From b5e5d39c3ad4e7763d42b837738955f8ded4dcd3 Mon Sep 17 00:00:00 2001
From: Miguel Serrano <mserranom@users.noreply.github.com>
Date: Mon, 8 Jul 2024 15:39:33 +0200
Subject: [PATCH] [web] Tighten check for spelling language (#19297)

* [web] Tighten check for spelling language

* spelling proxy only for `/check` requests

GitOrigin-RevId: c678e93cca9ad39682ec7ce6e49804ea74741acc
---
 .../Features/Spelling/SpellingController.js   | 35 ++++------
 services/web/app/src/router.js                |  2 +-
 .../src/Spelling/SpellingControllerTests.js   | 68 +++++--------------
 3 files changed, 33 insertions(+), 72 deletions(-)

diff --git a/services/web/app/src/Features/Spelling/SpellingController.js b/services/web/app/src/Features/Spelling/SpellingController.js
index 59008378cd..cdf28f36d9 100644
--- a/services/web/app/src/Features/Spelling/SpellingController.js
+++ b/services/web/app/src/Features/Spelling/SpellingController.js
@@ -28,40 +28,33 @@ module.exports = {
     })
   },
 
-  proxyRequestToSpellingApi(req, res) {
+  proxyCheckRequestToSpellingApi(req, res) {
     const { language } = req.body
 
-    let url = req.url.slice('/spelling'.length)
+    if (!language) {
+      logger.error({}, '"language" field should be included for spell checking')
+      return res.status(422).json({ misspellings: [] })
+    }
 
-    if (url === '/check') {
-      if (!language) {
-        logger.error(
-          {},
-          '"language" field should be included for spell checking'
-        )
-        return res.status(422).json({ misspellings: [] })
-      }
-
-      if (!languageCodeIsSupported(language)) {
-        // this log statement can be changed to 'error' once projects with
-        // unsupported languages are removed from the DB
-        logger.debug({ language }, 'language not supported')
-        return res.status(422).json({ misspellings: [] })
-      }
+    if (!languageCodeIsSupported(language)) {
+      // this log statement can be changed to 'error' once projects with
+      // unsupported languages are removed from the DB
+      logger.debug({ language }, 'language not supported')
+      return res.status(422).json({ misspellings: [] })
     }
 
     const userId = SessionManager.getLoggedInUserId(req.session)
-    url = `/user/${userId}${url}`
+    const url = `${Settings.apis.spelling.url}/user/${userId}/check`
     req.headers.Host = Settings.apis.spelling.host
     return request({
-      url: Settings.apis.spelling.url + url,
-      method: req.method,
+      url,
+      method: 'POST',
       headers: req.headers,
       json: req.body,
       timeout: TEN_SECONDS,
     })
       .on('error', function (error) {
-        logger.error({ err: error }, 'Spelling API error')
+        logger.error({ err: error }, 'Spelling Check API error')
         return res.status(500).end()
       })
       .pipe(res)
diff --git a/services/web/app/src/router.js b/services/web/app/src/router.js
index d48900bda9..4a92dcd118 100644
--- a/services/web/app/src/router.js
+++ b/services/web/app/src/router.js
@@ -1083,7 +1083,7 @@ function initialize(webRouter, privateApiRouter, publicApiRouter) {
   webRouter.post(
     '/spelling/check',
     AuthenticationController.requireLogin(),
-    SpellingController.proxyRequestToSpellingApi
+    SpellingController.proxyCheckRequestToSpellingApi
   )
   webRouter.post(
     '/spelling/learn',
diff --git a/services/web/test/unit/src/Spelling/SpellingControllerTests.js b/services/web/test/unit/src/Spelling/SpellingControllerTests.js
index ef3fe2f53a..aee062c3c9 100644
--- a/services/web/test/unit/src/Spelling/SpellingControllerTests.js
+++ b/services/web/test/unit/src/Spelling/SpellingControllerTests.js
@@ -56,12 +56,12 @@ describe('SpellingController', function () {
     this.res = new MockResponse()
   })
 
-  describe('proxyRequestToSpellingApi', function () {
+  describe('proxyCheckRequestToSpellingApi', function () {
     describe('on successful call', function () {
       beforeEach(function () {
         this.req.session.user._id = this.userId = 'user-id-123'
         this.req.body = { language: 'en', words: ['blab'] }
-        this.controller.proxyRequestToSpellingApi(this.req, this.res)
+        this.controller.proxyCheckRequestToSpellingApi(this.req, this.res)
       })
 
       it('should send a request to the spelling host', function () {
@@ -89,35 +89,19 @@ describe('SpellingController', function () {
       beforeEach(function () {
         this.req.session.user._id = this.userId = 'user-id-123'
         this.req.body = { language: 'fi', words: ['blab'] }
+        this.controller.proxyCheckRequestToSpellingApi(this.req, this.res)
       })
 
-      describe('when the request is a check request', function () {
-        beforeEach(function () {
-          this.controller.proxyRequestToSpellingApi(this.req, this.res)
-        })
-
-        it('should not send a request to the spelling host', function () {
-          this.request.called.should.equal(false)
-        })
-
-        it('should return an empty misspellings array', function () {
-          this.res.json.calledWith({ misspellings: [] }).should.equal(true)
-        })
-
-        it('should return a 422 status', function () {
-          this.res.status.calledWith(422).should.equal(true)
-        })
+      it('should not send a request to the spelling host', function () {
+        this.request.called.should.equal(false)
       })
 
-      describe('when the request is not a check request', function () {
-        beforeEach(function () {
-          this.req.url = '/spelling/learn'
-          this.controller.proxyRequestToSpellingApi(this.req, this.res)
-        })
+      it('should return an empty misspellings array', function () {
+        this.res.json.calledWith({ misspellings: [] }).should.equal(true)
+      })
 
-        it('should send a request to the spelling host', function () {
-          this.request.called.should.equal(true)
-        })
+      it('should return a 422 status', function () {
+        this.res.status.calledWith(422).should.equal(true)
       })
     })
 
@@ -125,35 +109,19 @@ describe('SpellingController', function () {
       beforeEach(function () {
         this.req.session.user._id = this.userId = 'user-id-123'
         this.req.body = { words: ['blab'] }
+        this.controller.proxyCheckRequestToSpellingApi(this.req, this.res)
       })
 
-      describe('when the request is a check request', function () {
-        beforeEach(function () {
-          this.controller.proxyRequestToSpellingApi(this.req, this.res)
-        })
-
-        it('should not send a request to the spelling host', function () {
-          this.request.called.should.equal(false)
-        })
-
-        it('should return an empty misspellings array', function () {
-          this.res.json.calledWith({ misspellings: [] }).should.equal(true)
-        })
-
-        it('should return a 422 status', function () {
-          this.res.status.calledWith(422).should.equal(true)
-        })
+      it('should not send a request to the spelling host', function () {
+        this.request.called.should.equal(false)
       })
 
-      describe('when the request is not a check request', function () {
-        beforeEach(function () {
-          this.req.url = '/spelling/learn'
-          this.controller.proxyRequestToSpellingApi(this.req, this.res)
-        })
+      it('should return an empty misspellings array', function () {
+        this.res.json.calledWith({ misspellings: [] }).should.equal(true)
+      })
 
-        it('should send a request to the spelling host', function () {
-          this.request.called.should.equal(true)
-        })
+      it('should return a 422 status', function () {
+        this.res.status.calledWith(422).should.equal(true)
       })
     })
   })