fix: apply authorized email restriction to non-admin routes (#1778)
## What kind of change does this PR introduce? * Move the email restriction validation to the middleware rather than doing it in the `validateEmail` function * Excludes requests made to the `/admin` endpoints and any `GET` and `DELETE` requests ## What is the current behavior? Please link any relevant issues here. ## What is the new behavior? Feel free to include screenshots if it includes visual changes. ## Additional context Add any other context or screenshots.
1 parent
ba00f75
commit 1af203f
Showing
6 changed files
with
91 additions
and
54 deletions.
@@ -48,41 +48,6 @@ func (ts *MailTestSuite) SetupTest() { | |
require.NoError(ts.T(), ts.API.db.Create(u), "Error saving new user") | ||
} | ||
|
||
func (ts *MailTestSuite) TestValidateEmailAuthorizedAddresses() { | ||
ts.Config.External.Email.AuthorizedAddresses = []string{"[email protected]", "[email protected]"} | ||
defer func() { | ||
ts.Config.External.Email.AuthorizedAddresses = nil | ||
}() | ||
|
||
positiveExamples := []string{ | ||
"[email protected]", | ||
"[email protected]", | ||
"[email protected]", | ||
"[email protected]", | ||
"[email protected]", | ||
"[email protected]", | ||
"[email protected]", | ||
"[email protected]", | ||
} | ||
|
||
negativeExamples := []string{ | ||
"[email protected]", | ||
"[email protected]", | ||
"[email protected]", | ||
"[email protected]", | ||
} | ||
|
||
for _, example := range positiveExamples { | ||
_, err := ts.API.validateEmail(example) | ||
require.NoError(ts.T(), err) | ||
} | ||
|
||
for _, example := range negativeExamples { | ||
_, err := ts.API.validateEmail(example) | ||
require.Error(ts.T(), err) | ||
} | ||
} | ||
|
||
func (ts *MailTestSuite) TestGenerateLink() { | ||
// create admin jwt | ||
claims := &AccessTokenClaims{ | ||
|
@@ -515,3 +515,52 @@ func (ts *MiddlewareTestSuite) TestLimitHandlerWithSharedLimiter() { | |
}) | ||
} | ||
} | ||
|
||
func (ts *MiddlewareTestSuite) TestIsValidAuthorizedEmail() { | ||
ts.API.config.External.Email.AuthorizedAddresses = []string{"[email protected]"} | ||
|
||
cases := []struct { | ||
desc string | ||
reqPath string | ||
body map[string]interface{} | ||
}{ | ||
{ | ||
desc: "bypass check for admin endpoints", | ||
reqPath: "/admin", | ||
body: map[string]interface{}{ | ||
"email": "[email protected]", | ||
}, | ||
}, | ||
{ | ||
desc: "bypass check if no email in request body", | ||
reqPath: "/signup", | ||
body: map[string]interface{}{}, | ||
}, | ||
{ | ||
desc: "email not in authorized list", | ||
reqPath: "/signup", | ||
body: map[string]interface{}{ | ||
"email": "[email protected]", | ||
}, | ||
}, | ||
{ | ||
desc: "email in authorized list", | ||
reqPath: "/signup", | ||
body: map[string]interface{}{ | ||
"email": "[email protected]", | ||
}, | ||
}, | ||
} | ||
|
||
for _, c := range cases { | ||
ts.Run(c.desc, func() { | ||
var buffer bytes.Buffer | ||
require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(c.body)) | ||
req := httptest.NewRequest(http.MethodPost, "http://localhost"+c.reqPath, &buffer) | ||
w := httptest.NewRecorder() | ||
if _, err := ts.API.isValidAuthorizedEmail(w, req); err != nil { | ||
require.Equal(ts.T(), err.(*HTTPError).ErrorCode, ErrorCodeEmailAddressNotAuthorized) | ||
} | ||
}) | ||
} | ||
} |
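Review bot: The loop at the end of the hunk only inspects the error when one is returned, so the "email not in authorized list" case still passes if `isValidAuthorizedEmail` returns nil for every request, and the admin, no-email and authorized cases never assert that the check was actually bypassed or accepted — the test cannot catch a regression in either direction. Each case should carry an expectation, e.g. an `expectErr bool` set only on the unauthorized case, and the loop should assert `require.NoError` or `require.Error` plus the error code accordingly. Unlike the deleted `TestValidateEmailAuthorizedAddresses`, this test also sets `ts.API.config.External.Email.AuthorizedAddresses` without a `defer` reset, which may leak the restriction into later tests in the suite unless `SetupTest` rebuilds the config (not visible here). The description says `GET` and `DELETE` requests are excluded from the check, but every case here uses `http.MethodPost`, so that bypass path has no coverage.
```go
cases := []struct {
	desc      string
	reqPath   string
	body      map[string]interface{}
	expectErr bool
}{
	// … unchanged: the four cases, with expectErr: true on "email not in authorized list" only …
}

for _, c := range cases {
	ts.Run(c.desc, func() {
		var buffer bytes.Buffer
		require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(c.body))
		req := httptest.NewRequest(http.MethodPost, "http://localhost"+c.reqPath, &buffer)
		w := httptest.NewRecorder()
		_, err := ts.API.isValidAuthorizedEmail(w, req)
		if !c.expectErr {
			require.NoError(ts.T(), err)
			return
		}
		require.Error(ts.T(), err)
		require.Equal(ts.T(), ErrorCodeEmailAddressNotAuthorized, err.(*HTTPError).ErrorCode)
	})
}
```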