Add OPTIONS preflight support for 3rd party auth.
- Explicitly add wildcard CORS header within the middleware. - Accept all OPTIONS preflight requests within the middlware. - Add success tests for the OPTIONS request. - Add failure tests for GET requests.
This commit is contained in:
Gabe Kangas
@@ -56,6 +56,12 @@ func accessDenied(w http.ResponseWriter) {
|
|||||||
// RequireExternalAPIAccessToken will validate a 3rd party access token.
|
// RequireExternalAPIAccessToken will validate a 3rd party access token.
|
||||||
func RequireExternalAPIAccessToken(scope string, handler ExternalAccessTokenHandlerFunc) http.HandlerFunc {
|
func RequireExternalAPIAccessToken(scope string, handler ExternalAccessTokenHandlerFunc) http.HandlerFunc {
|
||||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
// We should accept 3rd party preflight OPTIONS requests.
|
||||||
|
if r.Method == "OPTIONS" {
|
||||||
|
w.WriteHeader(http.StatusOK)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
authHeader := strings.Split(r.Header.Get("Authorization"), "Bearer ")
|
authHeader := strings.Split(r.Header.Get("Authorization"), "Bearer ")
|
||||||
token := strings.Join(authHeader, "")
|
token := strings.Join(authHeader, "")
|
||||||
|
|
||||||
@@ -71,6 +77,9 @@ func RequireExternalAPIAccessToken(scope string, handler ExternalAccessTokenHand
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// All valid 3rd party requests should have a wildcard CORS header.
|
||||||
|
w.Header().Set("Access-Control-Allow-Origin", "*")
|
||||||
|
|
||||||
handler(*integration, w, r)
|
handler(*integration, w, r)
|
||||||
|
|
||||||
if err := user.SetExternalAPIUserAccessTokenAsUsed(token); err != nil {
|
if err := user.SetExternalAPIUserAccessTokenAsUsed(token); err != nil {
|
||||||
|
|||||||
@@ -10,7 +10,7 @@ const events = ['CHAT'];
|
|||||||
test('create webhook', async (done) => {
|
test('create webhook', async (done) => {
|
||||||
const res = await sendIntegrationsChangePayload('webhooks/create', {
|
const res = await sendIntegrationsChangePayload('webhooks/create', {
|
||||||
url: webhook,
|
url: webhook,
|
||||||
events: events,
|
events: events,
|
||||||
});
|
});
|
||||||
|
|
||||||
expect(res.body.url).toBe(webhook);
|
expect(res.body.url).toBe(webhook);
|
||||||
@@ -20,8 +20,10 @@ test('create webhook', async (done) => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
test('check webhooks', (done) => {
|
test('check webhooks', (done) => {
|
||||||
request.get('/api/admin/webhooks')
|
request
|
||||||
.auth('admin', 'abc123').expect(200)
|
.get('/api/admin/webhooks')
|
||||||
|
.auth('admin', 'abc123')
|
||||||
|
.expect(200)
|
||||||
.then((res) => {
|
.then((res) => {
|
||||||
expect(res.body).toHaveLength(1);
|
expect(res.body).toHaveLength(1);
|
||||||
expect(res.body[0].url).toBe(webhook);
|
expect(res.body[0].url).toBe(webhook);
|
||||||
@@ -40,8 +42,10 @@ test('delete webhook', async (done) => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
test('check that webhook was deleted', (done) => {
|
test('check that webhook was deleted', (done) => {
|
||||||
request.get('/api/admin/webhooks')
|
request
|
||||||
.auth('admin', 'abc123').expect(200)
|
.get('/api/admin/webhooks')
|
||||||
|
.auth('admin', 'abc123')
|
||||||
|
.expect(200)
|
||||||
.then((res) => {
|
.then((res) => {
|
||||||
expect(res.body).toHaveLength(0);
|
expect(res.body).toHaveLength(0);
|
||||||
done();
|
done();
|
||||||
@@ -50,10 +54,14 @@ test('check that webhook was deleted', (done) => {
|
|||||||
|
|
||||||
test('create access token', async (done) => {
|
test('create access token', async (done) => {
|
||||||
const name = 'Automated integration test';
|
const name = 'Automated integration test';
|
||||||
const scopes = ['CAN_SEND_SYSTEM_MESSAGES', 'CAN_SEND_MESSAGES'];
|
const scopes = [
|
||||||
|
'CAN_SEND_SYSTEM_MESSAGES',
|
||||||
|
'CAN_SEND_MESSAGES',
|
||||||
|
'HAS_ADMIN_ACCESS',
|
||||||
|
];
|
||||||
const res = await sendIntegrationsChangePayload('accesstokens/create', {
|
const res = await sendIntegrationsChangePayload('accesstokens/create', {
|
||||||
name: name,
|
name: name,
|
||||||
scopes: scopes,
|
scopes: scopes,
|
||||||
});
|
});
|
||||||
|
|
||||||
expect(res.body.accessToken).toBeTruthy();
|
expect(res.body.accessToken).toBeTruthy();
|
||||||
@@ -61,38 +69,80 @@ test('create access token', async (done) => {
|
|||||||
expect(res.body.displayName).toBe(name);
|
expect(res.body.displayName).toBe(name);
|
||||||
expect(res.body.scopes).toStrictEqual(scopes);
|
expect(res.body.scopes).toStrictEqual(scopes);
|
||||||
accessToken = res.body.accessToken;
|
accessToken = res.body.accessToken;
|
||||||
|
|
||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
|
|
||||||
test('check access tokens', async (done) => {
|
test('check access tokens', async (done) => {
|
||||||
const res = await request.get('/api/admin/accesstokens')
|
const res = await request
|
||||||
.auth('admin', 'abc123').expect(200)
|
.get('/api/admin/accesstokens')
|
||||||
const tokenCheck = res.body.filter((token) => token.accessToken === accessToken)
|
.auth('admin', 'abc123')
|
||||||
|
.expect(200);
|
||||||
|
const tokenCheck = res.body.filter(
|
||||||
|
(token) => token.accessToken === accessToken
|
||||||
|
);
|
||||||
expect(tokenCheck).toHaveLength(1);
|
expect(tokenCheck).toHaveLength(1);
|
||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
|
|
||||||
test('send a system message using access token', async (done) => {
|
test('send a system message using access token', async (done) => {
|
||||||
const payload = {body: 'This is a test system message from the automated integration test'};
|
const payload = {
|
||||||
const res = await request.post('/api/integrations/chat/system')
|
body: 'This is a test system message from the automated integration test',
|
||||||
|
};
|
||||||
|
const res = await request
|
||||||
|
.post('/api/integrations/chat/system')
|
||||||
.set('Authorization', 'Bearer ' + accessToken)
|
.set('Authorization', 'Bearer ' + accessToken)
|
||||||
.send(payload).expect(200);
|
.send(payload)
|
||||||
|
.expect(200);
|
||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
|
|
||||||
test('send an external integration message using access token', async (done) => {
|
test('send an external integration message using access token', async (done) => {
|
||||||
const payload = {body: 'This is a test external message from the automated integration test'};
|
const payload = {
|
||||||
const res = await request.post('/api/integrations/chat/send')
|
body: 'This is a test external message from the automated integration test',
|
||||||
|
};
|
||||||
|
const res = await request
|
||||||
|
.post('/api/integrations/chat/send')
|
||||||
.set('Authorization', 'Bearer ' + accessToken)
|
.set('Authorization', 'Bearer ' + accessToken)
|
||||||
.send(payload).expect(200);
|
.send(payload)
|
||||||
|
.expect(200);
|
||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
|
|
||||||
test('send an external integration action using access token', async (done) => {
|
test('send an external integration action using access token', async (done) => {
|
||||||
const payload = {body: 'This is a test external action from the automated integration test'};
|
const payload = {
|
||||||
const res = await request.post('/api/integrations/chat/action')
|
body: 'This is a test external action from the automated integration test',
|
||||||
|
};
|
||||||
|
const res = await request
|
||||||
|
.post('/api/integrations/chat/action')
|
||||||
.set('Authorization', 'Bearer ' + accessToken)
|
.set('Authorization', 'Bearer ' + accessToken)
|
||||||
.send(payload).expect(200);
|
.send(payload)
|
||||||
|
.expect(200);
|
||||||
|
done();
|
||||||
|
});
|
||||||
|
|
||||||
|
test('test fetch chat history using access token', async (done) => {
|
||||||
|
const res = await request
|
||||||
|
.get('/api/integrations/chat')
|
||||||
|
.set('Authorization', 'Bearer ' + accessToken)
|
||||||
|
.expect(200);
|
||||||
|
done();
|
||||||
|
});
|
||||||
|
|
||||||
|
|
||||||
|
test('test fetch chat history failure using invalid access token', async (done) => {
|
||||||
|
const res = await request
|
||||||
|
.get('/api/integrations/chat')
|
||||||
|
.set('Authorization', 'Bearer ' + 'invalidToken')
|
||||||
|
.expect(401);
|
||||||
|
done();
|
||||||
|
});
|
||||||
|
|
||||||
|
test('test fetch chat history OPTIONS request', async (done) => {
|
||||||
|
const res = await request
|
||||||
|
.options('/api/integrations/chat')
|
||||||
|
.set('Authorization', 'Bearer ' + accessToken)
|
||||||
|
.expect(200);
|
||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -105,18 +155,24 @@ test('delete access token', async (done) => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
test('check token delete was successful', async (done) => {
|
test('check token delete was successful', async (done) => {
|
||||||
const res = await request.get('/api/admin/accesstokens')
|
const res = await request
|
||||||
.auth('admin', 'abc123').expect(200)
|
.get('/api/admin/accesstokens')
|
||||||
const tokenCheck = res.body.filter((token) => token.accessToken === accessToken)
|
.auth('admin', 'abc123')
|
||||||
|
.expect(200);
|
||||||
|
const tokenCheck = res.body.filter(
|
||||||
|
(token) => token.accessToken === accessToken
|
||||||
|
);
|
||||||
expect(tokenCheck).toHaveLength(0);
|
expect(tokenCheck).toHaveLength(0);
|
||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
|
|
||||||
async function sendIntegrationsChangePayload(endpoint, payload) {
|
async function sendIntegrationsChangePayload(endpoint, payload) {
|
||||||
const url = '/api/admin/' + endpoint;
|
const url = '/api/admin/' + endpoint;
|
||||||
const res = await request.post(url)
|
const res = await request
|
||||||
|
.post(url)
|
||||||
.auth('admin', 'abc123')
|
.auth('admin', 'abc123')
|
||||||
.send(payload).expect(200);
|
.send(payload)
|
||||||
|
.expect(200);
|
||||||
|
|
||||||
return res
|
return res;
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user