secu(graphql): without a token, only persisted queries are allowed

2024-07-22 11:11:06 +02:00 · 2024-07-22 11:11:06 +02:00 · d6f9e57e77
commit d6f9e57e77
parent c31321d695
4 changed files with 28 additions and 2 deletions
--- a/app/controllers/api/v2/base_controller.rb
+++ b/app/controllers/api/v2/base_controller.rb
@ -10,6 +10,7 @@ class API::V2::BaseController < ApplicationController
  before_action :authenticate_from_token
  before_action :ensure_authorized_network, if: -> { @api_token.present? }
  before_action :ensure_token_is_not_expired, if: -> { @api_token.present? }
+  before_action :allow_only_persisted_queries, if: -> { @api_token.blank? }

  before_action do
    Current.browser = 'api'
@ -55,6 +56,12 @@ class API::V2::BaseController < ApplicationController
    end
  end

+  def allow_only_persisted_queries
+    if params[:queryId].blank?
+      render json: graphql_error('Without a token, only persisted queries are allowed', :forbidden), status: :forbidden
+    end
+  end
+
  def ensure_authorized_network
    if @api_token.forbidden_network?(request.remote_ip)
      address = IPAddr.new(request.remote_ip)
--- a/app/controllers/api/v2/dossiers_controller.rb
+++ b/app/controllers/api/v2/dossiers_controller.rb
@ -1,6 +1,7 @@
 class API::V2::DossiersController < API::V2::BaseController
  before_action :ensure_dossier_present
  skip_before_action :authenticate_from_token
+  skip_before_action :allow_only_persisted_queries

  def pdf
    @acls = PiecesJustificativesService.new(user_profile: Administrateur.new, export_template: nil).acl_for_dossier_export(dossier.procedure)
--- a/spec/controllers/api/v2/graphql_controller_spec.rb
+++ b/spec/controllers/api/v2/graphql_controller_spec.rb
@ -131,7 +131,7 @@ describe API::V2::GraphqlController do
        end

        it {
-          expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
+          expect(gql_errors.first[:message]).to eq("Without a token, only persisted queries are allowed")
        }
      end

@ -158,7 +158,7 @@ describe API::V2::GraphqlController do

        it {
          expect(token).not_to be_nil
-          expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
+          expect(gql_errors.first[:message]).to eq("Without a token, only persisted queries are allowed")
        }
      end

--- a/spec/controllers/api/v2/graphql_controller_stored_queries_spec.rb
+++ b/spec/controllers/api/v2/graphql_controller_stored_queries_spec.rb
@ -47,6 +47,24 @@ describe API::V2::GraphqlController do
    }
  end

+  describe 'when not authenticated' do
+    let(:variables) { { dossierNumber: dossier.id } }
+    let(:operation_name) { 'getDossier' }
+    let!(:authorization_header) { nil }
+
+    context 'with query' do
+      let(:query) { 'query getDossier($dossierNumber: Int!) { dossier(number: $dossierNumber) { id } }' }
+
+      it { expect(gql_errors.first[:message]).to eq('Without a token, only persisted queries are allowed') }
+    end
+
+    context 'with queryId' do
+      let(:query_id) { 'ds-query-v2' }
+
+      it { expect(gql_errors.first[:message]).to eq('An object of type Dossier was hidden due to permissions') }
+    end
+  end
+
  describe 'ds-query-v2' do
    let(:dossier) { create(:dossier, :en_construction, :with_individual, procedure:, depose_at: 4.days.ago) }
    let(:query_id) { 'ds-query-v2' }