From 2e6253123223449588f3d077bf59ab039bca792f Mon Sep 17 00:00:00 2001
From: Maikel Linke
Date: Fri, 5 Dec 2025 11:14:00 +1100
Subject: [PATCH] Authenticate only as platform to call webhooks
---
 .../dfc_provider/events_controller.rb | 20 +++++++++++++
 .../dfc_provider/spec/requests/events_spec.rb | 30 +++++++++++++++++--
 swagger/dfc.yaml | 9 ++++++
 3 files changed, 56 insertions(+), 3 deletions(-)
diff --git a/engines/dfc_provider/app/controllers/dfc_provider/events_controller.rb b/engines/dfc_provider/app/controllers/dfc_provider/events_controller.rb
index 8df30b416c..c90b259672 100644
--- a/engines/dfc_provider/app/controllers/dfc_provider/events_controller.rb
+++ b/engines/dfc_provider/app/controllers/dfc_provider/events_controller.rb
@@ -13,6 +13,15 @@ module DfcProvider
 # It means that our permissions to access data on another platform changed.
 # We will need to pull the updated data.
 def create
+ unless current_user.is_a? ApiUser
+ unauthorized "You need to authenticate as authorised platform (client_id)."
+ return
+ end
+ unless current_user.id == "lf-dev"
+ unauthorized "Your client_id is not authorised on this platform."
+ return
+ end
+
 event = JSON.parse(request.body.read)
 enterprises_url = event["enterpriseUrlid"]
@@ -23,7 +32,18 @@ module DfcProvider
 }
 return
 end
+
 render json: { success: true }
 end
+
+ private
+
+ def unauthorized(message)
+ render_message(:unauthorized, message)
+ end
+
+ def render_message(status, message)
+ render status:, json: { success: false, message: }
+ end
 end
 end
diff --git a/engines/dfc_provider/spec/requests/events_spec.rb b/engines/dfc_provider/spec/requests/events_spec.rb
index be79453235..9e3514d354 100644
--- a/engines/dfc_provider/spec/requests/events_spec.rb
+++ b/engines/dfc_provider/spec/requests/events_spec.rb
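Review bot: The allowlist in the new `create` guard is the single hard-coded literal `"lf-dev"`, so the only platform that can ever call this webhook is whatever identity that string maps to, and production cannot authorise a partner without a code change; the name reads like a development client, which is worth confirming before this ships. Move the allowed client ids into configuration (an `ENV`- or settings-backed list) and check `allowed_client_ids.include?(current_user.id)` instead of comparing against a constant, assuming `current_user.id` is the OIDC `client_id` as the error message implies. The second guard also answers a recognised but non-allowlisted client with 401; that is an authorization failure of an authenticated caller and should be 403 so callers and monitoring can distinguish "no or invalid credentials" from "not permitted", e.g. `render_message(:forbidden, "Your client_id is not authorised on this platform.")`. Both early exits can be written as `return unauthorized(...)`. The `create` body continues into the next hunk.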
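Review bot: The two new private helpers are undocumented and `unauthorized` reads like a status symbol or predicate rather than an action; renaming it `render_unauthorized` (and updating the two calls in `create`) follows the `render_*` convention and avoids confusing it with the `:unauthorized` argument it passes on. Add a one-line comment above `render_message`, such as `# Error envelope shared by every failure response: { success: false, message: }`, since the swagger examples depend on exactly that shape. The preceding context (`}` / `return` / `end`) suggests the existing missing-parameter error still builds its body inline; if its envelope matches, it could call `render_message` too — confirm the status it returns before consolidating.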
@@ -3,9 +3,11 @@
 require_relative "../swagger_helper"
 RSpec.describe "Events", swagger_doc: "dfc.yaml" do
- let!(:user) { create(:oidc_user) }
-
- before { login_as user }
+ include_context "authenticated as platform" do
+ let(:access_token) {
+ file_fixture("fdc_access_token.jwt").read
+ }
+ end
 path "/api/dfc/events" do
 post "Create Event" do
@@ -45,6 +47,28 @@ RSpec.describe "Events", swagger_doc: "dfc.yaml" do
 end
 end
+ response "401", "unauthorised" do
+ describe "as normal user" do
+ let(:Authorization) { nil }
+ let(:event) { { eventType: "refresh" } }
+
+ before { login_as create(:oidc_user) }
+
+ run_test!
+ end
+
+ describe "as other platform" do
+ let(:access_token) {
+ file_fixture("startinblox_access_token.jwt").read
+ }
+ let(:event) { { eventType: "refresh" } }
+
+ before { login_as create(:oidc_user) }
+
+ run_test!
+ end
+ end
+
 response "200", "success" do
 let(:event) do |example|
 example.metadata[:operation][:parameters].first[:schema][:example]
diff --git a/swagger/dfc.yaml b/swagger/dfc.yaml
index c8a33750f4..230dab3147 100644
--- a/swagger/dfc.yaml
+++ b/swagger/dfc.yaml
@@ -595,6 +595,15 @@ paths:
 value:
 success: false
 message: Missing parameter `enterpriseUrlid`
+ '401':
+ description: unauthorised
+ content:
+ application/json:
+ examples:
+ test_example:
+ value:
+ success: false
+ message: Your client_id is not authorised on this platform.
 '200':
 description: success
 content:
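Review bot: The positive path now depends on the `client_id` embedded in `fdc_access_token.jwt` matching the literal the controller allowlists, and nothing in the spec records that coupling, so a regenerated fixture would fail the 200 example with no hint why. Add a comment above the new `let(:access_token)`, e.g. `# The fixture token's client_id must be one the events controller allowlists.`. If the `authenticated as platform` context verifies the token's `exp`, a captured JWT fixture will also stop working at some date — worth confirming how that context validates the token. The enclosing `RSpec.describe` block runs past this hunk.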
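Review bot: Neither 401 example checks the response body, so the "as other platform" case cannot tell whether it was rejected for the intended reason (a recognised `ApiUser` whose `client_id` is not allowlisted) or because the shared context never resolved `startinblox_access_token.jwt` into an `ApiUser` at all, in which case the controller's first guard fires and the allowlist check is untested. Assert the message, e.g. `run_test! do |response| expect(JSON.parse(response.body)["message"]).to eq "Your client_id is not authorised on this platform." end`, and the corresponding message in the normal-user case. Both cases also run `login_as create(:oidc_user)`; in the other-platform case a comment saying why a session user is logged in alongside the bearer token would help, if that is intentional. The fully anonymous caller (no session, no token) is not covered by either example.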