From 1ae508bf2faae016b88d15e273b0dc01de4fd7af Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Wed, 26 Oct 2022 12:10:02 +0200
Subject: Change unauthenticated search to not support pagination in REST API
 (#19326)

- Only exact search matches for queries with < 5 characters
- Do not support queries with `offset` (pagination)
- Return HTTP 401 on truthy `resolve` instead of overriding to false
---
 spec/controllers/api/v2/search_controller_spec.rb | 62 ++++++++++++++++++++---
 1 file changed, 54 insertions(+), 8 deletions(-)

(limited to 'spec/controllers/api/v2/search_controller_spec.rb')

diff --git a/spec/controllers/api/v2/search_controller_spec.rb b/spec/controllers/api/v2/search_controller_spec.rb
index fa20e1e51..d417ea58c 100644
--- a/spec/controllers/api/v2/search_controller_spec.rb
+++ b/spec/controllers/api/v2/search_controller_spec.rb
@@ -5,18 +5,64 @@ require 'rails_helper'
 RSpec.describe Api::V2::SearchController, type: :controller do
   render_views
 
-  let(:user)  { Fabricate(:user) }
-  let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:search') }
+  context 'with token' do
+    let(:user)  { Fabricate(:user) }
+    let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:search') }
 
-  before do
-    allow(controller).to receive(:doorkeeper_token) { token }
+    before do
+      allow(controller).to receive(:doorkeeper_token) { token }
+    end
+
+    describe 'GET #index' do
+      before do
+        get :index, params: { q: 'test' }
+      end
+
+      it 'returns http success' do
+        expect(response).to have_http_status(200)
+      end
+    end
   end
 
-  describe 'GET #index' do
-    it 'returns http success' do
-      get :index, params: { q: 'test' }
+  context 'without token' do
+    describe 'GET #index' do
+      let(:search_params) {}
+
+      before do
+        get :index, params: search_params
+      end
+
+      context 'with a `q` shorter than 5 characters' do
+        let(:search_params) { { q: 'test' } }
+
+        it 'returns http success' do
+          expect(response).to have_http_status(200)
+        end
+      end
+
+      context 'with a `q` equal to or longer than 5 characters' do
+        let(:search_params) { { q: 'test1' } }
+
+        it 'returns http success' do
+          expect(response).to have_http_status(200)
+        end
+
+        context 'with truthy `resolve`' do
+          let(:search_params) { { q: 'test1', resolve: '1' } }
+
+          it 'returns http unauthorized' do
+            expect(response).to have_http_status(401)
+          end
+        end
+
+        context 'with `offset`' do
+          let(:search_params) { { q: 'test1', offset: 1 } }
 
-      expect(response).to have_http_status(200)
+          it 'returns http unauthorized' do
+            expect(response).to have_http_status(401)
+          end
+        end
+      end
     end
   end
 end
-- 
cgit