Chore: Update authentication requirement for API GET requests

app/controllers/api/points_controller.rb

@@ -1,6 +1,6 @@
 class Api::PointsController < ApplicationController
  skip_before_action :verify_authenticity_token
- before_action :authenticate, except: %i[index show]
+ before_action :authenticate
 
  def index
  render json: Point.all.order(points: :desc).limit(params[:limit]).offset(params[:offset])

spec/requests/api/points_spec.rb

@@ -2,42 +2,89 @@
 
 RSpec.describe 'Static Pages' do
  describe 'GET #index' do
- it 'returns all points ordered by the highest amount' do
- highest_points = create(:point, points: 6)
- middle_points = create(:point, points: 5)
- lowest_points = create(:point, points: 1)
-
- get api_points_path
- expect(JSON.parse(response.body)).to eq(
- [highest_points, middle_points, lowest_points].map(&:as_json)
- )
+ context 'when not authenticated' do
+ it 'returns 401 forbidden' do
+ get api_points_path
+
+ expect(response).to have_http_status(:unauthorized)
+ end
  end
 
- context 'when limit and offset params are provided' do
- it 'returns the filtererd points ordered by highest' do
+ context 'when authenticated' do
+ around do |example|
+ ClimateControl.modify(
+ ODIN_BOT_ACCESS_TOKEN: 'ODIN_BOT_ACCESS_TOKEN'
+ ) do
+ example.run
+ end
+ end
+
+ it 'returns all points ordered by the highest amount' do
+ highest_points = create(:point, points: 6)
+ middle_points = create(:point, points: 5)
+ lowest_points = create(:point, points: 1)
+
+ get(
+ api_points_path,
+ headers: { 'Authorization' => 'Token ODIN_BOT_ACCESS_TOKEN' }
+ )
+
+ expect(JSON.parse(response.body)).to eq(
+ [highest_points, middle_points, lowest_points].map(&:as_json)
+ )
+ end
+
+ it 'returns specified offset and limit to points' do
  create(:point, points: 6)
  create(:point, points: 1)
  middle_points = create(:point, points: 5)
 
- get api_points_path(offset: 1, limit: 1)
+ get(
+ api_points_path(offset: 1, limit: 1),
+ headers: { 'Authorization' => 'Token ODIN_BOT_ACCESS_TOKEN' }
+ )
  expect(JSON.parse(response.body)).to eq([middle_points.as_json])
  end
  end
  end
 
  describe 'GET #show' do
- it 'returns the points for that discord user' do
- user_points = create(:point, points: 6, discord_id: 907)
+ context 'when not authenticated' do
+ it 'returns status 401' do
+ get '/api/points/907'
 
- get api_point_path(id: 907)
-
- expect(JSON.parse(response.body)).to eq(user_points.as_json)
+ expect(response).to have_http_status(:unauthorized)
+ end
  end
 
- it 'returns an error message if the discord user cannot be found' do
- get api_point_path(id: 907)
+ context 'when authenticated' do
+ around do |example|
+ ClimateControl.modify(
+ ODIN_BOT_ACCESS_TOKEN: 'ODIN_BOT_ACCESS_TOKEN'
+ ) do
+ example.run
+ end
+ end
+
+ it 'returns the points for that discord user' do
+ user_points = create(:point, points: 6, discord_id: 907)
+
+ get(
+ '/api/points/907',
+ headers: { 'Authorization' => 'Token ODIN_BOT_ACCESS_TOKEN' }
+ )
+
+ expect(JSON.parse(response.body)).to eq(user_points.as_json)
+ end
 
- expect(JSON.parse(response.body)).to eq({ 'message' => 'Unable to find that user' })
+ it 'returns an error message if the discord user cannot be found' do
+ get(
+ '/api/points/907',
+ headers: { 'Authorization' => 'Token ODIN_BOT_ACCESS_TOKEN' }
+ )
+
+ expect(JSON.parse(response.body)).to eq({ 'message' => 'Unable to find that user' })
+ end
  end
  end