Add Api::TeacherInvitationsController#show action

floehopper · floehopper · commit 44906df001a3 · 2024-06-24T13:45:13.000+01:00
When the user clicks on the link in the teacher invitation email, they
will be taken to a page which allows the user to accept the invitation.
This page needs to display the name of the school to which they've been
invited.

Also we need to check that the invitation token is valid for the
currently logged-in user - these scenarios as handled with HTTP status
codes as follows:

* User is not logged in: 401 Unauthorized
* Token does not exist: 404 Not Found
* Token has expired: 403 Forbidden
* Invitation email has changed since token was created: 403 Forbidden
* Invitation email does not match current user email: 403 Forbidden
  * This response includes an error message to distinguish it from
    the other two 403 Forbidden responses
diff --git a/app/controllers/api/teacher_invitations_controller.rb b/app/controllers/api/teacher_invitations_controller.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Api
+  class TeacherInvitationsController < ApiController
+    rescue_from ActiveSupport::MessageVerifier::InvalidSignature, with: -> { denied }
+
+    before_action :authorize_user
+    before_action :load_invitation
+    before_action :ensure_invitation_email_matches_user_email
+
+    def show
+      render :show, formats: [:json], status: :ok
+    end
+
+    private
+
+    def load_invitation
+      @invitation = Invitation.find_by_token_for!(:teacher_invitation, params[:token])
+    end
+
+    def ensure_invitation_email_matches_user_email
+      return if @invitation.email_address == current_user.email
+
+      render json: { error: 'Invitation email does not match user email' }, status: :forbidden
+    end
+  end
+end
diff --git a/app/views/api/teacher_invitations/show.json.jbuilder b/app/views/api/teacher_invitations/show.json.jbuilder
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+json.call(
+  @invitation,
+  :school_name
+)
diff --git a/config/routes.rb b/config/routes.rb
@@ -53,6 +53,8 @@
     resources :lessons, only: %i[index create show update destroy] do
       post :copy, on: :member, to: 'lessons#create_copy'
     end
+
+    resources :teacher_invitations, param: :token, only: :show
   end
 
   resource :github_webhooks, only: :create, defaults: { formats: :json }
diff --git a/spec/features/teacher_invitations/viewing_an_invitation_spec.rb b/spec/features/teacher_invitations/viewing_an_invitation_spec.rb
@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Viewing an invitations', type: :request do
+  include ActiveSupport::Testing::TimeHelpers
+
+  let(:user) { create(:user) }
+  let(:headers) { { Authorization: UserProfileMock::TOKEN } }
+
+  context 'when user is not logged in' do
+    it 'responds 401 Unauthorized' do
+      get('/api/teacher_invitations/fake-token')
+      expect(response).to have_http_status(:unauthorized)
+    end
+  end
+
+  context 'when user is logged in' do
+    before do
+      authenticated_in_hydra_as(user)
+    end
+
+    context 'when invitation does not exist' do
+      let(:invitation) { build(:invitation) }
+      let!(:token) { invitation.generate_token_for(:teacher_invitation) }
+
+      it 'responds 404 Not Found' do
+        get("/api/teacher_invitations/#{token}", headers:)
+        expect(response).to have_http_status(:not_found)
+      end
+    end
+
+    context 'when invitation exists' do
+      let(:invitation_email) { user.email }
+      let(:invitation) { create(:invitation, email_address: invitation_email) }
+      let!(:token) { invitation.generate_token_for(:teacher_invitation) }
+
+      context 'when invitation token is not valid because invitation email has changed' do
+        before do
+          invitation.update!(email_address: "not-#{invitation.email_address}")
+        end
+
+        it 'responds 403 Forbidden' do
+          get("/api/teacher_invitations/#{token}", headers:)
+          expect(response).to have_http_status(:forbidden)
+        end
+      end
+
+      context 'when invitation token is not valid because token has expired' do
+        it 'responds 403 Forbidden' do
+          travel 31.days do
+            get("/api/teacher_invitations/#{token}", headers:)
+          end
+          expect(response).to have_http_status(:forbidden)
+        end
+      end
+
+      context 'when invitation email does not match user email' do
+        let(:invitation_email) { "not-#{user.email}" }
+
+        it 'responds 403 Forbidden' do
+          get("/api/teacher_invitations/#{token}", headers:)
+          expect(response).to have_http_status(:forbidden)
+        end
+
+        it 'includes error message in response' do
+          get("/api/teacher_invitations/#{token}", headers:)
+
+          json = JSON.parse(response.body)
+          expect(json['error']).to eq('Invitation email does not match user email')
+        end
+      end
+
+      context 'when invitation token is valid' do
+        it 'responds 200 OK' do
+          get("/api/teacher_invitations/#{token}", headers:)
+          expect(response).to have_http_status(:ok)
+        end
+
+        it 'includes school name in response' do
+          get("/api/teacher_invitations/#{token}", headers:)
+
+          json = JSON.parse(response.body)
+          expect(json['school_name']).to eq(invitation.school_name)
+        end
+      end
+    end
+  end
+end
