feat: Ability to access user tokens via Platform API (#11537)

- Add Platform API for generating user tokens - Add the swagger documentation. --------- Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com> Co-authored-by: Pranav <pranav@chatwoot.com>
2025-05-21 23:00:04 -07:00
parent 8565341682
commit 8697a30dc5
7 changed files with 182 additions and 3 deletions
--- a/spec/controllers/platform/api/v1/users_controller_spec.rb
+++ b/spec/controllers/platform/api/v1/users_controller_spec.rb
@@ -76,6 +76,54 @@ RSpec.describe 'Platform Users API', type: :request do
    end
  end

+  describe 'POST /platform/api/v1/users/{user_id}/token' do
+    context 'when it is an unauthenticated platform app' do
+      it 'returns unauthorized' do
+        post "/platform/api/v1/users/#{user.id}/token"
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+
+    context 'when it is an invalid platform app token' do
+      it 'returns unauthorized' do
+        post "/platform/api/v1/users/#{user.id}/token", headers: { api_access_token: 'invalid' }, as: :json
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+
+    context 'when it is an authenticated platform app' do
+      let(:platform_app) { create(:platform_app) }
+
+      it 'returns unauthorized when its not a permissible object' do
+        post "/platform/api/v1/users/#{user.id}/token", headers: { api_access_token: platform_app.access_token.token }, as: :json
+        expect(response).to have_http_status(:unauthorized)
+      end
+
+      it 'returns access token for the user with expiry and user info' do
+        create(:platform_app_permissible, platform_app: platform_app, permissible: user)
+
+        post "/platform/api/v1/users/#{user.id}/token",
+             headers: { api_access_token: platform_app.access_token.token }, as: :json
+
+        expect(response).to have_http_status(:success)
+        data = response.parsed_body
+
+        # Check access token and expiry
+        expect(data['access_token']).to eq(user.access_token.token)
+        expect(data['expiry']).to be_nil
+
+        # Check user info
+        expect(data['user']).to include(
+          'id' => user.id,
+          'name' => user.name,
+          'display_name' => user.display_name,
+          'email' => user.email,
+          'pubsub_token' => user.pubsub_token
+        )
+      end
+    end
+  end
+
  describe 'POST /platform/api/v1/users/' do
    context 'when it is an unauthenticated platform app' do
      it 'returns unauthorized' do