Add permissions to access tokens

Author: lfdebrux

app/controllers/api/v1/access_tokens_controller.rb

@@ -32,7 +32,7 @@ def caller_identity
 private
 
   def token_params
-    params.permit(:owner, :description)
+    params.permit(:owner, :description, :permissions)
   end
 
   def token_deactivate_params

app/models/access_token.rb

@@ -3,6 +3,11 @@ class AccessToken < ApplicationRecord
 
   scope :active, -> { where(deactivated_at: nil) }
 
+  enum :permissions, {
+    all: "all",
+    readonly: "readonly",
+  }, suffix: true, validate: true
+
   def generate_token
     users_token = SecureRandom.uuid
     self.token_digest = Digest::SHA256.hexdigest(users_token)

db/migrate/20231218125427_add_permissions_to_access_tokens.rb

@@ -0,0 +1,5 @@
+class AddPermissionsToAccessTokens < ActiveRecord::Migration[7.1]
+  def change
+    add_column :access_tokens, :permissions, :string, default: "all"
+  end
+end

db/schema.rb

@@ -2,6 +2,7 @@
   factory :access_token do
     token_digest { Faker::Crypto.sha256 }
     owner { Faker::Name.first_name.underscore }
+    permissions { :all }
     deactivated_at { nil }
     description { nil }
     last_accessed_at { nil }

spec/factories/access_tokens.rb

@@ -46,6 +46,35 @@
     end
   end
 
+  describe "permissions" do
+    let(:access_token) do
+      described_class.new(owner: "test")
+        .tap(&:generate_token)
+    end
+
+    it "defaults to all permissions" do
+      expect(access_token.all_permissions?).to be true
+    end
+
+    it "allows readonly permissions" do
+      access_token.permissions = :readonly
+
+      expect(access_token).to be_valid(:permissions)
+    end
+
+    it "validates the permissions are set" do
+      access_token.permissions = nil
+
+      expect(access_token).not_to be_valid(:permissions)
+    end
+
+    it "validates the permissions are valid" do
+      access_token.permissions = :foobar
+
+      expect(access_token).not_to be_valid(:permissions)
+    end
+  end
+
   describe "#generate_token" do
     let(:result) { access_token.generate_token }
 

spec/models/access_token_spec.rb

@@ -15,6 +15,7 @@
         expect(token.keys).to contain_exactly(
           :id,
           :owner,
+          :permissions,
           :deactivated_at,
           :description,
           :created_at,
@@ -63,6 +64,36 @@
         expect(AccessToken.last.description).to eq "This is one key to rule them all."
       end
     end
+
+    context "when specific permissions are requested" do
+      before do
+        allow(AccessToken).to receive(:new).and_call_original
+        post access_tokens_path, params: { owner: "testing user", permissions: :all }, as: :json
+      end
+
+      it "returns 201 if its saved" do
+        expect(response).to have_http_status(:created)
+      end
+
+      it "returns json" do
+        expect(response.headers["Content-Type"]).to eq("application/json")
+      end
+
+      it "sets the description" do
+        expect(AccessToken.last.permissions).to eq "all"
+      end
+    end
+
+    context "when invalid permissions are requested" do
+      before do
+        allow(AccessToken).to receive(:new).and_call_original
+        post access_tokens_path, params: { owner: "testing user", permissions: :foobar }, as: :json
+      end
+
+      it "returns an error code" do
+        expect(response).to have_http_status(:bad_request)
+      end
+    end
   end
 
   describe "#deactivate" do
@@ -117,6 +148,7 @@
         id: access_token.id,
         token_digest: access_token.token_digest,
         owner: access_token.owner,
+        permissions: access_token.permissions,
         description: nil,
         deactivated_at: nil,
         created_at: access_token.created_at.as_json,