Merge pull request #95 from netlify/checkauth-panic

Florian Hines · web-flow · commit 4d128d69637a · 2019-09-24T14:25:49.000-05:00
CheckAuth should return if validation fails
diff --git a/router/middleware.go b/router/middleware.go
@@ -38,15 +38,18 @@ func CheckAuth(secret string) Middleware {
 			authHeader := r.Header.Get("Authorization")
 			if authHeader == "" {
 				HandleError(UnauthorizedError("This endpoint requires a Bearer token"), w, r)
+				return
 			}
 
 			matches := bearerRegexp.FindStringSubmatch(authHeader)
 			if len(matches) != 2 {
 				HandleError(UnauthorizedError("This endpoint requires a Bearer token"), w, r)
+				return
 			}
 
 			if secret != matches[1] {
 				HandleError(UnauthorizedError("This endpoint requires a Bearer token"), w, r)
+				return
 			}
 		}
 
diff --git a/router/middleware_test.go b/router/middleware_test.go
@@ -0,0 +1,73 @@
+package router
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestCheckAuth(t *testing.T) {
+	validKey := "testkey"
+	invalidKey := "nopekey"
+	emptyKey := ""
+
+	makeRequest := func(req *http.Request) *httptest.ResponseRecorder {
+		r := New(logrus.WithField("test", "CheckAuth"))
+		r.Use(CheckAuth(validKey))
+		r.Get("/", func(w http.ResponseWriter, r *http.Request) *HTTPError {
+			return nil
+		})
+		rec := httptest.NewRecorder()
+		r.ServeHTTP(rec, req)
+		return rec
+	}
+
+	t.Run("valid key", func(t *testing.T) {
+		req, err := http.NewRequest("GET", "/", nil)
+		require.NoError(t, err)
+		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", validKey))
+		rsp := makeRequest(req)
+		assert.Equal(t, http.StatusOK, rsp.Code)
+	})
+	t.Run("lower case bearer", func(t *testing.T) {
+		req, err := http.NewRequest("GET", "/", nil)
+		require.NoError(t, err)
+		req.Header.Set("Authorization", fmt.Sprintf("bearer %s", validKey))
+		rsp := makeRequest(req)
+		assert.Equal(t, http.StatusOK, rsp.Code)
+	})
+
+	t.Run("invalid key", func(t *testing.T) {
+		req, err := http.NewRequest("GET", "/", nil)
+		require.NoError(t, err)
+		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", invalidKey))
+		rsp := makeRequest(req)
+		assert.Equal(t, http.StatusUnauthorized, rsp.Code)
+	})
+	t.Run("no header", func(t *testing.T) {
+		req, err := http.NewRequest("GET", "/", nil)
+		require.NoError(t, err)
+		rsp := makeRequest(req)
+		assert.Equal(t, http.StatusUnauthorized, rsp.Code)
+	})
+	t.Run("empty key", func(t *testing.T) {
+		req, err := http.NewRequest("GET", "/", nil)
+		require.NoError(t, err)
+		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", emptyKey))
+		rsp := makeRequest(req)
+		assert.Equal(t, http.StatusUnauthorized, rsp.Code)
+	})
+	t.Run("invalid Authorization value", func(t *testing.T) {
+		req, err := http.NewRequest("GET", "/", nil)
+		require.NoError(t, err)
+		req.Header.Set("Authorization", fmt.Sprintf("what even is this %s", invalidKey))
+		rsp := makeRequest(req)
+		assert.Equal(t, http.StatusUnauthorized, rsp.Code)
+	})
+
+}

Original file line number	Diff line number	Diff line change
`@@ -38,15 +38,18 @@ func CheckAuth(secret string) Middleware {`
`38`	`38`	`authHeader := r.Header.Get("Authorization")`
`39`	`39`	`if authHeader == "" {`
`40`	`40`	`HandleError(UnauthorizedError("This endpoint requires a Bearer token"), w, r)`
	`41`	`+ return`
`41`	`42`	`}`
`42`	`43`
`43`	`44`	`matches := bearerRegexp.FindStringSubmatch(authHeader)`
`44`	`45`	`if len(matches) != 2 {`
`45`	`46`	`HandleError(UnauthorizedError("This endpoint requires a Bearer token"), w, r)`
	`47`	`+ return`
`46`	`48`	`}`
`47`	`49`
`48`	`50`	`if secret != matches[1] {`
`49`	`51`	`HandleError(UnauthorizedError("This endpoint requires a Bearer token"), w, r)`
	`52`	`+ return`
`50`	`53`	`}`
`51`	`54`	`}`
`52`	`55`