ruby-grape · dblock · Jan 8, 2019 · Jan 3, 2019
diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
@@ -22,7 +22,7 @@ Gemspec/RequiredRubyVersion:
 
 # Offense count: 30
 Metrics/AbcSize:
-  Max: 57
+  Max: 59
 
 # Offense count: 10
 Metrics/CyclomaticComplexity:
@@ -31,7 +31,7 @@ Metrics/CyclomaticComplexity:
 # Offense count: 22
 # Configuration parameters: CountComments, ExcludedMethods.
 Metrics/MethodLength:
-  Max: 44
+  Max: 45
 
 # Offense count: 7
 Metrics/PerceivedComplexity:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@
 #### Fixes
 
 * Your contribution here.
+* [#737](https://github.com/ruby-grape/grape-swagger/pull/737): Add swagger endpoint guard to both doc endpoints - [@urkle](https://github.com/urkle).
 
 ### 0.32.1 (December 7, 2018)
 

diff --git a/lib/grape-swagger/doc_methods.rb b/lib/grape-swagger/doc_methods.rb
@@ -45,8 +45,6 @@ def setup(options)
 
       desc api_doc.delete(:desc), api_doc
 
-      instance_eval(guard) unless guard.nil?
-
       output_path_definitions = proc do |combi_routes, endpoint|
         output = endpoint.swagger_object(
           target_class,
@@ -64,6 +62,8 @@ def setup(options)
         output
       end
 
+      instance_eval(guard) unless guard.nil?
+
       get mount_path do
         header['Access-Control-Allow-Origin']   = '*'
         header['Access-Control-Request-Method'] = '*'
@@ -79,6 +79,8 @@ def setup(options)
         optional :locale, type: Symbol, desc: 'Locale of API documentation'
       end
 
+      instance_eval(guard) unless guard.nil?
+
       get "#{mount_path}/:name" do
         I18n.locale = params[:locale] || I18n.default_locale
 

diff --git a/spec/swagger_v2/guarded_endpoint_spec.rb b/spec/swagger_v2/guarded_endpoint_spec.rb
@@ -68,47 +68,95 @@ def app
     GuardedApi
   end
 
-  context 'when a correct token is passed with the request' do
-    subject do
-      get '/swagger_doc.json', {}, 'HTTP_AUTHORIZATION' => '12345'
-      JSON.parse(last_response.body)
-    end
+  let(:endpoint) { '/swagger_doc.json' }
+  let(:auth_token) { nil }
+
+  subject do
+    get endpoint, {}, 'HTTP_AUTHORIZATION' => auth_token
+    JSON.parse(last_response.body)
+  end
 
-    it 'retrieves swagger-documentation for the endpoint' do
-      expect(subject).to eq(
-        'info' => { 'title' => 'API title', 'version' => '0.0.1' },
-        'swagger' => '2.0',
-        'produces' => ['application/xml', 'application/json', 'application/octet-stream', 'text/plain'],
-        'host' => 'example.org',
-        'tags' => [{ 'name' => 'auth', 'description' => 'Operations about auths' }],
-        'paths' => {
-          '/auth' => {
-            'get' => {
-              'description' => 'Show endpoint if authenticated',
-              'produces' => ['application/json'],
-              'tags' => ['auth'],
-              'operationId' => 'getAuth',
-              'responses' => { '200' => { 'description' => 'Show endpoint if authenticated' } }
+  context 'accessing the main doc endpoint' do
+    let(:endpoint) { '/swagger_doc.json' }
+
+    context 'when a correct token is passed with the request' do
+      let(:auth_token) { '12345' }
+
+      it 'retrieves swagger-documentation for the endpoint' do
+        expect(subject).to eq(
+          'info' => { 'title' => 'API title', 'version' => '0.0.1' },
+          'swagger' => '2.0',
+          'produces' => ['application/xml', 'application/json', 'application/octet-stream', 'text/plain'],
+          'host' => 'example.org',
+          'tags' => [{ 'name' => 'auth', 'description' => 'Operations about auths' }],
+          'paths' => {
+            '/auth' => {
+              'get' => {
+                'description' => 'Show endpoint if authenticated',
+                'produces' => ['application/json'],
+                'tags' => ['auth'],
+                'operationId' => 'getAuth',
+                'responses' => { '200' => { 'description' => 'Show endpoint if authenticated' } }
+              }
             }
           }
-        }
-      )
+        )
+      end
+    end
+
+    context 'when a bad token is passed with the request' do
+      let(:auth_token) { '123456' }
+
+      it 'does not retrieve swagger-documentation for the endpoint - only the info_object' do
+        expect(subject).to eq(
+          'info' => { 'title' => 'API title', 'version' => '0.0.1' },
+          'swagger' => '2.0',
+          'produces' => ['application/xml', 'application/json', 'application/octet-stream', 'text/plain'],
+          'host' => 'example.org'
+        )
+      end
     end
   end
 
-  context 'when a bad token is passed with the request' do
-    subject do
-      get '/swagger_doc.json', {}, 'HTTP_AUTHORIZATION' => '123456'
-      JSON.parse(last_response.body)
+  context 'accessing the tag specific endpoint' do
+    let(:endpoint) { '/swagger_doc/auth.json' }
+
+    context 'when a correct token is passed with the request' do
+      let(:auth_token) { '12345' }
+
+      it 'retrieves swagger-documentation for the endpoint' do
+        expect(subject).to eq(
+          'info' => { 'title' => 'API title', 'version' => '0.0.1' },
+          'swagger' => '2.0',
+          'produces' => ['application/xml', 'application/json', 'application/octet-stream', 'text/plain'],
+          'host' => 'example.org',
+          'tags' => [{ 'name' => 'auth', 'description' => 'Operations about auths' }],
+          'paths' => {
+            '/auth' => {
+              'get' => {
+                'description' => 'Show endpoint if authenticated',
+                'produces' => ['application/json'],
+                'tags' => ['auth'],
+                'operationId' => 'getAuth',
+                'responses' => { '200' => { 'description' => 'Show endpoint if authenticated' } }
+              }
+            }
+          }
+        )
+      end
     end
 
-    it 'does not retrieve swagger-documentation for the endpoint - only the info_object' do
-      expect(subject).to eq(
-        'info' => { 'title' => 'API title', 'version' => '0.0.1' },
-        'swagger' => '2.0',
-        'produces' => ['application/xml', 'application/json', 'application/octet-stream', 'text/plain'],
-        'host' => 'example.org'
-      )
+    context 'when a bad token is passed with the request' do
+      let(:auth_token) { '123456' }
+
+      it 'does not retrieve swagger-documentation for the endpoint - only the info_object' do
+        expect(subject).to eq(
+          'info' => { 'title' => 'API title', 'version' => '0.0.1' },
+          'swagger' => '2.0',
+          'produces' => ['application/xml', 'application/json', 'application/octet-stream', 'text/plain'],
+          'host' => 'example.org'
+        )
+      end
     end
   end
 end