From 1ff315b0096eaa3878a8f22b0baf7b52d305b825 Mon Sep 17 00:00:00 2001
From: Steve Hobbs
Date: Mon, 10 Oct 2022 11:07:29 +0100
Subject: [PATCH] fix: stop :get, :delete parameters from bleeding into subsequent requests (#388)

* fix: stop :get, :delete parameters from bleeding into subsequent requests
* chore: fix up integration fixtures
* chore: renamed some vars in the test for output readability
---
 lib/auth0/mixins/httpproxy.rb | 12 +++----
 ...the_client_with_the_correct_attributes.yml | 3 +-
 .../should_update_the_connection.yml | 2 +-
 ...update_the_disabled_rule_to_be_enabled.yml | 2 +-
 .../should_revert_the_tenant_name.yml | 2 +-
 ...tenant_settings_with_a_new_tenant_name.yml | 2 +-
 ...ould_add_a_Role_to_a_User_successfully.yml | 2 +-
 .../should_patch_the_User_successfully.yml | 2 +-
 spec/lib/auth0/mixins/httpproxy_spec.rb | 36 +++++++++++++++++++
 9 files changed, 49 insertions(+), 14 deletions(-)

diff --git a/lib/auth0/mixins/httpproxy.rb b/lib/auth0/mixins/httpproxy.rb
index 4d7a8042..744277c8 100644
--- a/lib/auth0/mixins/httpproxy.rb
+++ b/lib/auth0/mixins/httpproxy.rb
@@ -73,15 +73,13 @@ def request_with_retry(method, uri, body = {}, extra_headers = {})
 
 def request(method, uri, body = {}, extra_headers = {})
 result = if method == :get
- # Mutate the headers property to add parameters.
- add_headers({params: body})
- # Merge custom headers into existing ones for this req.
- # This prevents future calls from using them.
- get_headers = headers.merge extra_headers
- # Make the call with extra_headers, if provided.
+ @headers ||= {}
+ get_headers = @headers.merge({params: body}).merge(extra_headers)
 call(:get, encode_uri(uri), timeout, get_headers)
 elsif method == :delete
- call(:delete, encode_uri(uri), timeout, add_headers({params: body}))
+ @headers ||= {}
+ delete_headers = @headers.merge({ params: body })
+ call(:delete, encode_uri(uri), timeout, delete_headers)
 elsif method == :delete_with_body
 call(:delete, encode_uri(uri), timeout, headers, body.to_json)
 elsif method == :post_file
diff --git a/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Clients/_patch_client/should_update_the_client_with_the_correct_attributes.yml b/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Clients/_patch_client/should_update_the_client_with_the_correct_attributes.yml
index 766a3754..64bd2463 100644
--- a/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Clients/_patch_client/should_update_the_client_with_the_correct_attributes.yml
+++ b/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Clients/_patch_client/should_update_the_client_with_the_correct_attributes.yml
@@ -2,7 +2,7 @@ http_interactions: - request: method: patch - uri: https://auth0-sdk-tests.auth0.com/api/v2/clients/SftKo9ySyHnMPezQUFd0C70GBoNFM21F?fields=jwt_configuration&include_fields=false + uri: https://auth0-sdk-tests.auth0.com/api/v2/clients/SftKo9ySyHnMPezQUFd0C70GBoNFM21F body: encoding: UTF-8 string: '{"custom_login_page_on":false,"sso":true}'
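Review bot: The new `:delete` branch still discards `extra_headers`, whereas the `:get` branch a few lines above now merges them last; unless the asymmetry is intended, `delete_headers = @headers.merge({ params: body }).merge(extra_headers)` keeps the two branches in step, and if it is intended a one-line comment on the `:delete` branch saying so would spare the next reader a guess. Both new branches also seed and read `@headers` directly while the `:delete_with_body` branch just below keeps using the `headers` accessor; assuming that accessor is backed by `@headers` (not visible in this hunk), building every per-request hash from `headers` would make the non-mutating intent uniform and leave one place that initialises the state. Because the merge puts `extra_headers` last, a caller-supplied `extra_headers[:params]` silently replaces the query parameters, which deserves a comment such as `# extra_headers win on key collision, including :params`. The same hunk mixes `{params: body}` and `{ params: body }`. `request` continues past the end of the hunk.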
@@ -12,6 +12,7 @@ http_interactions: User-Agent: - rest-client/2.1.0 (darwin19.6.0 x86_64) ruby/2.7.0p0 Content-Type: + - application/json Auth0-Client: - eyJuYW1lIjoicnVieS1hdXRoMCIsInZlcnNpb24iOiI1LjUuMCIsImVudiI6eyJydWJ5IjoiMi43LjAifX0=
diff --git a/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Connections/_update_connection/should_update_the_connection.yml b/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Connections/_update_connection/should_update_the_connection.yml
index 63452dbc..6b91f73e 100644
--- a/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Connections/_update_connection/should_update_the_connection.yml
+++ b/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Connections/_update_connection/should_update_the_connection.yml
@@ -2,7 +2,7 @@ http_interactions: - request: method: patch - uri: https://auth0-sdk-tests.auth0.com/api/v2/connections/con_WltM0fv20JCnxOuY?email=rubytest-210908-rubytest-210908-username@auth0.com + uri: https://auth0-sdk-tests.auth0.com/api/v2/connections/con_WltM0fv20JCnxOuY body: encoding: UTF-8 string: '{"options":{"mfa":{"active":true,"return_enroll_settings":true},"passwordPolicy":"excellent","strategy_version":2,"brute_force_protection":true}}'
diff --git a/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Rules/_update_rule/should_update_the_disabled_rule_to_be_enabled.yml b/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Rules/_update_rule/should_update_the_disabled_rule_to_be_enabled.yml
index d69bf0e0..aa051d59 100644
--- a/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Rules/_update_rule/should_update_the_disabled_rule_to_be_enabled.yml
+++ b/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Rules/_update_rule/should_update_the_disabled_rule_to_be_enabled.yml
@@ -2,7 +2,7 @@ http_interactions: - request: method: patch - uri: https://auth0-sdk-tests.auth0.com/api/v2/rules/rul_bsg64xEPZz4WOkXz?fields=stage&include_fields=false + uri: https://auth0-sdk-tests.auth0.com/api/v2/rules/rul_bsg64xEPZz4WOkXz body: encoding: UTF-8 string: '{"enabled":true}'
diff --git a/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Tenants/_update_tenant_settings/should_revert_the_tenant_name.yml b/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Tenants/_update_tenant_settings/should_revert_the_tenant_name.yml
index 22303639..c5865794 100644
--- a/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Tenants/_update_tenant_settings/should_revert_the_tenant_name.yml
+++ b/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Tenants/_update_tenant_settings/should_revert_the_tenant_name.yml
@@ -2,7 +2,7 @@ http_interactions: - request: method: patch - uri: https://auth0-sdk-tests.auth0.com/api/v2/tenants/settings?fields=support_email&include_fields=true + uri: https://auth0-sdk-tests.auth0.com/api/v2/tenants/settings body: encoding: UTF-8 string: '{"friendly_name":"Auth0"}'
diff --git a/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Tenants/_update_tenant_settings/should_update_the_tenant_settings_with_a_new_tenant_name.yml b/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Tenants/_update_tenant_settings/should_update_the_tenant_settings_with_a_new_tenant_name.yml
index 13019563..7f6e20a6 100644
--- a/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Tenants/_update_tenant_settings/should_update_the_tenant_settings_with_a_new_tenant_name.yml
+++ b/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Tenants/_update_tenant_settings/should_update_the_tenant_settings_with_a_new_tenant_name.yml
@@ -2,7 +2,7 @@ http_interactions: - request: method: patch - uri: https://auth0-sdk-tests.auth0.com/api/v2/tenants/settings?fields=support_email&include_fields=true + uri: https://auth0-sdk-tests.auth0.com/api/v2/tenants/settings body: encoding: UTF-8 string: '{"friendly_name":"Auth0-CHANGED"}'
diff --git a/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Users/_add_user_roles/should_add_a_Role_to_a_User_successfully.yml b/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Users/_add_user_roles/should_add_a_Role_to_a_User_successfully.yml
index 4ca2e8f2..7c511042 100644
--- a/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Users/_add_user_roles/should_add_a_Role_to_a_User_successfully.yml
+++ b/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Users/_add_user_roles/should_add_a_Role_to_a_User_successfully.yml
@@ -2,7 +2,7 @@ http_interactions: - request: method: post - uri: https://auth0-sdk-tests.auth0.com/api/v2/users/auth0%7C613282adac819400692c0dd9/roles?per_page=2 + uri: https://auth0-sdk-tests.auth0.com/api/v2/users/auth0%7C613282adac819400692c0dd9/roles body: encoding: UTF-8 string: '{"roles":["rol_2VZOCes8HgBar3Tp"]}'
diff --git a/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Users/_patch_user/should_patch_the_User_successfully.yml b/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Users/_patch_user/should_patch_the_User_successfully.yml
index d89a509e..9b33576d 100644
--- a/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Users/_patch_user/should_patch_the_User_successfully.yml
+++ b/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Users/_patch_user/should_patch_the_User_successfully.yml
@@ -2,7 +2,7 @@ http_interactions: - request: method: patch - uri: https://auth0-sdk-tests.auth0.com/api/v2/users/auth0%7C613282adac819400692c0dd9?fields=email&include_fields=true + uri: https://auth0-sdk-tests.auth0.com/api/v2/users/auth0%7C613282adac819400692c0dd9 body: encoding: UTF-8 string: '{"email_verified":true,"user_metadata":{"addresses":{"home_address":"742
diff --git a/spec/lib/auth0/mixins/httpproxy_spec.rb b/spec/lib/auth0/mixins/httpproxy_spec.rb
index 6a5ba6c8..de427d99 100644
--- a/spec/lib/auth0/mixins/httpproxy_spec.rb
+++ b/spec/lib/auth0/mixins/httpproxy_spec.rb
@@ -596,4 +596,40 @@
 end
 end
 end
+
+ context 'Normal operation' do
+ let(:httpproxy_instance) {
+ DummyClassForTokens.new(
+ client_id: 'test-client-id',
+ client_secret: 'test-client-secret',
+ domain: 'auth0.com',
+ token: 'access_token',
+ token_expires_at: Time.now.to_i + 86400)
+ }
+
+ # This sets up a test matrix to verify that both :get and :delete calls (the only two HTTP methods in the proxy that mutated headers)
+ # don't bleed query params into subsequent calls to :post :patch and :put.
+ %i(get delete).each do |http_get_delete|
+ %i(post patch put).each do |http_ppp|
+ it "should not bleed :#{http_get_delete} headers/parameters to the subsequent :#{http_ppp} request" do
+ expect(RestClient::Request).to receive(:execute).with(hash_including(
+ method: http_get_delete,
+ url: "https://auth0.com/test-#{http_get_delete}",
+ headers: hash_including(params: { email: 'test@test.com' })
+ )).and_return(StubResponse.new('OK', true, 200))
+
+ # email: parameter that is sent in the GET request should not appear
+ # as a parameter in the `headers` hash for the subsequent PATCH request.
+ expect(RestClient::Request).to receive(:execute).with(hash_including(
+ method: http_ppp,
+ url: "https://auth0.com/test-#{http_ppp}",
+ headers: hash_not_including(:params)
+ )).and_return(StubResponse.new('OK', true, 200))
+
+ expect { httpproxy_instance.send(http_get_delete, "/test-#{http_get_delete}", { email: 'test@test.com' }) }.not_to raise_error
+ expect { httpproxy_instance.send(http_ppp, "/test-#{http_ppp}") }.not_to raise_error
+ end
+ end
+ end
+ end
 end
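Review bot: The matrix asserts that the follow-up `:post`/`:patch`/`:put` request carries no `:params`, but it never inspects the proxy's own stored headers after the `:get`/`:delete` returns, which is the state the fix protects; adding, after the two `expect { … }` lines, an assertion that the instance's header hash has no `:params` key (through whatever reader the mixin exposes, or `instance_variable_get(:@headers)` if there is none) pins the regression directly instead of through the next request's argument matcher. The matrix also never issues two `:get` calls with different parameters, so it cannot catch a regression where a later `:get` inherits an earlier call's `params` or custom headers. On style, `%i(get delete)` and `%i(post patch put)` would normally be written with brackets (`%i[get delete]`), and the `it` descriptions start with "should", which RSpec style guides discourage (`it "does not bleed …"`). The enclosing `describe` block starts outside the hunk.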