
Add authorization for VBS API in copay controller (#12784)
Scott James authored May 26, 2023
1 parent 9eaf935 commit 5ecee59
Showing 4 changed files with 45 additions and 3 deletions.
13 changes: 13 additions & 0 deletions app/controllers/v0/medical_copays_controller.rb
@@ -5,6 +5,8 @@ class MedicalCopaysController < ApplicationController
before_action(except: :send_statement_notifications) { authorize :medical_copays, :access? }
before_action(only: :send_statement_notifications) { authorize :medical_copays, :access_notifications? }

before_action :authorize_vbs_api, only: [:send_statement_notifications]

skip_before_action :verify_authenticity_token, only: [:send_statement_notifications]
skip_before_action :authenticate, only: [:send_statement_notifications]
skip_after_action :set_csrf_header, only: [:send_statement_notifications]
@@ -36,6 +38,17 @@ def send_statement_notifications

private

def authorization_error
Common::Exceptions::Unauthorized.new(detail: 'Invalid API key')
end

def authorize_vbs_api
request_key = request.headers['apiKey']
raise authorization_error if request_key.blank?

raise authorization_error unless request_key == Settings.mcp.vbs_client_key
end

def statement_params
params.permit(:file_name)
end
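Review bot: The key check in `authorize_vbs_api` compares the caller-supplied header with the configured secret using `==`, which returns at the first differing byte and so leaks timing information about the shared key to whoever is probing the endpoint. Rails provides a constant-time comparison for exactly this case; the second raise should read `raise authorization_error unless ActiveSupport::SecurityUtils.secure_compare(request_key, Settings.mcp.vbs_client_key.to_s)`, where the `.to_s` keeps the guard failing closed when the setting is unset, since `secure_compare` expects two strings. A short why-comment above the method would help the next reader, e.g. `# Shared-secret check for the VBS callback; this action skips session authentication, so this is its only gate`, which reflects the `skip_before_action :authenticate` for the same action in the first hunk. The enclosing `MedicalCopaysController` class starts outside the hunk.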
1 change: 1 addition & 0 deletions config/settings.yml
@@ -90,6 +90,7 @@ dmc:
debts_endpoint: debt-letter/get

mcp:
vbs_client_key: abcd1234abcd1234abcd1234abcd1234abcd1234
vbs:
url: https://fake_url.com:9000
host: fake_url.com:9000
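Review bot: The default `vbs_client_key` added here is a fixed string committed to the repository, and the new controller filter accepts any request that presents it; unless every deployment overrides `mcp.vbs_client_key` in its environment-specific settings, the endpoint is gated by a value that is not secret. Shipping the default empty (`vbs_client_key: ~`) makes an un-overridden deployment fail closed, because the controller's `==` check then rejects every non-blank header, and the specs can stub the setting instead of sharing a literal with config. Whether such an override exists for the deployed environments is not visible in this diff.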
30 changes: 27 additions & 3 deletions spec/controllers/v0/medical_copays_controller_spec.rb
@@ -77,9 +77,33 @@
end

describe '#send_statement_notifications' do
it 'returns a success message when notifications are sent' do
post(:send_statement_notifications, params: { statements: [] })
expect(response).to have_http_status(:ok)
context 'client api is authorized' do
before do
request.headers['apiKey'] = 'abcd1234abcd1234abcd1234abcd1234abcd1234'
end

it 'returns a success message when notifications are sent' do
post(:send_statement_notifications, params: { statements: [] })
expect(response).to have_http_status(:ok)
end
end

context 'client api is unauthorzied' do
before do
request.headers['apiKey'] = 'bad-key'
end

it 'returns an unauthorized message when endpoint is reached' do
post(:send_statement_notifications, params: { statements: [] })
expect(response).to have_http_status(:unauthorized)
end
end

context 'request is missing api key header' do
it 'returns an unauthorized message when endpoint is reached' do
post(:send_statement_notifications, params: { statements: [] })
expect(response).to have_http_status(:unauthorized)
end
end
end
end
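Review bot: Both new contexts hard-code the key literal from config/settings.yml rather than reading the setting, so the authorized case breaks the moment the default is rotated or removed and the spec says nothing about where the value actually comes from; `request.headers['apiKey'] = Settings.mcp.vbs_client_key` in the first `before` block keeps the test tied to the real configuration (the same applies to the `let(:headers)` added in spec/requests/swagger_spec.rb). The context description `'client api is unauthorzied'` has a typo and should read `'client api is unauthorized'`. The missing-header context exercises the `blank?` branch of `authorize_vbs_api`, which is the right second negative case to keep.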
4 changes: 4 additions & 0 deletions spec/requests/swagger_spec.rb
@@ -670,6 +670,10 @@
end

context 'medical copays send_statement_notifications' do
let(:headers) do
{ '_headers' => { 'apiKey' => 'abcd1234abcd1234abcd1234abcd1234abcd1234' } }
end

it 'validates the route' do
expect(subject).to validate(
:post,
