Use CSRF token verification

ecbe1b30 · alinamihaila · aa7f162b · ecbe1b30 · ecbe1b30 · ecbe1b30
Commit ecbe1b30 authored Sep 08, 2020 by alinamihaila
3 changed files
--- a/doc/development/telemetry/usage_ping.md
+++ b/doc/development/telemetry/usage_ping.md
@@ -330,16 +330,10 @@ Implemented using Redis methods [PFADD](https://redis.io/commands/pfadd) and [PF
   Return 200 if tracking failed for any reason.
-   - `401 Unauthorized` if not authorized
+   - `403 Forbidden` if invalid CSRF token is provided
   - `400 Bad request` if name parameter is missing
   - `200` if event was tracked or any errors
-   Example usage:
-   ```shell
-   curl --header "Authorization: Bearer OAUTH-TOKEN" "https://gitlab.example.com/api/v4/usage_data/increment_unique_users" --data "name=event_name&values[]=value1&values[]=value2"
-   ```
 1. Track event using base module `Gitlab::UsageDataCounters::HLLRedisCounter.track_event(entity_id, event_name)`.
   Arguments:

--- a/lib/api/usage_data.rb
+++ b/lib/api/usage_data.rb
@@ -2,7 +2,9 @@
 module API
  class UsageData < Grape::API::Instance
-    before { authenticate! }
+    before do
+      forbidden!('Invalid CSRF token is provided') unless verified_request?
+    end
    namespace 'usage_data' do
      desc 'Track usage data events' do

--- a/spec/requests/api/usage_data_spec.rb
+++ b/spec/requests/api/usage_data_spec.rb
@@ -10,17 +10,24 @@ RSpec.describe API::UsageData do
    let(:known_event) { 'g_compliance_dashboard' }
    let(:unknown_event) { 'unknown' }
-    context 'when unauthenticated' do
+    context 'without CSRF token' do
-      it 'retruns 401 response' do
+      it 'returns 401 response' do
+        allow(Gitlab::RequestForgeryProtection).to receive(:verified?).and_return(false)
        post api(endpoint), params: { values: [user.id] }
-        expect(response).to have_gitlab_http_status(:unauthorized)
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
    end
+    context 'without CSRF token' do
+      before do
+        allow(Gitlab::RequestForgeryProtection).to receive(:verified?).and_return(true)
      end
      context 'when name is missing from params' do
        it 'returns bad request' do
-        post api(endpoint, user), params: { values: [user.id] }
+          post api(endpoint), params: { values: [user.id] }
          expect(response).to have_gitlab_http_status(:bad_request)
        end
@@ -28,7 +35,7 @@ RSpec.describe API::UsageData do
      context 'with correct params' do
        it 'returns status ok' do
-        post api(endpoint, user), params: { name: known_event, values: [user.id] }
+          post api(endpoint), params: { name: known_event, values: [user.id] }
          expect(response).to have_gitlab_http_status(:ok)
        end
@@ -36,10 +43,11 @@ RSpec.describe API::UsageData do
      context 'with unknown event' do
        it 'returns status ok' do
-        post api(endpoint, user), params: { name: unknown_event, values: [user.id] }
+          post api(endpoint), params: { name: unknown_event, values: [user.id] }
          expect(response).to have_gitlab_http_status(:ok)
        end
      end
    end
+  end
 end