test: fix scorm and auth tests with new tokens

app/api/authentication_api.rb

@@ -72,7 +72,7 @@ class AuthenticationApi < Grape::API
 
       # Return user details
       present :user, user, with: Entities::UserEntity
-      present :auth_token, user.generate_authentication_token!(remember).authentication_token
+      present :auth_token, user.generate_authentication_token!(remember: remember).authentication_token
     end
   end
 
@@ -238,18 +238,18 @@ class AuthenticationApi < Grape::API
       requires :auth_token, type: String, desc: 'The user\'s temporary auth token'
     end
     post '/auth' do
-      error!({ error: 'Invalid token.' }, 404) if params[:auth_token].nil?
-      logger.info "Get user via auth_token from #{request.ip}"
+      error!({ error: 'Invalid authentication details.' }, 404) if params[:auth_token].blank? || params[:username].blank?
+      logger.info "Get user via auth_token from #{request.ip} - #{params[:username]}"
 
       # Authenticate that the token is okay
       if authenticated?(:login)
         user = User.find_by(username: params[:username])
         token = user.token_for_text?(params[:auth_token], :login) unless user.nil?
-        error!({ error: 'Invalid token.' }, 404) if token.nil?
+        error!({ error: 'Invalid authentication details.' }, 404) if token.nil?
 
         # Invalidate the token and regenrate a new one
         token.destroy!
-        token = user.generate_authentication_token! true
+        token = user.generate_authentication_token!
 
         logger.info "Login #{params[:username]} from #{request.ip}"
 

app/models/user.rb

@@ -92,28 +92,24 @@ def authenticate?(data)
   # Force-generates a new authentication token, regardless of whether or not
   # it is actually expired
   #
-  def generate_authentication_token!(remember = false)
+  def generate_authentication_token!(remember: false, expiry: Time.zone.now + 2.hours, token_type: :general)
     # Ensure this user is saved... so it has an id
     self.save unless self.persisted?
-    AuthToken.generate(self, remember) # default timeout, and general token
+    AuthToken.generate(self, remember, expiry, token_type)
   end
 
   #
   # Generate an authentication token that will expire in 30 seconds
   #
   def generate_temporary_authentication_token!
-    # Ensure this user is saved... so it has an id
-    self.save unless self.persisted?
-    # Generate a short duration login token
-    AuthToken.generate(self, false, Time.zone.now + 30.seconds, :login)
+    generate_authentication_token!(expiry: Time.zone.now + 30.seconds, token_type: :login)
   end
 
   #
   # Generate an authentication token for scorm asset retrieval
   #
   def generate_scorm_authentication_token!
-    # generate a timed scorm token
-    AuthToken.generate(self, false, Time.zone.now + 2.hours, :scorm)
+    generate_authentication_token!(token_type: :scorm)
   end
 
   #

test/api/auth_test.rb

@@ -281,7 +281,7 @@ def test_scorm_auth
     # All users can access scorm resources
     get "api/auth/scorm"
     assert_equal 200, last_response.status
-    assert_equal 1, student.auth_tokens.where(token_type: :scorm).count
+    assert_equal 1, admin.auth_tokens.where(token_type: :scorm).count
 
     student = FactoryBot.create(:user, :student)
 

test/api/scorm_api_test.rb

@@ -40,35 +40,42 @@ def test_serve_scorm_content
     td.save!
 
     # When the task def does not have SCORM data
-    get "/api/scorm/#{td.id}/#{user.username}/#{auth_token(user)}/index.html"
+    get "/api/scorm/#{td.id}/#{user.username}/#{auth_token(user, :scorm)}/index.html"
     assert_equal 404, last_response.status
 
     td.add_scorm_data(test_file_path('numbas.zip'), copy: true)
     td.save!
 
     # When the file is missing
-    get "/api/scorm/#{td.id}/#{user.username}/#{auth_token(user)}/index1.html"
+    get "/api/scorm/#{td.id}/#{user.username}/#{auth_token(user, :scorm)}/index1.html"
     assert_equal 404, last_response.status
 
     # When the file is present - html
-    get "/api/scorm/#{td.id}/#{user.username}/#{auth_token(user)}/index.html"
+    get "/api/scorm/#{td.id}/#{user.username}/#{auth_token(user, :scorm)}/index.html"
     assert_equal 200, last_response.status
     assert_equal 'text/html', last_response.content_type
 
+    # Cannot access with the wrong token type
+    get "/api/scorm/#{td.id}/#{user.username}/#{auth_token(user, :general)}/index.html"
+    assert_equal 419, last_response.status
+
+    get "/api/scorm/#{td.id}/#{user.username}/#{auth_token(user, :login)}/index.html"
+    assert_equal 419, last_response.status
+
     # When the file is present - css
-    get "/api/scorm/#{td.id}/#{user.username}/#{auth_token(user)}/styles.css"
+    get "/api/scorm/#{td.id}/#{user.username}/#{auth_token(user, :scorm)}/styles.css"
     assert_equal 200, last_response.status
     assert_equal 'text/css', last_response.content_type
 
     # When the file is present - js
-    get "/api/scorm/#{td.id}/#{user.username}/#{auth_token(user)}/scripts.js"
+    get "/api/scorm/#{td.id}/#{user.username}/#{auth_token(user, :scorm)}/scripts.js"
     assert_equal 200, last_response.status
     assert_equal 'text/javascript', last_response.content_type
 
     tutor = FactoryBot.create(:user, :tutor, username: :test_tutor)
 
     # When the user is unauthorised
-    get "/api/scorm/#{td.id}/#{tutor.username}/#{auth_token(tutor)}/index.html"
+    get "/api/scorm/#{td.id}/#{tutor.username}/#{auth_token(tutor, :scorm)}/index.html"
     assert_equal 403, last_response.status
 
     tutor.destroy!

test/helpers/auth_helper.rb

@@ -13,11 +13,11 @@ def app
     #
     # Gets an auth token for the provided user
     #
-    def auth_token(user = User.first)
-      token = user.valid_auth_tokens().first
+    def auth_token(user = User.first, token_type = :general)
+      token = user.valid_auth_tokens.where(token_type: token_type).first
       return token.authentication_token unless token.nil?
 
-      return user.generate_authentication_token!().authentication_token
+      return user.generate_authentication_token!(token_type: token_type).authentication_token
     end
 
     #