From eaa32f108fee2bb8013299043c0e3cb5883ac875 Mon Sep 17 00:00:00 2001
From: Benjamin Armintor
Date: Fri, 31 Jan 2025 15:56:42 -0500
Subject: [PATCH] distinguish non-interactive token services by url (DLC-1177)
---
 .../iiif/authz/base_access_token_service.rb | 6 ++-
 .../iiif/authz/v2/external_access_service.rb | 2 +-
 .../iiif/authz/v2/local_access_service.rb | 2 +-
 .../authz/v2/access_token_service_spec.rb | 47 +++++++++++++++++++
 4 files changed, 53 insertions(+), 4 deletions(-)
 create mode 100644 spec/models/iiif/authz/v2/access_token_service_spec.rb
diff --git a/app/models/iiif/authz/base_access_token_service.rb b/app/models/iiif/authz/base_access_token_service.rb
index 838b3934..85d4d756 100644
--- a/app/models/iiif/authz/base_access_token_service.rb
+++ b/app/models/iiif/authz/base_access_token_service.rb
@@ -2,9 +2,11 @@ class Iiif::Authz::BaseAccessTokenService
 attr_reader :id, :canvas, :route_helper
 JWT_HEADER = { alg: 'HS256', typ: 'JWT' }.freeze
- def initialize(canvas, route_helper:, format: nil)
+ def initialize(canvas, route_helper:, format: nil, profile: 'active')
 @canvas = canvas
- @id = route_helper.bytestream_token_url({catalog_id: canvas.solr_document.id, bytestream_id: 'content', format: format}.compact)
+ id_params = {catalog_id: canvas.solr_document.id, bytestream_id: 'content', format: format}
+ id_params[:profile] = profile unless profile == 'active'
+ @id = route_helper.bytestream_token_url(id_params.compact)
 @route_helper = route_helper
 end
diff --git a/app/models/iiif/authz/v2/external_access_service.rb b/app/models/iiif/authz/v2/external_access_service.rb
index 70c55c25..452ca9f0 100644
--- a/app/models/iiif/authz/v2/external_access_service.rb
+++ b/app/models/iiif/authz/v2/external_access_service.rb
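Review bot: The string `'active'` is used both as the keyword default and as the sentinel in `unless profile == 'active'`, so a caller that passes `:active` as a symbol would get `profile=active` added to the token URL and a service id that differs from the default one. I would name the value once, e.g. `DEFAULT_PROFILE = 'active'`, and compare with `profile.to_s == DEFAULT_PROFILE`. The same concern applies to `profile: @profile` in local_access_service.rb, where the assignment of `@profile` is outside that hunk. A short comment on `initialize` should also state that the profile only distinguishes service ids in the URL. Since it becomes a client-visible request parameter, the token endpoint presumably should not rely on it alone when deciding what kind of token to issue, though that controller is not part of this patch.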
@@ -11,7 +11,7 @@ def initialize(canvas, route_helper:, **_args)
 end
 def token_service
- Iiif::Authz::V2::AccessTokenService.new(canvas, route_helper: route_helper).to_h
+ Iiif::Authz::V2::AccessTokenService.new(canvas, route_helper: route_helper, profile: PROFILE).to_h
 end
 def to_h
diff --git a/app/models/iiif/authz/v2/local_access_service.rb b/app/models/iiif/authz/v2/local_access_service.rb
index 48f6529e..9a946aaf 100644
--- a/app/models/iiif/authz/v2/local_access_service.rb
+++ b/app/models/iiif/authz/v2/local_access_service.rb
@@ -15,7 +15,7 @@ def initialize(canvas, route_helper:, profile:)
 end
 def token_service
- Iiif::Authz::V2::AccessTokenService.new(canvas, route_helper: route_helper).to_h
+ Iiif::Authz::V2::AccessTokenService.new(canvas, route_helper: route_helper, profile: @profile).to_h
 end
 def to_h
diff --git a/spec/models/iiif/authz/v2/access_token_service_spec.rb b/spec/models/iiif/authz/v2/access_token_service_spec.rb
new file mode 100644
index 00000000..f4a860e1
--- /dev/null
+++ b/spec/models/iiif/authz/v2/access_token_service_spec.rb
@@ -0,0 +1,47 @@
+require 'rails_helper'
+
+describe Iiif::Authz::V2::AccessTokenService do
+ subject(:access_token_service) {
+ described_class.new(
+ canvas, route_helper: routes, format: format, profile: profile
+ )
+ }
+ let(:canvas) { instance_double(Iiif::Canvas) }
+ let(:expected_id) { 'expected_id' }
+ let(:format) { nil }
+ let(:routes) { instance_double(ApplicationController) }
+ let(:solr_document_id) { 'solr_document_id' }
+
+ before do
+ allow(canvas).to receive(:solr_document).and_return(SolrDocument.new({id: solr_document_id}))
+ allow(routes).to receive(:bytestream_token_url).with(id_params).and_return(expected_id)
+ end
+
+ context 'profile is external' do
+ let(:profile) { 'external' }
+ let(:id_params) { {catalog_id: solr_document_id, bytestream_id: 'content', profile: profile} }
+
+ it "creates a hashable token service with the expected id" do
+ expect(access_token_service.to_h['id']).to be expected_id
+ end
+ end
+
+ context 'profile is kiosk' do
+ let(:profile) { 'kiosk' }
+ let(:id_params) { {catalog_id: solr_document_id, bytestream_id: 'content', profile: profile} }
+
+ it "creates a hashable token service with the expected id" do
+ expect(access_token_service.to_h['id']).to be expected_id
+ end
+ end
+
+ context 'profile is active' do
+ let(:profile) { 'active' }
+ # active profile should not include additional query params to distinguish it
+ let(:id_params) { {catalog_id: solr_document_id, bytestream_id: 'content'} }
+
+ it "creates a hashable token service with the expected id" do
+ expect(access_token_service.to_h['id']).to be expected_id
+ end
+ end
+end
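Review bot: The three examples assert with `be`, which checks object identity, so they pass only because the stub hands back the very same String object. `expect(access_token_service.to_h['id']).to eq expected_id` states the intent and still holds if `to_h` ever copies or rebuilds the id. The spec always passes `profile:` explicitly, so the new default in `initialize` is not pinned; a context that builds the service without `profile:` and expects the same params as the 'active' case would cover it. A case with a non-nil `format` alongside a profile would confirm that both params reach `bytestream_token_url` together.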