From 4b29bcb92b0a10229511db92e8bcf84e0f1def98 Mon Sep 17 00:00:00 2001
From: Achilleas Buisman
Date: Mon, 11 Sep 2023 23:05:49 +0200
Subject: [PATCH] Rework API key into token per query
---
 lib/blazer/sharing.rb | 4 ++--
 test/internal/config/blazer.yml | 4 ++++
 test/internal/config/routes.rb | 2 ++
 test/queries_test.rb | 14 ++++++++++----
 4 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/lib/blazer/sharing.rb b/lib/blazer/sharing.rb
index f4f62885e..248a8d4f9 100644
--- a/lib/blazer/sharing.rb
+++ b/lib/blazer/sharing.rb
@@ -19,9 +19,9 @@ def enabled?
 enabled
 end
- def share_path(query_id, format: nil)
+ def share_path(query_id, format: nil, token: nil)
 query = Query.find(query_id)
- "#{path}/#{query.secret_token}/#{query_id}#{".#{format}" if format}"
+ "#{path}/#{token}/#{query_id}#{".#{format}" if format}"
 end
 def url_for(query_id, current_url, format: 'csv')
diff --git a/test/internal/config/blazer.yml b/test/internal/config/blazer.yml
index 07c7b09d6..d3b55d652 100644
--- a/test/internal/config/blazer.yml
+++ b/test/internal/config/blazer.yml
@@ -161,3 +161,7 @@ uploads:
 url: postgres://localhost/blazer_test
 schema: uploads
 data_source: main
+
+sharing:
+ path: /blazer_share
+ enabled: true
diff --git a/test/internal/config/routes.rb b/test/internal/config/routes.rb
index fc4c62b3e..d0932527b 100644
--- a/test/internal/config/routes.rb
+++ b/test/internal/config/routes.rb
@@ -1,3 +1,5 @@
 Rails.application.routes.draw do
 mount Blazer::Engine, at: "/"
+
+ get Blazer.sharing.route_path, to: Blazer.sharing.to_controller, as: :share_query if Blazer.sharing.enabled?
 end
diff --git a/test/queries_test.rb b/test/queries_test.rb
index b088ec31b..3cf99f387 100644
--- a/test/queries_test.rb
+++ b/test/queries_test.rb
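Review bot: In `share_path` in lib/blazer/sharing.rb, `token:` defaults to nil, and nil interpolates as an empty string, so a caller that omits it gets `"#{path}//#{query_id}"` rather than an error. The `Query.find(query_id)` line is kept although `query` is no longer read, so the method still hits the database and still raises for an unknown id without using the record. I would either fall back to the stored value with `token ||= query.secret_token` as the first line after the lookup, or make the keyword required and drop the lookup. The body of `url_for` lies outside the hunk, so whether it passes a token cannot be checked from here.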
@@ -78,11 +78,18 @@ def test_variables_time_range
 def test_correct_token
 query = create_query(statement: "SELECT 1")
- get blazer.query_path(query, token: query.secret_token)
+ get share_query_path(query.id, token: query.secret_token, format: 'csv')
+ assert_response :success
+ assert_equal "text/csv", response.content_type
+ end
- get blazer.query_path(query, token: "x")
- assert_response :redirect
+ def test_incorrect_token
+ query = create_query(statement: "SELECT 1")
+ get share_query_path(query.id, token: "x")
+
+ assert_response :forbidden
+ assert_match "Access denied", response.body
 end
 def test_variable_defaults
@@ -123,7 +130,6 @@ def test_share
 get blazer.query_share_path(query_id: query.id, token: query.secret_token, format: 'csv')
 assert_response :success
- assert_match query.name, response.body
 end
 def test_url
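Review bot: `test_incorrect_token` in test/queries_test.rb only tries an arbitrary wrong value (`"x"`), so nothing checks that a valid token from one query is rejected for another query's id, which is the property a per-query token exists to provide. Adding `other = create_query(statement: "SELECT 2")`, `get share_query_path(query.id, token: other.secret_token)` and `assert_response :forbidden` would pin it. In `test_correct_token`, `assert_equal "text/csv", response.content_type` may be brittle if the response header carries a charset suffix; `response.media_type` is the narrower accessor where the Rails version in use provides it.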