Add support for passing client token in params

jonallured · Jan 6, 2024 · d2805ef · d2805ef
1 parent 78158d2
commit d2805ef
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 2 deletions.
diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
@@ -1,5 +1,6 @@
 class ApiController < ActionController::Base
   CLIENT_TOKEN_HEADER = "X-MLI-CLIENT-TOKEN"
+  CLIENT_TOKEN_PARAM = :mli_client_token
 
   protect_from_forgery with: :null_session
 
@@ -8,7 +9,7 @@ class ApiController < ActionController::Base
   private
 
   def client_token_valid?
-    client_token = request.headers[CLIENT_TOKEN_HEADER]
+    client_token = request.headers[CLIENT_TOKEN_HEADER] || params[CLIENT_TOKEN_PARAM]
     Monolithium.config.client_token == client_token
   end
 

diff --git a/app/models/hook_request.rb b/app/models/hook_request.rb
@@ -3,6 +3,10 @@ class HookRequest
     ApiController::CLIENT_TOKEN_HEADER
   ]
 
+  SECRET_HEADER_PARAMS = [
+    ApiController::CLIENT_TOKEN_PARAM
+  ]
+
   def self.to_attrs(request, params)
     new(request, params).to_attrs
   end
@@ -45,6 +49,12 @@ def computed_headers
   end
 
   def computed_params
-    params.to_unsafe_hash
+    unsafe_params = params.to_unsafe_hash
+
+    SECRET_HEADER_PARAMS.each do |secret_param|
+      unsafe_params[secret_param] = "REDACTED" if unsafe_params.key? secret_param
+    end
+
+    unsafe_params
   end
 end
diff --git a/spec/models/hook_request_spec.rb b/spec/models/hook_request_spec.rb
@@ -64,5 +64,14 @@
         expect(attrs[:params][:unsafe]).to eq "don't ignore me!"
       end
     end
+
+    context "with a client token param" do
+      let(:parameters) { {ApiController::CLIENT_TOKEN_PARAM => "shhh"} }
+
+      it "redacts that header value" do
+        attrs = HookRequest.to_attrs(request, params)
+        expect(attrs[:params][ApiController::CLIENT_TOKEN_PARAM]).to eq "REDACTED"
+      end
+    end
   end
 end
diff --git a/spec/requests/api/v1/post_bin_spec.rb b/spec/requests/api/v1/post_bin_spec.rb
@@ -24,4 +24,30 @@
       expect(PostBinRequest.count).to eq 1
     end
   end
+
+  context "with an invalid client token param" do
+    it "returns an empty 404" do
+      params = {ApiController::CLIENT_TOKEN_PARAM => "invalid"}
+      post "/api/v1/post_bin", params: params
+      expect(response.status).to eq 404
+    end
+  end
+
+  context "with a valid client token param" do
+    it "returns an empty 201 and creates a PostBin record" do
+      params = {ApiController::CLIENT_TOKEN_PARAM => Monolithium.config.client_token}
+      post "/api/v1/post_bin", params: params
+      expect(response.status).to eq 201
+      expect(PostBinRequest.count).to eq 1
+    end
+  end
+
+  context "with an invalid client token header and a valid client token param" do
+    it "returns an empty 404" do
+      params = {ApiController::CLIENT_TOKEN_PARAM => Monolithium.config.client_token}
+      headers = {ApiController::CLIENT_TOKEN_HEADER => "invalid"}
+      post "/api/v1/post_bin", params: params, headers: headers
+      expect(response.status).to eq 404
+    end
+  end
 end