Site: Editor delegations API — GET /editeur/api/v1/delegations + rswag bootstrap#144
Merged
Un3x merged 5 commits intoMay 26, 2026
Merged
Conversation
skelz0r
requested changes
May 26, 2026
Member
skelz0r
left a comment
skelz0r
left a comment
There was a problem hiding this comment.
Y'a les quelques issues que je pointe + il faudrait à mon sens vérifier qu'on régénère bien le swagger si il y a des modifications (comme ce qu'on fait sur siade/)
Un3x
force-pushed
the
feature/api-6627-t8-api-editeur-get-editeurapidelegations
branch
from
42662d9 to
0af557c
Compare
Establish the editor API namespace at /editeur/api/v1, gated by an EditorAPIDomainConstraint that restricts access to entreprise/particulier hosts, and shared with a base controller that authenticates editor JWT bearer tokens and exposes the calling API to subclasses. Open CORS on /editeur/api/* so SaaS éditeurs can call the API from arbitrary origins.
Expose the authenticated editor's delegations (active and revoked) as the integration channel for SaaS éditeurs: callers map siret → id and pass X-Delegation-Id on subsequent metier calls. The endpoint is scoped to the API matching the calling host (entreprise.api.* vs particulier.api.*), so an editor with delegations on both APIs sees only the relevant slice per host. Pagination follows the shared editor API conventions (default 50, max 100). The payload is a flat JSON document with delegation id, DataPass authorization_request_id, SIRET, intitule, scopes, statut and creation timestamp.
Drive the editor API OpenAPI spec from RSpec integration specs via rswag, mirroring siade/'s approach. The integration spec is the source of truth for swagger/v1/openapi-editor.yaml; bin/generate_swagger.sh regenerates the file from the spec. Mount Rswag::Ui at /editeur/api-docs so éditeurs can browse the spec directly from the editor API host.
Mirror siade/'s swagger drift check on site/: bin/test_swagger.sh snapshots the committed OpenAPI file, regenerates it from the rswag specs and fails if the two differ. A new check-swagger CI job runs this on every push and gates the merge and deploy jobs, so an editor API contract change can never land without its OpenAPI counterpart.
Surface GET /editeur/api/v1/delegations on the public changelog so SaaS éditeurs know the dashboard-only siret → id mapping can now be automated end-to-end.
Un3x
force-pushed
the
feature/api-6627-t8-api-editeur-get-editeurapidelegations
branch
from
0af557c to
2eb9aa9
Compare
Samuelfaure
reviewed
May 26, 2026
Contributor
Samuelfaure
left a comment
Samuelfaure
left a comment
There was a problem hiding this comment.
LGTM en dehors des remarques du Skelz0r
Un3x
deleted the
feature/api-6627-t8-api-editeur-get-editeurapidelegations
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
GET /editeur/api/v1/delegations— first endpoint of the editor-facing API. SaaS clients authenticate with their JWT editor token (Bearer), get back the list of their delegations as flat JSON, and mapsiret → delegation_idto setX-Delegation-Idon métier calls.Editor::API::BaseControllerthat decodes the JWT viaAccessToken.decode, enforces theeditor: trueclaim (so admin tokens cannot cross into the editor API surface), and looks up an activeEditorTokenbyjti. Any failure on the auth path returns 401 before reaching the action body.site/(gems + initializers + generators) — Swagger UI mounted at/editeur/api-docs, generated YAML atsite/swagger/v1/openapi-editor.yaml, regenerate viabin/generate_swagger.sh.current_editor.editor_delegations.Closes API-6627 (T8).
Notes
entreprise.api.gouv.fr(option 2, confirmed by @skelz0r). The host-level routing/CORS configuration is handled separately by Loïc on the site/ side.clients/ruby/,clients/node/) are not updated: those target the métier APIs (siade/) perclients/SPECS.md, not the editor admin surface. This new endpoint is a separate API class that editors call once at startup.Test plan
bundle exec rspec spec/requests/editor/api spec/lib/editor/api spec/integration/editor/api— 25 examples, 0 failuresbundle exec rubocopon touched files — clean./bin/brakeman— no new warnings (same 15 pre-existing, 8 ignored)bin/generate_swagger.shproducessite/swagger/v1/openapi-editor.yaml🤖 Generated with Claude Code