handle auth in qp

akto-api-security · Sep 10, 2024 · 50a28f9 · 50a28f9
1 parent 00f90f0
commit 50a28f9
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 2 deletions.
diff --git a/apps/api-runtime/src/main/java/com/akto/runtime/policies/AuthPolicy.java b/apps/api-runtime/src/main/java/com/akto/runtime/policies/AuthPolicy.java
@@ -5,6 +5,7 @@
 import com.akto.dto.HttpResponseParams;
 import com.akto.dto.runtime_filters.RuntimeFilter;
 import com.akto.dto.type.KeyTypes;
+import com.akto.dto.type.RequestTemplate;
 import com.akto.util.JSONUtils;
 
 import com.mongodb.BasicDBObject;
@@ -84,7 +85,19 @@ public static boolean findAuthType(HttpResponseParams httpResponseParams, ApiInf
             if(!customAuthTypePayloadKeys.isEmpty() ){
                 BasicDBObject flattenedPayload = null;
                 try{
-                    BasicDBObject basicDBObject = BasicDBObject.parse(httpResponseParams.getRequestParams().getPayload());
+                    BasicDBObject basicDBObject = new BasicDBObject();
+                    try {
+                        basicDBObject = BasicDBObject.parse(httpResponseParams.getRequestParams().getPayload());   
+                    } catch (Exception e) {
+                        // TODO: handle exception
+                    }
+                    BasicDBObject queryParamObj = new BasicDBObject();
+                    try {
+                        queryParamObj = RequestTemplate.getQueryJSON(httpResponseParams.getRequestParams().getURL());
+                    } catch (Exception e) {
+                        // TODO: handle exception
+                    }
+                    basicDBObject.putAll(queryParamObj.toMap());
                     flattenedPayload = JSONUtils.flattenWithDots(basicDBObject);
                 } catch (Exception e){
                 }
@@ -133,7 +146,6 @@ public static boolean findAuthType(HttpResponseParams httpResponseParams, ApiInf
                 }
             }
         }
-
         boolean returnValue = false;
         if (authTypes.isEmpty()) {
             authTypes.add(ApiInfo.AuthType.UNAUTHENTICATED);

diff --git a/apps/testing/src/main/java/com/akto/test_editor/auth/AuthValidator.java b/apps/testing/src/main/java/com/akto/test_editor/auth/AuthValidator.java
@@ -89,6 +89,7 @@ public static ExecutionResult checkAuth(Auth auth, RawApi rawApi, TestingRunConf
             List<String> customAuthTypePayloadKeys = customAuthType.getPayloadKeys();
             for (String payloadAuthKey: customAuthTypePayloadKeys) {
                 Operations.deleteBodyParam(rawApi, payloadAuthKey);
+                Operations.deleteQueryParam(rawApi, payloadAuthKey).getErrMsg().isEmpty();
             }
         }
 

diff --git a/apps/testing/src/main/java/com/akto/test_editor/execution/Executor.java b/apps/testing/src/main/java/com/akto/test_editor/execution/Executor.java
@@ -440,6 +440,7 @@ private static boolean removeAuthIfNotChanged(RawApi originalRawApi, RawApi test
         for (String payloadAuthKey: authBodyParams) {
             if (unchangedBodyKeys.contains(payloadAuthKey)) {
                 removed = Operations.deleteBodyParam(testRawApi, payloadAuthKey).getErrMsg().isEmpty() || removed;
+                removed = Operations.deleteQueryParam(testRawApi, authMechanismHeaderKey).getErrMsg().isEmpty() || removed;
             }
         }
 
@@ -457,7 +458,9 @@ private static boolean removeCustomAuth(RawApi rawApi, List<CustomAuthType> cust
             List<String> customAuthTypePayloadKeys = customAuthType.getPayloadKeys();
             for (String payloadAuthKey: customAuthTypePayloadKeys) {
                 removed = Operations.deleteBodyParam(rawApi, payloadAuthKey).getErrMsg().isEmpty() || removed;
+                removed = Operations.deleteQueryParam(rawApi, payloadAuthKey).getErrMsg().isEmpty() || removed;
             }
+
         }
         return removed;
     }