Commit ecbe1b30 authored by alinamihaila's avatar alinamihaila

Use CSRF token verification

parent aa7f162b
...@@ -330,16 +330,10 @@ Implemented using Redis methods [PFADD](https://redis.io/commands/pfadd) and [PF ...@@ -330,16 +330,10 @@ Implemented using Redis methods [PFADD](https://redis.io/commands/pfadd) and [PF
Return 200 if tracking failed for any reason. Return 200 if tracking failed for any reason.
- `401 Unauthorized` if not authorized - `403 Forbidden` if invalid CSRF token is provided
- `400 Bad request` if name parameter is missing - `400 Bad request` if name parameter is missing
- `200` if event was tracked or any errors - `200` if event was tracked or any errors
Example usage:
```shell
curl --header "Authorization: Bearer OAUTH-TOKEN" "https://gitlab.example.com/api/v4/usage_data/increment_unique_users" --data "name=event_name&values[]=value1&values[]=value2"
```
1. Track event using base module `Gitlab::UsageDataCounters::HLLRedisCounter.track_event(entity_id, event_name)`. 1. Track event using base module `Gitlab::UsageDataCounters::HLLRedisCounter.track_event(entity_id, event_name)`.
Arguments: Arguments:
......
...@@ -2,7 +2,9 @@ ...@@ -2,7 +2,9 @@
module API module API
class UsageData < Grape::API::Instance class UsageData < Grape::API::Instance
before { authenticate! } before do
forbidden!('Invalid CSRF token is provided') unless verified_request?
end
namespace 'usage_data' do namespace 'usage_data' do
desc 'Track usage data events' do desc 'Track usage data events' do
......
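Review bot: The new `before` hook drops `authenticate!` entirely, so the endpoint is now reachable with no authenticated user as long as the CSRF check passes, and the `values[]` ids the spec posts (`values: [user.id]`) are purely client-supplied with nothing tying them to a session identity. If `verified_request?` resolves to `Gitlab::RequestForgeryProtection.verified?` (as the spec's stub suggests; the helper itself is defined outside this hunk), then any browser session on the instance can report arbitrary ids into the unique-user counters, which is worth stating explicitly if it is intended. Either document the trade-off above the hook, e.g. `# CSRF verification intentionally replaces authentication: the frontend reports usage events for sessions that may have no signed-in user, so `values` are untrusted client input.`, or keep `authenticate!` in addition to the CSRF check if anonymous reporting is not the goal. The rest of the class body, including the parameter handling for `values`, lies outside this hunk.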
...@@ -10,35 +10,43 @@ RSpec.describe API::UsageData do ...@@ -10,35 +10,43 @@ RSpec.describe API::UsageData do
let(:known_event) { 'g_compliance_dashboard' } let(:known_event) { 'g_compliance_dashboard' }
let(:unknown_event) { 'unknown' } let(:unknown_event) { 'unknown' }
context 'when unauthenticated' do context 'without CSRF token' do
it 'retruns 401 response' do it 'returns 401 response' do
allow(Gitlab::RequestForgeryProtection).to receive(:verified?).and_return(false)
post api(endpoint), params: { values: [user.id] } post api(endpoint), params: { values: [user.id] }
expect(response).to have_gitlab_http_status(:unauthorized) expect(response).to have_gitlab_http_status(:forbidden)
end end
end end
context 'when name is missing from params' do context 'without CSRF token' do
it 'returns bad request' do before do
post api(endpoint, user), params: { values: [user.id] } allow(Gitlab::RequestForgeryProtection).to receive(:verified?).and_return(true)
end
context 'when name is missing from params' do
it 'returns bad request' do
post api(endpoint), params: { values: [user.id] }
expect(response).to have_gitlab_http_status(:bad_request) expect(response).to have_gitlab_http_status(:bad_request)
end
end end
end
context 'with correct params' do context 'with correct params' do
it 'returns status ok' do it 'returns status ok' do
post api(endpoint, user), params: { name: known_event, values: [user.id] } post api(endpoint), params: { name: known_event, values: [user.id] }
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
end
end end
end
context 'with unknown event' do context 'with unknown event' do
it 'returns status ok' do it 'returns status ok' do
post api(endpoint, user), params: { name: unknown_event, values: [user.id] } post api(endpoint), params: { name: unknown_event, values: [user.id] }
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
end
end end
end end
end end
......
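Review bot: The second `context 'without CSRF token' do` (the one whose `before` stubs `verified?` to `true`) is misnamed and now duplicates the description of the first context, which makes the two failure reports indistinguishable; it should read `context 'with CSRF token' do`. Likewise the first example is titled `it 'returns 401 response' do` while it asserts `have_gitlab_http_status(:forbidden)`, so rename it to `it 'returns 403 response' do` to match the new behaviour and the updated docs. Since both branches stub `Gitlab::RequestForgeryProtection.verified?` directly, nothing here exercises the real token path through `verified_request?`; if that helper does more than delegate, one example sending an actual token would close that gap. The enclosing `RSpec.describe` block begins outside this hunk.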