feat: allow agent bots to toggle typing status (#13705)

Agent bot conversations now feel more natural because AgentBot tokens can toggle typing status, so end users see a live typing indicator in the widget while the bot is preparing a reply. This keeps the interaction responsive and human-like without weakening token authorization boundaries. ## Closes - https://github.com/chatwoot/chatwoot/issues/8928 - https://linear.app/chatwoot/issue/CW-5205 ## How to test 1. Open the widget and start a conversation as a customer. 2. Connect an AgentBot to the same inbox. 3. Trigger `toggle_typing_status` with the AgentBot token (`typing_status: on`). 4. Confirm the customer sees the typing indicator in the widget. 5. Trigger `toggle_typing_status` with `typing_status: off` and confirm the indicator disappears. ## What changed - Added `toggle_typing_status` to bot-accessible conversation endpoints. - Restricted bot-accessible endpoint usage to `AgentBot` token owners only (non-user tokens like `PlatformApp` remain unauthorized). - Updated typing status flow to preserve AgentBot identity in dispatch/broadcast paths. - Added request coverage for AgentBot success and PlatformApp unauthorized behavior. - Added Swagger documentation for `POST /api/v1/accounts/{account_id}/conversations/{conversation_id}/toggle_typing_status` and regenerated swagger artifacts.
2026-03-05 08:13:52 -08:00
parent fd69b4c8f2
commit 397b0bcc9d
11 changed files with 279 additions and 7 deletions
--- a/spec/controllers/api/v1/accounts/conversations_controller_spec.rb
+++ b/spec/controllers/api/v1/accounts/conversations_controller_spec.rb
@@ -647,6 +647,37 @@ RSpec.describe 'Conversations API', type: :request do
          .with(Conversation::CONVERSATION_TYPING_ON, kind_of(Time), { conversation: conversation, user: agent, is_private: true })
      end
    end
+
+    context 'when it is an authenticated bot' do
+      let(:agent_bot) { create(:agent_bot, account: account) }
+
+      it 'toggles the conversation typing status' do
+        create(:agent_bot_inbox, inbox: conversation.inbox, agent_bot: agent_bot)
+        allow(Rails.configuration.dispatcher).to receive(:dispatch)
+
+        post "/api/v1/accounts/#{account.id}/conversations/#{conversation.display_id}/toggle_typing_status",
+             headers: { api_access_token: agent_bot.access_token.token },
+             params: { typing_status: 'on', is_private: false },
+             as: :json
+
+        expect(response).to have_http_status(:success)
+        expect(Rails.configuration.dispatcher).to have_received(:dispatch)
+          .with(Conversation::CONVERSATION_TYPING_ON, kind_of(Time), { conversation: conversation, user: agent_bot, is_private: false })
+      end
+    end
+
+    context 'when it is an authenticated platform app token' do
+      let(:platform_app) { create(:platform_app) }
+
+      it 'returns unauthorized' do
+        post "/api/v1/accounts/#{account.id}/conversations/#{conversation.display_id}/toggle_typing_status",
+             headers: { api_access_token: platform_app.access_token.token },
+             params: { typing_status: 'on', is_private: false },
+             as: :json
+
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
  end

  describe 'POST /api/v1/accounts/{account.id}/conversations/:id/update_last_seen' do