added new AuthenticationToken factory, as well as new tests to check if access is denied when the token is expired, smaller optimalization changes to the user_mailer_spec and authentication_spec

2022-08-02 17:35:24 +02:00
parent 146eee673f
commit 1a987a65d4
3 changed files with 79 additions and 35 deletions
--- a/spec/features/authentication_spec.rb
+++ b/spec/features/authentication_spec.rb
@ -32,6 +32,52 @@ describe 'Authentication' do
        expect(page).to have_content(I18n.t('sessions.create.failure'))
      end
    end
+
+    context 'with no authentication token' do
+      let(:request_for_comment) { create(:rfc_with_comment, user: user) }
+
+      it 'denies access to the request for comment' do
+        mail.deliver_now
+        visit(rfc_link)
+        expect(page).not_to have_content(request_for_comment.exercise.title)
+        expect(response).to redirect_to(root_path)
+        expect(page).to have_content(I18n.t('application.not_authorized'))
+      end
+    end
+
+    context 'with an authentication token' do
+      let(:user) { create(:learner) }
+      let(:request_for_comment) { create(:rfc_with_comment, user: user) }
+      let(:commenting_user) { InternalUser.create(attributes_for(:teacher)) }
+      let(:mail) { UserMailer.got_new_comment(request_for_comment.comments.first, request_for_comment, commenting_user) }
+      let(:rfc_link) { request_for_comment_url(request_for_comment, token: token.shared_secret) }
+
+      before { allow(AuthenticationToken).to receive(:generate!).with(user).and_return(token).once }
+
+      context 'when the token is valid' do
+        let(:token) { create(:authentication_token, user: user) }
+
+        it 'allows access to the request for comment' do
+          mail.deliver_now
+          visit(rfc_link)
+          expect(current_url).to be(rfc_link)
+          expect(response).to have_http_status :ok
+          expect(page).to have_content(request_for_comment.exercise.title)
+        end
+      end
+
+      context 'with an expired authentication token' do
+        let(:token) { create(:authentication_token, :invalid, user: user) }
+
+        it 'denies access to the request for comment' do
+          mail.deliver_now
+          visit(rfc_link)
+          expect(page).not_to have_content(request_for_comment.exercise.title)
+          expect(response).to redirect_to(root_path)
+          expect(page).to have_content(I18n.t('application.not_authorized'))
+        end
+      end
+    end
  end

  context 'when signed in' do