tests

Author: cryptomail

lib/zendesk_api/middleware/request/api_token_impersonate.rb

@@ -13,10 +13,17 @@ def call(env)
             current_u_p_encoded = env[:request_headers][:authorization].split(/\s+/)[1]
             current_u_p = Base64.urlsafe_decode64(current_u_p_encoded)
             unless current_u_p.include?("/token:")
-              raise ZendeskAPI::Error, "You must use an API token to impersonate a user."
+              warn "WARNING: ApiTokenImpersonate passed in invalid format. It should be in the format username/token:APITOKEN"
+              return @app.call(env)
             end
 
             parts = current_u_p.split(":")
+
+            unless parts.length == 2 && parts[0].include?("/token")
+              warn "WARNING: ApiTokenImpersonate passed in invalid format. It should be in the format username/token:APITOKEN"
+              return @app.call(env)
+            end
+
             next_u_p = "#{Thread.current[:local_username]}/token:#{parts[1]}"
             env[:request_headers][:authorization] = "Basic #{Base64.urlsafe_encode64(next_u_p)}"
           end

spec/core/middleware/request/api_token_impersonate_spec.rb

@@ -0,0 +1,63 @@
+require 'core/spec_helper'
+
+RSpec.describe ZendeskAPI::Middleware::Request::ApiTokenImpersonate do
+  let(:app) { ->(env) { env } }
+  let(:middleware) { described_class.new(app) }
+  let(:username) { 'impersonated_user' }
+  let(:token) { 'abc123' }
+  let(:original_username) { 'original_user/token' }
+  let(:encoded_auth) { Base64.urlsafe_encode64("#{original_username}:#{token}") }
+  let(:env) do
+    {
+      request_headers: {
+        authorization: "Basic #{encoded_auth}"
+      }
+    }
+  end
+
+  after { Thread.current[:local_username] = nil }
+
+  context 'when local_username is set and authorization is a valid API token' do
+    it 'impersonates the user by modifying the Authorization header' do
+      Thread.current[:local_username] = username
+      result = middleware.call(env)
+      new_auth = result[:request_headers][:authorization]
+      decoded = Base64.urlsafe_decode64(new_auth.split.last)
+      expect(decoded).to eq("#{username}/token:#{token}")
+    end
+  end
+
+  context 'when local_username is not set' do
+    it 'does not modify the Authorization header' do
+      result = middleware.call(env)
+      expect(result[:request_headers][:authorization]).to eq(env[:request_headers][:authorization])
+    end
+  end
+
+  context 'when authorization header is not Basic' do
+    it 'does not modify the Authorization header' do
+      Thread.current[:local_username] = username
+      env[:request_headers][:authorization] = 'Bearer something'
+      result = middleware.call(env)
+      expect(result[:request_headers][:authorization]).to eq('Bearer something')
+    end
+  end
+
+  context 'when authorization does not contain /token:' do
+    it 'raises an error' do
+      Thread.current[:local_username] = username
+      env[:request_headers][:authorization] = "Basic #{Base64.urlsafe_encode64('user:abc123')}"
+      result = middleware.call(env)
+      expect(result[:request_headers][:authorization]).to eq("Basic #{Base64.urlsafe_encode64('user:abc123')}")
+    end
+  end
+
+  context 'when authorization is not in valid format' do
+    it 'raises an error' do
+      Thread.current[:local_username] = username
+      env[:request_headers][:authorization] = "Basic #{Base64.urlsafe_encode64('user/token:abc123:extra')}"
+      result = middleware.call(env)
+      expect(result[:request_headers][:authorization]).to eq("Basic #{Base64.urlsafe_encode64('user/token:abc123:extra')}")
+    end
+  end
+end