fix: disable API v1 write methods (closes #112)
All checks were successful
Check / check (pull_request) Successful in 11m21s
All checks were successful
Check / check (pull_request) Successful in 11m21s
Remove POST /apps, DELETE /apps/{id}, and POST /apps/{id}/deploy from
the API v1 route group. These endpoints used cookie-based session auth
without CSRF protection, creating a CSRF vulnerability.
Read-only endpoints (GET /apps, GET /apps/{id}, GET /apps/{id}/deployments),
login, and whoami are retained.
Removed handlers: HandleAPICreateApp, HandleAPIDeleteApp,
HandleAPITriggerDeploy, along with apiCreateRequest struct and
validateCreateRequest function.
Updated tests to use service layer directly for app creation in
remaining read-only endpoint tests.
This commit is contained in:
user
@@ -10,6 +10,8 @@ import (
|
||||
"github.com/go-chi/chi/v5"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"git.eeqj.de/sneak/upaas/internal/service/app"
|
||||
)
|
||||
|
||||
// apiRouter builds a chi router with the API routes using session auth middleware.
|
||||
@@ -23,10 +25,7 @@ func apiRouter(tc *testContext) http.Handler {
|
||||
apiR.Use(tc.middleware.APISessionAuth())
|
||||
apiR.Get("/whoami", tc.handlers.HandleAPIWhoAmI())
|
||||
apiR.Get("/apps", tc.handlers.HandleAPIListApps())
|
||||
apiR.Post("/apps", tc.handlers.HandleAPICreateApp())
|
||||
apiR.Get("/apps/{id}", tc.handlers.HandleAPIGetApp())
|
||||
apiR.Delete("/apps/{id}", tc.handlers.HandleAPIDeleteApp())
|
||||
apiR.Post("/apps/{id}/deploy", tc.handlers.HandleAPITriggerDeploy())
|
||||
apiR.Get("/apps/{id}/deployments", tc.handlers.HandleAPIListDeployments())
|
||||
})
|
||||
})
|
||||
@@ -62,23 +61,16 @@ func setupAPITest(t *testing.T) (*testContext, []*http.Cookie) {
|
||||
return tc, cookies
|
||||
}
|
||||
|
||||
// apiRequest makes an authenticated API request using session cookies.
|
||||
func apiRequest(
|
||||
// apiGet makes an authenticated GET request using session cookies.
|
||||
func apiGet(
|
||||
t *testing.T,
|
||||
tc *testContext,
|
||||
cookies []*http.Cookie,
|
||||
method, path string,
|
||||
body string,
|
||||
path string,
|
||||
) *httptest.ResponseRecorder {
|
||||
t.Helper()
|
||||
|
||||
var req *http.Request
|
||||
if body != "" {
|
||||
req = httptest.NewRequest(method, path, strings.NewReader(body))
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
} else {
|
||||
req = httptest.NewRequest(method, path, nil)
|
||||
}
|
||||
req := httptest.NewRequest(http.MethodGet, path, nil)
|
||||
|
||||
for _, c := range cookies {
|
||||
req.AddCookie(c)
|
||||
@@ -175,7 +167,7 @@ func TestAPIWhoAmI(t *testing.T) {
|
||||
|
||||
tc, cookies := setupAPITest(t)
|
||||
|
||||
rr := apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/whoami", "")
|
||||
rr := apiGet(t, tc, cookies, "/api/v1/whoami")
|
||||
assert.Equal(t, http.StatusOK, rr.Code)
|
||||
|
||||
var resp map[string]any
|
||||
@@ -188,7 +180,7 @@ func TestAPIListAppsEmpty(t *testing.T) {
|
||||
|
||||
tc, cookies := setupAPITest(t)
|
||||
|
||||
rr := apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps", "")
|
||||
rr := apiGet(t, tc, cookies, "/api/v1/apps")
|
||||
assert.Equal(t, http.StatusOK, rr.Code)
|
||||
|
||||
var apps []any
|
||||
@@ -196,52 +188,23 @@ func TestAPIListAppsEmpty(t *testing.T) {
|
||||
assert.Empty(t, apps)
|
||||
}
|
||||
|
||||
func TestAPICreateApp(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
tc, cookies := setupAPITest(t)
|
||||
|
||||
body := `{"name":"test-app","repoUrl":"https://github.com/example/repo"}`
|
||||
rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
|
||||
assert.Equal(t, http.StatusCreated, rr.Code)
|
||||
|
||||
var app map[string]any
|
||||
require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &app))
|
||||
assert.Equal(t, "test-app", app["name"])
|
||||
assert.Equal(t, "pending", app["status"])
|
||||
}
|
||||
|
||||
func TestAPICreateAppValidation(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
tc, cookies := setupAPITest(t)
|
||||
|
||||
body := `{"name":"","repoUrl":""}`
|
||||
rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
|
||||
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
||||
}
|
||||
|
||||
func TestAPIGetApp(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
tc, cookies := setupAPITest(t)
|
||||
|
||||
body := `{"name":"my-app","repoUrl":"https://github.com/example/repo"}`
|
||||
rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
|
||||
require.Equal(t, http.StatusCreated, rr.Code)
|
||||
created, err := tc.appSvc.CreateApp(t.Context(), app.CreateAppInput{
|
||||
Name: "my-app",
|
||||
RepoURL: "https://github.com/example/repo",
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
var created map[string]any
|
||||
require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &created))
|
||||
|
||||
appID, ok := created["id"].(string)
|
||||
require.True(t, ok)
|
||||
|
||||
rr = apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/"+appID, "")
|
||||
rr := apiGet(t, tc, cookies, "/api/v1/apps/"+created.ID)
|
||||
assert.Equal(t, http.StatusOK, rr.Code)
|
||||
|
||||
var app map[string]any
|
||||
require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &app))
|
||||
assert.Equal(t, "my-app", app["name"])
|
||||
var resp map[string]any
|
||||
require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
|
||||
assert.Equal(t, "my-app", resp["name"])
|
||||
}
|
||||
|
||||
func TestAPIGetAppNotFound(t *testing.T) {
|
||||
@@ -249,29 +212,7 @@ func TestAPIGetAppNotFound(t *testing.T) {
|
||||
|
||||
tc, cookies := setupAPITest(t)
|
||||
|
||||
rr := apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/nonexistent", "")
|
||||
assert.Equal(t, http.StatusNotFound, rr.Code)
|
||||
}
|
||||
|
||||
func TestAPIDeleteApp(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
tc, cookies := setupAPITest(t)
|
||||
|
||||
body := `{"name":"delete-me","repoUrl":"https://github.com/example/repo"}`
|
||||
rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
|
||||
require.Equal(t, http.StatusCreated, rr.Code)
|
||||
|
||||
var created map[string]any
|
||||
require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &created))
|
||||
|
||||
appID, ok := created["id"].(string)
|
||||
require.True(t, ok)
|
||||
|
||||
rr = apiRequest(t, tc, cookies, http.MethodDelete, "/api/v1/apps/"+appID, "")
|
||||
assert.Equal(t, http.StatusOK, rr.Code)
|
||||
|
||||
rr = apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/"+appID, "")
|
||||
rr := apiGet(t, tc, cookies, "/api/v1/apps/nonexistent")
|
||||
assert.Equal(t, http.StatusNotFound, rr.Code)
|
||||
}
|
||||
|
||||
@@ -280,17 +221,13 @@ func TestAPIListDeployments(t *testing.T) {
|
||||
|
||||
tc, cookies := setupAPITest(t)
|
||||
|
||||
body := `{"name":"deploy-app","repoUrl":"https://github.com/example/repo"}`
|
||||
rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
|
||||
require.Equal(t, http.StatusCreated, rr.Code)
|
||||
created, err := tc.appSvc.CreateApp(t.Context(), app.CreateAppInput{
|
||||
Name: "deploy-app",
|
||||
RepoURL: "https://github.com/example/repo",
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
var created map[string]any
|
||||
require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &created))
|
||||
|
||||
appID, ok := created["id"].(string)
|
||||
require.True(t, ok)
|
||||
|
||||
rr = apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/"+appID+"/deployments", "")
|
||||
rr := apiGet(t, tc, cookies, "/api/v1/apps/"+created.ID+"/deployments")
|
||||
assert.Equal(t, http.StatusOK, rr.Code)
|
||||
|
||||
var deployments []any
|
||||
|
||||
Reference in New Issue
Block a user