123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132 |
- # Copyright (C) 2012-2024 Zammad Foundation, https://zammad-foundation.org/
- require 'rails_helper'
- RSpec.describe 'Twitter channel API endpoints', type: :request do
- let!(:twitter_channel) { create(:twitter_channel) }
- let(:twitter_credential) { ExternalCredential.find(twitter_channel.options[:auth][:external_credential_id]) }
- let(:hash_signature) { %(sha256=#{Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', consumer_secret, payload))}) }
- let(:consumer_secret) { twitter_credential.credentials[:consumer_secret] }
- # What's this all about? See the "Challenge-Response Checks" section of this article:
- # https://developer.twitter.com/en/docs/accounts-and-users/subscribe-account-activity/guides/securing-webhooks
- describe 'GET /api/v1/channels_twitter_webhook' do
- let(:payload) { params[:crc_token] }
- let(:params) { { crc_token: 'foo' } }
- context 'with consumer secret and "crc_token" param' do
- it 'responds with { response_token: <hash_signature> }' do
- get '/api/v1/channels_twitter_webhook', params: params, as: :json
- expect(json_response).to eq('response_token' => hash_signature)
- end
- end
- context 'without valid twitter credentials in the DB' do
- before do
- twitter_credential.credentials.delete(:consumer_secret)
- twitter_credential.save!
- end
- it 'responds 422 Unprocessable Entity' do
- get '/api/v1/channels_twitter_webhook', params: params, as: :json
- expect(response).to have_http_status(:unprocessable_entity)
- end
- end
- context 'without "crc_token" param' do
- before { params.delete(:crc_token) }
- it 'responds 422 Unprocessable Entity' do
- get '/api/v1/channels_twitter_webhook', params: params, as: :json
- expect(response).to have_http_status(:unprocessable_entity)
- end
- end
- end
- describe 'POST /api/v1/channels_twitter_webhook' do
- let(:payload) { params.stringify_keys.to_s.gsub(%r{=>}, ':').delete(' ') }
- let(:headers) { { 'x-twitter-webhooks-signature': hash_signature } }
- let(:params) { { foo: 'bar', for_user_id: twitter_channel.options[:user][:id] } }
- # What's this all about? See the "Optional signature header validation" section of this article:
- # https://developer.twitter.com/en/docs/accounts-and-users/subscribe-account-activity/guides/securing-webhooks
- describe 'hash signature validation' do
- context 'with valid params and headers (i.e., not one of the failure cases below)' do
- it 'responds 200 OK' do
- post '/api/v1/channels_twitter_webhook', params: params, headers: headers, as: :json
- expect(response).to have_http_status(:ok)
- end
- end
- describe '"x-twitter-webhooks-signature" header' do
- context 'when absent' do
- let(:headers) { {} }
- it 'responds 422 Unprocessable Entity' do
- post '/api/v1/channels_twitter_webhook', params: params, headers: headers, as: :json
- expect(response).to have_http_status(:unprocessable_entity)
- end
- end
- context 'when invalid (not based on consumer secret + payload)' do
- let(:headers) { { 'x-twitter-webhooks-signature': 'Not a valid signature' } }
- it 'responds 401 Not Authorized' do
- post '/api/v1/channels_twitter_webhook', params: params, headers: headers, as: :json
- expect(response).to have_http_status(:unauthorized)
- end
- end
- end
- describe '"for_user_id" param' do
- context 'when absent' do
- let(:params) { { foo: 'bar' } }
- it 'responds 422 Unprocessable Entity' do
- post '/api/v1/channels_twitter_webhook', params: params, headers: headers, as: :json
- expect(response).to have_http_status(:unprocessable_entity)
- end
- end
- context 'without corresponding Channel' do
- let(:params) { { foo: 'bar', for_user_id: 'no_such_user' } }
- it 'responds 422 Unprocessable Entity' do
- post '/api/v1/channels_twitter_webhook', params: params, headers: headers, as: :json
- expect(response).to have_http_status(:unprocessable_entity)
- end
- end
- end
- end
- describe 'core behavior' do
- before do
- allow(TwitterSync).to receive(:new).and_return(twitter_sync)
- allow(twitter_sync).to receive(:process_webhook)
- end
- let(:twitter_sync) { instance_double(TwitterSync) }
- it 'delegates to TwitterSync#process_webhook' do
- post '/api/v1/channels_twitter_webhook', params: params, headers: headers, as: :json
- expect(twitter_sync).to have_received(:process_webhook).with(twitter_channel)
- end
- it 'responds with an empty hash' do
- post '/api/v1/channels_twitter_webhook', params: params, headers: headers, as: :json
- expect(json_response).to eq({})
- end
- end
- end
- end
|