Force signin on API if the organization requires it (#5859)

* Force signin on API if the org requires it

* Add changelog

* Fix typo

* Fix class name

* Fix docs

* Add tests

* Lint code

CHANGELOG.md

@@ -36,6 +36,7 @@ After this, `Decidim::Proposals::ProposalEndorsement` and the corresponding coun
 - **decidim-admin**: Fix: let components without step settings be added [\#5568](https://github.com/decidim/decidim/pull/5568)
 - **decidim-proposals**: Fix proposals that have their state not published [\#5832](https://github.com/decidim/decidim/pull/5832)
 - **decidim-core**: Fix missing tribute source map [\#5869](https://github.com/decidim/decidim/pull/5869)
+- **decidim-api**: Force signin on API if the organization requires it [\#5859](https://github.com/decidim/decidim/pull/5859)
 - **decidim-core**: Apply security patch for GHSA-65cv-r6x7-79hv [\#5896](https://github.com/decidim/decidim/pull/5896)
 
 ### Removed

decidim-api/app/controllers/decidim/api/application_controller.rb

@@ -8,6 +8,7 @@ class ApplicationController < ::DecidimController
       include NeedsOrganization
       include NeedsPermission
       include ImpersonateUsers
+      include ForceAuthentication
 
       register_permissions(::Decidim::Api::ApplicationController,
                            ::Decidim::Permissions)

decidim-api/app/controllers/decidim/api/graphiql_controller.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Api
+    # Controller to serve the GraphiQL client. Used so that we can hook the
+    # `ForceAuthentication` module.
+    class GraphiQLController < ::GraphiQL::Rails::EditorsController
+      include NeedsOrganization
+      include ForceAuthentication
+
+      def self.controller_path
+        "graphiql/rails/editors"
+      end
+    end
+  end
+end

decidim-api/config/routes.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 Decidim::Api::Engine.routes.draw do
-  mount GraphiQL::Rails::Engine, at: "/graphiql", graphql_path: "/api", as: :graphiql
+  get "/graphiql", to: "graphiql#show", graphql_path: "/api", as: :graphiql
   get "/docs", to: "documentation#show", as: :documentation
   get "/", to: redirect("/api/docs")
   post "/" => "queries#create", as: :root

decidim-api/spec/controllers/queries_controller_spec.rb

@@ -7,8 +7,25 @@ module Api
     describe QueriesController, type: :controller do
       routes { Decidim::Api::Engine.routes }
 
+      let(:organization) { create :organization }
+
       before do
-        request.env["decidim.current_organization"] = create(:organization)
+        request.env["decidim.current_organization"] = organization
+      end
+
+      context "when the organization has private access" do
+        let(:organization) do
+          create(
+            :organization,
+            force_users_to_authenticate_before_access_organization: true
+          )
+        end
+
+        it "doesn't accept queries" do
+          post :create, params: { query: "{ __schema { queryType { name } } }" }
+
+          expect(response).to redirect_to("/users/sign_in")
+        end
       end
 
       it "executes a query" do

decidim-api/spec/system/graphiql_spec.rb

@@ -14,6 +14,20 @@
     visit decidim_api.graphiql_path
   end
 
+  context "when the organization has private access" do
+    let(:organization) do
+      create(
+        :organization,
+        force_users_to_authenticate_before_access_organization: true
+      )
+    end
+
+    it "forces the user to login" do
+      expect(page).to have_current_path("/users/sign_in")
+      expect(page).to have_content("Please, login with your account before access")
+    end
+  end
+
   it "is able to execute the default query" do
     find(".execute-button").click
     within ".result-window" do