Bug 1551952: Check Authorization on all get requests r=leplatrem
authorEthan Glasser-Camp <ethan@betacantrips.com>
Thu, 16 May 2019 13:11:30 +0000
changeset 474060 14b42e8bd2b5bd973323690c11e823237a8f08a4
parent 474059 7cc38bae111155727ac9ccb6963caa338b4c8288
child 474061 20457619f22b5c08a94f5423c0388f84312f6a43
push id36022
push userncsoregi@mozilla.com
push dateThu, 16 May 2019 21:55:16 +0000
reviewersleplatrem
bugs1551952
milestone68.0a1
Bug 1551952: Check Authorization on all get requests r=leplatrem Depends on D31378 Differential Revision: https://phabricator.services.mozilla.com/D31379
toolkit/components/extensions/test/xpcshell/test_ext_storage_sync.js
--- a/toolkit/components/extensions/test/xpcshell/test_ext_storage_sync.js
+++ b/toolkit/components/extensions/test/xpcshell/test_ext_storage_sync.js
@@ -87,17 +87,18 @@ class KintoServer {
     return this.deletedBuckets;
   }
 
   rejectNextAuthWith(response) {
     this.rejectNextAuthResponse = response;
   }
 
   checkAuth(request, response) {
-    // FIXME: assert auth is "Bearer ...token..."
+    equal(request.getHeader("Authorization"), "Bearer some-access-token");
+
     if (this.rejectNextAuthResponse) {
       response.setStatusLine(null, 401, "Unauthorized");
       response.write(this.rejectNextAuthResponse);
       this.rejectNextAuthResponse = false;
       this.failedAuths.push(request);
       return true;
     }
     return false;
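Review bot: The new assertion at the top of checkAuth calls `request.getHeader("Authorization")` unconditionally, and httpd.js's getHeader throws NS_ERROR_NOT_AVAILABLE when the header is absent, so a client that sends no Authorization header at all fails with an exception from inside the path handler instead of the readable diff that `equal` would print. A presence check first keeps the diagnostic useful: `ok(request.hasHeader("Authorization"), "request carries an Authorization header");` followed by the existing `equal(...)` line. The expected token is a bare literal here; if the same string is configured on the client side elsewhere in this file (not visible in the hunk), hoisting it to one shared constant such as `const ACCESS_TOKEN = "some-access-token";` would keep the two from drifting. The assertion also runs before the rejectNextAuthResponse branch, so a test that simulates a 401 still has to send the correct token — worth a one-line comment if that is intended.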
@@ -262,16 +263,20 @@ class KintoServer {
     this.collections.add(collectionId);
     const remoteCollectionPath = "/v1" + collectionPath(encodeURIComponent(collectionId));
     this.httpServer.registerPathHandler(remoteCollectionPath, this.handleGetCollection.bind(this, collectionId));
     const remoteRecordsPath = "/v1" + collectionRecordsPath(encodeURIComponent(collectionId));
     this.httpServer.registerPathHandler(remoteRecordsPath, this.handleGetRecords.bind(this, collectionId));
   }
 
   handleGetCollection(collectionId, request, response) {
+    if (this.checkAuth(request, response)) {
+      return;
+    }
+
     response.setStatusLine(null, 200, "OK");
     response.setHeader("Content-Type", "application/json; charset=UTF-8");
     response.setHeader("Date", (new Date()).toUTCString());
     response.write(JSON.stringify({
       data: {
         id: collectionId,
       },
     }));
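Review bot: The early return added to handleGetCollection relies on checkAuth having already written the 401 response, but nothing at the call site says so, and a `true` return reads as "auth ok" at first glance; a short comment would prevent the next reader from adding a second response write, e.g. `// checkAuth() has already sent the 401; nothing more to write.` The registration at the top of the hunk also wires handleGetRecords for the same collection, and that handler is not touched in this hunk — presumably it gets the same guard elsewhere in the commit, but if not, record reads would still bypass the Authorization check the commit title promises. handleGetCollection's body continues past the end of the hunk.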