ensure doorkeeper_token is valid when authenticating requests in v2

spree · Oct 14, 2020 · e43643a · e43643a
1 parent c8b7557
commit e43643a
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 2 deletions.
diff --git a/api/app/controllers/spree/api/v2/base_controller.rb b/api/app/controllers/spree/api/v2/base_controller.rb
@@ -53,7 +53,12 @@ def render_error_payload(error, status = 422)
         end
 
         def spree_current_user
-          @spree_current_user ||= Spree.user_class.find_by(id: doorkeeper_token.resource_owner_id) if doorkeeper_token
+          return nil unless doorkeeper_token
+          return @spree_current_user if @spree_current_user
+
+          doorkeeper_authorize!
+
+          @spree_current_user ||= Spree.user_class.find_by(id: doorkeeper_token.resource_owner_id)
         end
 
         def spree_authorize!(action, subject, *args)

diff --git a/api/lib/spree/api/testing_support/v2/base.rb b/api/lib/spree/api/testing_support/v2/base.rb
@@ -4,7 +4,7 @@
   let(:headers_order_token) { { 'X-Spree-Order-Token' => order.token } }
 end
 
-[200, 201, 400, 404, 403, 422].each do |status_code|
+[200, 201, 400, 401, 404, 403, 422].each do |status_code|
   shared_examples "returns #{status_code} HTTP status" do
     it "returns #{status_code}" do
       expect(response.status).to eq(status_code)

diff --git a/api/spec/requests/spree/api/v2/errors_spec.rb b/api/spec/requests/spree/api/v2/errors_spec.rb
@@ -29,4 +29,19 @@
       expect(json_response['error']).to eq('You are not authorized to access this page.')
     end
   end
+
+  context 'expired token failure' do
+    let(:user) { create(:user) }
+    let(:headers) { headers_bearer }
+
+    include_context 'API v2 tokens'
+
+    before do
+      token.expires_in = -1
+      token.save
+      get '/api/v2/storefront/account', headers: headers
+    end
+
+    it_behaves_like 'returns 401 HTTP status'
+  end
 end