Merge pull request #1982 from yeti-switch/test/admin-api-auth-regression

Fivell · web-flow · commit fbcbdf4f1f08 · 2026-04-11T15:01:48.000+02:00
Add regression test: admin API auth in OIDC mode
diff --git a/app/models/concerns/admin_user_oidc_handler.rb b/app/models/concerns/admin_user_oidc_handler.rb
@@ -15,8 +15,10 @@ module AdminUserOidcHandler
     # which would shadow a method defined earlier in the ancestor chain.
     define_method(:valid_password?) { |_password| false }
 
-    # REST API auth calls admin_user.authenticate(password) — alias it
-    # so it returns false instead of raising NoMethodError.
-    alias_method :authenticate, :valid_password?
+    # Keep web password sign-in disabled while preserving the legacy
+    # password-backed admin JWT API authentication path.
+    define_method(:authenticate) do |password|
+      Devise::Encryptor.compare(self.class, encrypted_password, password)
+    end
   end
 end
diff --git a/spec/models/concerns/admin_user_oidc_handler_spec.rb b/spec/models/concerns/admin_user_oidc_handler_spec.rb
@@ -56,6 +56,16 @@ class DummyOidcUser < ActiveRecord::Base
     end
   end
 
+  describe '#authenticate' do
+    it 'checks the encrypted password for API auth callers' do
+      user = DummyOidcUser.new(username: 'alice')
+      user.password = 'Password123!'
+
+      expect(user.authenticate('Password123!')).to be(true)
+      expect(user.authenticate('wrong-password')).to be(false)
+    end
+  end
+
   describe 'oidc_raw_info serialization' do
     it 'round-trips a hash through JSON' do
       user = DummyOidcUser.new(username: 'alice')
diff --git a/spec/requests/api/rest/admin/auth_controller_spec.rb b/spec/requests/api/rest/admin/auth_controller_spec.rb
@@ -82,6 +82,22 @@
           expect(response_json).to match(jwt: a_kind_of(String))
         end
       end
+
+      context 'oidc mode', oidc_mode: true do
+        it 'still authenticates via password' do
+          subject
+          expect(response.status).to eq(201)
+          expect(response_json).to match(jwt: a_kind_of(String))
+        end
+      end
+
+      context 'ldap mode', :ldap do
+        it 'still authenticates via password' do
+          subject
+          expect(response.status).to eq(201)
+          expect(response_json).to match(jwt: a_kind_of(String))
+        end
+      end
     end
 
     context 'when attributes are invalid' do
