Merge pull request #16980 from overleaf/jpa-join-project-remove-sl-2

[misc] joinProject: pass userId and anonymous access token in body 2/2 GitOrigin-RevId: b1a11941a6d9c7cc779769d1e97d3a0f03bed610
2025-04-08 18:40:35 +00:00 · 2024-02-12 10:37:06 +00:00 · 2024-02-12 10:37:06 +00:00 · 385d3f9c1b
commit 385d3f9c1b
parent 8523c21158
11 changed files with 18 additions and 112 deletions
--- a/services/real-time/app/js/WebApiManager.js
+++ b/services/real-time/app/js/WebApiManager.js
@ -14,14 +14,9 @@ module.exports = {
    const userId = user._id
    logger.debug({ projectId, userId }, 'sending join project request to web')
    const url = `${settings.apis.web.url}/project/${projectId}/join`
-    const headers = {}
-    if (user.anonymousAccessToken) {
-      headers['x-sl-anonymous-access-token'] = user.anonymousAccessToken
-    }
    request.post(
      {
        url,
-        qs: { user_id: userId },
        auth: {
          user: settings.apis.web.user,
          pass: settings.apis.web.pass,
@ -32,7 +27,6 @@ module.exports = {
          anonymousAccessToken: user.anonymousAccessToken,
        },
        jar: false,
-        headers,
      },
      function (error, response, data) {
        if (error) {
--- a/services/real-time/test/acceptance/js/helpers/MockWebServer.js
+++ b/services/real-time/test/acceptance/js/helpers/MockWebServer.js
@ -12,6 +12,7 @@
 let MockWebServer
 const sinon = require('sinon')
 const express = require('express')
+const bodyParser = require('body-parser')

 module.exports = MockWebServer = {
  projects: {},
@ -43,8 +44,7 @@ module.exports = MockWebServer = {

  joinProjectRequest(req, res, next) {
    const { project_id: projectId } = req.params
-    const { user_id: userId } = req.query
-    const { 'x-sl-anonymous-access-token': anonymousAccessToken } = req.headers
+    const { anonymousAccessToken, userId } = req.body
    if (projectId === '404404404404404404404404') {
      // not-found
      return res.status(404).send()
@ -89,6 +89,7 @@ module.exports = MockWebServer = {
      return callback()
    }
    const app = express()
+    app.use(bodyParser.json())
    app.post('/project/:project_id/join', MockWebServer.joinProjectRequest)
    return app
      .listen(3000, error => {
--- a/services/real-time/test/unit/js/WebApiManagerTests.js
+++ b/services/real-time/test/unit/js/WebApiManagerTests.js
@ -60,9 +60,6 @@ describe('WebApiManager', function () {
        return this.request.post
          .calledWith({
            url: `${this.settings.apis.web.url}/project/${this.project_id}/join`,
-            qs: {
-              user_id: this.user_id,
-            },
            auth: {
              user: this.settings.apis.web.user,
              pass: this.settings.apis.web.pass,
@ -73,7 +70,6 @@ describe('WebApiManager', function () {
              anonymousAccessToken: undefined,
            },
            jar: false,
-            headers: {},
          })
          .should.equal(true)
      })
@ -122,9 +118,6 @@ describe('WebApiManager', function () {
      it('should send a request to web to join the project', function () {
        this.request.post.should.have.been.calledWith({
          url: `${this.settings.apis.web.url}/project/${this.project_id}/join`,
-          qs: {
-            user_id: this.user_id,
-          },
          auth: {
            user: this.settings.apis.web.user,
            pass: this.settings.apis.web.pass,
@ -135,7 +128,6 @@ describe('WebApiManager', function () {
            anonymousAccessToken: this.token,
          },
          jar: false,
-          headers: { 'x-sl-anonymous-access-token': this.token },
        })
      })

--- a/services/web/app/src/Features/Editor/EditorHttpController.js
+++ b/services/web/app/src/Features/Editor/EditorHttpController.js
@ -57,7 +57,7 @@ const unsupportedSpellcheckLanguages = [

 async function joinProject(req, res, next) {
  const projectId = req.params.Project_id
-  let userId = req.body.userId || req.query.user_id // keep schema in sync with router
+  let userId = req.body.userId // keep schema in sync with router
  if (userId === 'anonymous-user') {
    userId = null
  }
@ -177,8 +177,7 @@ async function _buildJoinProjectView(req, projectId, userId) {
    await CollaboratorsGetter.promises.getInvitedMembersWithPrivilegeLevels(
      projectId
    )
-  const token =
-    req.body.anonymousAccessToken || req.headers['x-sl-anonymous-access-token']
+  const token = req.body.anonymousAccessToken
  const privilegeLevel =
    await AuthorizationManager.promises.getPrivilegeLevelForProject(
      userId,
--- a/services/web/app/src/Features/Editor/EditorRouter.js
+++ b/services/web/app/src/Features/Editor/EditorRouter.js
@ -3,6 +3,7 @@ const AuthenticationController = require('../Authentication/AuthenticationContro
 const AuthorizationMiddleware = require('../Authorization/AuthorizationMiddleware')
 const { RateLimiter } = require('../../infrastructure/RateLimiter')
 const RateLimiterMiddleware = require('../Security/RateLimiterMiddleware')
+const { validate, Joi } = require('../../infrastructure/Validation')

 const rateLimiters = {
  addDocToProject: new RateLimiter('add-doc-to-project', {
@ -71,7 +72,13 @@ module.exports = {
      RateLimiterMiddleware.rateLimit(rateLimiters.joinProject, {
        params: ['Project_id'],
        // keep schema in sync with controller
-        getUserId: req => req.body.userId || req.query.user_id,
+        getUserId: req => req.body.userId,
+      }),
+      validate({
+        body: Joi.object({
+          userId: Joi.string().required(),
+          anonymousAccessToken: Joi.string().optional(),
+        }),
      }),
      EditorHttpController.joinProject
    )
--- a/services/web/test/acceptance/src/AuthorizationTests.js
+++ b/services/web/test/acceptance/src/AuthorizationTests.js
@ -166,13 +166,12 @@ function tryContentAccess(user, projectId, test, callback) {
  request.post(
    {
      url: `/project/${projectId}/join`,
-      qs: { user_id: userId },
      auth: {
        user: settings.apis.web.user,
        pass: settings.apis.web.pass,
        sendImmediately: true,
      },
-      json: true,
+      json: { userId },
      jar: false,
    },
    (error, response, body) => {
--- a/services/web/test/acceptance/src/ProjectFeaturesTests.js
+++ b/services/web/test/acceptance/src/ProjectFeaturesTests.js
@ -20,13 +20,12 @@ const joinProject = (userId, projectId, callback) =>
  request.post(
    {
      url: `/project/${projectId}/join`,
-      qs: { user_id: userId },
      auth: {
        user: settings.apis.web.user,
        pass: settings.apis.web.pass,
        sendImmediately: true,
      },
-      json: true,
+      json: { userId },
      jar: false,
    },
    callback
--- a/services/web/test/acceptance/src/ProjectInviteTests.js
+++ b/services/web/test/acceptance/src/ProjectInviteTests.js
@ -174,13 +174,12 @@ const tryJoinProject = (user, projectId, callback) => {
    user.request.post(
      {
        url: `/project/${projectId}/join`,
-        qs: { user_id: user._id },
        auth: {
          user: settings.apis.web.user,
          pass: settings.apis.web.pass,
          sendImmediately: true,
        },
-        json: true,
+        json: { userId: user._id },
        jar: false,
      },
      callback
--- a/services/web/test/acceptance/src/TokenAccessTests.js
+++ b/services/web/test/acceptance/src/TokenAccessTests.js
@ -160,46 +160,7 @@ const _doTryTokenAccept = (
  })
 }

-const tryContentAccess = (user, projectId, test, callback) => {
-  tryContentAccessQuery(user, projectId, test, err1 => {
-    tryContentAccessBody(user, projectId, test, err2 => {
-      callback(err1 || err2)
-    })
-  })
-}
-
-const tryContentAccessQuery = (user, projcetId, test, callback) => {
-  // The real-time service calls this end point to determine the user's
-  // permissions.
-  let userId
-  if (user.id != null) {
-    userId = user.id
-  } else {
-    userId = 'anonymous-user'
-  }
-  request.post(
-    {
-      url: `/project/${projcetId}/join`,
-      qs: { user_id: userId },
-      auth: {
-        user: settings.apis.web.user,
-        pass: settings.apis.web.pass,
-        sendImmediately: true,
-      },
-      json: true,
-      jar: false,
-    },
-    (error, response, body) => {
-      if (error != null) {
-        return callback(error)
-      }
-      test(response, body)
-      callback()
-    }
-  )
-}
-
-const tryContentAccessBody = (user, projcetId, test, callback) => {
+const tryContentAccess = (user, projcetId, test, callback) => {
  // The real-time service calls this end point to determine the user's
  // permissions.
  let userId
@ -232,48 +193,6 @@ const tryContentAccessBody = (user, projcetId, test, callback) => {
 }

 const tryAnonContentAccess = (user, projectId, token, test, callback) => {
-  tryAnonContentAccessHeader(user, projectId, token, test, err1 => {
-    tryAnonContentAccessBody(user, projectId, token, test, err2 => {
-      callback(err1 || err2)
-    })
-  })
-}
-
-const tryAnonContentAccessHeader = (user, projectId, token, test, callback) => {
-  // The real-time service calls this end point to determine the user's
-  // permissions.
-  let userId
-  if (user.id != null) {
-    userId = user.id
-  } else {
-    userId = 'anonymous-user'
-  }
-  request.post(
-    {
-      url: `/project/${projectId}/join`,
-      qs: { user_id: userId },
-      auth: {
-        user: settings.apis.web.user,
-        pass: settings.apis.web.pass,
-        sendImmediately: true,
-      },
-      headers: {
-        'x-sl-anonymous-access-token': token,
-      },
-      json: true,
-      jar: false,
-    },
-    (error, response, body) => {
-      if (error != null) {
-        return callback(error)
-      }
-      test(response, body)
-      callback()
-    }
-  )
-}
-
-const tryAnonContentAccessBody = (user, projectId, token, test, callback) => {
  // The real-time service calls this end point to determine the user's
  // permissions.
  let userId
--- a/services/web/test/acceptance/src/helpers/User.js
+++ b/services/web/test/acceptance/src/helpers/User.js
@ -680,13 +680,12 @@ class User {
    this.request.post(
      {
        url: `/project/${projectId}/join`,
-        qs: { user_id: this._id },
        auth: {
          user: settings.apis.web.user,
          pass: settings.apis.web.pass,
          sendImmediately: true,
        },
-        json: true,
+        json: { userId: this._id },
        jar: false,
      },
      (error, response, body) => {
--- a/services/web/test/unit/src/Editor/EditorHttpControllerTests.js
+++ b/services/web/test/unit/src/Editor/EditorHttpControllerTests.js
@ -256,8 +256,6 @@ describe('EditorHttpController', function () {
          userId: 'anonymous-user',
          anonymousAccessToken: this.token,
        }
-        this.req.query = { user_id: 'anonymous-user' }
-        this.req.headers = { 'x-sl-anonymous-access-token': this.token }
        this.res.callback = done
        this.AuthorizationManager.isRestrictedUser
          .withArgs(null, 'readOnly', false, false)