From 1adb39f02b49dcdec1fd7ab13a1114954f03e205 Mon Sep 17 00:00:00 2001 From: izzy lyseggen Date: Wed, 21 Jul 2021 18:44:09 +0100 Subject: [PATCH] fix(server): webhooks mutations tests forgot to push this commit before merge ah sorry!!! --- .../webhooks/graph/resolvers/webhooks.js | 10 ++++++++++ .../modules/webhooks/tests/webhooks.spec.js | 17 +++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/packages/server/modules/webhooks/graph/resolvers/webhooks.js b/packages/server/modules/webhooks/graph/resolvers/webhooks.js index 943c9a954..f34948975 100644 --- a/packages/server/modules/webhooks/graph/resolvers/webhooks.js +++ b/packages/server/modules/webhooks/graph/resolvers/webhooks.js @@ -1,4 +1,6 @@ const appRoot = require( 'app-root-path' ) +const { ForbiddenError } = require( 'apollo-server-express' ) + const { authorizeResolver } = require( `${appRoot}/modules/shared` ) const { createWebhook, getWebhook, updateWebhook, deleteWebhook, getStreamWebhooks, getLastWebhookEvents, getWebhookEventsCount } = require( '../../services/webhooks' ) @@ -39,6 +41,10 @@ module.exports = { async webhookUpdate( parent, args, context, info ) { await authorizeResolver( context.userId, args.webhook.streamId, 'stream:owner' ) + let wh = await getWebhook( { id: args.webhook.id } ) + if ( args.webhook.streamId !== wh.streamId ) + throw new ForbiddenError( 'The webhook id and stream id do not match. Please check your inputs.' ) + let updated = await updateWebhook( { id: args.webhook.id, url: args.webhook.url, description: args.webhook.description, secret: args.webhook.secret, enabled: args.webhook.enabled !== false, triggers: args.webhook.triggers } ) return !!updated 
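Review bot: In `webhookUpdate`, `wh.streamId` is read without checking that `getWebhook` returned anything, so a webhook id that does not exist will most likely throw a TypeError and surface as an internal error instead of the intended FORBIDDEN response (this assumes the service returns nothing on a miss; it is not shown here). Guarding with `if ( !wh || args.webhook.streamId !== wh.streamId )` makes the response identical for missing and foreign webhooks, so a stream owner cannot tell from it whether an id exists in another stream. The same lines in the `webhookDelete` hunk need the same guard. Since `wh` is never reassigned, `const` fits better than `let`. Both resolver bodies continue outside their hunks.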
@@ -46,6 +52,10 @@ module.exports = { async webhookDelete( parent, args, context, info ) { await authorizeResolver( context.userId, args.webhook.streamId, 'stream:owner' ) + let wh = await getWebhook( { id: args.webhook.id } ) + if ( args.webhook.streamId !== wh.streamId ) + throw new ForbiddenError( 'The webhook id and stream id do not match. Please check your inputs.' ) + let deleted = await deleteWebhook( { id: args.webhook.id } ) return !!deleted diff --git a/packages/server/modules/webhooks/tests/webhooks.spec.js b/packages/server/modules/webhooks/tests/webhooks.spec.js index 21473dee1..37eb3b798 100644 --- a/packages/server/modules/webhooks/tests/webhooks.spec.js +++ b/packages/server/modules/webhooks/tests/webhooks.spec.js 
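Review bot: The webhook-to-stream check in `webhookDelete` is a copy of the one added to `webhookUpdate`, and `deleteWebhook( { id: args.webhook.id } )` is still keyed by the id alone, so the binding holds only while every resolver remembers to repeat these lines. A small module-level helper that both mutations call keeps the rule in one place and gives a single spot to handle an id that does not resolve. If the service functions can accept a `streamId`, scoping their queries by it would enforce the same rule at the data layer; their signatures are not visible in this diff.

```javascript
// module-level helper shared by webhookUpdate and webhookDelete
async function assertWebhookInStream( { id, streamId } ) {
  const wh = await getWebhook( { id } )
  if ( !wh || wh.streamId !== streamId )
    throw new ForbiddenError( 'The webhook id and stream id do not match. Please check your inputs.' )
  return wh
}

// in webhookDelete, directly after the authorizeResolver call:
await assertWebhookInStream( args.webhook )
// … unchanged: deleteWebhook call and return …
```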
@@ -179,6 +179,22 @@ describe( 'Webhooks @webhooks', () => { expect( webhook.enabled ).to.equal( false ) } ) + it( 'Should *not* update or delete a webhook if the stream id and webhook id do not match', async () => { + const res1 = await sendRequest( userOne.token, { + query: `mutation { webhookDelete(webhook: { id: "${webhookTwo.id}", streamId: "${streamOne.id}" } ) }` + } ) + expect( res1.body.errors ).to.exist + expect( res1.body.errors[ 0 ].message ).to.equal( 'The webhook id and stream id do not match. Please check your inputs.' ) + expect( res1.body.errors[ 0 ].extensions.code ).to.equal( 'FORBIDDEN' ) + + const res2 = await sendRequest( userOne.token, { + query: `mutation { webhookUpdate(webhook: { id: "${webhookTwo.id}", streamId: "${streamOne.id}", description: "updated webhook", enabled: false }) }` + } ) + expect( res2.body.errors ).to.exist + expect( res2.body.errors[ 0 ].message ).to.equal( 'The webhook id and stream id do not match. Please check your inputs.' ) + expect( res2.body.errors[ 0 ].extensions.code ).to.equal( 'FORBIDDEN' ) + } ) + it( 'Should delete a webhook', async () => { const res = await sendRequest( userTwo.token, { query: `mutation { webhookDelete(webhook: { id: "${webhookTwo.id}", streamId: "${streamTwo.id}" } ) }` @@ -205,6 +221,7 @@ describe( 'Webhooks @webhooks', () => { expect( res.body.errors[ 0 ].extensions.code ).to.equal( 'FORBIDDEN' ) } ) + it( 'Should have a webhook limit for streams', async ( ) => { let limit = 100 for ( let i = 0; i < limit - 1; i++ ) {
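Review bot: The new test asserts only the error payload, so it would still pass if the resolver applied the change and then threw. After the rejected `webhookUpdate`, read `webhookTwo` back and assert that its description is not `"updated webhook"`. The rejected delete is verified only indirectly by the following 'Should delete a webhook' case, which couples the two tests to their order. Splitting the delete and update checks into separate `it` blocks would keep a failure in the first from hiding the second, and a case with a webhook id that does not exist would pin the not-found path.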