From 72d4af63dca27adab9338a81dae9bc50c38bb9e8 Mon Sep 17 00:00:00 2001
From: Okke Harsta
Date: Wed, 17 Jul 2024 16:52:04 +0200
Subject: [PATCH] Log error for invalid token

https://www.pivotaltracker.com/story/show/187956690
---
 .../UserHandlerMethodArgumentResolver.java | 2 +-
 .../access/api/UserRoleControllerTest.java | 31 +++++++++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/server/src/main/java/access/security/UserHandlerMethodArgumentResolver.java b/server/src/main/java/access/security/UserHandlerMethodArgumentResolver.java
index e9db5ab5..25edb3ec 100755
--- a/server/src/main/java/access/security/UserHandlerMethodArgumentResolver.java
+++ b/server/src/main/java/access/security/UserHandlerMethodArgumentResolver.java
@@ -65,7 +65,7 @@ public User resolveArgument(MethodParameter methodParameter,
 } else if (userPrincipal instanceof OAuth2AuthenticationToken authenticationToken) {
 //The user has logged in with OpenIDConnect. Invite is acting as a backend server
 attributes = authenticationToken.getPrincipal().getAttributes();
-} else if (StringUtils.hasText(apiTokenHeader) && apiTokenHeader.length() == 36) {
+} else if (StringUtils.hasText(apiTokenHeader)) {
 //The user has obtained an API token (from her institution admin) and there is no state
 String hashedToken = HashGenerator.hashToken(apiTokenHeader);
 APIToken apiToken = apiTokenRepository.findByHashedValue(hashedToken)
diff --git a/server/src/test/java/access/api/UserRoleControllerTest.java b/server/src/test/java/access/api/UserRoleControllerTest.java
index 079a1d83..06fd856b 100644
--- a/server/src/test/java/access/api/UserRoleControllerTest.java
+++ b/server/src/test/java/access/api/UserRoleControllerTest.java
@@ -9,6 +9,7 @@
 import io.restassured.common.mapper.TypeRef;
 import io.restassured.http.ContentType;
 import org.junit.jupiter.api.Test;
+import org.springframework.http.HttpStatus;
 
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
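Review bot: Dropping the `apiTokenHeader.length() == 36` guard on the changed `else if` means every non-blank API token header now reaches `HashGenerator.hashToken` and the repository lookup, so malformed tokens are rejected by the lookup path instead of silently falling through to whatever the final branch did; that intent deserves a comment, e.g. `//Any non-blank header is treated as an API token; malformed or unknown values fail the lookup below and are rejected there`. The commit title says the invalid token is logged, but no log statement is in the hunk; if the rejection path logs the offending header, it should log the hashed value or a fixed-length prefix rather than the raw header, since a mistyped-but-otherwise-valid secret would otherwise end up in the log. `resolveArgument` starts and ends outside the hunk, and the `findByHashedValue` call chain continues past its last line.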
@@ -239,6 +240,36 @@ void consequencesForDeletion() throws Exception {
 System.out.println(userRoles);
 }
 
+ @Test
+ void invalidAPIToken() {
+ List roleIdentifiers = List.of(
+ roleRepository.findByName("Network").get(0).getId(),
+ roleRepository.findByName("Wiki").get(0).getId()
+ );
+ UserRoleProvisioning userRoleProvisioning = new UserRoleProvisioning(
+ roleIdentifiers,
+ Authority.GUEST,
+ null,
+ "new_user@domain.org",
+ null,
+ null,
+ null,
+ "Charly Green",
+ null,
+ true
+ );
+ given()
+ .when()
+ .header(API_TOKEN_HEADER, "bogus")
+ .accept(ContentType.JSON)
+ .contentType(ContentType.JSON)
+ .body(userRoleProvisioning)
+ .post("/api/external/v1/user_roles/user_role_provisioning")
+ .then()
+ .statusCode(HttpStatus.FORBIDDEN.value());
+
+ }
+
 private void doUserRoleProvisioning(UserRoleProvisioning userRoleProvisioning, String expectedSub, int expectedUserRoleCount) throws JsonProcessingException {
 super.stubForManagerProvidersByIdIn(EntityType.SAML20_SP, List.of("1", "2"));
 super.stubForManageProvidersAllowedByIdP(ORGANISATION_GUID);
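Review bot: The new `invalidAPIToken` test sends only the short value `"bogus"`, so it covers the case the removed length guard used to divert but not the case that guard used to admit; a second request with a 36-character token that is not in the repository would pin that both shapes now take the same rejection path and return 403. The test asserts only the status code while the commit title promises an error log entry; if the test base class offers log capture, asserting the log line as well would cover the stated purpose of the change. The request body is fully populated even though the request is expected to be rejected on the token alone, which is fine but worth a one-line comment such as `// body is valid, so the bogus token is the only reason for rejection`. `doUserRoleProvisioning` continues outside the hunk.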