mirror of
https://github.com/we-promise/sure.git
synced 2026-04-07 14:31:25 +00:00
cade5b22f7
* Document admin-only reset auth in OpenAPI docs The DELETE /api/v1/users/reset endpoint now requires admin role (ensure_admin). Update the rswag spec to: - Set default user role to admin so the 200 test passes - Add a 403 response case for non-admin users with read_write scope - Clarify the description notes admin requirement - Add SuccessMessage schema and users paths to openapi.yaml https://claude.ai/code/session_01Tj8ToLRmVg5HLmHwq9KKDY * Consolidate duplicate 403 responses for reset endpoint OpenAPI keys responses by status code, so two 403 blocks caused the first (insufficient scope) to be silently overwritten by the second (non-admin). Merge into a single 403 whose description covers both causes: requires read_write scope and admin role. The test exercises the read-only key path which hits 403 via scope check. https://claude.ai/code/session_01Tj8ToLRmVg5HLmHwq9KKDY * Em-dash out of messages. * Fix tests * Fix tests --------- Co-authored-by: Claude <noreply@anthropic.com>
128 lines
3.0 KiB
Ruby
128 lines
3.0 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require 'swagger_helper'
|
|
|
|
RSpec.describe 'API V1 Users', type: :request do
|
|
let(:family) do
|
|
Family.create!(
|
|
name: 'API Family',
|
|
currency: 'USD',
|
|
locale: 'en',
|
|
date_format: '%m-%d-%Y'
|
|
)
|
|
end
|
|
|
|
let(:role) { :admin }
|
|
|
|
let(:user) do
|
|
family.users.create!(
|
|
email: 'api-user@example.com',
|
|
password: 'password123',
|
|
password_confirmation: 'password123',
|
|
role: role
|
|
)
|
|
end
|
|
|
|
let(:api_key) do
|
|
key = ApiKey.generate_secure_key
|
|
ApiKey.create!(
|
|
user: user,
|
|
name: 'API Docs Key',
|
|
key: key,
|
|
scopes: %w[read_write],
|
|
source: 'web'
|
|
)
|
|
end
|
|
|
|
let(:'X-Api-Key') { api_key.plain_key }
|
|
|
|
path '/api/v1/users/reset' do
|
|
delete 'Reset account' do
|
|
tags 'Users'
|
|
description 'Resets all financial data (accounts, categories, merchants, tags, etc.) ' \
|
|
'for the current user\'s family while keeping the user account intact. ' \
|
|
'The reset runs asynchronously in the background. ' \
|
|
'Requires admin role.'
|
|
security [ { apiKeyAuth: [] } ]
|
|
produces 'application/json'
|
|
|
|
response '200', 'account reset initiated' do
|
|
schema '$ref' => '#/components/schemas/SuccessMessage'
|
|
|
|
run_test!
|
|
end
|
|
|
|
response '401', 'unauthorized' do
|
|
let(:'X-Api-Key') { 'invalid-key' }
|
|
|
|
run_test!
|
|
end
|
|
|
|
response '403', 'forbidden - requires read_write scope and admin role' do
|
|
let(:api_key) do
|
|
key = ApiKey.generate_secure_key
|
|
ApiKey.create!(
|
|
user: user,
|
|
name: 'Read Only Key',
|
|
key: key,
|
|
scopes: %w[read],
|
|
source: 'web'
|
|
)
|
|
end
|
|
|
|
run_test!
|
|
end
|
|
end
|
|
end
|
|
|
|
path '/api/v1/users/me' do
|
|
delete 'Delete account' do
|
|
tags 'Users'
|
|
description 'Permanently deactivates the current user account and all associated data. ' \
|
|
'This action cannot be undone.'
|
|
security [ { apiKeyAuth: [] } ]
|
|
produces 'application/json'
|
|
|
|
response '200', 'account deleted' do
|
|
schema '$ref' => '#/components/schemas/SuccessMessage'
|
|
|
|
run_test!
|
|
end
|
|
|
|
response '401', 'unauthorized' do
|
|
let(:'X-Api-Key') { 'invalid-key' }
|
|
|
|
run_test!
|
|
end
|
|
|
|
response '403', 'insufficient scope' do
|
|
let(:api_key) do
|
|
key = ApiKey.generate_secure_key
|
|
ApiKey.create!(
|
|
user: user,
|
|
name: 'Read Only Key',
|
|
key: key,
|
|
scopes: %w[read],
|
|
source: 'web'
|
|
)
|
|
end
|
|
|
|
run_test!
|
|
end
|
|
|
|
response '422', 'deactivation failed' do
|
|
schema '$ref' => '#/components/schemas/ErrorResponse'
|
|
|
|
before do
|
|
allow_any_instance_of(User).to receive(:deactivate).and_return(false)
|
|
allow_any_instance_of(User).to receive(:errors).and_return(
|
|
double(full_messages: [ 'Cannot deactivate admin with other users' ])
|
|
)
|
|
end
|
|
|
|
run_test!
|
|
end
|
|
end
|
|
end
|
|
end
|