Add OPTIONS preflight support for 3rd party auth.

- Explicitly add wildcard CORS header within the middleware. - Accept all OPTIONS preflight requests within the middlware. - Add success tests for the OPTIONS request. - Add failure tests for GET requests.
4 years ago · 509c658080
2 changed files with 91 additions and 26 deletions
--- a/router/middleware/auth.go
+++ b/router/middleware/auth.go
@ -56,6 +56,12 @@ func accessDenied(w http.ResponseWriter) {
				@@ -56,6 +56,12 @@ func accessDenied(w http.ResponseWriter) {
 // RequireExternalAPIAccessToken will validate a 3rd party access token.
 func RequireExternalAPIAccessToken(scope string, handler ExternalAccessTokenHandlerFunc) http.HandlerFunc {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// We should accept 3rd party preflight OPTIONS requests.
+		if r.Method == "OPTIONS" {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+
 		authHeader := strings.Split(r.Header.Get("Authorization"), "Bearer ")
 		token := strings.Join(authHeader, "")

@ -71,6 +77,9 @@ func RequireExternalAPIAccessToken(scope string, handler ExternalAccessTokenHand
				@@ -71,6 +77,9 @@ func RequireExternalAPIAccessToken(scope string, handler ExternalAccessTokenHand
 			return
 		}

+		// All valid 3rd party requests should have a wildcard CORS header.
+		w.Header().Set("Access-Control-Allow-Origin", "*")
+
 		handler(*integration, w, r)

 		if err := user.SetExternalAPIUserAccessTokenAsUsed(token); err != nil {
--- a/test/automated/integrations.test.js
+++ b/test/automated/integrations.test.js
@ -10,7 +10,7 @@ const events = ['CHAT'];
				@@ -10,7 +10,7 @@ const events = ['CHAT'];
 test('create webhook', async (done) => {
    const res = await sendIntegrationsChangePayload('webhooks/create', {
        url: webhook,
-        events: events, 
+        events: events,
    });

    expect(res.body.url).toBe(webhook);
@ -20,8 +20,10 @@ test('create webhook', async (done) => {
				@@ -20,8 +20,10 @@ test('create webhook', async (done) => {
 });

 test('check webhooks', (done) => {
-    request.get('/api/admin/webhooks')
-        .auth('admin', 'abc123').expect(200)
+    request
+        .get('/api/admin/webhooks')
+        .auth('admin', 'abc123')
+        .expect(200)
        .then((res) => {
            expect(res.body).toHaveLength(1);
            expect(res.body[0].url).toBe(webhook);
@ -40,8 +42,10 @@ test('delete webhook', async (done) => {
				@@ -40,8 +42,10 @@ test('delete webhook', async (done) => {
 });

 test('check that webhook was deleted', (done) => {
-    request.get('/api/admin/webhooks')
-        .auth('admin', 'abc123').expect(200)
+    request
+        .get('/api/admin/webhooks')
+        .auth('admin', 'abc123')
+        .expect(200)
        .then((res) => {
            expect(res.body).toHaveLength(0);
            done();
@ -50,10 +54,14 @@ test('check that webhook was deleted', (done) => {
				@@ -50,10 +54,14 @@ test('check that webhook was deleted', (done) => {

 test('create access token', async (done) => {
    const name = 'Automated integration test';
-    const scopes = ['CAN_SEND_SYSTEM_MESSAGES', 'CAN_SEND_MESSAGES'];
+    const scopes = [
+        'CAN_SEND_SYSTEM_MESSAGES',
+        'CAN_SEND_MESSAGES',
+        'HAS_ADMIN_ACCESS',
+    ];
    const res = await sendIntegrationsChangePayload('accesstokens/create', {
        name: name,
-        scopes: scopes, 
+        scopes: scopes,
    });

    expect(res.body.accessToken).toBeTruthy();
@ -61,38 +69,80 @@ test('create access token', async (done) => {
				@@ -61,38 +69,80 @@ test('create access token', async (done) => {
    expect(res.body.displayName).toBe(name);
    expect(res.body.scopes).toStrictEqual(scopes);
    accessToken = res.body.accessToken;
+
    done();
 });

 test('check access tokens', async (done) => {
-    const res = await request.get('/api/admin/accesstokens')
-        .auth('admin', 'abc123').expect(200)
-    const tokenCheck = res.body.filter((token) => token.accessToken === accessToken)
+    const res = await request
+        .get('/api/admin/accesstokens')
+        .auth('admin', 'abc123')
+        .expect(200);
+    const tokenCheck = res.body.filter(
+        (token) => token.accessToken === accessToken
+    );
    expect(tokenCheck).toHaveLength(1);
    done();
 });

 test('send a system message using access token', async (done) => {
-    const payload = {body: 'This is a test system message from the automated integration test'};
-    const res = await request.post('/api/integrations/chat/system')
+    const payload = {
+        body: 'This is a test system message from the automated integration test',
+    };
+    const res = await request
+        .post('/api/integrations/chat/system')
        .set('Authorization', 'Bearer ' + accessToken)
-        .send(payload).expect(200);
+        .send(payload)
+        .expect(200);
    done();
 });

 test('send an external integration message using access token', async (done) => {
-    const payload = {body: 'This is a test external message from the automated integration test'};
-    const res = await request.post('/api/integrations/chat/send')
+    const payload = {
+        body: 'This is a test external message from the automated integration test',
+    };
+    const res = await request
+        .post('/api/integrations/chat/send')
        .set('Authorization', 'Bearer ' + accessToken)
-        .send(payload).expect(200);
+        .send(payload)
+        .expect(200);
    done();
 });

 test('send an external integration action using access token', async (done) => {
-    const payload = {body: 'This is a test external action from the automated integration test'};
-    const res = await request.post('/api/integrations/chat/action')
+    const payload = {
+        body: 'This is a test external action from the automated integration test',
+    };
+    const res = await request
+        .post('/api/integrations/chat/action')
        .set('Authorization', 'Bearer ' + accessToken)
-        .send(payload).expect(200);
+        .send(payload)
+        .expect(200);
+    done();
+});
+
+test('test fetch chat history using access token', async (done) => {
+    const res = await request
+        .get('/api/integrations/chat')
+        .set('Authorization', 'Bearer ' + accessToken)
+        .expect(200);
+    done();
+});
+
+
+test('test fetch chat history failure using invalid access token', async (done) => {
+    const res = await request
+        .get('/api/integrations/chat')
+        .set('Authorization', 'Bearer ' + 'invalidToken')
+        .expect(401);
+    done();
+});
+
+test('test fetch chat history OPTIONS request', async (done) => {
+    const res = await request
+        .options('/api/integrations/chat')
+        .set('Authorization', 'Bearer ' + accessToken)
+        .expect(200);
    done();
 });

@ -105,18 +155,24 @@ test('delete access token', async (done) => {
				@@ -105,18 +155,24 @@ test('delete access token', async (done) => {
 });

 test('check token delete was successful', async (done) => {
-    const res = await request.get('/api/admin/accesstokens')
-        .auth('admin', 'abc123').expect(200)
-    const tokenCheck = res.body.filter((token) => token.accessToken === accessToken)
+    const res = await request
+        .get('/api/admin/accesstokens')
+        .auth('admin', 'abc123')
+        .expect(200);
+    const tokenCheck = res.body.filter(
+        (token) => token.accessToken === accessToken
+    );
    expect(tokenCheck).toHaveLength(0);
    done();
 });

 async function sendIntegrationsChangePayload(endpoint, payload) {
    const url = '/api/admin/' + endpoint;
-    const res = await request.post(url)
+    const res = await request
+        .post(url)
        .auth('admin', 'abc123')
-        .send(payload).expect(200);
+        .send(payload)
+        .expect(200);

-    return res
-}
+    return res;
+}