From 6eb63d68f9fb527aa71515759d773765f465bdc0 Mon Sep 17 00:00:00 2001
From: Tim Haasdyk
Date: Mon, 22 Apr 2024 14:13:09 +0200
Subject: [PATCH] Fixes #419; make legacy project lookup allow missing request body
---
 .../LexBoxApi/Controllers/LegacyProjectApiController.cs | 4 ++--
 .../Testing/SyncReverseProxy/LegacyProjectApiTests.cs | 9 +++++++++
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/backend/LexBoxApi/Controllers/LegacyProjectApiController.cs b/backend/LexBoxApi/Controllers/LegacyProjectApiController.cs
index 2530391d1..323256006 100644
--- a/backend/LexBoxApi/Controllers/LegacyProjectApiController.cs
+++ b/backend/LexBoxApi/Controllers/LegacyProjectApiController.cs
@@ -42,9 +42,9 @@ public async Task> ProjectsForm(string userName
 [ProducesResponseType(typeof(LegacyApiError), StatusCodes.Status403Forbidden)]
 [ProducesResponseType(typeof(LegacyApiProject[]), StatusCodes.Status200OK)]
 [Consumes(MediaTypeNames.Application.Json)]
- public async Task> Projects(string userName, ProjectsInput input)
+ public async Task> Projects(string userName, ProjectsInput? input)
 {
- var password = input.Password;
+ var password = input?.Password ?? string.Empty;

 var user = await _lexBoxDbContext.Users.FilterByEmailOrUsername(userName)
 .Select(user => new
diff --git a/backend/Testing/SyncReverseProxy/LegacyProjectApiTests.cs b/backend/Testing/SyncReverseProxy/LegacyProjectApiTests.cs
index f7e32d670..0a5aec96a 100644
--- a/backend/Testing/SyncReverseProxy/LegacyProjectApiTests.cs
+++ b/backend/Testing/SyncReverseProxy/LegacyProjectApiTests.cs
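Review bot: In the LegacyProjectApiController.cs hunk, `var password = input?.Password ?? string.Empty;` turns a missing body into an empty password that is passed on to the verification code further down, so the 403 for a bodyless request now depends entirely on that later check never accepting an empty string. The rest of `Projects` lies outside the hunk, so whether that holds for every account (for example one with no password hash set) cannot be confirmed from here. I would make the rejection explicit after the user lookup with a guard such as `if (string.IsNullOrEmpty(input?.Password))` that returns the 403 `LegacyApiError` presumably already used for a wrong password, which keeps the unknown-user response unchanged. At minimum the line deserves a comment like `// Missing body => empty password; must always fail verification below.`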
@@ -119,4 +119,13 @@ public async Task TestInvalidUser()
 responseObject.ShouldContainKey("error");
 responseObject["error"]!.GetValue().ShouldBe("Unknown user");
 }
+
+ // LF sends lots of requests with no password/request body. Chorus might as well.
+ // Requests between our software shouldn't be "Bad requests" (400).
+ [Fact]
+ public async Task MissingPasswordReturns403()
+ {
+ var response = await Client.PostAsJsonAsync($"{_baseUrl}/api/user/{TestData.User}/projects", null);
+ response.StatusCode.ShouldBe(HttpStatusCode.Forbidden);
+ }
 }
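Review bot: `MissingPasswordReturns403` does not actually send a request without a body: `PostAsJsonAsync(..., null)` serializes its value, so as far as I can tell the server receives the JSON literal `null` with a JSON content type. The cases the comment describes, a zero-length body and an object with no password, stay untested, and with `[Consumes(MediaTypeNames.Application.Json)]` on the action a request that carries no Content-Type may not reach it at all. I would add cases posting `new StringContent("", Encoding.UTF8, "application/json")` and `new { }`, each asserting `HttpStatusCode.Forbidden`. Asserting the error body as well, as `TestInvalidUser` does, would show that the 403 comes from the password rejection and not from some other path.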