form_spec.rb 9.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217
  1. # Copyright (C) 2012-2023 Zammad Foundation, https://zammad-foundation.org/
  2. require 'rails_helper'
  3. RSpec.describe 'Form', type: :request do
  4. describe 'request handling' do
  5. it 'does get config call' do
  6. post '/api/v1/form_config', params: {}, as: :json
  7. expect(response).to have_http_status(:forbidden)
  8. expect(json_response).to be_a(Hash)
  9. expect(json_response['error']).to eq('Not authorized')
  10. end
  11. it 'does get config call' do
  12. Setting.set('form_ticket_create', true)
  13. post '/api/v1/form_config', params: {}, as: :json
  14. expect(response).to have_http_status(:forbidden)
  15. expect(json_response).to be_a(Hash)
  16. expect(json_response['error']).to eq('Not authorized')
  17. end
  18. it 'does get config call & do submit' do
  19. Setting.set('form_ticket_create', true)
  20. fingerprint = SecureRandom.hex(40)
  21. post '/api/v1/form_config', params: { fingerprint: fingerprint }, as: :json
  22. expect(response).to have_http_status(:ok)
  23. expect(json_response).to be_a(Hash)
  24. expect(json_response['enabled']).to be(true)
  25. expect(json_response['endpoint']).to eq('http://zammad.example.com/api/v1/form_submit')
  26. expect(json_response['token']).to be_truthy
  27. token = json_response['token']
  28. post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: 'invalid' }, as: :json
  29. expect(response).to have_http_status(:unauthorized)
  30. expect(json_response).to be_a(Hash)
  31. expect(json_response['error']).to eq('Authorization failed')
  32. post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: token }, as: :json
  33. expect(response).to have_http_status(:ok)
  34. expect(json_response).to be_a(Hash)
  35. expect(json_response['errors']).to be_truthy
  36. expect(json_response['errors']['name']).to eq('required')
  37. expect(json_response['errors']['email']).to eq('required')
  38. expect(json_response['errors']['title']).to eq('required')
  39. expect(json_response['errors']['body']).to eq('required')
  40. post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: token, email: 'some' }, as: :json
  41. expect(response).to have_http_status(:ok)
  42. expect(json_response).to be_a(Hash)
  43. expect(json_response['errors']).to be_truthy
  44. expect(json_response['errors']['name']).to eq('required')
  45. expect(json_response['errors']['email']).to eq('invalid')
  46. expect(json_response['errors']['title']).to eq('required')
  47. expect(json_response['errors']['body']).to eq('required')
  48. post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: token, name: 'Bob Smith', email: 'discard@zammad.com', title: 'test', body: 'hello' }, as: :json
  49. expect(response).to have_http_status(:ok)
  50. expect(json_response).to be_a(Hash)
  51. expect(json_response['errors']).to be_falsey
  52. expect(json_response['ticket']).to be_truthy
  53. expect(json_response['ticket']['id']).to be_truthy
  54. expect(json_response['ticket']['number']).to be_truthy
  55. travel 5.hours
  56. post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: token, name: 'Bob Smith', email: 'discard@zammad.com', title: 'test', body: 'hello' }, as: :json
  57. expect(response).to have_http_status(:ok)
  58. expect(json_response).to be_a(Hash)
  59. expect(json_response['errors']).to be_falsey
  60. expect(json_response['ticket']).to be_truthy
  61. expect(json_response['ticket']['id']).to be_truthy
  62. expect(json_response['ticket']['number']).to be_truthy
  63. travel 20.hours
  64. post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: token, name: 'Bob Smith', email: 'discard@zammad.com', title: 'test', body: 'hello' }, as: :json
  65. expect(response).to have_http_status(:unauthorized)
  66. end
  67. it 'does get config call & do submit' do
  68. Setting.set('form_ticket_create', true)
  69. fingerprint = SecureRandom.hex(40)
  70. post '/api/v1/form_config', params: { fingerprint: fingerprint }, as: :json
  71. expect(response).to have_http_status(:ok)
  72. expect(json_response).to be_a(Hash)
  73. expect(json_response['enabled']).to be(true)
  74. expect(json_response['endpoint']).to eq('http://zammad.example.com/api/v1/form_submit')
  75. expect(json_response['token']).to be_truthy
  76. token = json_response['token']
  77. post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: 'invalid' }, as: :json
  78. expect(response).to have_http_status(:unauthorized)
  79. expect(json_response).to be_a(Hash)
  80. expect(json_response['error']).to eq('Authorization failed')
  81. post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: token }, as: :json
  82. expect(response).to have_http_status(:ok)
  83. expect(json_response).to be_a(Hash)
  84. expect(json_response['errors']).to be_truthy
  85. expect(json_response['errors']['name']).to eq('required')
  86. expect(json_response['errors']['email']).to eq('required')
  87. expect(json_response['errors']['title']).to eq('required')
  88. expect(json_response['errors']['body']).to eq('required')
  89. post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: token, email: 'some' }, as: :json
  90. expect(response).to have_http_status(:ok)
  91. expect(json_response).to be_a(Hash)
  92. expect(json_response['errors']).to be_truthy
  93. expect(json_response['errors']['name']).to eq('required')
  94. expect(json_response['errors']['email']).to eq('invalid')
  95. expect(json_response['errors']['title']).to eq('required')
  96. expect(json_response['errors']['body']).to eq('required')
  97. post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: token, name: 'Bob Smith', email: 'somebody@somedomainthatisinvalid.com', title: 'test', body: 'hello' }, as: :json
  98. expect(response).to have_http_status(:ok)
  99. expect(json_response).to be_a(Hash)
  100. expect(json_response['errors']).to be_truthy
  101. expect(json_response['errors']['email']).to eq('invalid')
  102. end
  103. it 'does limits', :rack_attack do
  104. Setting.set('form_ticket_create_by_ip_per_hour', 2)
  105. Setting.set('form_ticket_create', true)
  106. fingerprint = SecureRandom.hex(40)
  107. post '/api/v1/form_config', params: { fingerprint: fingerprint }, as: :json
  108. expect(response).to have_http_status(:ok)
  109. expect(json_response['token']).to be_truthy
  110. token = json_response['token']
  111. post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: token, name: 'Bob Smith', email: 'discard@zammad.com', title: 'test', body: 'hello' }, as: :json
  112. expect(response).to have_http_status(:ok)
  113. 3.times do |count|
  114. post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: token, name: 'Bob Smith', email: 'discard@zammad.com', title: "test#{count}", body: 'hello' }, as: :json
  115. end
  116. expect(response).to have_http_status(:too_many_requests)
  117. @headers = { 'ACCEPT' => 'application/json', 'CONTENT_TYPE' => 'application/json', 'REMOTE_ADDR' => '1.2.3.5' }
  118. post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: token, name: 'Bob Smith', email: 'discard@zammad.com', title: 'test-2', body: 'hello' }, as: :json
  119. expect(response).to have_http_status(:ok)
  120. 3.times do |count|
  121. post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: token, name: 'Bob Smith', email: 'discard@zammad.com', title: "test-2-#{count}", body: 'hello' }, as: :json
  122. end
  123. expect(response).to have_http_status(:too_many_requests)
  124. @headers = { 'ACCEPT' => 'application/json', 'CONTENT_TYPE' => 'application/json', 'REMOTE_ADDR' => '::1' }
  125. post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: token, name: 'Bob Smith', email: 'discard@zammad.com', title: 'test-3', body: 'hello' }, as: :json
  126. 3.times do |count|
  127. post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: token, name: 'Bob Smith', email: 'discard@zammad.com', title: "test-3-#{count}", body: 'hello' }, as: :json
  128. end
  129. expect(response).to have_http_status(:too_many_requests)
  130. end
  131. it 'does customer_ticket_create false disables form' do
  132. Setting.set('form_ticket_create', false)
  133. Setting.set('customer_ticket_create', true)
  134. fingerprint = SecureRandom.hex(40)
  135. post '/api/v1/form_config', params: { fingerprint: fingerprint }, as: :json
  136. token = json_response['token']
  137. params = {
  138. fingerprint: fingerprint,
  139. token: token,
  140. name: 'Bob Smith',
  141. email: 'discard@zammad.com',
  142. title: 'test',
  143. body: 'hello'
  144. }
  145. post '/api/v1/form_submit', params: params, as: :json
  146. expect(response).to have_http_status(:forbidden)
  147. end
  148. context 'when ApplicationHandleInfo context' do
  149. let(:fingerprint) { SecureRandom.hex(40) }
  150. let(:token) { json_response['token'] }
  151. before do
  152. Setting.set('form_ticket_create', true)
  153. post '/api/v1/form_config', params: { fingerprint: fingerprint }, as: :json
  154. end
  155. it 'gets switched to "form"' do
  156. allow(ApplicationHandleInfo).to receive('context=')
  157. post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: token, name: 'Bob Smith', email: 'discard@zammad.com', title: 'test-last', body: 'hello' }, as: :json
  158. expect(ApplicationHandleInfo).to have_received('context=').with('form').at_least(1)
  159. end
  160. it 'reverts back to default' do
  161. allow(ApplicationHandleInfo).to receive('context=')
  162. post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: token, name: 'Bob Smith', email: 'discard@zammad.com', title: 'test-last', body: 'hello' }, as: :json
  163. expect(ApplicationHandleInfo.context).not_to eq 'form'
  164. end
  165. end
  166. end
  167. end