feat: enforce Flipper feature flag in ApplicationController

ojbucao · ojbucao · commit 0b2a20739f8a · 2025-03-07T10:43:35.000-08:00
•Added Flipper validation to ApplicationController spec to ensure API access is blocked when :accredited_representative_portal_pilot is disabled.
•Modified tests to check that the feature flag takes priority over authentication.
•Ensured existing authentication tests remain intact, validating correct behavior when the flag is enabled.
•If Flipper is disabled, requests now return 403 Forbidden before checking tokens or audience validation.
diff --git a/modules/accredited_representative_portal/spec/requests/accredited_representative_portal/application_spec.rb b/modules/accredited_representative_portal/spec/requests/accredited_representative_portal/application_spec.rb
@@ -22,41 +22,46 @@
       end
     end
 
-    after do
-      # We could have set up our test such that we can unset
-      # `ArbitraryController` as a const during cleanup. But we'll just leave it
-      # around and avoid the extra metaprogramming.
-      Rails.application.reload_routes!
-    end
+    after { Rails.application.reload_routes! }
 
-    context 'when authenticated' do
-      context 'with a valid audience' do
-        it 'allows access' do
-          expect(subject).to have_http_status(:ok)
-        end
-      end
+    context 'when feature flag is enabled' do
+      before { Flipper.enable(:accredited_representative_portal_pilot) }
 
-      context 'with an invalid audience' do
-        let(:access_token_cookie) { SignIn::AccessTokenJwtEncoder.new(access_token: invalid_access_token).perform }
-        let(:expected_log_message) { '[SignIn][AudienceValidator] Invalid audience' }
-        let(:expected_log_payload) do
-          { invalid_audience: invalid_access_token.audience, valid_audience: valid_access_token.audience }
-        end
-        let(:expected_response_body) do
-          { errors: 'Invalid audience' }.to_json
+      context 'when authenticated' do
+        context 'with a valid audience' do
+          it 'allows access' do
+            expect(subject).to have_http_status(:ok)
+          end
         end
 
-        before do
-          allow(Rails.logger).to receive(:error)
-        end
+        context 'with an invalid audience' do
+          let(:access_token_cookie) { SignIn::AccessTokenJwtEncoder.new(access_token: invalid_access_token).perform }
+          let(:expected_log_message) { '[SignIn][AudienceValidator] Invalid audience' }
+          let(:expected_log_payload) do
+            { invalid_audience: invalid_access_token.audience, valid_audience: valid_access_token.audience }
+          end
+          let(:expected_response_body) do
+            { errors: 'Invalid audience' }.to_json
+          end
 
-        it 'denies access' do
-          expect(subject).to have_http_status(:unauthorized)
-          expect(subject.body).to eq(expected_response_body)
-          expect(Rails.logger).to have_received(:error).with(expected_log_message, expected_log_payload)
+          before { allow(Rails.logger).to receive(:error) }
+
+          it 'denies access' do
+            expect(subject).to have_http_status(:unauthorized)
+            expect(subject.body).to eq(expected_response_body)
+            expect(Rails.logger).to have_received(:error).with(expected_log_message, expected_log_payload)
+          end
         end
       end
     end
+
+    context 'when feature flag is disabled' do
+      before { Flipper.disable(:accredited_representative_portal_pilot) }
+
+      it 'returns 403 Forbidden regardless of authentication' do
+        expect(subject).to have_http_status(:forbidden)
+      end
+    end
   end
 end
 
