Require authentication for most endpoints (#29)

Reviewed-on: #29
2024-09-08 21:07:51 -04:00 · 2024-09-08 21:07:51 -04:00 · c64550785e
commit c64550785e
parent 0f95034e8e
15 changed files with 84 additions and 11 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -1,3 +1,4 @@
 class ApplicationController < ActionController::Base
  include Authenticatable
  include Authorizable
 end
--- a/app/controllers/concerns/authorizable.rb
+++ b/app/controllers/concerns/authorizable.rb
@ -0,0 +1,37 @@
 module Authorizable
  extend ActiveSupport::Concern
  included do
    before_action :require_registered_user
  end
  class_methods do
    def allow_unregistered_user(**args)
      skip_before_action :require_registered_user, **args
    end
    def require_unregistered_user(**args)
      skip_before_action :require_registered_user, **args
      before_action :require_unregistered_user, **args
    end
  end
  private
  def require_registered_user
    Current.user.registered? || redirect_to_sign_in
  end
  def require_unregistered_user
    Current.user.unregistered? || redirect_to_dashboard
  end
  def redirect_to_sign_in
    session[:return_url] = request.url
    redirect_to new_session_url, alert: "You must be logged in to continue."
  end
  def redirect_to_dashboard
    redirect_to root_url, alert: "You are already logged in."
  end
 end
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@ -1,4 +1,5 @@
 class SessionsController < ApplicationController
  require_unregistered_user only: %i[new create]
  # GET /sessions/new
  def new
    @session = Session.new
@ -11,9 +12,8 @@ class SessionsController < ApplicationController
    respond_to do |format|
      if @session.save
        session[:current_user_id] = @session.user_id
        Rails.logger.info("ID: #{@session.user_id}")
-        format.html { redirect_to root_url, notice: "Session was successfully created." }
+        format.html { redirect_to redirect_url, notice: "Session was successfully created." }
        format.json { render :show, status: :created, location: @session }
      else
        format.html { render :new, status: :unprocessable_entity, alert: @session.errors }
@ -27,12 +27,16 @@ class SessionsController < ApplicationController
    session[:current_user_id] = nil
    respond_to do |format|
-      format.html { redirect_to root_url, notice: "Session was successfully destroyed." }
+      format.html { redirect_to new_session_url, notice: "Session was successfully destroyed." }
      format.json { head :no_content }
    end
  end
  private
    def redirect_url
      session.delete(:return_url) || root_url
    end
    # Only allow a list of trusted parameters through.
    def session_params
      params.require(:session).permit(:email, :password)
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -1,4 +1,6 @@
 class UsersController < ApplicationController
  require_unregistered_user only: %i[new create]
  before_action :set_user, only: %i[ show edit update destroy ]
  # GET /users or /users.json
@ -25,6 +27,9 @@ class UsersController < ApplicationController
    respond_to do |format|
      if @user.save
        @session = Session.new(session_params).save
        session[:current_user_id] = @session.user_id
        format.html { redirect_to user_url(@user), notice: "User was successfully created." }
        format.json { render :show, status: :created, location: @user }
      else
@ -67,4 +72,8 @@ class UsersController < ApplicationController
    def user_params
      params.require(:user).permit(:email, :password, :password_confirmation)
    end
    def session_params
      user_params.slice(:email, :password)
    end
 end
--- a/app/models/guest_user.rb
+++ b/app/models/guest_user.rb
@ -1,3 +1,5 @@
 class GuestUser
  def registered? = false
  def unregistered? = true
 end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -2,4 +2,6 @@ class User < ApplicationRecord
  has_secure_password
  def registered? = true
  def unregistered? = false
 end
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@ -14,14 +14,15 @@
  <body>
    <nav class="w-100 p-6 bg-gray-900 flex items-center justify-between flex-wrap">
      <ul class="flex">
        <% if Current.user.registered? %>
          <li class="mr-6"><%= link_to "Dashboard", root_path, class: "text-white" %></li>
          <li class="mr-6"><%= link_to "Expenses", expenses_path, class: "text-white" %></li>
          <li class="mr-6"><%= link_to "Credit Card Bills", credit_card_bills_path, class: "text-white" %></li>
          <li class="mr-6"><%= link_to "Incomes", incomes_path, class: "text-white" %></li>
          <li class="mr-6"><%= link_to "Members", members_path, class: "text-white" %></li>
        <% if Current.user.registered? %>
          <li class="mr-6"><%= link_to "Log out", session_path, data: {turbo_method: :delete}, class: "text-white" %></li>
        <% else %>
          <li class="mr-6"><%= link_to "Sign up", new_user_path, class: "text-white" %></li>
          <li class="mr-6"><%= link_to "Log in", new_session_path, class: "text-white" %></li>
        <% end %>
      </ul>
--- a/test/controllers/sessions_controller_test.rb
+++ b/test/controllers/sessions_controller_test.rb
@ -20,8 +20,9 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
  end
  test "should destroy session" do
    login(users(:one).email)
    delete session_url(@session)
-    assert_redirected_to root_url
+    assert_redirected_to new_session_url
  end
 end
--- a/test/controllers/users_controller_test.rb
+++ b/test/controllers/users_controller_test.rb
@ -6,6 +6,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
  end
  test "should get index" do
    login(@user.email)
    get users_url
    assert_response :success
  end
@ -31,21 +32,25 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
  end
  test "should show user" do
    login(@user.email)
    get user_url(@user)
    assert_response :success
  end
  test "should get edit" do
    login(@user.email)
    get edit_user_url(@user)
    assert_response :success
  end
  test "should update user" do
    login(@user.email)
    patch user_url(@user), params: { user: { email: @user.email, password: "secret", password_confirmation: "secret" } }
    assert_redirected_to user_url(@user)
  end
  test "should destroy user" do
    login(@user.email)
    assert_difference("User.count", -1) do
      delete user_url(@user)
    end
--- a/test/system/credit_card_bills_test.rb
+++ b/test/system/credit_card_bills_test.rb
@ -3,6 +3,7 @@ require "application_system_test_case"
 class CreditCardBillsTest < ApplicationSystemTestCase
  setup do
    @credit_card_bill = credit_card_bills(:one)
    login(users(:one).email)
  end
  test "visiting the index" do
--- a/test/system/expenses_test.rb
+++ b/test/system/expenses_test.rb
@ -3,6 +3,7 @@ require "application_system_test_case"
 class ExpensesTest < ApplicationSystemTestCase
  setup do
    @expense = expenses(:monthly_expense)
    login(users(:one).email)
  end
  test "visiting the index" do
--- a/test/system/incomes_test.rb
+++ b/test/system/incomes_test.rb
@ -3,6 +3,7 @@ require "application_system_test_case"
 class IncomesTest < ApplicationSystemTestCase
  setup do
    @income = incomes(:included_1)
    login(users(:one).email)
  end
  test "visiting the index" do
--- a/test/system/members_test.rb
+++ b/test/system/members_test.rb
@ -3,6 +3,7 @@ require "application_system_test_case"
 class MembersTest < ApplicationSystemTestCase
  setup do
    @member = members(:one)
    login(users(:one).email)
  end
  test "visiting the index" do
--- a/test/system/users_test.rb
+++ b/test/system/users_test.rb
@ -6,13 +6,14 @@ class UsersTest < ApplicationSystemTestCase
  end
  test "visiting the index" do
    login(@user.email)
    visit users_url
    assert_selector "h1", text: "Users"
  end
  test "should create user" do
    visit users_url
-    click_on "New user"
+    click_on "Sign up"
    fill_in "Email", with: "userthree@example.local"
    fill_in "Password", with: "secret"
@ -24,6 +25,7 @@ class UsersTest < ApplicationSystemTestCase
  end
  test "should update User" do
    login(@user.email)
    visit user_url(@user)
    click_on "Edit this user", match: :first
@ -37,7 +39,8 @@ class UsersTest < ApplicationSystemTestCase
  end
  test "should destroy User" do
-    visit user_url(@user)
+    login(@user.email)
    visit user_url(users(:two))
    click_on "Destroy this user", match: :first
    assert_text "User was successfully destroyed"
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@ -10,4 +10,8 @@ class ActiveSupport::TestCase
  fixtures :all
  # Add more helper methods to be used by all tests here...
  def login(email, password = "secret")
    post sessions_url, params: { session: { email: email, password: password } }
    assert session[:current_user_id].present?
  end
 end