[BCF-2711] Randomize web auth tests (#11047)

- And return early if the access key is empty
smartcontractkit · Oct 24, 2023 · dcf2ea2 · dcf2ea2
1 parent a5e734c
commit dcf2ea2
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 11 deletions.
diff --git a/core/internal/cltest/cltest.go b/core/internal/cltest/cltest.go
@@ -98,10 +98,6 @@ import (
 )
 
 const (
-	// APIKey of the fixture API user
-	APIKey = "2d25e62eaf9143e993acaf48691564b2"
-	// APISecret of the fixture API user.
-	APISecret = "1eCP/w0llVkchejFaoBpfIGaLRxZK54lTXBCT22YLW+pdzE4Fafy/XO5LoJ2uwHi"
 	// Collection of test fixture DB user emails per role
 	APIEmailAdmin    = "[email protected]"
 	APIEmailEdit     = "[email protected]"

diff --git a/core/internal/features/features_test.go b/core/internal/features/features_test.go
@@ -265,15 +265,16 @@ func TestIntegration_AuthToken(t *testing.T) {
 
 	// set up user
 	mockUser := cltest.MustRandomUser(t)
-	apiToken := auth.Token{AccessKey: cltest.APIKey, Secret: cltest.APISecret}
+	key, secret := uuid.New().String(), uuid.New().String()
+	apiToken := auth.Token{AccessKey: key, Secret: secret}
 	orm := app.SessionORM()
 	require.NoError(t, orm.CreateUser(&mockUser))
 	require.NoError(t, orm.SetAuthToken(&mockUser, &apiToken))
 
 	url := app.Server.URL + "/users"
 	headers := make(map[string]string)
-	headers[webauth.APIKey] = cltest.APIKey
-	headers[webauth.APISecret] = cltest.APISecret
+	headers[webauth.APIKey] = key
+	headers[webauth.APISecret] = secret
 
 	resp, cleanup := cltest.UnauthenticatedGet(t, url, headers)
 	defer cleanup()

diff --git a/core/web/auth/auth.go b/core/web/auth/auth.go
@@ -79,6 +79,10 @@ func AuthenticateByToken(c *gin.Context, authr Authenticator) error {
 		Secret:    c.GetHeader(APISecret),
 	}
 
+	if token.AccessKey == "" {
+		return auth.ErrorAuthFailed
+	}
+
 	// We need to first load the user row so we can compare tokens using the stored salt
 	user, err := authr.FindUserByAPIToken(token.AccessKey)
 	if err != nil {

diff --git a/core/web/auth/auth_test.go b/core/web/auth/auth_test.go
@@ -7,6 +7,7 @@ import (
 	"testing"
 
 	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -59,7 +60,8 @@ func (u userFindSuccesser) FindUserByAPIToken(token string) (sessions.User, erro
 
 func TestAuthenticateByToken_Success(t *testing.T) {
 	user := cltest.MustRandomUser(t)
-	apiToken := auth.Token{AccessKey: cltest.APIKey, Secret: cltest.APISecret}
+	key, secret := uuid.New().String(), uuid.New().String()
+	apiToken := auth.Token{AccessKey: key, Secret: secret}
 	err := user.SetAuthToken(&apiToken)
 	require.NoError(t, err)
 	authr := userFindSuccesser{user: user}
@@ -74,8 +76,8 @@ func TestAuthenticateByToken_Success(t *testing.T) {
 
 	w := httptest.NewRecorder()
 	req, _ := http.NewRequest("GET", "/", nil)
-	req.Header.Set(webauth.APIKey, cltest.APIKey)
-	req.Header.Set(webauth.APISecret, cltest.APISecret)
+	req.Header.Set(webauth.APIKey, key)
+	req.Header.Set(webauth.APISecret, secret)
 	router.ServeHTTP(w, req)
 
 	assert.True(t, called)
@@ -95,14 +97,40 @@ func TestAuthenticateByToken_AuthFailed(t *testing.T) {
 
 	w := httptest.NewRecorder()
 	req, _ := http.NewRequest("GET", "/", nil)
-	req.Header.Set(webauth.APIKey, cltest.APIKey)
+	req.Header.Set(webauth.APIKey, "bad-key")
 	req.Header.Set(webauth.APISecret, "bad-secret")
 	router.ServeHTTP(w, req)
 
 	assert.False(t, called)
 	assert.Equal(t, http.StatusText(http.StatusUnauthorized), http.StatusText(w.Code))
 }
 
+func TestAuthenticateByToken_RejectsBlankAccessKey(t *testing.T) {
+	user := cltest.MustRandomUser(t)
+	key, secret := "", uuid.New().String()
+	apiToken := auth.Token{AccessKey: key, Secret: secret}
+	err := user.SetAuthToken(&apiToken)
+	require.NoError(t, err)
+	authr := userFindSuccesser{user: user}
+
+	called := false
+	router := gin.New()
+	router.Use(webauth.Authenticate(authr, webauth.AuthenticateByToken))
+	router.GET("/", func(c *gin.Context) {
+		called = true
+		c.String(http.StatusOK, "")
+	})
+
+	w := httptest.NewRecorder()
+	req, _ := http.NewRequest("GET", "/", nil)
+	req.Header.Set(webauth.APIKey, key)
+	req.Header.Set(webauth.APISecret, secret)
+	router.ServeHTTP(w, req)
+
+	assert.False(t, called)
+	assert.Equal(t, http.StatusText(http.StatusUnauthorized), http.StatusText(w.Code))
+}
+
 func TestRequireAuth_NoneRequired(t *testing.T) {
 	called := false
 	var authr webauth.Authenticator