This article will be part3. If you haven't seen part1 and part2, please see there. (Very long)
↓part1 https://qiita.com/yoshi_4/items/6c9f3ced0eb20131903d ↓part2 https://qiita.com/yoshi_4/items/963bd1f5397caf8d7d67
In this part3, we will use the user authentication implemented in part2 to implement actions that can be used only when authentication such as create action is performed. The goal this time is to implement create, update and destroy actions. Let's go for the first time.
First, we will add endpoints. And before that, write a test once.
spec/routing/articles_spec.rb
it 'should route articles create' do
expect(post '/articles').to route_to('articles#create')
end
Since the http request is post for the create action, write it with post instead of get.
$ bundle exec rspec spec/routing/articles_spec.rb
No route matches "/articles"
Since it appears like this, I will add routing
config/routes.rb
resources :articles, only: [:index, :show, :create]
$ bundle exec rspec spec/routing/articles_spec.rb
Run the test to make sure it passes.
And next, I will write a test for the controller.
spec/controllers/articles_controller_spec.rb
describe '#create' do
subject { post :create }
end
end
Add this description to the end.
And I will write a test when authentication does not work using forbidden_requests defined in part2.
spec/controllers/articles_controller_spec.rb
describe '#create' do
subject { post :create }
context 'when no code provided' do
it_behaves_like 'forbidden_requests'
end
context 'when invalid code provided' do
before { request.headers['authorization'] = 'Invalid token' }
it_behaves_like 'forbidden_requests'
end
context 'when invalid parameters provided' do
end
end
This forbidden_rquests runs a test that expects a 403 to be returned.
$ rspec spec/controllers/articles_controller_spec.rb
Then the following message will be returned
The action 'create' could not be found for ArticlesController
It is said that the create action cannot be found, so let's define it.
app/controllers/articles_controller.rb
def create
end
Now run the test again to make sure everything passes. If the test passes, it means that the certification is working properly.
Now let's write a test to implement the create action.
spec/controllers/articles_controller_spec.rb
context 'when authorized' do
let(:access_token) { create :access_token }
before { request.headers['authorization'] = "Bearer #{access_token.token}" }
context 'when invalid parameters provided' do
let(:invalid_attributes) do
{
data: {
attributes: {
title: '',
content: '',
}
}
}
end
subject { post :create, params: invalid_attributes }
it 'should return 422 status code' do
subject
expect(response).to have_http_status(:unprocessable_entity)
end
it 'should return proper error json' do
subject
expect(json['errors']).to include(
{
"source" => { "pointer" => "/data/attributes/title" },
"detail" => "can't be blank"
},
{
"source" => {"pointer" => "/data/attributes/content"},
"detail" => "can't be blank"
},
{
"source" => {"pointer" => "/data/attributes/slug"},
"detail" => "can't be blank"
}
)
end
end
context 'when success request sent' do
end
end
Added a test. I added a lot at once, but each one has many parts that have already arrived and are covered.
The added test is when authorized, so if the authentication is successful, we will test. Each item to be tested
when invalid parameters provided
should return 422 status code
should return proper error json
Is being added. If the parameter is correct, I will write it later.
If parameter is from, I expect can't be blank to be returned. The source pointer shows where the error is occurring. This time, everything is a string from, so I expect that can't be blank will be returned from everything.
Run the test. Two tests fail.
expected the response to have status code :unprocessable_entity (422) but it was :no_content (204)
The first is expecting a response that says unprocessable, but no_content is back. I want to return no_content when createa runs successfully, so I'll fix it later.
unexpected token at ''
The second is the error because JSON.parse gives an error with the string from.
Now, let's implement it on the controller and eliminate the error.
app/controllers/articles_controller.rb
def create
article = Article.new(article_params)
if article.valid?
#we will figure that out
else
render json: article, adapter: :json_api,
serializer: ActiveModel::Serializer::ErrorSerializer,
status: :unprocessable_entity
end
end
private
def article_params
ActionController::Parameters.new
end
I'm creating an instance of ActionController :: Parameters because it allows me to use StrongParameter. You will be able to use permit and require, which are instance methods of ActionController :: Parameters. By using permit and require, if something is different from what you are formally expecting, or if some parameter is sent with a different key, you can truncate the unnecessary part.
I have specified adapter for render, which specifies the format. If you do not specify this adapter, attributes is specified by default. This time, I'm using a person called json_api. The following shows the difference as an example. I copied it from Learn about Rails active_model_serializer_100DaysOfCode Challenge Day 10 (Day_10: # 100DaysOfCode).
attributes
[
{
"id": 1,
"name": "Nakajima Hikari",
"email": "[email protected]",
"birthdate": "2016-05-02",
"birthday": "2016/05/02"
}
]
}
json_api
{
"data": [
{
"id": "1",
"type": "contacts",
"attributes": {
"name": "Nakajima Hikari",
"email": "[email protected]",
"birthdate": "2016-05-02",
"birthday": "2016/05/02"
}
}
]
}
This time I will use json_api which is suitable for api.
Run the test and make sure it passes.
Next, I will write a test when the parameter is correct.
spec/controllers/articles_controller_spec.rb
context 'when success request sent' do
let(:access_token) { create :access_token }
before { request.headers['authorization'] = "Bearer #{access_token.token}" }
let(:valid_attributes) do
{
'data' => {
'attributes' => {
'title' => 'Awesome article',
'content' => 'Super content',
'slug' => 'awesome-article',
}
}
}
end
subject { post :create, params: valid_attributes }
it 'should have 201 status code' do
subject
expect(response).to have_http_status(:created)
end
it 'should have proper json body' do
subject
expect(json_data['attributes']).to include(
valid_attributes['data']['attributes']
)
end
it 'should create article' do
expect { subject }.to change{ Article.count }.by(1)
end
end
You have entered the correct token and the correct parameters. Now run the test.
expected the response to have status code :created (201) but it was :unprocessable_entity (422)
undefined method `[]' for nil:NilClass
`Article.count` to have changed by 1, but was changed by 0
I think each of the three tests will fail this way. Since these are making the correct mistakes, we will implement the controller when the parameters are actually correct.
app/controllers/articles_controller.rb
def create
article = Article.new(article_params)
article.save!
render json: article, status: :created
rescue
render json: article, adapter: :json_api,
serializer: ActiveModel::Serializer::ErrorSerializer,
status: :unprocessable_entity
end
private
def article_params
params.requrie(:data).require(:attributes).
permit(:title, :content, :slug) ||
ActionController::Parameters.new
end
Next, edit create like this. When an error occurs by using rescue, render skips the error.
In article_params, by setting a condition that only : title ,: content,: slug in: attributes in : data is acquired, all other than this specified format will be played. I am.
Now when I run the test, everything goes through.
I'll do one more refactoring.
app/controllers/articles_controller.rb
rescue
render json: article, adapter: :json_api,
serializer: ActiveModel::Serializer::ErrorSerializer,
status: :unprocessable_entity
end
Since this ʻActiveModel :: Serializer :: ErrorSerializer,` is long, I will inherit it to a different class elsewhere so that it can be written short.
ʻCreate app / serializers / error_serializer.rb`
app/serializers/error_serializer.rb
class ErrorSerializer < ActiveModel::Serializer::ErrorSerializer; end
Let it be inherited like this.
app/controllers/articles_controller.rb
rescue
render json: article, adapter: :json_api,
serializer: ErrorSerializer,
status: :unprocessable_entity
end
And you can clean up the long description. Run a test to see if it fails.
This completes the implementation of the action to create an article.
Let's start by adding endpoints again. First of all, I will write a test.
spec/routing/articles_spec.rb
it 'should route articles show' do
expect(patch '/articles/1').to route_to('articles#update', id: '1')
end
I will write endpoint tests like every time. The show action uses either the patch or put because the http request is a patch or put.
Run the test to make sure you get the error correctly.
config/routes.rb
resources :articles, only: [:index, :show, :create, :update]
Add an update to make sure the test passes.
Next, let's write a test for the controller # update action.
spec/controllers/articles_controller_spec.rb
describe '#update' do
let(:article) { create :article }
subject { patch :update, params: { id: article.id } }
context 'when no code provided' do
it_behaves_like 'forbidden_requests'
end
context 'when invalid code provided' do
before { request.headers['authorization'] = 'Invalid token' }
it_behaves_like 'forbidden_requests'
end
context 'when authorized' do
let(:access_token) { create :access_token }
before { request.headers['authorization'] = "Bearer #{access_token.token}" }
context 'when invalid parameters provided' do
let(:invalid_attributes) do
{
data: {
attributes: {
title: '',
content: '',
}
}
}
end
it 'should return 422 status code' do
subject
expect(response).to have_http_status(:unprocessable_entity)
end
it 'should return proper error json' do
subject
expect(json['errors']).to include(
{
"source" => { "pointer" => "/data/attributes/title" },
"detail" => "can't be blank"
},
{
"source" => {"pointer" => "/data/attributes/content"},
"detail" => "can't be blank"
},
{
"source" => {"pointer" => "/data/attributes/slug"},
"detail" => "can't be blank"
}
)
end
end
context 'when success request sent' do
let(:access_token) { create :access_token }
before { request.headers['authorization'] = "Bearer #{access_token.token}" }
let(:valid_attributes) do
{
'data' => {
'attributes' => {
'title' => 'Awesome article',
'content' => 'Super content',
'slug' => 'awesome-article',
}
}
}
end
subject { post :create, params: valid_attributes }
it 'should have 201 status code' do
subject
expect(response).to have_http_status(:created)
end
it 'should have proper json body' do
subject
expect(json_data['attributes']).to include(
valid_attributes['data']['attributes']
)
end
it 'should create article' do
expect { subject }.to change{ Article.count }.by(1)
end
end
end
end
The difference between the update action and the create action is the type of request and the update already in the database. Since it is only the situation that there is an article to be targeted, I just copied the test of create except for the part where the article is created first and the part where the request is defined.
Now run the test.
The action 'update' could not be found for ArticlesController
I think you will get an error like this. So, let's actually define update.
app/controllers/articles_controller.rb
def update
article = Article.find(params[:id])
article.update_attributes!(article_params)
render json: article, status: :ok
rescue
render json: article, adapter: :json_api,
serializer: ErrorSerializer,
status: :unprocessable_entity
end
It's nothing new, so I won't explain it.
Now run the test to make sure everything goes through. If you know the difference between create and update, you can see that there is almost no difference. And you can reuse almost the same test.
However, there is a slight problem here. It can be updated on anyone's article on request. I don't want it to be updated without permission. So I will fix it.
As for how to fix it, at the moment, it is a problem because user and article are not related, so we will add association to user and article.
Before that, set the association and test that the expected value is returned.
spec/controllers/articles_controller_spec.rb
describe '#update' do
+ let(:user) { create :user }
let(:article) { create :article }
+ let(:access_token) { user.create_access_token }
subject { patch :update, params: { id: article.id } }
@ -140,8 +142,17 @@ describe ArticlesController do
it_behaves_like 'forbidden_requests'
end
+ context 'when trying to update not owned article' do
+ let(:other_user) { create :user }
+ let(:other_article) { create :article, user: other_user }
+
+ subject { patch :update, params: { id: other_article.id } }
+ before { request.headers['authorization'] = "Bearer #{access_token.token}" }
+
+ it_behaves_like 'forbidden_requests'
+ end
context 'when authorized' do
- let(:access_token) { create :access_token }
before { request.headers['authorization'] = "Bearer #{access_token.token}" }
context 'when invalid parameters provided' do
let(:invalid_attributes) do
I added the test like this. We create articles that connect with users and even authenticate them.
What I'm doing with the newly added test item is to check if forbidden_requests is properly returned when trying to update the article of another user.
Now when you run the test
undefined method user=
It will fail with a message like this. This is proof that the association has not been established, so we will set up the association next.
app/models/article.rb
belongs_to :user
app/models/user.rb
has_many :articles, dependent: :destroy
And in order to connect the two models, it is necessary to give the article model a user_id, so add it.
$ rails g migration AddUserToArticles user:references
$ rails db:migrate
Now the association itself has been implemented. So, using that, we will change the description of the controller.
app/controllers/articles_controller.rb
def update
article = current_user.articles.find(params[:id])
article.update_attributes!(article_params)
render json: article, status: :ok
rescue ActiveRecord::RecordNotFound
authorization_error
rescue
render json: article, adapter: :json_api,
serializer: ErrorSerializer,
status: :unprocessable_entity
end
What changed in the description is that the user to find is called with current_user. This allows you to find only from the logged-in user. And if the specified id is not in the article of current_user, ʻActiveRecord :: RecordNotFound` will be raised, so rescue it like that and issue authorization_error dedicated to authentication.
Also, even with create, describe who creates the article, and set the user_id to article. I want to have it, so I will make some changes.
app/controllers/articles_controller.rb
def create
- article = Article.new(article_params)
+ article = current_user.articles.build(article_params)
Then, add the description of the association to factorybot.
spec/factories/articles.rb
FactoryBot.define do
factory :article do
sequence(:title) { |n| "My article #{n}"}
sequence(:content) { |n| "The content of article #{n}"}
sequence(:slug) { |n| "article-#{n}"}
association :user
end
end
association :model_name
Will automatically define the id of the model.
If you run the test with this, it will pass. Next, let's move on to the destroy action.
First, let's write a test to add an endpoint.
spec/routing/articles_spec.rb
it 'should route articles destroy' do
expect(delete '/articles/1').to route_to('articles#destroy', id: '1')
end
When I run the test, I get the following message
No route matches "/articles/1"
So, let's edit the routing.
config/routes.rb
resources :articles
Set everything without specifying with the only option. This will pass the routing test.
Next, add a test for the controller.
spec/controllers/articles_controller_spec.rb
describe '#delete' do
let(:user) { create :user }
let(:article) { create :article, user_id: user.id }
let(:access_token) { user.create_access_token }
subject { delete :destroy, params: { id: article.id } }
context 'when no code provided' do
it_behaves_like 'forbidden_requests'
end
context 'when invalid code provided' do
before { request.headers['authorization'] = 'Invalid token' }
it_behaves_like 'forbidden_requests'
end
context 'when trying to remove not owned article' do
let(:other_user) { create :user }
let(:other_article) { create :article, user: other_user }
subject { delete :destroy, params: { id: other_article.id } }
before { request.headers['authorization'] = "Bearer #{access_token.token}" }
it_behaves_like 'forbidden_requests'
end
context 'when authorized' do
before { request.headers['authorization'] = "Bearer #{access_token.token}" }
it 'should have 204 status code' do
subject
expect(response).to have_http_status(:no_content)
end
it 'should have empty json body' do
subject
expect(response.body).to be_blank
end
it 'should destroy the article' do
article
expect{ subject }.to change{ user.articles.count }.by(-1)
end
end
end
Most of the code for this test is a copy of the update test. The content is nothing new. Run the test.
The action 'destroy' could not be found for ArticlesController
This error is correct because we haven't defined the destroy action yet. Then controller Will be implemented.
app/controllers/articles_controller.rb
def destroy
article = current_user.articles.find(params[:id])
article.destroy
head :no_content
rescue
authorization_error
end
It simply destroys the specified article in current_user.
Now run the test.
If you pass this, everything is done. Thank you for staying with us for a long time!