feat: added incoming requests verification

ExpressApp · Feb 26, 2024 · c66dce3 · c66dce3
1 parent ba15c96
commit c66dce3
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 5 deletions.
diff --git a/app/api/endpoints/botx.py b/app/api/endpoints/botx.py
@@ -9,8 +9,10 @@
     BotXMethodCallbackNotFoundError,
     UnknownBotAccountError,
     UnknownSystemEventError,
+    UnverifiedRequestError,
     build_bot_disabled_response,
     build_command_accepted_response,
+    build_unverified_request_response,
 )
 
 from app.api.dependencies.bot import bot_dependency
@@ -23,8 +25,11 @@
 async def command_handler(request: Request, bot: Bot = bot_dependency) -> JSONResponse:
     """Receive commands from users. Max timeout - 5 seconds."""
     logger.debug(f"Command headers: {request.headers}")
-    try:
-        bot.async_execute_raw_bot_command(await request.json())
+    try:  # noqa: WPS225
+        bot.async_execute_raw_bot_command(
+            await request.json(),
+            request_headers=request.headers,
+        )
     except UnknownSystemEventError as unknown_event_exc:
         logger.warning(f"Received unknown system event `{unknown_event_exc.type_name}`")
 
@@ -48,6 +53,14 @@ async def command_handler(request: Request, bot: Bot = bot_dependency) -> JSONRe
             build_bot_disabled_response(error_label),
             status_code=HTTPStatus.SERVICE_UNAVAILABLE,
         )
+    except UnverifiedRequestError as exc:
+        logger.warning(f"UnverifiedRequestError: {exc.args[0]}")
+        return JSONResponse(
+            content=build_unverified_request_response(
+                status_message=exc.args[0],
+            ),
+            status_code=HTTPStatus.UNAUTHORIZED,
+        )
 
     return JSONResponse(
         build_command_accepted_response(), status_code=HTTPStatus.ACCEPTED
@@ -57,7 +70,10 @@ async def command_handler(request: Request, bot: Bot = bot_dependency) -> JSONRe
 @router.get("/status")
 async def status_handler(request: Request, bot: Bot = bot_dependency) -> JSONResponse:
     try:
-        status = await bot.raw_get_status(dict(request.query_params))
+        status = await bot.raw_get_status(
+            dict(request.query_params),
+            request_headers=request.headers,
+        )
     except UnknownBotAccountError as exc:
         error_label = f"Unknown bot_id: {exc.bot_id}"
         logger.warning(error_label)
@@ -66,14 +82,25 @@ async def status_handler(request: Request, bot: Bot = bot_dependency) -> JSONRes
             build_bot_disabled_response(error_label),
             status_code=HTTPStatus.SERVICE_UNAVAILABLE,
         )
+    except UnverifiedRequestError as exc:
+        logger.warning(f"UnverifiedRequestError: {exc.args[0]}")
+        return JSONResponse(
+            content=build_unverified_request_response(
+                status_message=exc.args[0],
+            ),
+            status_code=HTTPStatus.UNAUTHORIZED,
+        )
 
     return JSONResponse(status)
 
 
 @router.post("/notification/callback")
 async def callback_handler(request: Request, bot: Bot = bot_dependency) -> JSONResponse:
     try:
-        await bot.set_raw_botx_method_result(await request.json())
+        await bot.set_raw_botx_method_result(
+            await request.json(),
+            verify_request=False,
+        )
     except BotXMethodCallbackNotFoundError as exc:
         error_label = f"Unexpected callback with sync_id: {exc.sync_id}"
         logger.warning(error_label)

diff --git a/pybotx-submodule b/pybotx-submodule