diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 383fc0fdbc8..a4da1b5b421 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -151,6 +151,39 @@ jobs:
 name: api-test-lcov
 path: |
 api-lcov.info
+ security-api-tests:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@develop
+
+ - name: Install HTTPie
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y httpie
+
+ - name: Run the Web App
+ run: |
+ npm run serve
+
+ - name: Test for authentication requirement on POST for basket
+ run: |
+ http POST http://localhost:3000/rest/basket
+ --expect '401 Unauthorized'
+
+ - name: Test for authentication requirement on PUT for basket
+ run: |
+ http PUT http://localhost:3000/rest/basket/4
+ --expect '401 Unauthorized'
+
+ - name: Test for authentication requirement on GET for basket
+ run: |
+ http GET http://localhost:3000/rest/basket/4
+ --expect '401 Unauthorized'
+
+ - name: Test for authentication requirement on POST for feedback
+ run: |
+ http POST http://localhost:3000/rest/feedbacks
+ --expect '401 Unauthorized'
 coverage-report:
 needs: [test, api-test]
 runs-on: ubuntu-latest
diff --git a/routes/basket.ts b/routes/basket.ts
index b212a97be1e..5958244c0eb 100644
--- a/routes/basket.ts
+++ b/routes/basket.ts
@@ -22,6 +22,12 @@ module.exports = function retrieveBasket () {
 const user = security.authenticatedUsers.from(req)
 return user && id && id !== 'undefined' && id !== 'null' && id !== 'NaN' && user.bid && user.bid != id // eslint-disable-line eqeqeq
 })
+ const user = security.authenticatedUsers.from(req)
+ // check if the correct user is making the request
+ if (user && id && id !== 'undefined' && id !== 'null' && id !== 'NaN' && user.bid && user.bid != id) { // eslint-disable-line eqeqeq
+ res.status(403).send({ error: 'wrong user' })
+ return
+ }
 if (basket?.Products && basket.Products.length > 0) {
 for (let i = 0; i < basket.Products.length; i++) {
 basket.Products[i].name = req.__(basket.Products[i].name)
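Review bot: Each test step in the new `security-api-tests` job executes `--expect '401 Unauthorized'` as a second, separate shell command, because the `run: |` block places it on its own line with no continuation after the `http …` line; the `http` call itself exits 0 whatever status code comes back, and the step then fails on an unknown `--expect` command, so the job never actually asserts the 401. I am not aware of an `--expect` option in HTTPie; a shell-level comparison pins the exact code, e.g. `test "$(curl -s -o /dev/null -w '%{http_code}' -X POST http://localhost:3000/rest/basket)" = 401`, and the same applies to the PUT, GET and feedback steps. The preceding `npm run serve` step has no `setup-node`/`npm ci` before it and, if that script starts a foreground server, blocks the job so the test steps are never reached — presumably it needs to be backgrounded with a readiness wait. `actions/checkout@develop` references a mutable branch name of a third-party action; pinning to a release tag or a commit SHA keeps the job's supply chain reproducible and consistent with how the other jobs in this workflow (outside the hunk) presumably pin it.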
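Review bot: The new guard rejects only an authenticated user whose `bid` differs from `id`; when `security.authenticatedUsers.from(req)` returns nothing, the leading `user &&` short-circuits and the basket is still returned, so this code never produces the `401 Unauthorized` that the ci.yml steps in this same commit expect for `GET /rest/basket/4` — unless an upstream middleware already rejects unauthenticated requests, which is outside the hunk. The condition is also a verbatim copy of the `solveIf` callback directly above it; computing it once, e.g. `const user = security.authenticatedUsers.from(req)` followed by `const wrongUser = user && id && id !== 'undefined' && id !== 'null' && id !== 'NaN' && user.bid && user.bid != id // eslint-disable-line eqeqeq`, and using `wrongUser` in both places keeps the challenge check and the authorization check from drifting apart. The guard runs after the basket row has already been loaded; the lookup, like the rest of `retrieveBasket`, is outside the hunk, but an authorization decision that does not depend on the loaded row belongs ahead of the query. A comment such as `// reject access to another user's basket; unauthenticated requests are expected to be rejected upstream` would record which of the two cases this guard is meant to cover.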