Merge branch 'api_v2_dmponline' into aaron/feature/v2-api-token-for-internal-users

aaronskiba · aaronskiba · commit fdae153ed59c · 2026-03-12T10:38:25.000-06:00
diff --git a/app/controllers/api/v2/base_api_controller.rb b/app/controllers/api/v2/base_api_controller.rb
@@ -13,6 +13,7 @@ class BaseApiController < ApplicationController # rubocop:todo Style/Documentati
 
       before_action :log_access
 
+      before_action :require_read_scope, except: %i[heartbeat me]
       # controller can respond to json format requests
       respond_to :json
 
@@ -43,7 +44,6 @@ def base_response_content
         @application = ApplicationService.application_name
         @client = doorkeeper_token&.application
         @caller = @client&.name || request.remote_ip
-        @scopes = doorkeeper_token.scopes.to_a if doorkeeper_token
         return unless doorkeeper_token&.resource_owner_id
 
         @resource_owner = User.find(doorkeeper_token.resource_owner_id)
@@ -95,6 +95,10 @@ def paginate_response(results:)
         @total_items = results.total_count
         results
       end
+
+      def require_read_scope
+        raise Pundit::NotAuthorizedError unless doorkeeper_token.scopes.include?('read')
+      end
     end
   end
 end
diff --git a/app/controllers/api/v2/plans_controller.rb b/app/controllers/api/v2/plans_controller.rb
@@ -8,8 +8,6 @@ class PlansController < BaseApiController # rubocop:todo Style/Documentation
 
       # GET /api/v2/plans/:id
       def show
-        raise Pundit::NotAuthorizedError unless @scopes.include?('read')
-
         @plan = Plan.includes(roles: :user).find_by(id: params[:id])
 
         raise Pundit::NotAuthorizedError unless @plan.present?
@@ -23,8 +21,6 @@ def show
 
       # GET /api/v2/plans
       def index
-        raise Pundit::NotAuthorizedError unless @scopes.include?('read')
-
         @plans = PlansPolicy::Scope.new(@resource_owner).resolve
         @plans = @plans.includes(answers: { question: :section }) if @complete
         @items = paginate_response(results: @plans)
diff --git a/app/controllers/api/v2/templates_controller.rb b/app/controllers/api/v2/templates_controller.rb
@@ -8,8 +8,6 @@ class TemplatesController < BaseApiController
 
       # GET /api/v2/templates
       def index
-        raise Pundit::NotAuthorizedError unless @scopes.include?('read')
-
         templates = Api::V2::TemplatesPolicy::Scope.new(@resource_owner).resolve
         @items = paginate_response(results: templates)
         render '/api/v2/templates/index', status: :ok
diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
@@ -36,12 +36,14 @@
 
   # set the token endpoint configurations
   access_token_expires_in 2.hours
-  reuse_access_token
 
   # enable refresh tokens of duration 90 days
   use_refresh_token expiry: 90.days
 
   # enable ssl requirement for redirect url
   # - Allow HTTP in test and development environments
   force_ssl_in_redirect_uri !(Rails.env.test? || Rails.env.development?)
+
+  hash_application_secrets
+  hash_token_secrets
 end
diff --git a/spec/requests/api/v2/plans_controller_spec.rb b/spec/requests/api/v2/plans_controller_spec.rb
@@ -12,7 +12,7 @@
     before do
       @user = create(:user)
       @client = create(:oauth_application)
-      token = mock_authorization_code_token(oauth_application: @client, user: @user).token
+      token = mock_authorization_code_token(oauth_application: @client, user: @user).plaintext_token
 
       @headers = {
         Accept: 'application/json',
diff --git a/spec/requests/api/v2/templates_controller_spec.rb b/spec/requests/api/v2/templates_controller_spec.rb
@@ -8,7 +8,7 @@
   before do
     @user = create(:user)
     @client = create(:oauth_application)
-    token = mock_authorization_code_token(oauth_application: @client, user: @user).token
+    token = mock_authorization_code_token(oauth_application: @client, user: @user).plaintext_token
 
     @headers = {
       Accept: 'application/json',
