From 52a98989e0fc3648944a75f8faaa7567eb5909b8 Mon Sep 17 00:00:00 2001
From: Maikel Linke
Date: Thu, 3 Nov 2022 16:28:24 +1100
Subject: [PATCH] Allow logged in users to access DFC API

It makes testing in development so much easier.
---
 .../dfc_provider/base_controller.rb           |  6 +----
 .../dfc_provider/authorization_control.rb     | 22 +++++++++++++++----
 .../catalog_items_controller_spec.rb          |  8 +++++++
 3 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/engines/dfc_provider/app/controllers/dfc_provider/base_controller.rb b/engines/dfc_provider/app/controllers/dfc_provider/base_controller.rb
index 84703f53d4..94051ceaac 100644
--- a/engines/dfc_provider/app/controllers/dfc_provider/base_controller.rb
+++ b/engines/dfc_provider/app/controllers/dfc_provider/base_controller.rb
@@ -39,12 +39,8 @@ module DfcProvider
       @current_user ||= authorization_control.process
     end
 
-    def access_token
-      request.headers['Authorization'].to_s.split(' ').last
-    end
-
     def authorization_control
-      DfcProvider::AuthorizationControl.new(access_token)
+      DfcProvider::AuthorizationControl.new(request)
     end
 
     def not_found
diff --git a/engines/dfc_provider/app/services/dfc_provider/authorization_control.rb b/engines/dfc_provider/app/services/dfc_provider/authorization_control.rb
index c3bec17480..e0d66ce16c 100644
--- a/engines/dfc_provider/app/services/dfc_provider/authorization_control.rb
+++ b/engines/dfc_provider/app/services/dfc_provider/authorization_control.rb
@@ -4,20 +4,30 @@
 # It controls an OICD Access token and an enterprise.
 module DfcProvider
   class AuthorizationControl
-    def initialize(access_token)
-      @access_token = access_token
+    def initialize(request)
+      @request = request
     end
 
     def process
-      return unless @access_token
+      oidc_user || ofn_user
+    end
+
+    private
+
+    def oidc_user
+      return unless access_token
 
       decode_token
       find_ofn_user
     end
 
+    def ofn_user
+      @request.env['warden'].user
+    end
+
     def decode_token
       data = JWT.decode(
-        @access_token,
+        access_token,
         nil,
         false
       )
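Review bot: `process` now falls through to the session user whenever `oidc_user` returns nil, which includes the case where a bearer token was presented but decoded to no matching Spree::User, so a request carrying a wrong or foreign token silently succeeds with the browser session instead of being rejected; `access_token ? oidc_user : ofn_user` keeps the fallback only for token-less requests. Accepting the cookie session on an API endpoint also means these actions are reachable cross-site unless the controller enforces CSRF protection, which is outside this hunk and worth confirming, and the commit message frames this as a development convenience, so gating `ofn_user` behind a configuration flag or `Rails.env.development?` would limit the exposure. `@request.env['warden']` is nil when the Devise middleware is absent (engine-only or non-Rails test setups), so `@request.env['warden']&.user` avoids a NoMethodError there. The class-level comment still describes the class as controlling an access token; it should mention the session fallback, e.g. `# Resolves the current user from an OIDC bearer token, falling back to the Warden session user.`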
@@ -26,6 +36,10 @@ module DfcProvider
       @payload = data.first
     end
 
+    def access_token
+      @request.headers['Authorization'].to_s.split(' ').last
+    end
+
     def find_ofn_user
       Spree::User.where(email: @payload['email']).first
     end
diff --git a/engines/dfc_provider/spec/controllers/dfc_provider/catalog_items_controller_spec.rb b/engines/dfc_provider/spec/controllers/dfc_provider/catalog_items_controller_spec.rb
index 5e7984bff1..32ef8cd7b8 100644
--- a/engines/dfc_provider/spec/controllers/dfc_provider/catalog_items_controller_spec.rb
+++ b/engines/dfc_provider/spec/controllers/dfc_provider/catalog_items_controller_spec.rb
@@ -98,6 +98,14 @@ describe DfcProvider::CatalogItemsController, type: :controller do
       expect(response).to be_unauthorized
     end
   end
+
+  context "when logged in as app user" do
+    it "is successful" do
+      sign_in user
+      api_get :index, enterprise_id: enterprise.id
+      expect(response).to be_successful
+    end
+  end
 end
 
   describe '.show' do
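Review bot: `access_token` takes the last whitespace-separated word of any Authorization header without checking the `Bearer` scheme, so a `Basic …` credential is handed to `JWT.decode` and a bare `Bearer` header yields the literal string `Bearer` as the token; since this value now also decides in `process` whether the session fallback applies, it deserves a scheme check, e.g. `scheme, token = @request.headers['Authorization'].to_s.split(' ', 2)` followed by `token if scheme&.casecmp?('Bearer')`. The method was moved rather than written here, but its new role as the gate makes the looseness matter more. Whether a `JWT::DecodeError` from a malformed token is rescued anywhere is not visible in the hunk and should be confirmed, because an unrescued error here would turn a bad header into a 500 rather than a 401.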
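Review bot: The new context covers only the session happy path; the precedence between a bearer token and the session that `AuthorizationControl#process` now defines has no example, so add a case that signs in `user` while also sending an invalid or unknown-email bearer token and asserts the response you intend (unauthorized if the token should win, successful if the session should). A case asserting that a signed-in user without access to `enterprise` is still rejected would pin that the session fallback grants identity only, not authorization, assuming that check lives in the controller rather than here. `user` and `enterprise` are let-bindings defined outside the hunk.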