Add OPTIONS preflight support for 3rd party auth.
- Explicitly add wildcard CORS header within the middleware. - Accept all OPTIONS preflight requests within the middlware. - Add success tests for the OPTIONS request. - Add failure tests for GET requests.
This commit is contained in:
parent
031a848b7a
commit
509c658080
@ -56,6 +56,12 @@ func accessDenied(w http.ResponseWriter) {
|
||||
// RequireExternalAPIAccessToken will validate a 3rd party access token.
|
||||
func RequireExternalAPIAccessToken(scope string, handler ExternalAccessTokenHandlerFunc) http.HandlerFunc {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
// We should accept 3rd party preflight OPTIONS requests.
|
||||
if r.Method == "OPTIONS" {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
return
|
||||
}
|
||||
|
||||
authHeader := strings.Split(r.Header.Get("Authorization"), "Bearer ")
|
||||
token := strings.Join(authHeader, "")
|
||||
|
||||
@ -71,6 +77,9 @@ func RequireExternalAPIAccessToken(scope string, handler ExternalAccessTokenHand
|
||||
return
|
||||
}
|
||||
|
||||
// All valid 3rd party requests should have a wildcard CORS header.
|
||||
w.Header().Set("Access-Control-Allow-Origin", "*")
|
||||
|
||||
handler(*integration, w, r)
|
||||
|
||||
if err := user.SetExternalAPIUserAccessTokenAsUsed(token); err != nil {
|
||||
|
@ -20,8 +20,10 @@ test('create webhook', async (done) => {
|
||||
});
|
||||
|
||||
test('check webhooks', (done) => {
|
||||
request.get('/api/admin/webhooks')
|
||||
.auth('admin', 'abc123').expect(200)
|
||||
request
|
||||
.get('/api/admin/webhooks')
|
||||
.auth('admin', 'abc123')
|
||||
.expect(200)
|
||||
.then((res) => {
|
||||
expect(res.body).toHaveLength(1);
|
||||
expect(res.body[0].url).toBe(webhook);
|
||||
@ -40,8 +42,10 @@ test('delete webhook', async (done) => {
|
||||
});
|
||||
|
||||
test('check that webhook was deleted', (done) => {
|
||||
request.get('/api/admin/webhooks')
|
||||
.auth('admin', 'abc123').expect(200)
|
||||
request
|
||||
.get('/api/admin/webhooks')
|
||||
.auth('admin', 'abc123')
|
||||
.expect(200)
|
||||
.then((res) => {
|
||||
expect(res.body).toHaveLength(0);
|
||||
done();
|
||||
@ -50,7 +54,11 @@ test('check that webhook was deleted', (done) => {
|
||||
|
||||
test('create access token', async (done) => {
|
||||
const name = 'Automated integration test';
|
||||
const scopes = ['CAN_SEND_SYSTEM_MESSAGES', 'CAN_SEND_MESSAGES'];
|
||||
const scopes = [
|
||||
'CAN_SEND_SYSTEM_MESSAGES',
|
||||
'CAN_SEND_MESSAGES',
|
||||
'HAS_ADMIN_ACCESS',
|
||||
];
|
||||
const res = await sendIntegrationsChangePayload('accesstokens/create', {
|
||||
name: name,
|
||||
scopes: scopes,
|
||||
@ -61,38 +69,80 @@ test('create access token', async (done) => {
|
||||
expect(res.body.displayName).toBe(name);
|
||||
expect(res.body.scopes).toStrictEqual(scopes);
|
||||
accessToken = res.body.accessToken;
|
||||
|
||||
done();
|
||||
});
|
||||
|
||||
test('check access tokens', async (done) => {
|
||||
const res = await request.get('/api/admin/accesstokens')
|
||||
.auth('admin', 'abc123').expect(200)
|
||||
const tokenCheck = res.body.filter((token) => token.accessToken === accessToken)
|
||||
const res = await request
|
||||
.get('/api/admin/accesstokens')
|
||||
.auth('admin', 'abc123')
|
||||
.expect(200);
|
||||
const tokenCheck = res.body.filter(
|
||||
(token) => token.accessToken === accessToken
|
||||
);
|
||||
expect(tokenCheck).toHaveLength(1);
|
||||
done();
|
||||
});
|
||||
|
||||
test('send a system message using access token', async (done) => {
|
||||
const payload = {body: 'This is a test system message from the automated integration test'};
|
||||
const res = await request.post('/api/integrations/chat/system')
|
||||
const payload = {
|
||||
body: 'This is a test system message from the automated integration test',
|
||||
};
|
||||
const res = await request
|
||||
.post('/api/integrations/chat/system')
|
||||
.set('Authorization', 'Bearer ' + accessToken)
|
||||
.send(payload).expect(200);
|
||||
.send(payload)
|
||||
.expect(200);
|
||||
done();
|
||||
});
|
||||
|
||||
test('send an external integration message using access token', async (done) => {
|
||||
const payload = {body: 'This is a test external message from the automated integration test'};
|
||||
const res = await request.post('/api/integrations/chat/send')
|
||||
const payload = {
|
||||
body: 'This is a test external message from the automated integration test',
|
||||
};
|
||||
const res = await request
|
||||
.post('/api/integrations/chat/send')
|
||||
.set('Authorization', 'Bearer ' + accessToken)
|
||||
.send(payload).expect(200);
|
||||
.send(payload)
|
||||
.expect(200);
|
||||
done();
|
||||
});
|
||||
|
||||
test('send an external integration action using access token', async (done) => {
|
||||
const payload = {body: 'This is a test external action from the automated integration test'};
|
||||
const res = await request.post('/api/integrations/chat/action')
|
||||
const payload = {
|
||||
body: 'This is a test external action from the automated integration test',
|
||||
};
|
||||
const res = await request
|
||||
.post('/api/integrations/chat/action')
|
||||
.set('Authorization', 'Bearer ' + accessToken)
|
||||
.send(payload).expect(200);
|
||||
.send(payload)
|
||||
.expect(200);
|
||||
done();
|
||||
});
|
||||
|
||||
test('test fetch chat history using access token', async (done) => {
|
||||
const res = await request
|
||||
.get('/api/integrations/chat')
|
||||
.set('Authorization', 'Bearer ' + accessToken)
|
||||
.expect(200);
|
||||
done();
|
||||
});
|
||||
|
||||
|
||||
test('test fetch chat history failure using invalid access token', async (done) => {
|
||||
const res = await request
|
||||
.get('/api/integrations/chat')
|
||||
.set('Authorization', 'Bearer ' + 'invalidToken')
|
||||
.expect(401);
|
||||
done();
|
||||
});
|
||||
|
||||
test('test fetch chat history OPTIONS request', async (done) => {
|
||||
const res = await request
|
||||
.options('/api/integrations/chat')
|
||||
.set('Authorization', 'Bearer ' + accessToken)
|
||||
.expect(200);
|
||||
done();
|
||||
});
|
||||
|
||||
@ -105,18 +155,24 @@ test('delete access token', async (done) => {
|
||||
});
|
||||
|
||||
test('check token delete was successful', async (done) => {
|
||||
const res = await request.get('/api/admin/accesstokens')
|
||||
.auth('admin', 'abc123').expect(200)
|
||||
const tokenCheck = res.body.filter((token) => token.accessToken === accessToken)
|
||||
const res = await request
|
||||
.get('/api/admin/accesstokens')
|
||||
.auth('admin', 'abc123')
|
||||
.expect(200);
|
||||
const tokenCheck = res.body.filter(
|
||||
(token) => token.accessToken === accessToken
|
||||
);
|
||||
expect(tokenCheck).toHaveLength(0);
|
||||
done();
|
||||
});
|
||||
|
||||
async function sendIntegrationsChangePayload(endpoint, payload) {
|
||||
const url = '/api/admin/' + endpoint;
|
||||
const res = await request.post(url)
|
||||
const res = await request
|
||||
.post(url)
|
||||
.auth('admin', 'abc123')
|
||||
.send(payload).expect(200);
|
||||
.send(payload)
|
||||
.expect(200);
|
||||
|
||||
return res
|
||||
return res;
|
||||
}
|
Loading…
x
Reference in New Issue
Block a user