A related question implies that I can test a request with token authentication, in my integration tests, as follows:
get "/v1/sites", nil, :authorization => "foo"
assert_response :success
For some reason, the headers don't get to my application:
get "/v1/sites", nil, :authorization => "foo"
assert_match response.headers, /foo/
Expected {"X-Frame-Options"=>"SAMEORIGIN", "X-XSS-Protection"=>"1; mode=block", "X-Content-Type-Options"=>"nosniff", "X-UA-Compatible"=>"chrome=1", "WWW-Authenticate"=>"Token realm=\"Application\"", "Content-Type"=>"text/html; charset=utf-8", "Cache-Control"=>"no-cache", "X-Request-Id"=>"23915302-9cfe-424d-86fe-5d60bc0d6b2c", "X-Runtime"=>"0.054857", "Content-Length"=>"27"} to match /foo/.
The authorization-header does not get through, which I can confirm when placing a throw response.headers in the controller. When I test with e.g. curl, I do see the header coming through. And there I can even set the token and get access. The relevant code from the controller is:
module V1
  class SitesController < ApplicationController
    before_filter :restrict_access, :only => :index
    def index
      head :success
    end
    private
    def restrict_access
      authenticate_or_request_with_http_token do |token, options|
        token == "foo"
      end
    end
  end 
end
This is minitest, on Rails 4, using Rails-API.
For reference, here is the middleware stack; it is a lot slimmer than most default Rails apps.
use ActionDispatch::Static
use Rack::Lock
use #<ActiveSupport::Cache::Strategy::LocalCache::Middleware:0x992cd28>
use Rack::Runtime
use ActionDispatch::RequestId
use Rails::Rack::Logger
use ActionDispatch::ShowExceptions
use ActionDispatch::DebugExceptions
use ActionDispatch::RemoteIp
use ActionDispatch::Reloader
use ActionDispatch::Callbacks
use ActiveRecord::Migration::CheckPending
use ActiveRecord::ConnectionAdapters::ConnectionManagement
use ActiveRecord::QueryCache
use ActionDispatch::ParamsParser
use Rack::Head
use Rack::ConditionalGet
use Rack::ETag
run MyApp::Application.routes
To send a GET request with a Bearer Token authorization header, you need to make an HTTP GET request and provide your Bearer Token with the Authorization: Bearer {token} HTTP header.
The token is a text string, included in the request header. In the request Authorization tab, select Bearer Token from the Type dropdown list. In the Token field, enter your API key value. For added security, store it in a variable and reference the variable by name.
Just for reference. Everything was right, I was just being stupid and testing the wrong thing while debugging:
assert_match response.headers, /foo/
Is obviously false, because this is the response. Correct is to test the request:
get "/v1/sites", nil, :authorization => %{Token token="foo"}
assert_includes request.headers["HTTP_AUTHORIZATION"], "foo"
This passes just fine.
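The following is an added example, not code from the original posts or from Rails. It shows why the header value in the passing test is `Token token="foo"` rather than the bare string `foo`, and replaces the controller's `token == "foo"` with a constant-time comparison. The helper names (`rack_env_key`, `extract_token`, `secure_compare`, `authorized?`, `env_for`) are hypothetical, and the regular expression is a simplified stand-in for the token-scheme parsing behind `authenticate_or_request_with_http_token`.

```ruby
require "digest"

# Rack exposes an incoming "Authorization" request header under this env key,
# which is the key the passing test above reads back.
def rack_env_key(header_name)
  "HTTP_" + header_name.upcase.tr("-", "_")
end

# Simplified stand-in (assumption, not Rails source) for the token-scheme
# parsing: the value must look like  Token token="..."  to yield a token.
def extract_token(env)
  match = env["HTTP_AUTHORIZATION"].to_s.match(/\AToken\s+token="?([^",\s]+)"?/)
  match && match[1]
end

# Constant-time comparison: hash both sides to equal length, then XOR every
# byte so the running time does not depend on where the strings differ.
def secure_compare(given, expected)
  a = Digest::SHA256.digest(given).bytes
  b = Digest::SHA256.digest(expected).bytes
  a.zip(b).reduce(0) { |diff, (x, y)| diff | (x ^ y) }.zero?
end

def authorized?(env, expected_token)
  token = extract_token(env)
  !token.nil? && secure_compare(token, expected_token)
end

# Build a minimal Rack-style env (constructed sample input).
def env_for(authorization)
  env = {}
  env[rack_env_key("Authorization")] = authorization unless authorization.nil?
  env
end

# Constructed header values: the bare string from the first test, the
# scheme-qualified value from the passing test, a wrong token, no header.
['foo', 'Token token="foo"', 'Token token="bar"', nil].each do |value|
  puts "#{value.inspect.ljust(22)} -> authorized: #{authorized?(env_for(value), 'foo')}"
end
```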