Connect the token authentication mechanism to Devise session tracking

mikejamesthompson · mikejamesthompson · commit a69bbc10ff00 · 2025-11-14T10:17:52.000Z
diff --git a/app/controllers/concerns/reporting_api/token_authentication_concern.rb b/app/controllers/concerns/reporting_api/token_authentication_concern.rb
@@ -43,8 +43,12 @@ def authenticate_user_by_jwt!
             )
           )
         if @current_user
-          session["user"] = data["user"]
           session["cis2_info"] = data["cis2_info"]
+
+          # Establish a Warden session with activity tracking
+          # which enables Devise's timeoutable module
+          sign_in @current_user, event: :authentication
+
           authenticate_user!
         else
           session.clear
diff --git a/spec/controllers/concerns/reporting_api/token_authentication_concern_spec.rb b/spec/controllers/concerns/reporting_api/token_authentication_concern_spec.rb
@@ -12,6 +12,9 @@
         def authenticate_user!
         end
 
+        def sign_in(user, options = {})
+        end
+
         def initialize(request: nil, session: {})
           @request = request
           @session = session
@@ -201,20 +204,20 @@ def current_user
       context "when a User exists with the values of id, session_token and reporting_api_session_token" do
         let(:user_id) { user.id }
 
-        it "copies the user key into session['user']" do
-          an_object_which_includes_the_concern.send(:authenticate_user_by_jwt!)
-          expect(an_object_which_includes_the_concern.session["user"]).to eq(
-            user_info.first["data"]["user"]
-          )
-        end
-
         it "copies the cis2_info key into session['cis2_info']" do
           an_object_which_includes_the_concern.send(:authenticate_user_by_jwt!)
           expect(
             an_object_which_includes_the_concern.session["cis2_info"]
           ).to eq(user_info.first["data"]["cis2_info"])
         end
 
+        it "signs in the user through Devise/Warden" do
+          expect(an_object_which_includes_the_concern).to receive(
+            :sign_in
+          ).with(user, event: :authentication)
+          an_object_which_includes_the_concern.send(:authenticate_user_by_jwt!)
+        end
+
         it "calls authenticate_user!" do
           expect(an_object_which_includes_the_concern).to receive(
             :authenticate_user!
diff --git a/spec/support/reporting_api_helper.rb b/spec/support/reporting_api_helper.rb
@@ -4,6 +4,13 @@ module ReportingAPIHelper
   def valid_jwt_payload
     team = create(:team, :with_one_nurse)
     user = team.users.first
+
+    # Ensure the user has session tokens required by Warden callbacks
+    user.update!(
+      session_token: SecureRandom.hex(32),
+      reporting_api_session_token: SecureRandom.hex(32)
+    )
+
     {
       data: {
         user: user.as_json,
@@ -16,12 +23,8 @@ def valid_jwt_payload
     }
   end
 
-  def valid_jwt
-    JWT.encode(
-      valid_jwt_payload,
-      Settings.reporting_api.client_app.secret,
-      "HS512"
-    )
+  def valid_jwt(payload = valid_jwt_payload)
+    JWT.encode(payload, Settings.reporting_api.client_app.secret, "HS512")
   end
 
   def invalid_jwt_payload
diff --git a/spec/support/shared_examples/a_reporting_api_controller.rb b/spec/support/shared_examples/a_reporting_api_controller.rb
@@ -1,11 +1,14 @@
 # frozen_string_literal: true
 
 shared_examples "a ReportingAPI controller" do
-  let(:team) { create(:team, :with_one_nurse) }
-  let(:user) { team.users.first }
-
   include ReportingAPIHelper
 
+  # Extract the user from the JWT payload so we're testing with the same user
+  # that was authenticated via JWT
+  let(:jwt_payload) { valid_jwt_payload }
+  let(:user) { User.find(jwt_payload[:data][:user]["id"]) }
+  let(:team) { user.teams.first }
+
   context "when the reporting_api feature flag is disabled" do
     before { Flipper.disable(:reporting_api) }
 
@@ -14,7 +17,7 @@
         let(:params) { { jwt: jwt } }
 
         context "which is valid" do
-          let(:jwt) { valid_jwt }
+          let(:jwt) { valid_jwt(jwt_payload) }
 
           it "responds with status :forbidden" do
             get :index, params: { jwt: jwt }
@@ -33,12 +36,20 @@
         let(:params) { { jwt: jwt } }
 
         context "which is valid" do
-          let(:jwt) { valid_jwt }
+          let(:jwt) { valid_jwt(jwt_payload) }
 
           it "responds with status 200" do
             get :index, params: { jwt: jwt }
             expect(response.status).to eq(200)
           end
+
+          it "establishes a Warden session with activity tracking" do
+            get :index, params: { jwt: jwt }
+
+            expect(
+              request.session.dig("warden.user.user.session", "last_request_at")
+            ).to be_a(Integer)
+          end
         end
 
         context "which is not valid" do

Original file line number	Diff line number	Diff line change
`@@ -43,8 +43,12 @@ def authenticate_user_by_jwt!`
`43`	`43`	`)`
`44`	`44`	`)`
`45`	`45`	`if @current_user`
`46`		`- session["user"] = data["user"]`
`47`	`46`	`session["cis2_info"] = data["cis2_info"]`
	`47`	`+`
	`48`	`+ # Establish a Warden session with activity tracking`
	`49`	`+ # which enables Devise's timeoutable module`
	`50`	`+ sign_in @current_user, event: :authentication`
	`51`	`+`
`48`	`52`	`authenticate_user!`
`49`	`53`	`else`
`50`	`54`	`session.clear`