author | Sean McGivern <sean@gitlab.com> | 2016-11-01 14:40:06 +0300 |
---|---|---|
committer | Sean McGivern <sean@gitlab.com> | 2016-11-01 14:40:06 +0300 |
commit | f77be11cb9caa62cdd4690a53c73b6d34e102148 (patch) | |
tree | e36511f907c20daed701d882e4e08f0b07fff04c /spec | |
parent | c85c146aa2042710caddc6666ce8f9e07b2fe5ca (diff) |
Ensure hook tokens are write-only in the API
Diffstat (limited to 'spec')
-rw-r--r-- | spec/requests/api/project_hooks_spec.rb | 36 |
1 files changed, 32 insertions, 4 deletions
diff --git a/spec/requests/api/project_hooks_spec.rb b/spec/requests/api/project_hooks_spec.rb
index 53113c62996..5f39329a1b8 100644
--- a/spec/requests/api/project_hooks_spec.rb
+++ b/spec/requests/api/project_hooks_spec.rb
@@ -36,7 +36,6 @@ describe API::API, 'ProjectHooks', api: true do
 expect(json_response.first['pipeline_events']).to eq(true)
 expect(json_response.first['wiki_page_events']).to eq(true)
 expect(json_response.first['enable_ssl_verification']).to eq(true)
- expect(json_response.first['token']).to eq('S3cr3t')
 end
 end
@@ -63,7 +62,6 @@ describe API::API, 'ProjectHooks', api: true do
 expect(json_response['pipeline_events']).to eq(hook.pipeline_events)
 expect(json_response['wiki_page_events']).to eq(hook.wiki_page_events)
 expect(json_response['enable_ssl_verification']).to eq(hook.enable_ssl_verification)
- expect(json_response['token']).to eq(hook.token)
 end
 it "returns a 404 error if hook id is not available" do
@@ -90,6 +88,7 @@ describe API::API, 'ProjectHooks', api: true do
 expect do
 post api("/projects/#{project.id}/hooks", user), url: "http://example.com", issues_events: true
 end.to change {project.hooks.count}.by(1)
+ expect(response).to have_http_status(201)
 expect(json_response['url']).to eq('http://example.com')
 expect(json_response['issues_events']).to eq(true)
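Review bot: Deleting `expect(json_response.first['token']).to eq('S3cr3t')` from the index example leaves no assertion that the token is absent from the list response, so a regression that re-exposes it through GET /projects/:id/hooks would still pass this spec; the same gap applies to the show-hook hunk at `@@ -63,7 +62,6`. The POST and PUT examples added later in this commit do assert `expect(json_response).not_to include('token')`, and the read paths deserve the same negative check: `expect(json_response.first).not_to include('token')` here and `expect(json_response).not_to include('token')` in the show example. Both enclosing `it` blocks start outside the hunk.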
@@ -101,7 +100,24 @@ describe API::API, 'ProjectHooks', api: true do
 expect(json_response['pipeline_events']).to eq(false)
 expect(json_response['wiki_page_events']).to eq(false)
 expect(json_response['enable_ssl_verification']).to eq(true)
- expect(json_response['token']).to eq('S3cr3t')
+ expect(json_response).not_to include('token')
+ end
+
+ it "adds the token without including it in the response" do
+ token = "secret token"
+
+ expect do
+ post api("/projects/#{project.id}/hooks", user), url: "http://example.com", token: token
+ end.to change {project.hooks.count}.by(1)
+
+ expect(response).to have_http_status(201)
+ expect(json_response["url"]).to eq("http://example.com")
+ expect(json_response).not_to include("token")
+
+ hook = project.hooks.find(json_response["id"])
+
+ expect(hook.url).to eq("http://example.com")
+ expect(hook.token).to eq(token)
 end
 it "returns a 400 error if url not given" do
@@ -130,7 +146,19 @@ describe API::API, 'ProjectHooks', api: true do
 expect(json_response['pipeline_events']).to eq(hook.pipeline_events)
 expect(json_response['wiki_page_events']).to eq(hook.wiki_page_events)
 expect(json_response['enable_ssl_verification']).to eq(hook.enable_ssl_verification)
- expect(json_response['token']).to eq(hook.token)
+ end
+
+ it "adds the token without including it in the response" do
+ token = "secret token"
+
+ put api("/projects/#{project.id}/hooks/#{hook.id}", user), url: "http://example.org", token: token
+
+ expect(response).to have_http_status(200)
+ expect(json_response["url"]).to eq("http://example.org")
+ expect(json_response).not_to include("token")
+
+ expect(hook.reload.url).to eq("http://example.org")
+ expect(hook.reload.token).to eq(token)
 end
 it "returns 404 error if hook id not found" do
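Review bot: The PUT example at `@@ -130,7 +146,19 @@` reloads the hook twice, `hook.reload.url` and then `hook.reload.token`, which issues two reloads for a single state check; reload once and assert on the result: `hook.reload`, `expect(hook.url).to eq("http://example.org")`, `expect(hook.token).to eq(token)`. Since the token is now write-only and can no longer be read back through the API, a second update example that omits `token` and asserts the stored token is unchanged would pin down that an ordinary update does not clear it — the hunk does not show how the endpoint treats an omitted attribute, so this is a suggested addition rather than an observed defect. The enclosing `describe` block starts and ends outside the hunk.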