Add tests for invalid token to password flow

2015-07-07 17:06:24 +09:00 · 2015-07-07 17:06:24 +09:00 · 52e10a91fe
commit 52e10a91fe
parent 9de2837a63
1 changed files with 32 additions and 3 deletions
--- a/spec/controllers/api/v0/users_controller_spec.rb
+++ b/spec/controllers/api/v0/users_controller_spec.rb
@ -1,19 +1,48 @@
 require 'spec_helper'

-# TODO: Confirm that the cache-control header in the response is private as according to RFC 6750
-# TODO: Check for WWW-Authenticate response header field as according to RFC 6750
 describe Api::V0::UsersController, type: :request do
  describe "#show" do
    let!(:application) { bob.o_auth_applications.create!(client_id: 1, client_secret: "secret") }
    let!(:token) { application.tokens.create!.bearer_token.to_s }
+    let(:invalid_token) { SecureRandom.hex(32).to_s }

    context "when valid" do
-      it "shows the user's info" do
+      it "shows the user's username and email" do
        get "/api/v0/user/?access_token=" + token
        jsonBody = JSON.parse(response.body)
        expect(jsonBody["username"]).to eq(bob.username)
        expect(jsonBody["email"]).to eq(bob.email)
      end
+      it "should include private in the cache-control header" do
+        get "/api/v0/user/?access_token=" + token
+        expect(response.headers["Cache-Control"]).to include("private")
+      end
+    end
+
+    context "when no access token is provided" do
+      it "should respond with a 401 Unauthorized response" do
+        get "/api/v0/user/"
+        expect(response.status).to be(401)
+      end
+      it "should have an auth-scheme value of Bearer" do
+        get "/api/v0/user/"
+        expect(response.headers["WWW-Authenticate"]).to include("Bearer")
+      end
+    end
+
+    context "when an invalid access token is provided" do
+      it "should respond with a 401 Unauthorized response" do
+        get "/api/v0/user/?access_token=" + invalid_token
+        expect(response.status).to be(401)
+      end
+      it "should have an auth-scheme value of Bearer" do
+        get "/api/v0/user/?access_token=" + invalid_token
+        expect(response.headers["WWW-Authenticate"]).to include("Bearer")
+      end
+      it "should contain an invalid_token error" do
+        get "/api/v0/user/?access_token=" + invalid_token
+        expect(response.body).to include("invalid_token")
+      end
    end
  end
 end