* feat(api): expose reset status polling * fix(api): hide reset enqueue exception details * fix(api): use stable reset authorization message * fix(api): narrow reset enqueue error handling * fix(api): document reset enqueue failures * docs(api): regenerate reset status OpenAPI * fix(api): address reset polling review feedback
# frozen_string_literal: true
require 'swagger_helper'
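RSpec.describe 'API V1 Users', type: :request do
  # Shared fixtures: one family, one user whose role is overridable per
  # example via `let(:role)`, and an API key for that user. Every `let` is
  # lazy, so examples that override `api_key` or `role` never create the
  # default records.
  let(:family) do
    Family.create!(
      name: 'API Family',
      currency: 'USD',
      locale: 'en',
      date_format: '%m-%d-%Y'
    )
  end

  let(:role) { :admin }

  let(:user) do
    family.users.create!(
      email: 'api-user@example.com',
      password: 'password123',
      password_confirmation: 'password123',
      role: role
    )
  end

  # Builds a persisted ApiKey for `user` with the given name and scopes.
  # The returned record exposes `plain_key`, which examples send in the
  # X-Api-Key header. Centralised here so the read-only variants below do
  # not repeat the whole create! call.
  def create_api_key(name:, scopes:)
    ApiKey.create!(
      user: user,
      name: name,
      key: ApiKey.generate_secure_key,
      scopes: scopes,
      source: 'web'
    )
  end

  let(:api_key) { create_api_key(name: 'API Docs Key', scopes: %w[read_write]) }

  let(:'X-Api-Key') { api_key.plain_key }

  path '/api/v1/users/reset' do
    delete 'Reset account' do
      tags 'Users'
      description 'Resets all financial data (accounts, categories, merchants, tags, etc.) ' \
                  'for the current user\'s family while keeping the user account intact. ' \
                  'The reset runs asynchronously in the background. ' \
                  'The returned job_id is informational only; reset status is family-scoped, not job-scoped. ' \
                  'Requires admin role.'
      security [ { apiKeyAuth: [] } ]
      produces 'application/json'

      response '200', 'account reset initiated' do
        schema '$ref' => '#/components/schemas/ResetInitiatedResponse'

        run_test!
      end

      response '401', 'unauthorized' do
        schema '$ref' => '#/components/schemas/ErrorResponse'

        let(:'X-Api-Key') { 'invalid-key' }

        run_test!
      end

      # OpenAPI allows a single entry per status code, so this example only
      # exercises the scope check (read-only key, admin user). The admin-role
      # check on this endpoint is not covered here; the status endpoint below
      # covers the role case.
      response '403', 'forbidden - requires read_write scope and admin role' do
        schema '$ref' => '#/components/schemas/ErrorResponse'

        let(:api_key) { create_api_key(name: 'Read Only Key', scopes: %w[read]) }

        run_test!
      end

      # An enqueue failure must surface as a generic error: the stubbed
      # exception message is internal detail and must not reach the client,
      # so the example checks it is absent from the body as well as
      # validating the schema.
      response '500', 'reset enqueue failed' do
        schema '$ref' => '#/components/schemas/ErrorResponse'

        before do
          allow(FamilyResetJob).to receive(:perform_later).and_raise(StandardError, 'queue down')
        end

        run_test! do |response|
          expect(response.body).not_to include('queue down')
        end
      end
    end
  end

  path '/api/v1/users/reset/status' do
    get 'Retrieve reset status' do
      tags 'Users'
      description 'Returns counts of family-owned data targeted by account reset. ' \
                  'Use this after DELETE /api/v1/users/reset to decide whether reset materialization has completed. ' \
                  'Completion is a counts-based family snapshot and may change if new data is created after reset.'
      security [ { apiKeyAuth: [] } ]
      produces 'application/json'

      response '200', 'reset status returned' do
        schema '$ref' => '#/components/schemas/ResetStatusResponse'

        run_test!
      end

      response '401', 'unauthorized' do
        schema '$ref' => '#/components/schemas/ErrorResponse'

        let(:'X-Api-Key') { 'invalid-key' }

        run_test!
      end

      # A non-admin member holding a valid read_write key is rejected: this
      # example exercises the role check rather than the scope check.
      response '403', 'forbidden - requires admin role' do
        schema '$ref' => '#/components/schemas/ErrorResponse'

        let(:role) { :member }

        run_test!
      end
    end
  end

  path '/api/v1/users/me' do
    delete 'Delete account' do
      tags 'Users'
      description 'Permanently deactivates the current user account and all associated data. ' \
                  'This action cannot be undone.'
      security [ { apiKeyAuth: [] } ]
      produces 'application/json'

      response '200', 'account deleted' do
        schema '$ref' => '#/components/schemas/SuccessMessage'

        run_test!
      end

      # Error responses declare the shared ErrorResponse schema, matching the
      # sibling endpoints above, so the generated spec documents the body and
      # run_test! validates it.
      response '401', 'unauthorized' do
        schema '$ref' => '#/components/schemas/ErrorResponse'

        let(:'X-Api-Key') { 'invalid-key' }

        run_test!
      end

      response '403', 'insufficient scope' do
        schema '$ref' => '#/components/schemas/ErrorResponse'

        let(:api_key) { create_api_key(name: 'Read Only Key', scopes: %w[read]) }

        run_test!
      end

      response '422', 'deactivation failed' do
        schema '$ref' => '#/components/schemas/ErrorResponse'

        before do
          # Materialise the key (and its user) before every User instance is
          # stubbed, presumably so the create! above runs against the real model.
          api_key
          allow_any_instance_of(User).to receive(:deactivate).and_return(false)
          allow_any_instance_of(User).to receive(:errors).and_return(
            double(full_messages: [ 'Cannot deactivate admin with other users' ])
          )
        end

        run_test!
      end
    end
  end
end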