From da5bead87c34adec980f072c4ec2a5f049c0908a Mon Sep 17 00:00:00 2001
From: mclilzee <70924991+Mclilzee@users.noreply.github.com>
Date: Sun, 16 Jul 2023 23:27:58 +0200
Subject: [PATCH 1/2] Update authentication requirement for API GET requests
---
 app/controllers/api/points_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/api/points_controller.rb b/app/controllers/api/points_controller.rb
index 1676e92fbc..5feb23caaf 100644
--- a/app/controllers/api/points_controller.rb
+++ b/app/controllers/api/points_controller.rb
@@ -1,6 +1,6 @@
 class Api::PointsController < ApplicationController
   skip_before_action :verify_authenticity_token
-  before_action :authenticate, except: %i[index show]
+  before_action :authenticate
   def index
     render json: Point.all.order(points: :desc).limit(params[:limit]).offset(params[:offset])
From fb6cd95e87b3bbca5ece69f7ab6a739552bb879b Mon Sep 17 00:00:00 2001
From: mclilzee <70924991+Mclilzee@users.noreply.github.com>
Date: Mon, 17 Jul 2023 20:00:06 +0200
Subject: [PATCH 2/2] Update test suite to reflect new authentication changes
---
 spec/requests/api/points_spec.rb | 87 ++++++++++++++++++++++++--------
 1 file changed, 67 insertions(+), 20 deletions(-)
diff --git a/spec/requests/api/points_spec.rb b/spec/requests/api/points_spec.rb
index d5fca243bf..4dee418ba4 100644
--- a/spec/requests/api/points_spec.rb
+++ b/spec/requests/api/points_spec.rb
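Review bot: With `before_action :authenticate` now applied to every action, the `authenticate` callback — defined outside this hunk, presumably in ApplicationController — becomes the only access check on `index` and `show`, and nothing in this commit shows how it compares the presented token with `ODIN_BOT_ACCESS_TOKEN`. If that comparison is a plain `==`, prefer `authenticate_or_request_with_http_token { |token, _| ActiveSupport::SecurityUtils.secure_compare(token, ENV.fetch('ODIN_BOT_ACCESS_TOKEN')) }` so the check is constant-time and an absent or malformed Authorization header still yields 401 rather than an exception. The accompanying spec only sends requests with no Authorization header, so a wrong-token case would be needed to pin that comparison. `skip_before_action :verify_authenticity_token` still covers all actions, which is expected for a token-authenticated JSON API but deserves a why-comment such as `# CSRF check skipped: clients authenticate with an Authorization token header, not a session cookie`. The `index` body continues past the hunk; its `limit(params[:limit])` has no upper bound and, with the parameter omitted, appears to return the whole table, which may be worth capping now that the endpoint is meant for the bot only.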
@@ -2,42 +2,89 @@ RSpec.describe 'Static Pages' do
   describe 'GET #index' do
-    it 'returns all points ordered by the highest amount' do
-      highest_points = create(:point, points: 6)
-      middle_points = create(:point, points: 5)
-      lowest_points = create(:point, points: 1)
-
-      get api_points_path
-      expect(JSON.parse(response.body)).to eq(
-        [highest_points, middle_points, lowest_points].map(&:as_json)
-      )
+    context 'when not authenticated' do
+      it 'returns 401 forbidden' do
+        get api_points_path
+
+        expect(response).to have_http_status(:unauthorized)
+      end
     end
-    context 'when limit and offset params are provided' do
-      it 'returns the filtererd points ordered by highest' do
+    context 'when authenticated' do
+      around do |example|
+        ClimateControl.modify(
+          ODIN_BOT_ACCESS_TOKEN: 'ODIN_BOT_ACCESS_TOKEN'
+        ) do
+          example.run
+        end
+      end
+
+      it 'returns all points ordered by the highest amount' do
+        highest_points = create(:point, points: 6)
+        middle_points = create(:point, points: 5)
+        lowest_points = create(:point, points: 1)
+
+        get(
+          api_points_path,
+          headers: { 'Authorization' => 'Token ODIN_BOT_ACCESS_TOKEN' }
+        )
+
+        expect(JSON.parse(response.body)).to eq(
+          [highest_points, middle_points, lowest_points].map(&:as_json)
+        )
+      end
+
+      it 'returns specified offset and limit to points' do
         create(:point, points: 6)
         create(:point, points: 1)
         middle_points = create(:point, points: 5)
-        get api_points_path(offset: 1, limit: 1)
+        get(
+          api_points_path(offset: 1, limit: 1),
+          headers: { 'Authorization' => 'Token ODIN_BOT_ACCESS_TOKEN' }
+        )
         expect(JSON.parse(response.body)).to eq([middle_points.as_json])
       end
     end
   end
   describe 'GET #show' do
-    it 'returns the points for that discord user' do
-      user_points = create(:point, points: 6, discord_id: 907)
+    context 'when not authenticated' do
+      it 'returns status 401' do
+        get '/api/points/907'
-      get api_point_path(id: 907)
-
-      expect(JSON.parse(response.body)).to eq(user_points.as_json)
+        expect(response).to have_http_status(:unauthorized)
+      end
     end
-    it 'returns an error message if the discord user cannot be found' do
-      get api_point_path(id: 907)
+    context 'when authenticated' do
+      around do |example|
+        ClimateControl.modify(
+          ODIN_BOT_ACCESS_TOKEN: 'ODIN_BOT_ACCESS_TOKEN'
+        ) do
+          example.run
+        end
+      end
+
+      it 'returns the points for that discord user' do
+        user_points = create(:point, points: 6, discord_id: 907)
+
+        get(
+          '/api/points/907',
+          headers: { 'Authorization' => 'Token ODIN_BOT_ACCESS_TOKEN' }
+        )
+
+        expect(JSON.parse(response.body)).to eq(user_points.as_json)
+      end
-      expect(JSON.parse(response.body)).to eq({ 'message' => 'Unable to find that user' })
+      it 'returns an error message if the discord user cannot be found' do
+        get(
+          '/api/points/907',
+          headers: { 'Authorization' => 'Token ODIN_BOT_ACCESS_TOKEN' }
+        )
+
+        expect(JSON.parse(response.body)).to eq({ 'message' => 'Unable to find that user' })
+      end
     end
   end