IIRR-30(auth): Enforce user token check on all controllers

Add a before_action in ApplicationController to check for the presence
of a user token in the session, rendering the login page if missing.
Remove redundant token check from PuzzlesController. Allow
SessionsController to skip this check for authentication purposes.

Ref: https://ombulabs.atlassian.net/browse/IIRR-30

Author: fbuys

app/controllers/application_controller.rb

@@ -2,9 +2,16 @@ class ApplicationController < ActionController::Base
   # Only allow modern browsers supporting webp images, web push, badges, import maps, CSS nesting, and CSS :has.
   allow_browser versions: :modern
   before_action :check_session_expiry
+  before_action :check_user_token
 
   private
 
+  def check_user_token
+    unless session[:user_token]
+      render "puzzles/login"
+    end
+  end
+
   def check_session_expiry
     if session[:expires_at].present? && Time.current > session[:expires_at]
       reset_session

app/controllers/puzzles_controller.rb

@@ -1,9 +1,5 @@
 class PuzzlesController < ApplicationController
   def index
-    unless session[:user_token]
-      render "login"
-    end
-
     @pending_puzzles = Puzzle.pending
     @approved_puzzles = Puzzle.approved
     @rejected_puzzles = Puzzle.rejected

app/controllers/sessions_controller.rb

@@ -1,9 +1,11 @@
 class SessionsController < ApplicationController
+  skip_before_action :check_user_token
+
   def create
     auth = request.env["omniauth.auth"]
     user_email = auth.info.email
 
-    domain_allowlist = ENV.fetch("DOMAIN_ALLOWLIST").split(",").map(&:strip)
+    domain_allowlist = ENV.fetch("DOMAIN_ALLOWLIST", "").split(",").map(&:strip)
     if domain_allowlist.present?
       unless domain_allowlist.any? { |domain| user_email.end_with?("@#{domain}") }
         reset_session

config/environments/test.rb

@@ -50,4 +50,9 @@
 
   # Raise error when a before_action's only/except options reference missing actions.
   config.action_controller.raise_on_missing_callback_actions = true
+
+  # Once you have enabled test mode, all requests to OmniAuth will be short circuited to use
+  # the mock authentication hash.
+  # See: https://github.com/omniauth/omniauth/wiki/Integration-Testing
+  OmniAuth.config.test_mode = true
 end

test/controllers/puzzles_controller_test.rb

@@ -2,13 +2,15 @@
 
 class PuzzlesControllerTest < ActionDispatch::IntegrationTest
   test "should get index" do
+    sign_in
     get puzzles_path
     assert_response :success
   end
 
   test "should show error message when editing puzzle with invalid data" do
     puzzle = puzzles(:one)
 
+    sign_in
     patch puzzle_path(puzzle), params: {
       puzzle: {
         question: "",
@@ -27,6 +29,7 @@ class PuzzlesControllerTest < ActionDispatch::IntegrationTest
   test "should successfully update puzzle with valid data" do
     puzzle = puzzles(:one)
 
+    sign_in
     patch puzzle_path(puzzle), params: {
       puzzle: {
         question: "Updated question",

test/test_helper.rb

@@ -10,6 +10,28 @@ class TestCase
     # Setup all fixtures in test/fixtures/*.yml for all tests in alphabetical order.
     fixtures :all
 
+    # Global setup to be run before each test
+    setup do
+      OmniAuth.config.mock_auth[:google] = nil
+    end
+
     # Add more helper methods to be used by all tests here...
+    def sign_in
+      auth = {
+        provider: "google_oauth2",
+        uid: "123456789",
+        info: {
+          email: "cooper@ombulabs.com"
+        },
+        credentials: {
+          token: "token"
+        }
+      }
+
+      OmniAuth.config.add_mock(:google, auth)
+      Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google]
+
+      post sessions_path, params: { provider: :google }
+    end
   end
 end