Add bearer token authentication for audit console

flavorjones · claude · flavorjones · commit 8abf82e7643c · 2026-01-27T16:39:37.000-05:00
- Rename SaasAdminController to Admin::AuditController
- Override require_authentication to support bearer tokens alongside
  session auth, allowing API access to audit console
- Add migration for audits1984_auditor_tokens table
- Add controller tests for authentication scenarios including staff
  validation on token-based access

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/saas/app/controllers/admin/audits_controller.rb b/saas/app/controllers/admin/audits_controller.rb
@@ -0,0 +1,17 @@
+class Admin::AuditsController < ::AdminController
+  private
+    # Extend Fizzy's authentication to support auditor bearer tokens.
+    def require_authentication
+      authenticate_by_audit_bearer_token || super
+    end
+
+    def authenticate_by_audit_bearer_token
+      if auditor = auditor_from_bearer_token
+        Current.identity = auditor
+      end
+    end
+
+    def find_current_auditor
+      Current.identity
+    end
+end
diff --git a/saas/app/controllers/saas_admin_controller.rb b/saas/app/controllers/saas_admin_controller.rb
diff --git a/saas/db/migrate/20260126230838_create_auditor_tokens.audits1984.rb b/saas/db/migrate/20260126230838_create_auditor_tokens.audits1984.rb
@@ -0,0 +1,14 @@
+# This migration comes from audits1984 (originally 20260126000000)
+class CreateAuditorTokens < ActiveRecord::Migration[7.0]
+  def change
+    create_table :audits1984_auditor_tokens do |t|
+      t.uuid :auditor_id, null: false, index: { unique: true }
+      t.string :token_digest, null: false
+      t.datetime :expires_at, null: false
+
+      t.timestamps
+
+      t.index :token_digest, unique: true
+    end
+  end
+end
diff --git a/saas/db/saas_schema.rb b/saas/db/saas_schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[8.2].define(version: 2025_12_16_000000) do
+ActiveRecord::Schema[8.2].define(version: 2026_01_26_230838) do
   create_table "account_billing_waivers", id: :uuid, charset: "utf8mb4", collation: "utf8mb4_0900_ai_ci", force: :cascade do |t|
     t.uuid "account_id", null: false
     t.datetime "created_at", null: false
@@ -43,6 +43,16 @@
     t.index ["stripe_subscription_id"], name: "index_account_subscriptions_on_stripe_subscription_id", unique: true
   end
 
+  create_table "audits1984_auditor_tokens", charset: "utf8mb4", collation: "utf8mb4_0900_ai_ci", force: :cascade do |t|
+    t.uuid "auditor_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "expires_at", null: false
+    t.string "token_digest", null: false
+    t.datetime "updated_at", null: false
+    t.index ["auditor_id"], name: "index_audits1984_auditor_tokens_on_auditor_id", unique: true
+    t.index ["token_digest"], name: "index_audits1984_auditor_tokens_on_token_digest", unique: true
+  end
+
   create_table "audits1984_audits", charset: "utf8mb4", collation: "utf8mb4_0900_ai_ci", force: :cascade do |t|
     t.uuid "auditor_id", null: false
     t.datetime "created_at", null: false
diff --git a/saas/lib/fizzy/saas/engine.rb b/saas/lib/fizzy/saas/engine.rb
@@ -120,7 +120,7 @@ class Engine < ::Rails::Engine
         config.console1984.ask_for_username_if_empty = true
         config.console1984.base_record_class = "::SaasRecord"
 
-        config.audits1984.base_controller_class = "::SaasAdminController"
+        config.audits1984.base_controller_class = "::Admin::AuditsController"
         config.audits1984.auditor_class = "::Identity"
         config.audits1984.auditor_name_attribute = :email_address
 
diff --git a/saas/test/controllers/admin/audits_controller_test.rb b/saas/test/controllers/admin/audits_controller_test.rb
@@ -38,4 +38,38 @@ class Admin::AuditsControllerTest < ActionDispatch::IntegrationTest
 
     assert_response :unauthorized
   end
+
+  test "valid bearer token is allowed" do
+    token = Audits1984::AuditorToken.generate_for(identities(:david))
+
+    untenanted do
+      get saas.admin_audits1984_path, headers: { "Authorization" => "Bearer #{token}" }
+    end
+
+    assert_response :success
+  end
+
+  test "expired bearer token is forbidden" do
+    token = Audits1984::AuditorToken.generate_for(identities(:david))
+    Audits1984::AuditorToken.update_all(expires_at: 1.day.ago)
+
+    untenanted do
+      get saas.admin_audits1984_path, headers: { "Authorization" => "Bearer #{token}" }
+    end
+
+    assert_response :unauthorized
+  end
+
+  test "bearer token for non-staff user is forbidden" do
+    # Even with a valid token, non-staff users should be denied access.
+    # This handles the case where a user's staff privileges are revoked
+    # after a token was issued.
+    token = Audits1984::AuditorToken.generate_for(identities(:jz))
+
+    untenanted do
+      get saas.admin_audits1984_path, headers: { "Authorization" => "Bearer #{token}" }
+    end
+
+    assert_response :forbidden
+  end
 end
