feat: enforce Flipper feature flag in ApplicationController

•Added Flipper validation to ApplicationController spec to ensure API access is blocked when :accredited_representative_portal_pilot is disabled. •Modified tests to check that the feature flag takes priority over authentication. •Ensured existing authentication tests remain intact, validating correct behavior when the flag is enabled. •If Flipper is disabled, requests now return 403 Forbidden before checking tokens or audience validation.
department-of-veterans-affairs · Mar 7, 2025 · 9a2ec9f · 9a2ec9f
1 parent 84264e4
commit 9a2ec9f
Showing 1 changed file with 31 additions and 21 deletions.
diff --git a/..._representative_portal/spec/requests/accredited_representative_portal/application_spec.rb b/..._representative_portal/spec/requests/accredited_representative_portal/application_spec.rb
@@ -29,34 +29,44 @@
       Rails.application.reload_routes!
     end
 
-    context 'when authenticated' do
-      context 'with a valid audience' do
-        it 'allows access' do
-          expect(subject).to have_http_status(:ok)
-        end
-      end
+    context 'when feature flag is enabled' do
+      before { Flipper.enable(:accredited_representative_portal_pilot) }
 
-      context 'with an invalid audience' do
-        let(:access_token_cookie) { SignIn::AccessTokenJwtEncoder.new(access_token: invalid_access_token).perform }
-        let(:expected_log_message) { '[SignIn][AudienceValidator] Invalid audience' }
-        let(:expected_log_payload) do
-          { invalid_audience: invalid_access_token.audience, valid_audience: valid_access_token.audience }
-        end
-        let(:expected_response_body) do
-          { errors: 'Invalid audience' }.to_json
+      context 'when authenticated' do
+        context 'with a valid audience' do
+          it 'allows access' do
+            expect(subject).to have_http_status(:ok)
+          end
         end
 
-        before do
-          allow(Rails.logger).to receive(:error)
-        end
+        context 'with an invalid audience' do
+          let(:access_token_cookie) { SignIn::AccessTokenJwtEncoder.new(access_token: invalid_access_token).perform }
+          let(:expected_log_message) { '[SignIn][AudienceValidator] Invalid audience' }
+          let(:expected_log_payload) do
+            { invalid_audience: invalid_access_token.audience, valid_audience: valid_access_token.audience }
+          end
+          let(:expected_response_body) do
+            { errors: 'Invalid audience' }.to_json
+          end
+
+          before { allow(Rails.logger).to receive(:error) }
 
-        it 'denies access' do
-          expect(subject).to have_http_status(:unauthorized)
-          expect(subject.body).to eq(expected_response_body)
-          expect(Rails.logger).to have_received(:error).with(expected_log_message, expected_log_payload)
+          it 'denies access' do
+            expect(subject).to have_http_status(:unauthorized)
+            expect(subject.body).to eq(expected_response_body)
+            expect(Rails.logger).to have_received(:error).with(expected_log_message, expected_log_payload)
+          end
         end
       end
     end
+
+    context 'when feature flag is disabled' do
+      before { Flipper.disable(:accredited_representative_portal_pilot) }
+
+      it 'returns 403 Forbidden regardless of authentication' do
+        expect(subject).to have_http_status(:forbidden)
+      end
+    end
   end
 end