Ensure hook tokens are write-only in the API

f77be11c · Sean McGivern · c85c146a · f77be11c · f77be11c · f77be11c
Commit f77be11c authored Nov 01, 2016 by Sean McGivern
Showing with 35 additions and 7 deletions

doc/api/projects.md doc/api/projects.md +2 -2

lib/api/entities.rb lib/api/entities.rb +1 -1

spec/requests/api/project_hooks_spec.rb spec/requests/api/project_hooks_spec.rb +32 -4

No files found.
--- a/doc/api/projects.md
+++ b/doc/api/projects.md
@@ -1139,7 +1139,7 @@ Parameters:
 | `pipeline_events` | boolean | no | Trigger hook on pipeline events |
 | `wiki_events` | boolean | no | Trigger hook on wiki events |
 | `enable_ssl_verification` | boolean | no | Do SSL verification when triggering the hook |
-| `token` | string | no | Secret token to validate received payloads |
+| `token` | string | no | Secret token to validate received payloads; this will not be returned in the response |

 ### Edit project hook

@@ -1165,7 +1165,7 @@ Parameters:
 | `pipeline_events` | boolean | no | Trigger hook on pipeline events |
 | `wiki_events` | boolean | no | Trigger hook on wiki events |
 | `enable_ssl_verification` | boolean | no | Do SSL verification when triggering the hook |
-| `token` | string | no | Secret token to validate received payloads |
+| `token` | string | no | Secret token to validate received payloads; this will not be returned in the response |

 ### Delete project hook


--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -50,7 +50,7 @@ module API
      expose :project_id, :push_events
      expose :issues_events, :merge_requests_events, :tag_push_events
      expose :note_events, :build_events, :pipeline_events, :wiki_page_events
-      expose :enable_ssl_verification, :token
+      expose :enable_ssl_verification
    end

    class BasicProjectDetails < Grape::Entity

--- a/spec/requests/api/project_hooks_spec.rb
+++ b/spec/requests/api/project_hooks_spec.rb
@@ -36,7 +36,6 @@ describe API::API, 'ProjectHooks', api: true do
        expect(json_response.first['pipeline_events']).to eq(true)
        expect(json_response.first['wiki_page_events']).to eq(true)
        expect(json_response.first['enable_ssl_verification']).to eq(true)
-        expect(json_response.first['token']).to eq('S3cr3t')
      end
    end

@@ -63,7 +62,6 @@ describe API::API, 'ProjectHooks', api: true do
        expect(json_response['pipeline_events']).to eq(hook.pipeline_events)
        expect(json_response['wiki_page_events']).to eq(hook.wiki_page_events)
        expect(json_response['enable_ssl_verification']).to eq(hook.enable_ssl_verification)
-        expect(json_response['token']).to eq(hook.token)
      end

      it "returns a 404 error if hook id is not available" do
@@ -90,6 +88,7 @@ describe API::API, 'ProjectHooks', api: true do
      expect do
        post api("/projects/#{project.id}/hooks", user), url: "http://example.com", issues_events: true
      end.to change {project.hooks.count}.by(1)
+
      expect(response).to have_http_status(201)
      expect(json_response['url']).to eq('http://example.com')
      expect(json_response['issues_events']).to eq(true)
@@ -101,7 +100,24 @@ describe API::API, 'ProjectHooks', api: true do
      expect(json_response['pipeline_events']).to eq(false)
      expect(json_response['wiki_page_events']).to eq(false)
      expect(json_response['enable_ssl_verification']).to eq(true)
-      expect(json_response['token']).to eq('S3cr3t')
+      expect(json_response).not_to include('token')
+    end
+
+    it "adds the token without including it in the response" do
+      token = "secret token"
+
+      expect do
+        post api("/projects/#{project.id}/hooks", user), url: "http://example.com", token: token
+      end.to change {project.hooks.count}.by(1)
+
+      expect(response).to have_http_status(201)
+      expect(json_response["url"]).to eq("http://example.com")
+      expect(json_response).not_to include("token")
+
+      hook = project.hooks.find(json_response["id"])
+
+      expect(hook.url).to eq("http://example.com")
+      expect(hook.token).to eq(token)
    end

    it "returns a 400 error if url not given" do
@@ -130,7 +146,19 @@ describe API::API, 'ProjectHooks', api: true do
      expect(json_response['pipeline_events']).to eq(hook.pipeline_events)
      expect(json_response['wiki_page_events']).to eq(hook.wiki_page_events)
      expect(json_response['enable_ssl_verification']).to eq(hook.enable_ssl_verification)
-      expect(json_response['token']).to eq(hook.token)
+    end
+
+    it "adds the token without including it in the response" do
+      token = "secret token"
+
+      put api("/projects/#{project.id}/hooks/#{hook.id}", user), url: "http://example.org", token: token
+
+      expect(response).to have_http_status(200)
+      expect(json_response["url"]).to eq("http://example.org")
+      expect(json_response).not_to include("token")
+
+      expect(hook.reload.url).to eq("http://example.org")
+      expect(hook.reload.token).to eq(token)
    end

    it "returns 404 error if hook id not found" do