re-scope the reporting API controller to be under /reporting-api/, and inherit a base_controller which handles the auth and ensures that reporting_app feature flag is enabled. Fixes MAV-1558 and MAV-1588

Alistair Davidson · Alistair Davidson · commit 9fd926955f04 · 2025-07-24T11:59:25.000+01:00
diff --git a/app/controllers/reporting/totals_controller.rb b/app/controllers/reporting/totals_controller.rb
diff --git a/app/controllers/reporting_api/base_controller.rb b/app/controllers/reporting_api/base_controller.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+class ReportingAPI::BaseController < ActionController::API
+  # we need to still include the AuthenticationConcern even though
+  # we're not using the authenticate_user! callback, because we call it
+  # explicitly after validating the users' JWT in order to use the 
+  # CIS2 organisation/workgroup validation code
+  include AuthenticationConcern
+  include TokenAuthenticationConcern
+
+  before_action :ensure_reporting_app_feature_enabled
+  before_action :authenticate_user_by_jwt!
+
+  private
+
+  def ensure_reporting_app_feature_enabled
+    render status: :forbidden and return unless Flipper.enabled?(:reporting_app)
+  end
+end
diff --git a/app/controllers/reporting_api/totals_controller.rb b/app/controllers/reporting_api/totals_controller.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module ReportingAPI
+  class TotalsController < ::ReportingAPI::BaseController
+    def index
+      render json: { total: "some total" }
+    end
+  end
+end
diff --git a/config/routes.rb b/config/routes.rb
@@ -320,7 +320,7 @@
 
   # for commissioner reporting app
   post "/tokens/authorize", controller: :one_time_tokens, action: "authorize"
-  namespace :reporting do
+  namespace :reporting_api, path: '/reporting-api/' do
     get "totals", controller: :totals, action: :index
   end
 
diff --git a/docs/diagrams/reporting_auth/user-logs-in-to-mavis-with-local-pwd.puml b/docs/diagrams/reporting_auth/user-logs-in-to-mavis-with-local-pwd.puml
@@ -20,7 +20,7 @@ if (CIS2 login enabled?) is (N) then
     :choose role;
     |Mavis|
     :store user & role info in session as 'cis2_info';
-    :store pwd_auth_session_token in DB;
+    :store reporting_app_session_token in DB;
     :respond with cookie and redirect;
     |User|
     :access redirected URL;
diff --git a/spec/controllers/reporting/totals_controller_spec.rb b/spec/controllers/reporting/totals_controller_spec.rb
diff --git a/spec/controllers/reporting_api/totals_controller_spec.rb b/spec/controllers/reporting_api/totals_controller_spec.rb
@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+RSpec.describe ReportingAPI::TotalsController do
+  let(:user) { create(:user) }
+  let(:org) { user.organisations.first }
+
+  let(:valid_payload) do
+      {
+        data: {
+          user: user.as_json,
+          cis2_info: {
+            selected_org: {
+              name: org.name,
+              code: org.ods_code
+            },
+            selected_role: {
+              code: "S8000:G8000:R8001",
+              workgroups: ["schoolagedimmunisations"]
+            }
+          }
+        }
+      }
+    end
+
+  let(:invalid_payload) { { user: { id: -1 } } }
+
+  context "when the :reporting_app feature flag is not enabled" do
+    before { Flipper.disable(:reporting_app) }
+
+    describe "#index" do
+      context "when the request has a JWT param" do
+        let(:params) { { jwt: jwt } }
+
+        context "which is valid" do
+          let(:jwt) do
+            JWT.encode(
+              valid_payload,
+              Settings.mavis_reporting_app.secret,
+              "HS512"
+            )
+          end
+
+          it "responds with status :forbidden" do
+            get :index, params: { jwt: jwt }
+            expect(response.status).to eq(403)
+          end
+        end
+      end
+    end
+  end
+  context "when the :reporting_app feature flag is enabled" do
+    before { Flipper.enable(:reporting_app) }
+    describe "#index" do
+      context "when the request has a JWT param" do
+        let(:params) { { jwt: jwt } }
+
+        context "which is valid" do
+          let(:jwt) do
+            JWT.encode(
+              valid_payload,
+              Settings.mavis_reporting_app.secret,
+              "HS512"
+            )
+          end
+
+          it "responds with status 200" do
+            get :index, params: { jwt: jwt }
+            expect(response.status).to eq(200)
+          end
+        end
+
+        context "which is not valid" do
+          let(:jwt) do
+            JWT.encode(
+              invalid_payload,
+              Settings.mavis_reporting_app.secret,
+              "HS512"
+            )
+          end
+
+          it "responds with status :forbidden" do
+            get :index, params: { jwt: jwt }
+            expect(response.status).to eq(403)
+          end
+        end
+      end
+    end
+  end
+end
