feat: authorize requests to create sparkles

1 files changed, 38 insertions, 20 deletions

diff --git a/app/controllers/sparkles/controller_test.go b/app/controllers/sparkles/controller_test.go
index 006c3fa..64b4dc5 100644
--- a/app/controllers/sparkles/controller_test.go
+++ b/app/controllers/sparkles/controller_test.go
@@ -62,16 +62,16 @@ func TestSparkles(t *testing.T) {
 	})
 
 	t.Run("POST /sparkles", func(t *testing.T) {
-		t.Run("when a user is logged in", func(t *testing.T) {
+		t.Run("when a user is authenticated", func(t *testing.T) {
 			currentUser := domain.NewUser(domain.WithID[*domain.User](domain.ID("1")))
+			repository := db.NewRepository[*domain.Sparkle]()
 
-			t.Run("when the user is authorized to create sparkles", func(t *testing.T) {
-				t.Run("saves a new sparkle", func(t *testing.T) {
-					repository := db.NewRepository[*domain.Sparkle]()
-					mux := http.NewServeMux()
-					controller := New(repository, stub.AllowWith(t, "user:1", "create", "sparkle:*"))
-					controller.MountTo(mux)
+			t.Run("when the user is authorized", func(t *testing.T) {
+				mux := http.NewServeMux()
+				controller := New(repository, stub.AllowWith(t, "user:1", "create", "sparkle:*"))
+				controller.MountTo(mux)
 
+				t.Run("saves a new sparkle", func(t *testing.T) {
 					sparkle, _ := domain.NewSparkle("@tanuki for reviewing my code!")
 					request, response := test.RequestResponse(
 						"POST",
@@ -103,24 +103,42 @@ func TestSparkles(t *testing.T) {
 						assert.Equal(t, currentUser, item.Author)
 					})
 				})
+
+				t.Run("prevents double WriteHeader when serialization fails", func(t *testing.T) {
+					currentUser := domain.NewUser(domain.WithID[*domain.User](domain.ID("1")))
+					sparkle, _ := domain.NewSparkle("@user for testing")
+
+					request, response := test.RequestResponse(
+						"POST",
+						"/sparkles",
+						test.WithAcceptHeader(serde.JSON),
+						test.WithContentType(sparkle, serde.JSON),
+						test.WithContextKeyValue(t.Context(), cfg.CurrentUser, currentUser),
+					)
+
+					mux.ServeHTTP(&FailingResponseWriter{T: t, ResponseRecorder: response}, request)
+				})
 			})
 
-			t.Run("prevents double WriteHeader when serialization fails", func(t *testing.T) {
-				repository := db.NewRepository[*domain.Sparkle]()
-				controller := New(repository, stub.Allow())
+			t.Run("when the user is not authorized", func(t *testing.T) {
+				mux := http.NewServeMux()
+				controller := New(repository, stub.Deny())
+				controller.MountTo(mux)
 
-				currentUser := domain.NewUser(domain.WithID[*domain.User](domain.ID("1")))
-				sparkle, _ := domain.NewSparkle("@user for testing")
+				t.Run("returns an error", func(t *testing.T) {
+					sparkle, _ := domain.NewSparkle("@tanuki for reviewing my code!")
+					request, response := test.RequestResponse(
+						"POST",
+						"/sparkles",
+						test.WithAcceptHeader(serde.JSON),
+						test.WithContentType(sparkle, serde.JSON),
+						test.WithContextKeyValue(t.Context(), cfg.CurrentUser, currentUser),
+					)
 
-				request, response := test.RequestResponse(
-					"POST",
-					"/sparkles",
-					test.WithAcceptHeader(serde.JSON),
-					test.WithContentType(sparkle, serde.JSON),
-					test.WithContextKeyValue(t.Context(), cfg.CurrentUser, currentUser),
-				)
+					mux.ServeHTTP(response, request)
 
-				controller.Create(&FailingResponseWriter{T: t, ResponseRecorder: response}, request)
+					require.Equal(t, http.StatusForbidden, response.Code)
+				})
 			})
 		})
 	})