| 1 | # frozen_string_literal: true |
| 2 | |
| 3 | require "rails_helper" |
| 4 | |
| 5 | RSpec.describe GithubConnection, type: :model do |
| 6 | let(:user) { User.create!(smbcloud_id: 42, email: "gh@example.com", username: "ghuser") } |
| 7 | |
| 8 | it "stores the access token encrypted at rest, not in plaintext" do |
| 9 | conn = user.create_github_connection!(access_token: "gho_secrettoken123", scope: "repo") |
| 10 | |
| 11 | # The model round-trips the real value... |
| 12 | expect(conn.reload.access_token).to eq("gho_secrettoken123") |
| 13 | |
| 14 | # ...but the raw column holds ciphertext, never the plaintext token. |
| 15 | raw = ActiveRecord::Base.connection.select_value( |
| 16 | "SELECT access_token FROM github_connections WHERE id = #{conn.id}" |
| 17 | ) |
| 18 | expect(raw).not_to include("gho_secrettoken123") |
| 19 | expect(raw).to be_present |
| 20 | end |
| 21 | |
| 22 | it "requires an access token" do |
| 23 | conn = user.build_github_connection(access_token: nil) |
| 24 | expect(conn).not_to be_valid |
| 25 | expect(conn.errors[:access_token]).to be_present |
| 26 | end |
| 27 | |
| 28 | it "is unique per user" do |
| 29 | user.create_github_connection!(access_token: "a") |
| 30 | dup = GithubConnection.new(user_id: user.id, access_token: "b") |
| 31 | expect(dup).not_to be_valid |
| 32 | expect(dup.errors[:user_id]).to be_present |
| 33 | end |
| 34 | |
| 35 | it "detects private scope" do |
| 36 | expect(user.build_github_connection(access_token: "a", scope: "repo").private_scope?).to be(true) |
| 37 | expect(user.build_github_connection(access_token: "a", scope: "public_repo").private_scope?).to be(false) |
| 38 | end |
| 39 | end |