Skip to content

Commit

Permalink
Merge pull request #1365 from GSA/USN-COMPLY-50-Verify_Nonce_for_Invite
Browse files Browse the repository at this point in the history 
US-NOTIFY-COMPLY 50: Verify Nonce For Invite
  • Loading branch information
@ccostino
ccostino authored Oct 24, 2024
2 parents f4f6312 + 0b648c9 commit 2d22a44
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 9 deletions.
19 changes: 10 additions & 9 deletions app/service_invite/rest.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -32,20 +32,14 @@
register_errors(service_invite)


def _create_service_invite(invited_user, invite_link_host):
def _create_service_invite(invited_user, nonce):

template_id = current_app.config["INVITATION_EMAIL_TEMPLATE_ID"]

template = dao_get_template_by_id(template_id)

service = Service.query.get(current_app.config["NOTIFY_SERVICE_ID"])

token = generate_token(
str(invited_user.email_address),
current_app.config["SECRET_KEY"],
current_app.config["DANGEROUS_SALT"],
)

# The raw permissions are in the form "a,b,c,d"
# but need to be in the form ["a", "b", "c", "d"]
data = {}
Expand All @@ -59,7 +53,8 @@ def _create_service_invite(invited_user, invite_link_host):
data["invited_user_email"] = invited_user.email_address

url = os.environ["LOGIN_DOT_GOV_REGISTRATION_URL"]
url = url.replace("NONCE", token)

url = url.replace("NONCE", nonce) # handed from data sent from admin.

user_data_url_safe = get_user_data_url_safe(data)

Expand Down Expand Up @@ -94,10 +89,16 @@ def _create_service_invite(invited_user, invite_link_host):
@service_invite.route("/service/<service_id>/invite", methods=["POST"])
def create_invited_user(service_id):
request_json = request.get_json()
try:
nonce = request_json.pop("nonce")
except KeyError:
current_app.logger.exception("nonce not found in submitted data.")
raise

invited_user = invited_user_schema.load(request_json)
save_invited_user(invited_user)

_create_service_invite(invited_user, request_json.get("invite_link_host"))
_create_service_invite(invited_user, nonce)

return jsonify(data=invited_user_schema.dump(invited_user)), 201

Expand Down
3 changes: 3 additions & 0 deletions tests/app/service_invite/test_service_invite_rest.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ def test_create_invited_user(
permissions="send_messages,manage_service,manage_api_keys",
auth_type=AuthType.EMAIL,
folder_permissions=["folder_1", "folder_2", "folder_3"],
nonce="FakeNonce",
**extra_args,
)

Expand Down Expand Up @@ -108,6 +109,7 @@ def test_create_invited_user_without_auth_type(
"from_user": str(invite_from.id),
"permissions": "send_messages,manage_service,manage_api_keys",
"folder_permissions": [],
"nonce": "FakeNonce",
}

json_resp = admin_request.post(
Expand All @@ -131,6 +133,7 @@ def test_create_invited_user_invalid_email(client, sample_service, mocker, fake_
"from_user": str(invite_from.id),
"permissions": "send_messages,manage_service,manage_api_keys",
"folder_permissions": [fake_uuid, fake_uuid],
"nonce": "FakeNonce",
}

data = json.dumps(data)
Expand Down

0 comments on commit 2d22a44

Please sign in to comment.