Assert
+        expect(response).to have_http_status(:ok)
+        expect(response.parsed_body).to eq('can_use_profile_api' => false)
+      end
+    end
+  end
+end
