Fix issue of early return on authentications API

blackcandy-org · Jul 20, 2022 · 8d7d880 · 8d7d880
1 parent 6e1638d
commit 8d7d880
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 10 deletions.
diff --git a/app/controllers/api/v1/authentications_controller.rb b/app/controllers/api/v1/authentications_controller.rb
@@ -10,13 +10,13 @@ def create
         session = UserSession.new(session_params.merge({remember_me: true}).to_h)
 
         if params[:with_session]
-          head :unauthorized unless session.save
+          return head :unauthorized unless session.save
         else
-          head :unauthorized unless session.valid?
+          return head :unauthorized unless session.valid?
         end
 
         @current_user = User.find_by(email: session_params[:email])
-        head :unauthorized unless @current_user.present?
+        return head :unauthorized unless @current_user.present?
 
         @current_user.regenerate_api_token if @current_user.api_token.blank?
       end

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -3,6 +3,8 @@
 class ApplicationController < ActionController::Base
   include SessionsHelper
 
+  helper_method :turbo_native?
+
   before_action :find_current_user
   before_action :require_login
 
@@ -54,7 +56,13 @@ def find_current_user
   end
 
   def require_login
-    redirect_to new_session_path unless logged_in?
+    return if logged_in?
+
+    if turbo_native?
+      head :unauthorized
+    else
+      redirect_to new_session_path
+    end
   end
 
   def require_admin
@@ -67,4 +75,8 @@ def logout_current_user
 
     redirect_to new_session_path
   end
+
+  def turbo_native?
+    request.user_agent.to_s.match?(/Turbo Native/)
+  end
 end
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
@@ -82,8 +82,4 @@ def shelf_grid_tag(**options, &block)
   def page_title_tag(title)
     content_for :title, title
   end
-
-  def turbo_native?
-    request.user_agent.to_s.match?(/Turbo Native/)
-  end
 end
diff --git a/test/controllers/api/v1/authentications_controller_test.rb b/test/controllers/api/v1/authentications_controller_test.rb
@@ -41,7 +41,7 @@ class Api::V1::AuthenticationsControllerTest < ActionDispatch::IntegrationTest
   test "should not create authentication with wrong credential" do
     post api_v1_authentication_url, as: :json, params: {
       user_session: {
-        email: @user.email,
+        email: "fake@email.com",
         password: "fake"
       }
     }
@@ -55,7 +55,7 @@ class Api::V1::AuthenticationsControllerTest < ActionDispatch::IntegrationTest
     post api_v1_authentication_url, as: :json, params: {
       with_session: true,
       user_session: {
-        email: @user.email,
+        email: "fake@email.com",
         password: "fake"
       }
     }

diff --git a/test/controllers/application_controller_test.rb b/test/controllers/application_controller_test.rb
@@ -32,4 +32,12 @@ class ApplicationControllerTest < ActionDispatch::IntegrationTest
     get "/dummy_index"
     assert_response :success
   end
+
+  test "should get unauthorized when did not logged in on turbo native agent" do
+    get "/dummy_index", headers: {"User-Agent" => "Turbo Native iOS"}
+    assert_response :unauthorized
+
+    get "/dummy_index", headers: {"User-Agent" => "Turbo Native Android"}
+    assert_response :unauthorized
+  end
 end