espoo-dev · lucasleandro1 · May 5, 2025 · May 5, 2025 · May 5, 2025 · May 6, 2025
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -2,10 +2,10 @@
 
 class User < ApplicationRecord
   # Include default devise modules. Others available are:
-  # :lockable, :timeoutable, :trackable and :omniauthable
+  # :lockable, :trackable and :omniauthable
   devise :database_authenticatable, :registerable,
     :recoverable, :rememberable, :validatable, :api,
-    :omniauthable, :confirmable, omniauth_providers: %i[github strava]
+    :omniauthable, :confirmable, :timeoutable, omniauth_providers: %i[github strava]
 
   has_many :event_procedures, dependent: :destroy
   has_many :medical_shifts, dependent: :destroy

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
@@ -178,7 +178,7 @@
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this
   # time the user will be asked for credentials again. Default is 30 minutes.
-  # config.timeout_in = 30.minutes
+  config.timeout_in = 30.minutes
 
   # ==> Configuration for :lockable
   # Defines which strategy will be used to lock an account.
@@ -265,10 +265,8 @@
     scope: "user,public_repo"
 
   config.omniauth :strava, ENV.fetch("STRAVA_CLIENT_ID", nil).to_i, ENV.fetch("STRAVA_CLIENT_SECRET", nil),
-    scope: "profile:read_all", token_params: {
-      client_id: ENV.fetch("STRAVA_CLIENT_ID", nil),
-      client_secret: ENV.fetch("STRAVA_CLIENT_SECRET", nil)
-    }
+    scope: "profile:read_all", token_params: { client_id: ENV.fetch("STRAVA_CLIENT_ID", nil),
+                                               client_secret: ENV.fetch("STRAVA_CLIENT_SECRET", nil) }
   # ==> Warden configuration
   # If you want to use other strategies, that are not supported by Devise, or
   # change the failure app, you can configure them inside the config.warden block.
@@ -308,7 +306,7 @@
   # config.sign_in_after_change_password = true
 
   config.api.configure do |api|
-    api.access_token.expires_in = 1.month
+    api.access_token.expires_in = 1.hour
   end
 
   config.secret_key = Rails.application.secret_key_base

diff --git a/spec/rails_helper.rb b/spec/rails_helper.rb
@@ -42,7 +42,7 @@
   # instead of true.
   config.use_transactional_fixtures = true
   config.include Devise::Test::IntegrationHelpers, type: :request
-
+  config.include ActiveSupport::Testing::TimeHelpers
   # You can uncomment this line to turn off ActiveRecord support entirely.
   # config.use_active_record = false
 

diff --git a/spec/requests/api/v1/users_request_spec.rb b/spec/requests/api/v1/users_request_spec.rb
@@ -66,6 +66,21 @@
         }
       end
     end
+
+    context "when token is expired" do
+      let(:user) { create(:user, admin: true) }
+
+      it "returns unauthorized for token expiration" do
+        get path, headers: headers
+        expect(response).to have_http_status(:ok)
+
+        travel 61.minutes
+
+        get path, headers: headers
+        expect(response).to have_http_status(:unauthorized)
+        expect(response.parsed_body["error_description"]).to eq(["Token has expired"])
+      end
+    end
   end
 
   describe "Password recovery" do