diff --git a/services/real-time/app/js/WebApiManager.js b/services/real-time/app/js/WebApiManager.js
index 943d8021b1..efc7092987 100644
--- a/services/real-time/app/js/WebApiManager.js
+++ b/services/real-time/app/js/WebApiManager.js
@@ -14,14 +14,9 @@ module.exports = {
 const userId = user._id
 logger.debug({ projectId, userId }, 'sending join project request to web')
 const url = `${settings.apis.web.url}/project/${projectId}/join`
- const headers = {}
- if (user.anonymousAccessToken) {
- headers['x-sl-anonymous-access-token'] = user.anonymousAccessToken
- }
 request.post(
 {
 url,
- qs: { user_id: userId },
 auth: {
 user: settings.apis.web.user,
 pass: settings.apis.web.pass,
@@ -32,7 +27,6 @@ module.exports = {
 anonymousAccessToken: user.anonymousAccessToken,
 },
 jar: false,
- headers,
 },
 function (error, response, data) {
 if (error) {
diff --git a/services/real-time/test/acceptance/js/helpers/MockWebServer.js b/services/real-time/test/acceptance/js/helpers/MockWebServer.js
index 4fb8cff73b..138db1fe08 100644
--- a/services/real-time/test/acceptance/js/helpers/MockWebServer.js
+++ b/services/real-time/test/acceptance/js/helpers/MockWebServer.js
@@ -12,6 +12,7 @@ let MockWebServer
 const sinon = require('sinon')
 const express = require('express')
+const bodyParser = require('body-parser')
 module.exports = MockWebServer = {
 projects: {},
@@ -43,8 +44,7 @@ module.exports = MockWebServer = {
 joinProjectRequest(req, res, next) {
 const { project_id: projectId } = req.params
- const { user_id: userId } = req.query
- const { 'x-sl-anonymous-access-token': anonymousAccessToken } = req.headers
+ const { anonymousAccessToken, userId } = req.body
 if (projectId === '404404404404404404404404') {
 // not-found
 return res.status(404).send()
@@ -89,6 +89,7 @@ module.exports = MockWebServer = {
 return callback()
 }
 const app = express()
+ app.use(bodyParser.json())
 app.post('/project/:project_id/join', MockWebServer.joinProjectRequest)
 return app
 .listen(3000, error => {
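Review bot: The real-time caller now depends on web accepting `userId` and `anonymousAccessToken` from the JSON body, and web's router in this same commit validates that body with `userId: Joi.string().required()`, but nothing near `request.post(` in WebApiManager records that contract the way web's `// keep schema in sync with router` comment does. Suggest adding `// userId and anonymousAccessToken travel in the JSON body only; keep in sync with the body schema validated in web's EditorRouter` above `request.post(`. It is also worth confirming that `user._id` is always a non-empty string at this point, since a user object without one would now be rejected by web's validation instead of being passed through the old query string. The `json` body that appears to carry these fields sits between the two hunks, outside the visible lines.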
diff --git a/services/real-time/test/unit/js/WebApiManagerTests.js b/services/real-time/test/unit/js/WebApiManagerTests.js
index 3cb8e22d7f..b68661c774 100644
--- a/services/real-time/test/unit/js/WebApiManagerTests.js
+++ b/services/real-time/test/unit/js/WebApiManagerTests.js
@@ -60,9 +60,6 @@ describe('WebApiManager', function () {
 return this.request.post
 .calledWith({
 url: `${this.settings.apis.web.url}/project/${this.project_id}/join`,
- qs: {
- user_id: this.user_id,
- },
 auth: {
 user: this.settings.apis.web.user,
 pass: this.settings.apis.web.pass,
@@ -73,7 +70,6 @@ describe('WebApiManager', function () {
 anonymousAccessToken: undefined,
 },
 jar: false,
- headers: {},
 })
 .should.equal(true)
 })
@@ -122,9 +118,6 @@ describe('WebApiManager', function () {
 it('should send a request to web to join the project', function () {
 this.request.post.should.have.been.calledWith({
 url: `${this.settings.apis.web.url}/project/${this.project_id}/join`,
- qs: {
- user_id: this.user_id,
- },
 auth: {
 user: this.settings.apis.web.user,
 pass: this.settings.apis.web.pass,
@@ -135,7 +128,6 @@ describe('WebApiManager', function () {
 anonymousAccessToken: this.token,
 },
 jar: false,
- headers: { 'x-sl-anonymous-access-token': this.token },
 })
 })
diff --git a/services/web/app/src/Features/Editor/EditorHttpController.js b/services/web/app/src/Features/Editor/EditorHttpController.js
index 83080ba6a4..bd0ca113ea 100644
--- a/services/web/app/src/Features/Editor/EditorHttpController.js
+++ b/services/web/app/src/Features/Editor/EditorHttpController.js
@@ -57,7 +57,7 @@ const unsupportedSpellcheckLanguages = [
 async function joinProject(req, res, next) {
 const projectId = req.params.Project_id
- let userId = req.body.userId || req.query.user_id // keep schema in sync with router
+ let userId = req.body.userId // keep schema in sync with router
 if (userId === 'anonymous-user') {
 userId = null
 }
@@ -177,8 +177,7 @@ async function _buildJoinProjectView(req, projectId, userId) {
 await CollaboratorsGetter.promises.getInvitedMembersWithPrivilegeLevels(
 projectId
 )
- const token =
- req.body.anonymousAccessToken || req.headers['x-sl-anonymous-access-token']
+ const token = req.body.anonymousAccessToken
 const privilegeLevel =
 await AuthorizationManager.promises.getPrivilegeLevelForProject(
 userId,
diff --git a/services/web/app/src/Features/Editor/EditorRouter.js b/services/web/app/src/Features/Editor/EditorRouter.js
index f57121f421..6cc83a6808 100644
--- a/services/web/app/src/Features/Editor/EditorRouter.js
+++ b/services/web/app/src/Features/Editor/EditorRouter.js
@@ -3,6 +3,7 @@ const AuthenticationController = require('../Authentication/AuthenticationContro
 const AuthorizationMiddleware = require('../Authorization/AuthorizationMiddleware')
 const { RateLimiter } = require('../../infrastructure/RateLimiter')
 const RateLimiterMiddleware = require('../Security/RateLimiterMiddleware')
+const { validate, Joi } = require('../../infrastructure/Validation')
 const rateLimiters = {
 addDocToProject: new RateLimiter('add-doc-to-project', {
@@ -71,7 +72,13 @@ module.exports = {
 RateLimiterMiddleware.rateLimit(rateLimiters.joinProject, {
 params: ['Project_id'],
 // keep schema in sync with controller
- getUserId: req => req.body.userId || req.query.user_id,
+ getUserId: req => req.body.userId,
+ }),
+ validate({
+ body: Joi.object({
+ userId: Joi.string().required(),
+ anonymousAccessToken: Joi.string().optional(),
+ }),
 }),
 EditorHttpController.joinProject
 )
diff --git a/services/web/test/acceptance/src/AuthorizationTests.js b/services/web/test/acceptance/src/AuthorizationTests.js
index 885dbabde5..a8a584fd33 100644
--- a/services/web/test/acceptance/src/AuthorizationTests.js
+++ b/services/web/test/acceptance/src/AuthorizationTests.js
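Review bot: In the EditorRouter hunk, `validate({ body: ... })` is registered after `RateLimiterMiddleware.rateLimit(...)`, so `getUserId: req => req.body.userId` reads the field before the schema has confirmed it is a non-empty string; a missing or non-string `userId` then keys the limiter with `undefined` or an arbitrary object. If that is not intended, swapping the two middlewares so validation runs first keeps the limiter key well-formed and lets malformed requests fail with a 400 before touching the limiter; if the limiter is deliberately meant to cover malformed requests too, a comment saying so next to `getUserId` would settle the question. Separately, `Joi.string()` rejects empty strings by default, so a caller that sends `anonymousAccessToken: ''` (previously treated as falsy and ignored) now gets a validation error; add `.allow('')` if real-time can send that, or leave it if a 400 is the intended outcome. The route definition starts and ends outside the hunk.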
@@ -166,13 +166,12 @@ function tryContentAccess(user, projectId, test, callback) {
 request.post(
 {
 url: `/project/${projectId}/join`,
- qs: { user_id: userId },
 auth: {
 user: settings.apis.web.user,
 pass: settings.apis.web.pass,
 sendImmediately: true,
 },
- json: true,
+ json: { userId },
 jar: false,
 },
 (error, response, body) => {
diff --git a/services/web/test/acceptance/src/ProjectFeaturesTests.js b/services/web/test/acceptance/src/ProjectFeaturesTests.js
index 93f1737ea2..af066b4c52 100644
--- a/services/web/test/acceptance/src/ProjectFeaturesTests.js
+++ b/services/web/test/acceptance/src/ProjectFeaturesTests.js
@@ -20,13 +20,12 @@ const joinProject = (userId, projectId, callback) =>
 request.post(
 {
 url: `/project/${projectId}/join`,
- qs: { user_id: userId },
 auth: {
 user: settings.apis.web.user,
 pass: settings.apis.web.pass,
 sendImmediately: true,
 },
- json: true,
+ json: { userId },
 jar: false,
 },
 callback
diff --git a/services/web/test/acceptance/src/ProjectInviteTests.js b/services/web/test/acceptance/src/ProjectInviteTests.js
index 356420606d..7c84f699c3 100644
--- a/services/web/test/acceptance/src/ProjectInviteTests.js
+++ b/services/web/test/acceptance/src/ProjectInviteTests.js
@@ -174,13 +174,12 @@ const tryJoinProject = (user, projectId, callback) => {
 user.request.post(
 {
 url: `/project/${projectId}/join`,
- qs: { user_id: user._id },
 auth: {
 user: settings.apis.web.user,
 pass: settings.apis.web.pass,
 sendImmediately: true,
 },
- json: true,
+ json: { userId: user._id },
 jar: false,
 },
 callback
diff --git a/services/web/test/acceptance/src/TokenAccessTests.js b/services/web/test/acceptance/src/TokenAccessTests.js
index d037ffe3c3..4bf308bfff 100644
--- a/services/web/test/acceptance/src/TokenAccessTests.js
+++ b/services/web/test/acceptance/src/TokenAccessTests.js
@@ -160,46 +160,7 @@ const _doTryTokenAccept = (
 })
 }
-const tryContentAccess = (user, projectId, test, callback) => {
- tryContentAccessQuery(user, projectId, test, err1 => {
- tryContentAccessBody(user, projectId, test, err2 => {
- callback(err1 || err2)
- })
- })
-}
-
-const tryContentAccessQuery = (user, projcetId, test, callback) => {
- // The real-time service calls this end point to determine the user's
- // permissions.
- let userId
- if (user.id != null) {
- userId = user.id
- } else {
- userId = 'anonymous-user'
- }
- request.post(
- {
- url: `/project/${projcetId}/join`,
- qs: { user_id: userId },
- auth: {
- user: settings.apis.web.user,
- pass: settings.apis.web.pass,
- sendImmediately: true,
- },
- json: true,
- jar: false,
- },
- (error, response, body) => {
- if (error != null) {
- return callback(error)
- }
- test(response, body)
- callback()
- }
- )
-}
-
-const tryContentAccessBody = (user, projcetId, test, callback) => {
+const tryContentAccess = (user, projcetId, test, callback) => {
 // The real-time service calls this end point to determine the user's
 // permissions.
 let userId
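Review bot: The surviving helper keeps the misspelled parameter on its rewritten line, `+const tryContentAccess = (user, projcetId, test, callback) => {`; since this line is being changed anyway, it is the moment to correct it to `const tryContentAccess = (user, projectId, test, callback) => {`. The parameter is also used in the function's URL template further down (the removed `tryContentAccessQuery` body shows the same `/project/${projcetId}/join` shape), so that reference needs the matching rename, and the deleted wrapper at the top of the hunk already used the correct spelling `projectId`. The function body continues past the hunk's last line.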
@@ -232,48 +193,6 @@ const tryContentAccessBody = (user, projcetId, test, callback) => {
 }
 const tryAnonContentAccess = (user, projectId, token, test, callback) => {
- tryAnonContentAccessHeader(user, projectId, token, test, err1 => {
- tryAnonContentAccessBody(user, projectId, token, test, err2 => {
- callback(err1 || err2)
- })
- })
-}
-
-const tryAnonContentAccessHeader = (user, projectId, token, test, callback) => {
- // The real-time service calls this end point to determine the user's
- // permissions.
- let userId
- if (user.id != null) {
- userId = user.id
- } else {
- userId = 'anonymous-user'
- }
- request.post(
- {
- url: `/project/${projectId}/join`,
- qs: { user_id: userId },
- auth: {
- user: settings.apis.web.user,
- pass: settings.apis.web.pass,
- sendImmediately: true,
- },
- headers: {
- 'x-sl-anonymous-access-token': token,
- },
- json: true,
- jar: false,
- },
- (error, response, body) => {
- if (error != null) {
- return callback(error)
- }
- test(response, body)
- callback()
- }
- )
-}
-
-const tryAnonContentAccessBody = (user, projectId, token, test, callback) => {
 // The real-time service calls this end point to determine the user's
 // permissions.
 let userId
diff --git a/services/web/test/acceptance/src/helpers/User.js b/services/web/test/acceptance/src/helpers/User.js
index 6677c5a94e..3bacdb97f9 100644
--- a/services/web/test/acceptance/src/helpers/User.js
+++ b/services/web/test/acceptance/src/helpers/User.js
@@ -680,13 +680,12 @@ class User {
 this.request.post(
 {
 url: `/project/${projectId}/join`,
- qs: { user_id: this._id },
 auth: {
 user: settings.apis.web.user,
 pass: settings.apis.web.pass,
 sendImmediately: true,
 },
- json: true,
+ json: { userId: this._id },
 jar: false,
 },
 (error, response, body) => {
diff --git a/services/web/test/unit/src/Editor/EditorHttpControllerTests.js b/services/web/test/unit/src/Editor/EditorHttpControllerTests.js
index 2b1b8cb500..b80c7dd6a8 100644
--- a/services/web/test/unit/src/Editor/EditorHttpControllerTests.js
+++ b/services/web/test/unit/src/Editor/EditorHttpControllerTests.js
@@ -256,8 +256,6 @@ describe('EditorHttpController', function () {
 userId: 'anonymous-user',
 anonymousAccessToken: this.token,
 }
- this.req.query = { user_id: 'anonymous-user' }
- this.req.headers = { 'x-sl-anonymous-access-token': this.token }
 this.res.callback = done
 this.AuthorizationManager.isRestrictedUser
 .withArgs(null, 'readOnly', false, false)