Check content types before processing API endpoint

cupakromer · cupakromer · commit 36b63422fa79 · 2017-01-11T17:46:40.000-05:00
Now that we are only checking the path before wrapping exceptions we
still need to verify that the endpoint supports the JSON API spec. We do
this via mime type negotiation when processing the request. If we do not
have a valid type then we raise the customary Rails `UnknownFormat`
exception.
diff --git a/lib/kracken/controllers/json_api_compatible.rb b/lib/kracken/controllers/json_api_compatible.rb
@@ -102,6 +102,18 @@ def verify_required_params!
                   "Single beacon object provided but multiple resources requested"
           end
         end
+
+        # Negotiate the mime type for the request format
+        #
+        # This will modify the request object setting the format.
+        def negotiate_mime
+          return if request.negotiate_mime(ALLOWED_MEDIA_TYPES)
+          raise ::ActionController::UnknownFormat
+        end
+
+      private
+
+        ALLOWED_MEDIA_TYPES = [Mime[:json]].freeze
       end
       include DataIntegrity
 
@@ -125,6 +137,7 @@ def self.included(base)
         base.instance_exec do
           extend Macros
 
+          before_action :negotiate_mime
           before_action :munge_chained_param_ids!
           skip_before_action :verify_authenticity_token, raise: false
 
diff --git a/spec/requests/api_spec.rb b/spec/requests/api_spec.rb
@@ -4,29 +4,53 @@ module Kracken
   RSpec.describe 'token authenticatable resource requests', type: :request do
 
     def headers_with_token(token)
-      { 'HTTP_AUTHORIZATION'=>"Token token=\"#{token}\"" }
+      {
+        'HTTP_AUTHORIZATION'=>"Token token=\"#{token}\"",
+        'HTTP_ACCEPT' => 'application/json',
+      }
+    end
+
+    # Temporary work around while we support versions of Rails before 4
+    if Rails::VERSION::MAJOR >= 5
+      def request_resource(path, params: {}, headers: {})
+        get api_index_path, params: params, headers: headers
+      end
+    else
+      def request_resource(path, params: {}, headers: {})
+        get api_index_path, params, headers
+      end
     end
 
     let(:json){ Fixtures.auth_hash.to_json }
 
-    describe "authenticatable resource", type: :request do
+    describe "authenticatable resource" do
       it "will raise error if there is no token" do
-        expect{get api_index_path}.to raise_error Kracken::TokenUnauthorized
+        expect {
+          request_resource api_index_path
+        }.to raise_error Kracken::TokenUnauthorized
       end
 
       it "is redirected to the oauth server if there is no current user" do
         stub_request(:get, "https://account.radiusnetworks.com/auth/radius/user.json?oauth_token=123")
           .to_return(status: 200, body: json)
 
-        # Temporary work around while we support versions of Rails before 4
-        if Rails::VERSION::MAJOR >= 5
-          get api_index_path, params: {}, headers: headers_with_token("123")
-        else
-          get api_index_path, {}, headers_with_token("123")
-        end
+        request_resource api_index_path, headers: headers_with_token("123")
 
         expect(response.status).to be 200
       end
     end
+
+    describe "content negotiation" do
+      it "will raise an error with an incorrect accept header" do
+        stub_request(:get, "https://account.radiusnetworks.com/auth/radius/user.json?oauth_token=123")
+          .to_return(status: 200, body: json)
+
+        auth_headers = headers_with_token("123")
+        auth_headers.delete 'HTTP_ACCEPT'
+        expect {
+          request_resource api_index_path, headers: auth_headers
+        }.to raise_error ActionController::UnknownFormat
+      end
+    end
   end
 end
