Authenticate only as platform to call webhooks

2026-01-11 18:26:50 +00:00 · 2025-12-05 11:14:00 +11:00
parent d811103a71
commit 2e62531232
3 changed files with 56 additions and 3 deletions
--- a/engines/dfc_provider/app/controllers/dfc_provider/events_controller.rb
+++ b/engines/dfc_provider/app/controllers/dfc_provider/events_controller.rb
@@ -13,6 +13,15 @@ module DfcProvider
    # It means that our permissions to access data on another platform changed.
    # We will need to pull the updated data.
    def create
+      unless current_user.is_a? ApiUser
+        unauthorized "You need to authenticate as authorised platform (client_id)."
+        return
+      end
+      unless current_user.id == "lf-dev"
+        unauthorized "Your client_id is not authorised on this platform."
+        return
+      end
+
      event = JSON.parse(request.body.read)
      enterprises_url = event["enterpriseUrlid"]

@@ -23,7 +32,18 @@ module DfcProvider
        }
        return
      end
+
      render json: { success: true }
    end
+
+    private
+
+    def unauthorized(message)
+      render_message(:unauthorized, message)
+    end
+
+    def render_message(status, message)
+      render status:, json: { success: false, message: }
+    end
  end
 end
--- a/engines/dfc_provider/spec/requests/events_spec.rb
+++ b/engines/dfc_provider/spec/requests/events_spec.rb
@@ -3,9 +3,11 @@
 require_relative "../swagger_helper"

 RSpec.describe "Events", swagger_doc: "dfc.yaml" do
-  let!(:user) { create(:oidc_user) }
-
-  before { login_as user }
+  include_context "authenticated as platform" do
+    let(:access_token) {
+      file_fixture("fdc_access_token.jwt").read
+    }
+  end

  path "/api/dfc/events" do
    post "Create Event" do
@@ -45,6 +47,28 @@ RSpec.describe "Events", swagger_doc: "dfc.yaml" do
        end
      end

+      response "401", "unauthorised" do
+        describe "as normal user" do
+          let(:Authorization) { nil }
+          let(:event) { { eventType: "refresh" } }
+
+          before { login_as create(:oidc_user) }
+
+          run_test!
+        end
+
+        describe "as other platform" do
+          let(:access_token) {
+            file_fixture("startinblox_access_token.jwt").read
+          }
+          let(:event) { { eventType: "refresh" } }
+
+          before { login_as create(:oidc_user) }
+
+          run_test!
+        end
+      end
+
      response "200", "success" do
        let(:event) do |example|
          example.metadata[:operation][:parameters].first[:schema][:example]
--- a/swagger/dfc.yaml
+++ b/swagger/dfc.yaml
@@ -595,6 +595,15 @@ paths:
                  value:
                    success: false
                    message: Missing parameter `enterpriseUrlid`
+        '401':
+          description: unauthorised
+          content:
+            application/json:
+              examples:
+                test_example:
+                  value:
+                    success: false
+                    message: Your client_id is not authorised on this platform.
        '200':
          description: success
          content: