analytics/test/plausible_web/plugs/authorize_plugins_api_test.exs

defmodule PlausibleWeb.Plugs.AuthorizePluginsAPITest do
  use PlausibleWeb.ConnCase, async: true

  alias Plausible.Plugins.API.{Token, Tokens}
  alias PlausibleWeb.Plugs.AuthorizePluginsAPI
  alias Plausible.Repo

  import Plug.Conn

  test "plug passes when a token is found" do
    %{id: site_id} = site = insert(:site, domain: "pass.example.com")
    {:ok, _, raw} = Tokens.create(site, "Some token")

    credentials = "Basic " <> Base.encode64("#{site.domain}:#{raw}")

    conn =
      build_conn()
      |> put_req_header("authorization", credentials)
      |> AuthorizePluginsAPI.call()

    refute conn.halted
    assert %Plausible.Site{id: ^site_id} = conn.assigns.authorized_site
  end

  test "plug passes when a token is found, no domain provided" do
    %{id: site_id} = site = insert(:site, domain: "pass.example.com")
    {:ok, _, raw} = Tokens.create(site, "Some token")

    credentials = "Basic " <> Base.encode64(raw)

    conn =
      build_conn()
      |> put_req_header("authorization", credentials)
      |> AuthorizePluginsAPI.call()

    refute conn.halted
    assert %Plausible.Site{id: ^site_id} = conn.assigns.authorized_site
  end

  test "plug halts when a token is not found" do
    site = insert(:site, domain: "pass.example.com")

    credentials = "Basic " <> Base.encode64("#{site.domain}:invalid-token")

    conn =
      build_conn()
      |> put_req_header("authorization", credentials)
      |> AuthorizePluginsAPI.call()

    assert conn.halted

    assert json_response(conn, 401) == %{
             "errors" => [
               %{"detail" => "Plugins API: unauthorized"}
             ]
           }
  end

  test "plug halts when no authorization header is passed" do
    conn =
      build_conn()
      |> AuthorizePluginsAPI.call()

    assert conn.halted

    assert json_response(conn, 401) == %{
             "errors" => [
               %{"detail" => "Plugins API: unauthorized"}
             ]
           }
  end

  test "plug optionally doesn't halt when no authorization header is passed" do
    conn =
      build_conn()
      |> AuthorizePluginsAPI.call(send_error?: false)

    refute conn.halted
  end

  test "plug updates last seen timestamp" do
    site = insert(:site, domain: "pass.example.com")
    {:ok, token, raw} = Tokens.create(site, "Some token")

    refute token.last_used_at
    assert Token.last_used_humanize(token) == "Not yet"

    credentials = "Basic " <> Base.encode64(raw)

    build_conn()
    |> put_req_header("authorization", credentials)
    |> AuthorizePluginsAPI.call()

    token = Repo.reload!(token)
    assert token.last_used_at
    assert Token.last_used_humanize(token) == "Just recently"
  end
end
Implement Plugins API authorization (#3373) * Implement Plugins API Token schema * Work with domain change grace period * Do not cast internal data, extend schema with hints * Implement Plugins API authorization * Test no authorization header passed * Preload authorized site * Fixup typespecs 2023-09-26 14:13:08 +03:00			`defmodule PlausibleWeb.Plugs.AuthorizePluginsAPITest do`
			`use PlausibleWeb.ConnCase, async: true`

Track tokens usage (#3438) * Migration: track last seen usage for Plugins API Tokens * Track and interpret Token.last_seen_at * Display last used * Order tokens by inserted date, rather than UUID :clown: * s/Last seen/Last used in the UI * Test for "Last used" column presence * Fix table layout for very long descriptions * Update lib/plausible/plugins/api/tokens.ex Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> * Update lib/plausible/plugins/api/token.ex Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> * Update test/plausible/plugins/api/token_test.exs Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> * s/last_seen_at/last_used_at * Update lib/plausible_web/live/plugins/api/settings.ex Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> * fixup * Document reasoning behind 5m windows * s/last_seen/last_used * Mute credo --------- Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> 2023-10-18 15:14:30 +03:00			`alias Plausible.Plugins.API.{Token, Tokens}`
Implement Plugins API authorization (#3373) * Implement Plugins API Token schema * Work with domain change grace period * Do not cast internal data, extend schema with hints * Implement Plugins API authorization * Test no authorization header passed * Preload authorized site * Fixup typespecs 2023-09-26 14:13:08 +03:00			`alias PlausibleWeb.Plugs.AuthorizePluginsAPI`
Track tokens usage (#3438) * Migration: track last seen usage for Plugins API Tokens * Track and interpret Token.last_seen_at * Display last used * Order tokens by inserted date, rather than UUID :clown: * s/Last seen/Last used in the UI * Test for "Last used" column presence * Fix table layout for very long descriptions * Update lib/plausible/plugins/api/tokens.ex Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> * Update lib/plausible/plugins/api/token.ex Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> * Update test/plausible/plugins/api/token_test.exs Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> * s/last_seen_at/last_used_at * Update lib/plausible_web/live/plugins/api/settings.ex Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> * fixup * Document reasoning behind 5m windows * s/last_seen/last_used * Mute credo --------- Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> 2023-10-18 15:14:30 +03:00			`alias Plausible.Repo`
Implement Plugins API authorization (#3373) * Implement Plugins API Token schema * Work with domain change grace period * Do not cast internal data, extend schema with hints * Implement Plugins API authorization * Test no authorization header passed * Preload authorized site * Fixup typespecs 2023-09-26 14:13:08 +03:00
			`import Plug.Conn`

			`test "plug passes when a token is found" do`
			`%{id: site_id} = site = insert(:site, domain: "pass.example.com")`
			`{:ok, _, raw} = Tokens.create(site, "Some token")`

			`credentials = "Basic " <> Base.encode64("#{site.domain}:#{raw}")`

			`conn =`
No longer require domain to seek Plugins API Tokens (#3409) * No longer require domain to seek Plugins API Tokens * Accept raw token only 2023-10-16 14:22:09 +03:00			`build_conn()`
			`\|> put_req_header("authorization", credentials)`
			`\|> AuthorizePluginsAPI.call()`

			`refute conn.halted`
			`assert %Plausible.Site{id: ^site_id} = conn.assigns.authorized_site`
			`end`

			`test "plug passes when a token is found, no domain provided" do`
			`%{id: site_id} = site = insert(:site, domain: "pass.example.com")`
			`{:ok, _, raw} = Tokens.create(site, "Some token")`

			`credentials = "Basic " <> Base.encode64(raw)`

			`conn =`
Implement Plugins API authorization (#3373) * Implement Plugins API Token schema * Work with domain change grace period * Do not cast internal data, extend schema with hints * Implement Plugins API authorization * Test no authorization header passed * Preload authorized site * Fixup typespecs 2023-09-26 14:13:08 +03:00			`build_conn()`
			`\|> put_req_header("authorization", credentials)`
			`\|> AuthorizePluginsAPI.call()`

			`refute conn.halted`
			`assert %Plausible.Site{id: ^site_id} = conn.assigns.authorized_site`
			`end`

			`test "plug halts when a token is not found" do`
			`site = insert(:site, domain: "pass.example.com")`

			`credentials = "Basic " <> Base.encode64("#{site.domain}:invalid-token")`

			`conn =`
			`build_conn()`
			`\|> put_req_header("authorization", credentials)`
			`\|> AuthorizePluginsAPI.call()`

			`assert conn.halted`

			`assert json_response(conn, 401) == %{`
			`"errors" => [`
			`%{"detail" => "Plugins API: unauthorized"}`
			`]`
			`}`
			`end`

			`test "plug halts when no authorization header is passed" do`
			`conn =`
			`build_conn()`
			`\|> AuthorizePluginsAPI.call()`

			`assert conn.halted`

			`assert json_response(conn, 401) == %{`
			`"errors" => [`
			`%{"detail" => "Plugins API: unauthorized"}`
			`]`
			`}`
			`end`
Track tokens usage (#3438) * Migration: track last seen usage for Plugins API Tokens * Track and interpret Token.last_seen_at * Display last used * Order tokens by inserted date, rather than UUID :clown: * s/Last seen/Last used in the UI * Test for "Last used" column presence * Fix table layout for very long descriptions * Update lib/plausible/plugins/api/tokens.ex Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> * Update lib/plausible/plugins/api/token.ex Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> * Update test/plausible/plugins/api/token_test.exs Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> * s/last_seen_at/last_used_at * Update lib/plausible_web/live/plugins/api/settings.ex Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> * fixup * Document reasoning behind 5m windows * s/last_seen/last_used * Mute credo --------- Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> 2023-10-18 15:14:30 +03:00
Add `GET /capabilities` to Plugins API (#3808) * Add `GET /capabilities` to Plugins API It aims to: - help the client verify the data-domain the token is associated with - list all the features available for the site's owner (and therefore determine availability of the subset of those for the current Plugins API caller) The endpoint does not require authentication, in the sense that it'll always respond with 200 OK. However when the token is provided, a verification lookup is made. * Remove IO.inspect() call * Credo * Aesthetics * s/send_resp/send_error/ * Call preload just once 2024-02-21 14:41:56 +03:00			`test "plug optionally doesn't halt when no authorization header is passed" do`
			`conn =`
			`build_conn()`
			`\|> AuthorizePluginsAPI.call(send_error?: false)`

			`refute conn.halted`
			`end`

Track tokens usage (#3438) * Migration: track last seen usage for Plugins API Tokens * Track and interpret Token.last_seen_at * Display last used * Order tokens by inserted date, rather than UUID :clown: * s/Last seen/Last used in the UI * Test for "Last used" column presence * Fix table layout for very long descriptions * Update lib/plausible/plugins/api/tokens.ex Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> * Update lib/plausible/plugins/api/token.ex Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> * Update test/plausible/plugins/api/token_test.exs Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> * s/last_seen_at/last_used_at * Update lib/plausible_web/live/plugins/api/settings.ex Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> * fixup * Document reasoning behind 5m windows * s/last_seen/last_used * Mute credo --------- Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> 2023-10-18 15:14:30 +03:00			`test "plug updates last seen timestamp" do`
			`site = insert(:site, domain: "pass.example.com")`
			`{:ok, token, raw} = Tokens.create(site, "Some token")`

			`refute token.last_used_at`
			`assert Token.last_used_humanize(token) == "Not yet"`

			`credentials = "Basic " <> Base.encode64(raw)`

			`build_conn()`
			`\|> put_req_header("authorization", credentials)`
			`\|> AuthorizePluginsAPI.call()`

			`token = Repo.reload!(token)`
			`assert token.last_used_at`
			`assert Token.last_used_humanize(token) == "Just recently"`
			`end`
Implement Plugins API authorization (#3373) * Implement Plugins API Token schema * Work with domain change grace period * Do not cast internal data, extend schema with hints * Implement Plugins API authorization * Test no authorization header passed * Preload authorized site * Fixup typespecs 2023-09-26 14:13:08 +03:00			`end`