Use CSRF token verification

ecbe1b30 · alinamihaila · aa7f162b · ecbe1b30 · ecbe1b30 · ecbe1b30
Commit ecbe1b30 authored Sep 08, 2020 by alinamihaila
3 changed files
--- a/doc/development/telemetry/usage_ping.md
+++ b/doc/development/telemetry/usage_ping.md
@@ -330,16 +330,10 @@ Implemented using Redis methods [PFADD](https://redis.io/commands/pfadd) and [PF

   Return 200 if tracking failed for any reason.

-   - `401 Unauthorized` if not authorized
+   - `403 Forbidden` if invalid CSRF token is provided
   - `400 Bad request` if name parameter is missing
   - `200` if event was tracked or any errors

-   Example usage:
-
-   ```shell
-   curl --header "Authorization: Bearer OAUTH-TOKEN" "https://gitlab.example.com/api/v4/usage_data/increment_unique_users" --data "name=event_name&values[]=value1&values[]=value2"
-   ```
-
 1. Track event using base module `Gitlab::UsageDataCounters::HLLRedisCounter.track_event(entity_id, event_name)`.

   Arguments:

--- a/lib/api/usage_data.rb
+++ b/lib/api/usage_data.rb
@@ -2,7 +2,9 @@

 module API
  class UsageData < Grape::API::Instance
-    before { authenticate! }
+    before do
+      forbidden!('Invalid CSRF token is provided') unless verified_request?
+    end

    namespace 'usage_data' do
      desc 'Track usage data events' do

--- a/spec/requests/api/usage_data_spec.rb
+++ b/spec/requests/api/usage_data_spec.rb
@@ -10,35 +10,43 @@ RSpec.describe API::UsageData do
    let(:known_event) { 'g_compliance_dashboard' }
    let(:unknown_event) { 'unknown' }

-    context 'when unauthenticated' do
-      it 'retruns 401 response' do
+    context 'without CSRF token' do
+      it 'returns 401 response' do
+        allow(Gitlab::RequestForgeryProtection).to receive(:verified?).and_return(false)
+
        post api(endpoint), params: { values: [user.id] }

-        expect(response).to have_gitlab_http_status(:unauthorized)
+        expect(response).to have_gitlab_http_status(:forbidden)
      end
    end

-    context 'when name is missing from params' do
-      it 'returns bad request' do
-        post api(endpoint, user), params: { values: [user.id] }
+    context 'without CSRF token' do
+      before do
+        allow(Gitlab::RequestForgeryProtection).to receive(:verified?).and_return(true)
+      end
+
+      context 'when name is missing from params' do
+        it 'returns bad request' do
+          post api(endpoint), params: { values: [user.id] }

-        expect(response).to have_gitlab_http_status(:bad_request)
+          expect(response).to have_gitlab_http_status(:bad_request)
+        end
      end
-    end

-    context 'with correct params' do
-      it 'returns status ok' do
-        post api(endpoint, user), params: { name: known_event, values: [user.id] }
+      context 'with correct params' do
+        it 'returns status ok' do
+          post api(endpoint), params: { name: known_event, values: [user.id] }

-        expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to have_gitlab_http_status(:ok)
+        end
      end
-    end

-    context 'with unknown event' do
-      it 'returns status ok' do
-        post api(endpoint, user), params: { name: unknown_event, values: [user.id] }
+      context 'with unknown event' do
+        it 'returns status ok' do
+          post api(endpoint), params: { name: unknown_event, values: [user.id] }

-        expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to have_gitlab_http_status(:ok)
+        end
      end
    end
  end