From c64550785e23fbcfe57422a73e48645733cce590 Mon Sep 17 00:00:00 2001
From: Andrew Tomaka <atomaka@atomaka.com>
Date: Sun, 8 Sep 2024 21:07:51 -0400
Subject: [PATCH] Require authentication for most endpoints (#29)

Reviewed-on: https://git.atomaka.com/atomaka/budget/pulls/29
---
 app/controllers/application_controller.rb    |  1 +
 app/controllers/concerns/authorizable.rb     | 37 ++++++++++++++++++++
 app/controllers/sessions_controller.rb       | 10 ++++--
 app/controllers/users_controller.rb          |  9 +++++
 app/models/guest_user.rb                     |  2 ++
 app/models/user.rb                           |  2 ++
 app/views/layouts/application.html.erb       | 11 +++---
 test/controllers/sessions_controller_test.rb |  3 +-
 test/controllers/users_controller_test.rb    |  5 +++
 test/system/credit_card_bills_test.rb        |  1 +
 test/system/expenses_test.rb                 |  1 +
 test/system/incomes_test.rb                  |  1 +
 test/system/members_test.rb                  |  1 +
 test/system/users_test.rb                    |  7 ++--
 test/test_helper.rb                          |  4 +++
 15 files changed, 84 insertions(+), 11 deletions(-)
 create mode 100644 app/controllers/concerns/authorizable.rb

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 1374ee0..c42fe74 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,3 +1,4 @@
 class ApplicationController < ActionController::Base
   include Authenticatable
+  include Authorizable
 end
diff --git a/app/controllers/concerns/authorizable.rb b/app/controllers/concerns/authorizable.rb
new file mode 100644
index 0000000..7b81667
--- /dev/null
+++ b/app/controllers/concerns/authorizable.rb
@@ -0,0 +1,37 @@
+module Authorizable
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :require_registered_user
+  end
+
+  class_methods do
+    def allow_unregistered_user(**args)
+      skip_before_action :require_registered_user, **args
+    end
+
+    def require_unregistered_user(**args)
+      skip_before_action :require_registered_user, **args
+      before_action :require_unregistered_user, **args
+    end
+  end
+
+  private
+
+  def require_registered_user
+    Current.user.registered? || redirect_to_sign_in
+  end
+
+  def require_unregistered_user
+    Current.user.unregistered? || redirect_to_dashboard
+  end
+
+  def redirect_to_sign_in
+    session[:return_url] = request.url
+    redirect_to new_session_url, alert: "You must be logged in to continue."
+  end
+
+  def redirect_to_dashboard
+    redirect_to root_url, alert: "You are already logged in."
+  end
+end
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index f6fd1fe..3bf7328 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -1,4 +1,5 @@
 class SessionsController < ApplicationController
+  require_unregistered_user only: %i[new create]
   # GET /sessions/new
   def new
     @session = Session.new
@@ -11,9 +12,8 @@ class SessionsController < ApplicationController
     respond_to do |format|
       if @session.save
         session[:current_user_id] = @session.user_id
-        Rails.logger.info("ID: #{@session.user_id}")
 
-        format.html { redirect_to root_url, notice: "Session was successfully created." }
+        format.html { redirect_to redirect_url, notice: "Session was successfully created." }
         format.json { render :show, status: :created, location: @session }
       else
         format.html { render :new, status: :unprocessable_entity, alert: @session.errors }
@@ -27,12 +27,16 @@ class SessionsController < ApplicationController
     session[:current_user_id] = nil
 
     respond_to do |format|
-      format.html { redirect_to root_url, notice: "Session was successfully destroyed." }
+      format.html { redirect_to new_session_url, notice: "Session was successfully destroyed." }
       format.json { head :no_content }
     end
   end
 
   private
+    def redirect_url
+      session.delete(:return_url) || root_url
+    end
+
     # Only allow a list of trusted parameters through.
     def session_params
       params.require(:session).permit(:email, :password)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 2f1084d..e8058a3 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,4 +1,6 @@
 class UsersController < ApplicationController
+  require_unregistered_user only: %i[new create]
+
   before_action :set_user, only: %i[ show edit update destroy ]
 
   # GET /users or /users.json
@@ -25,6 +27,9 @@ class UsersController < ApplicationController
 
     respond_to do |format|
       if @user.save
+        @session = Session.new(session_params).save
+        session[:current_user_id] = @session.user_id
+
         format.html { redirect_to user_url(@user), notice: "User was successfully created." }
         format.json { render :show, status: :created, location: @user }
       else
@@ -67,4 +72,8 @@ class UsersController < ApplicationController
     def user_params
       params.require(:user).permit(:email, :password, :password_confirmation)
     end
+
+    def session_params
+      user_params.slice(:email, :password)
+    end
 end
diff --git a/app/models/guest_user.rb b/app/models/guest_user.rb
index 9f6dbd1..1121af6 100644
--- a/app/models/guest_user.rb
+++ b/app/models/guest_user.rb
@@ -1,3 +1,5 @@
 class GuestUser
   def registered? = false
+
+  def unregistered? = true
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index 1d74647..e8e6d64 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -2,4 +2,6 @@ class User < ApplicationRecord
   has_secure_password
 
   def registered? = true
+
+  def unregistered? = false
 end
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index a4b84df..0ba3739 100644
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -14,14 +14,15 @@
   <body>
     <nav class="w-100 p-6 bg-gray-900 flex items-center justify-between flex-wrap">
       <ul class="flex">
-        <li class="mr-6"><%= link_to "Dashboard", root_path, class: "text-white" %></li>
-        <li class="mr-6"><%= link_to "Expenses", expenses_path, class: "text-white" %></li>
-        <li class="mr-6"><%= link_to "Credit Card Bills", credit_card_bills_path, class: "text-white" %></li>
-        <li class="mr-6"><%= link_to "Incomes", incomes_path, class: "text-white" %></li>
-        <li class="mr-6"><%= link_to "Members", members_path, class: "text-white" %></li>
         <% if Current.user.registered? %>
+          <li class="mr-6"><%= link_to "Dashboard", root_path, class: "text-white" %></li>
+          <li class="mr-6"><%= link_to "Expenses", expenses_path, class: "text-white" %></li>
+          <li class="mr-6"><%= link_to "Credit Card Bills", credit_card_bills_path, class: "text-white" %></li>
+          <li class="mr-6"><%= link_to "Incomes", incomes_path, class: "text-white" %></li>
+          <li class="mr-6"><%= link_to "Members", members_path, class: "text-white" %></li>
           <li class="mr-6"><%= link_to "Log out", session_path, data: {turbo_method: :delete}, class: "text-white" %></li>
         <% else %>
+          <li class="mr-6"><%= link_to "Sign up", new_user_path, class: "text-white" %></li>
           <li class="mr-6"><%= link_to "Log in", new_session_path, class: "text-white" %></li>
         <% end %>
       </ul>
diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb
index bdd5045..bf45eca 100644
--- a/test/controllers/sessions_controller_test.rb
+++ b/test/controllers/sessions_controller_test.rb
@@ -20,8 +20,9 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
   end
 
   test "should destroy session" do
+    login(users(:one).email)
     delete session_url(@session)
 
-    assert_redirected_to root_url
+    assert_redirected_to new_session_url
   end
 end
diff --git a/test/controllers/users_controller_test.rb b/test/controllers/users_controller_test.rb
index 71dd43d..48ce687 100644
--- a/test/controllers/users_controller_test.rb
+++ b/test/controllers/users_controller_test.rb
@@ -6,6 +6,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
   end
 
   test "should get index" do
+    login(@user.email)
     get users_url
     assert_response :success
   end
@@ -31,21 +32,25 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
   end
 
   test "should show user" do
+    login(@user.email)
     get user_url(@user)
     assert_response :success
   end
 
   test "should get edit" do
+    login(@user.email)
     get edit_user_url(@user)
     assert_response :success
   end
 
   test "should update user" do
+    login(@user.email)
     patch user_url(@user), params: { user: { email: @user.email, password: "secret", password_confirmation: "secret" } }
     assert_redirected_to user_url(@user)
   end
 
   test "should destroy user" do
+    login(@user.email)
     assert_difference("User.count", -1) do
       delete user_url(@user)
     end
diff --git a/test/system/credit_card_bills_test.rb b/test/system/credit_card_bills_test.rb
index 50cf2fc..0f1dbde 100644
--- a/test/system/credit_card_bills_test.rb
+++ b/test/system/credit_card_bills_test.rb
@@ -3,6 +3,7 @@ require "application_system_test_case"
 class CreditCardBillsTest < ApplicationSystemTestCase
   setup do
     @credit_card_bill = credit_card_bills(:one)
+    login(users(:one).email)
   end
 
   test "visiting the index" do
diff --git a/test/system/expenses_test.rb b/test/system/expenses_test.rb
index 9d162d8..b4a979a 100644
--- a/test/system/expenses_test.rb
+++ b/test/system/expenses_test.rb
@@ -3,6 +3,7 @@ require "application_system_test_case"
 class ExpensesTest < ApplicationSystemTestCase
   setup do
     @expense = expenses(:monthly_expense)
+    login(users(:one).email)
   end
 
   test "visiting the index" do
diff --git a/test/system/incomes_test.rb b/test/system/incomes_test.rb
index 7a6863c..0ae4e55 100644
--- a/test/system/incomes_test.rb
+++ b/test/system/incomes_test.rb
@@ -3,6 +3,7 @@ require "application_system_test_case"
 class IncomesTest < ApplicationSystemTestCase
   setup do
     @income = incomes(:included_1)
+    login(users(:one).email)
   end
 
   test "visiting the index" do
diff --git a/test/system/members_test.rb b/test/system/members_test.rb
index 2b491ad..fca56bb 100644
--- a/test/system/members_test.rb
+++ b/test/system/members_test.rb
@@ -3,6 +3,7 @@ require "application_system_test_case"
 class MembersTest < ApplicationSystemTestCase
   setup do
     @member = members(:one)
+    login(users(:one).email)
   end
 
   test "visiting the index" do
diff --git a/test/system/users_test.rb b/test/system/users_test.rb
index 00e5e87..4617f3d 100644
--- a/test/system/users_test.rb
+++ b/test/system/users_test.rb
@@ -6,13 +6,14 @@ class UsersTest < ApplicationSystemTestCase
   end
 
   test "visiting the index" do
+    login(@user.email)
     visit users_url
     assert_selector "h1", text: "Users"
   end
 
   test "should create user" do
     visit users_url
-    click_on "New user"
+    click_on "Sign up"
 
     fill_in "Email", with: "userthree@example.local"
     fill_in "Password", with: "secret"
@@ -24,6 +25,7 @@ class UsersTest < ApplicationSystemTestCase
   end
 
   test "should update User" do
+    login(@user.email)
     visit user_url(@user)
     click_on "Edit this user", match: :first
 
@@ -37,7 +39,8 @@ class UsersTest < ApplicationSystemTestCase
   end
 
   test "should destroy User" do
-    visit user_url(@user)
+    login(@user.email)
+    visit user_url(users(:two))
     click_on "Destroy this user", match: :first
 
     assert_text "User was successfully destroyed"
diff --git a/test/test_helper.rb b/test/test_helper.rb
index d713e37..a45e11f 100644
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -10,4 +10,8 @@ class ActiveSupport::TestCase
   fixtures :all
 
   # Add more helper methods to be used by all tests here...
+  def login(email, password = "secret")
+    post sessions_url, params: { session: { email: email, password: password } }
+    assert session[:current_user_id].present?
+  end
 end