feat: enforce Flipper feature flag in ApplicationController

ojbucao · ojbucao · commit 77cd0309a8da · 2025-03-09T17:04:52.000-07:00
•Added Flipper validation to ApplicationController spec to ensure API access is blocked when :accredited_representative_portal_pilot is disabled.
•Modified tests to check that the feature flag takes priority over authentication.
•Ensured existing authentication tests remain intact, validating correct behavior when the flag is enabled.
•If Flipper is disabled, requests now return 403 Forbidden before checking tokens or audience validation.
diff --git a/modules/accredited_representative_portal/spec/requests/accredited_representative_portal/application_spec.rb b/modules/accredited_representative_portal/spec/requests/accredited_representative_portal/application_spec.rb
@@ -29,34 +29,45 @@
       Rails.application.reload_routes!
     end
 
-    context 'when authenticated' do
-      context 'with a valid audience' do
-        it 'allows access' do
-          expect(subject).to have_http_status(:ok)
-        end
-      end
+    context 'when feature flag is enabled' do
+      before { Flipper.enable(:accredited_representative_portal_pilot) }
 
-      context 'with an invalid audience' do
-        let(:access_token_cookie) { SignIn::AccessTokenJwtEncoder.new(access_token: invalid_access_token).perform }
-        let(:expected_log_message) { '[SignIn][AudienceValidator] Invalid audience' }
-        let(:expected_log_payload) do
-          { invalid_audience: invalid_access_token.audience, valid_audience: valid_access_token.audience }
-        end
-        let(:expected_response_body) do
-          { errors: 'Invalid audience' }.to_json
+      context 'when authenticated' do
+        context 'with a valid audience' do
+          it 'allows access' do
+            expect(subject).to have_http_status(:ok)
+          end
         end
 
-        before do
-          allow(Rails.logger).to receive(:error)
-        end
+        context 'with an invalid audience' do
+          let(:access_token_cookie) { SignIn::AccessTokenJwtEncoder.new(access_token: invalid_access_token).perform }
+          let(:expected_log_message) { '[SignIn][AudienceValidator] Invalid audience' }
+          let(:expected_log_payload) do
+            { invalid_audience: invalid_access_token.audience, valid_audience: valid_access_token.audience }
+          end
+          let(:expected_response_body) do
+            { errors: 'Invalid audience' }.to_json
+          end
+
+          before { allow(Rails.logger).to receive(:error) }
 
-        it 'denies access' do
-          expect(subject).to have_http_status(:unauthorized)
-          expect(subject.body).to eq(expected_response_body)
-          expect(Rails.logger).to have_received(:error).with(expected_log_message, expected_log_payload)
+          it 'denies access' do
+            expect(subject).to have_http_status(:unauthorized)
+            expect(subject.body).to eq(expected_response_body)
+            expect(Rails.logger).to have_received(:error).with(expected_log_message, expected_log_payload)
+          end
         end
       end
     end
+
+    context 'when feature flag is disabled' do
+      before { Flipper.disable(:accredited_representative_portal_pilot) }
+
+      it 'returns 403 Forbidden regardless of authentication' do
+        expect(subject).to have_http_status(:forbidden)
+        expect(subject.body).to match(/flag is disabled/)
+      end
+    end
   end
 end
 
