Merge pull request #16979 from overleaf/jpa-join-project-remove-sl-1

[misc] joinProject: pass userId and anonymous access token in body 1/2 GitOrigin-RevId: 5d7832246c7262c004c2cd465d62488384b35ee3
2024-11-21 20:47:08 -05:00 · 2024-02-09 11:26:16 +00:00 · 2024-02-09 11:26:16 +00:00 · 974069bf1c
commit 974069bf1c
parent 19ba6c6a15
9 changed files with 165 additions and 6 deletions
--- a/package-lock.json
+++ b/package-lock.json
@ -45571,6 +45571,7 @@
        "mocha": "^10.2.0",
        "sandboxed-module": "~0.3.0",
        "sinon": "^9.2.4",
        "sinon-chai": "^3.7.0",
        "timekeeper": "0.0.4",
        "typescript": "^5.0.4",
        "uid-safe": "^2.1.5"
@ -54587,6 +54588,7 @@
        "request": "^2.88.2",
        "sandboxed-module": "~0.3.0",
        "sinon": "^9.2.4",
        "sinon-chai": "^3.7.0",
        "socket.io": "github:overleaf/socket.io#0.9.19-overleaf-10",
        "socket.io-client": "github:overleaf/socket.io-client#0.9.17-overleaf-5",
        "timekeeper": "0.0.4",
--- a/services/real-time/app/js/WebApiManager.js
+++ b/services/real-time/app/js/WebApiManager.js
@ -27,7 +27,10 @@ module.exports = {
          pass: settings.apis.web.pass,
          sendImmediately: true,
        },
-        json: true,
+        json: {
          userId,
          anonymousAccessToken: user.anonymousAccessToken,
        },
        jar: false,
        headers,
      },
--- a/services/real-time/package.json
+++ b/services/real-time/package.json
@ -44,6 +44,7 @@
    "mocha": "^10.2.0",
    "sandboxed-module": "~0.3.0",
    "sinon": "^9.2.4",
    "sinon-chai": "^3.7.0",
    "timekeeper": "0.0.4",
    "typescript": "^5.0.4",
    "uid-safe": "^2.1.5"
--- a/services/real-time/test/setup.js
+++ b/services/real-time/test/setup.js
@ -1,9 +1,13 @@
 const chai = require('chai')
 const SandboxedModule = require('sandboxed-module')
 const sinon = require('sinon')
 const chaiAsPromised = require('chai-as-promised')
 const sinonChai = require('sinon-chai')
 // Chai configuration
 chai.should()
 chai.use(chaiAsPromised)
 chai.use(sinonChai)
 // Global stubs
 const sandbox = sinon.createSandbox()
--- a/services/real-time/test/unit/js/WebApiManagerTests.js
+++ b/services/real-time/test/unit/js/WebApiManagerTests.js
@ -68,7 +68,10 @@ describe('WebApiManager', function () {
              pass: this.settings.apis.web.pass,
              sendImmediately: true,
            },
-            json: true,
+            json: {
              userId: this.user_id,
              anonymousAccessToken: undefined,
            },
            jar: false,
            headers: {},
          })
@ -91,6 +94,65 @@ describe('WebApiManager', function () {
      })
    })
    describe('with anon user', function () {
      beforeEach(function () {
        this.user_id = 'anonymous-user'
        this.token = 'a-ro-token'
        this.user = {
          _id: this.user_id,
          anonymousAccessToken: this.token,
        }
        this.response = {
          project: { name: 'Test project' },
          privilegeLevel: 'readOnly',
          isRestrictedUser: true,
          isTokenMember: false,
          isInvitedMember: false,
        }
        this.request.post = sinon
          .stub()
          .yields(null, { statusCode: 200 }, this.response)
        this.WebApiManager.joinProject(
          this.project_id,
          this.user,
          this.callback
        )
      })
      it('should send a request to web to join the project', function () {
        this.request.post.should.have.been.calledWith({
          url: `${this.settings.apis.web.url}/project/${this.project_id}/join`,
          qs: {
            user_id: this.user_id,
          },
          auth: {
            user: this.settings.apis.web.user,
            pass: this.settings.apis.web.pass,
            sendImmediately: true,
          },
          json: {
            userId: this.user_id,
            anonymousAccessToken: this.token,
          },
          jar: false,
          headers: { 'x-sl-anonymous-access-token': this.token },
        })
      })
      it('should return the project, privilegeLevel, and restricted flag', function () {
        this.callback.should.have.been.calledWith(
          null,
          this.response.project,
          this.response.privilegeLevel,
          {
            isRestrictedUser: this.response.isRestrictedUser,
            isTokenMember: this.response.isTokenMember,
            isInvitedMember: this.response.isInvitedMember,
          }
        )
      })
    })
    describe('when web replies with a 403', function () {
      beforeEach(function () {
        this.request.post = sinon
--- a/services/web/app/src/Features/Editor/EditorHttpController.js
+++ b/services/web/app/src/Features/Editor/EditorHttpController.js
@ -57,7 +57,7 @@ const unsupportedSpellcheckLanguages = [
 async function joinProject(req, res, next) {
  const projectId = req.params.Project_id
-  let userId = req.query.user_id // keep schema in sync with router
+  let userId = req.body.userId || req.query.user_id // keep schema in sync with router
  if (userId === 'anonymous-user') {
    userId = null
  }
@ -177,7 +177,8 @@ async function _buildJoinProjectView(req, projectId, userId) {
    await CollaboratorsGetter.promises.getInvitedMembersWithPrivilegeLevels(
      projectId
    )
-  const token = req.headers['x-sl-anonymous-access-token']
+  const token =
    req.body.anonymousAccessToken || req.headers['x-sl-anonymous-access-token']
  const privilegeLevel =
    await AuthorizationManager.promises.getPrivilegeLevelForProject(
      userId,
--- a/services/web/app/src/Features/Editor/EditorRouter.js
+++ b/services/web/app/src/Features/Editor/EditorRouter.js
@ -71,7 +71,7 @@ module.exports = {
      RateLimiterMiddleware.rateLimit(rateLimiters.joinProject, {
        params: ['Project_id'],
        // keep schema in sync with controller
-        getUserId: req => req.query.user_id,
+        getUserId: req => req.body.userId || req.query.user_id,
      }),
      EditorHttpController.joinProject
    )
--- a/services/web/test/acceptance/src/TokenAccessTests.js
+++ b/services/web/test/acceptance/src/TokenAccessTests.js
@ -160,7 +160,15 @@ const _doTryTokenAccept = (
  })
 }
-const tryContentAccess = (user, projcetId, test, callback) => {
+const tryContentAccess = (user, projectId, test, callback) => {
  tryContentAccessQuery(user, projectId, test, err1 => {
    tryContentAccessBody(user, projectId, test, err2 => {
      callback(err1 || err2)
    })
  })
 }
 const tryContentAccessQuery = (user, projcetId, test, callback) => {
  // The real-time service calls this end point to determine the user's
  // permissions.
  let userId
@ -191,7 +199,47 @@ const tryContentAccess = (user, projcetId, test, callback) => {
  )
 }
 const tryContentAccessBody = (user, projcetId, test, callback) => {
  // The real-time service calls this end point to determine the user's
  // permissions.
  let userId
  if (user.id != null) {
    userId = user.id
  } else {
    userId = 'anonymous-user'
  }
  request.post(
    {
      url: `/project/${projcetId}/join`,
      auth: {
        user: settings.apis.web.user,
        pass: settings.apis.web.pass,
        sendImmediately: true,
      },
      json: {
        userId,
      },
      jar: false,
    },
    (error, response, body) => {
      if (error != null) {
        return callback(error)
      }
      test(response, body)
      callback()
    }
  )
 }
 const tryAnonContentAccess = (user, projectId, token, test, callback) => {
  tryAnonContentAccessHeader(user, projectId, token, test, err1 => {
    tryAnonContentAccessBody(user, projectId, token, test, err2 => {
      callback(err1 || err2)
    })
  })
 }
 const tryAnonContentAccessHeader = (user, projectId, token, test, callback) => {
  // The real-time service calls this end point to determine the user's
  // permissions.
  let userId
@ -225,6 +273,39 @@ const tryAnonContentAccess = (user, projectId, token, test, callback) => {
  )
 }
 const tryAnonContentAccessBody = (user, projectId, token, test, callback) => {
  // The real-time service calls this end point to determine the user's
  // permissions.
  let userId
  if (user.id != null) {
    userId = user.id
  } else {
    userId = 'anonymous-user'
  }
  request.post(
    {
      url: `/project/${projectId}/join`,
      auth: {
        user: settings.apis.web.user,
        pass: settings.apis.web.pass,
        sendImmediately: true,
      },
      json: {
        userId,
        anonymousAccessToken: token,
      },
      jar: false,
    },
    (error, response, body) => {
      if (error != null) {
        return callback(error)
      }
      test(response, body)
      callback()
    }
  )
 }
 const tryFetchProjectTokens = (user, projectId, callback) => {
  user.request.get(
    { url: `/project/${projectId}/tokens`, json: true },
--- a/services/web/test/unit/src/Editor/EditorHttpControllerTests.js
+++ b/services/web/test/unit/src/Editor/EditorHttpControllerTests.js
@ -167,6 +167,7 @@ describe('EditorHttpController', function () {
    beforeEach(function () {
      this.req.params = { Project_id: this.project._id }
      this.req.query = { user_id: this.user._id }
      this.req.body = { userId: this.user._id }
    })
    describe('successfully', function () {
@ -251,6 +252,10 @@ describe('EditorHttpController', function () {
      beforeEach(function (done) {
        this.token = 'token'
        this.TokenAccessHandler.getRequestToken.returns(this.token)
        this.req.body = {
          userId: 'anonymous-user',
          anonymousAccessToken: this.token,
        }
        this.req.query = { user_id: 'anonymous-user' }
        this.req.headers = { 'x-sl-anonymous-access-token': this.token }
        this.res.callback = done