A related question implies that I can test a request with token authentication, in my integration tests, as follows:

    get "/v1/sites", nil, :authorization => "foo"
    assert_response :success

For some reason, the headers don't get to my application:

    get "/v1/sites", nil, :authorization => "foo"
    assert_match response.headers, /foo/

Expected {"X-Frame-Options"=>"SAMEORIGIN", "X-XSS-Protection"=>"1; mode=block", "X-Content-Type-Options"=>"nosniff", "X-UA-Compatible"=>"chrome=1", "WWW-Authenticate"=>"Token realm=\"Application\"", "Content-Type"=>"text/html; charset=utf-8", "Cache-Control"=>"no-cache", "X-Request-Id"=>"23915302-9cfe-424d-86fe-5d60bc0d6b2c", "X-Runtime"=>"0.054857", "Content-Length"=>"27"} to match /foo/.
The authorization-header does not get through, which I can confirm when placing a throw response.headers in the controller. When I test with e.g. curl, I do see the header coming through. And there I can even set the token and get access. The relevant code from the controller is:

    module V1
      class SitesController < ApplicationController
        before_filter :restrict_access, :only => :index

        def index
          head :success
        end

        private

        def restrict_access
          authenticate_or_request_with_http_token do |token, options|
            token == "foo"
          end
        end
      end
    end

This is minitest, on Rails 4, using Rails-API.
For reference, here is the middleware stack; it is a lot slimmer than most default Rails apps.

    use ActionDispatch::Static
    use Rack::Lock
    use #<ActiveSupport::Cache::Strategy::LocalCache::Middleware:0x992cd28>
    use Rack::Runtime
    use ActionDispatch::RequestId
    use Rails::Rack::Logger
    use ActionDispatch::ShowExceptions
    use ActionDispatch::DebugExceptions
    use ActionDispatch::RemoteIp
    use ActionDispatch::Reloader
    use ActionDispatch::Callbacks
    use ActiveRecord::Migration::CheckPending
    use ActiveRecord::ConnectionAdapters::ConnectionManagement
    use ActiveRecord::QueryCache
    use ActionDispatch::ParamsParser
    use Rack::Head
    use Rack::ConditionalGet
    use Rack::ETag
    run MyApp::Application.routes

Just for reference. Everything was right, I was just being stupid and testing the wrong thing while debugging:
Is obviously false, because this is the response. Correct is to test the request
This passes just fine.
You can set a header on the request object just before performing your request.
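
The request/response distinction from the answers above, as an added example that is not part of the original posts and is not Rails' own code: a plain-Ruby, Rack-style stand-in for the token check. It assumes the `Authorization: Token token="..."` header form; `token_from`, `secure_compare`, `TOKEN_APP`, `sample_env` and `call_with` are hypothetical names, and the request env is constructed sample data.

```ruby
require "digest"

EXPECTED_TOKEN = "foo" # the token value from the question's controller

# Constant-time comparison (assumed hardening, not in the question's code):
# hashing first gives equal-length inputs, then every byte is compared.
def secure_compare(a, b)
  da = Digest::SHA256.digest(a)
  db = Digest::SHA256.digest(b)
  diff = 0
  da.bytes.zip(db.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Pull the token out of an `Authorization: Token token="..."` request header.
def token_from(env)
  header = env["HTTP_AUTHORIZATION"].to_s
  match = header.match(/\AToken\s+token="?([^",]+)"?/)
  match && match[1]
end

# Rack-style app: env hash (the request) in, [status, headers, body] (the response) out.
TOKEN_APP = lambda do |env|
  token = token_from(env)
  if token && secure_compare(token, EXPECTED_TOKEN)
    [200, { "Content-Type" => "text/plain" }, ["ok"]]
  else
    [401, { "WWW-Authenticate" => 'Token realm="Application"',
            "Content-Type" => "text/plain" }, ["access denied"]]
  end
end

# Constructed request env: Rack exposes the Authorization header as HTTP_AUTHORIZATION.
def sample_env(authorization = nil)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/v1/sites" }
  env["HTTP_AUTHORIZATION"] = authorization if authorization
  env
end

# Returns what a test can inspect on each side of the exchange.
def call_with(authorization)
  env = sample_env(authorization)
  status, headers, _body = TOKEN_APP.call(env)
  { status: status, request_auth: env["HTTP_AUTHORIZATION"], response_headers: headers }
end
```

The token is visible only in `request_auth`; `response_headers` never echoes it, so an assertion for the credential belongs on the request side.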