From 9f7f3c6af07af8cf7d03a6eda7b18140104ac199 Mon Sep 17 00:00:00 2001
From: Grzegorz Zagata
Date: Mon, 13 Mar 2023 11:46:41 +0100
Subject: [PATCH] Change response from 400 Bad Request to 403 Forbidden if accessKey/sessionToken have bad format
---
 .../scala/com/ing/wbaa/rokku/sts/api/UserApi.scala | 13 +++++++++----
 .../com/ing/wbaa/rokku/sts/api/UserApiTest.scala | 14 +++-----------
 2 files changed, 12 insertions(+), 15 deletions(-)
diff --git a/src/main/scala/com/ing/wbaa/rokku/sts/api/UserApi.scala b/src/main/scala/com/ing/wbaa/rokku/sts/api/UserApi.scala
index e8518f7..3368b7c 100644
--- a/src/main/scala/com/ing/wbaa/rokku/sts/api/UserApi.scala
+++ b/src/main/scala/com/ing/wbaa/rokku/sts/api/UserApi.scala
@@ -26,8 +26,13 @@ trait UserApi extends JwtToken {
 implicit val userGroup: RootJsonFormat[UserGroup] = jsonFormat(UserGroup, "value")
 implicit val userInfoJsonFormat: RootJsonFormat[UserInfoToReturn] = jsonFormat5(UserInfoToReturn)
- def containsOnlyAlphanumeric(value: String): Boolean = {
- value.matches("""^[\w\d]*$""")
+ def containsOnlyAlphanumeric(value: String, errorMessage: String)(inner: Route)(implicit id: RequestId): Route = {
+ if (value.matches("""^[\w\d]*$""")) {
+ inner
+ } else {
+ logger.warn(errorMessage)
+ complete(StatusCodes.Forbidden, errorMessage)
+ }
 }
 def isCredentialActive: Route = logRequestResult("debug") {
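Review bot: The new else-branch, `logger.warn(errorMessage)` followed by `complete(StatusCodes.Forbidden, errorMessage)`, writes the caller-supplied message to the log and returns it verbatim in the response body, and at the call sites in the next hunk that message embeds the rejected accessKey or sessionToken — a credential value that has just failed the character check, so it can hold CR/LF or anything else. Neither the log nor the client needs the token itself to explain the rejection; keep the body generic, e.g. `complete(StatusCodes.Forbidden, "bad credential format")`, and log which parameter failed rather than its value. Separately, `\w` already matches `[A-Za-z0-9_]`, so `^[\w\d]*$` is the same as `^\w*$` and admits underscores and the empty string; if the method name is meant literally, `^[A-Za-z0-9]*$` is the accurate pattern. The `implicit id: RequestId` parameter is not referenced in the visible body; presumably `logger.warn` takes it implicitly, otherwise it is unused.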
@@ -42,8 +47,8 @@ trait UserApi extends JwtToken {
 verifyInternalToken(bearerToken) {
 parameters("accessKey", "sessionToken".?) { (accessKey, sessionToken) =>
- validate(containsOnlyAlphanumeric(accessKey), s"bad accessKey format=$accessKey") {
- validate(containsOnlyAlphanumeric(sessionToken getOrElse ""), s"bad sessionToken format=${sessionToken.get}") {
+ containsOnlyAlphanumeric(accessKey, s"bad accessKey format=$accessKey") {
+ containsOnlyAlphanumeric(sessionToken getOrElse "", s"bad sessionToken format=${sessionToken.get}") {
 onSuccess(isCredentialActive(AwsAccessKey(accessKey), sessionToken.map(AwsSessionToken))) {
 case Some(userInfo) =>
diff --git a/src/test/scala/com/ing/wbaa/rokku/sts/api/UserApiTest.scala b/src/test/scala/com/ing/wbaa/rokku/sts/api/UserApiTest.scala
index 6401436..a6c88c8 100644
--- a/src/test/scala/com/ing/wbaa/rokku/sts/api/UserApiTest.scala
+++ b/src/test/scala/com/ing/wbaa/rokku/sts/api/UserApiTest.scala
@@ -3,7 +3,7 @@ package com.ing.wbaa.rokku.sts.api
 import akka.actor.ActorSystem
 import akka.http.scaladsl.model.StatusCodes
 import akka.http.scaladsl.model.headers.RawHeader
-import akka.http.scaladsl.server.{ MissingHeaderRejection, MalformedHeaderRejection, AuthorizationFailedRejection, MissingQueryParamRejection, ValidationRejection, Route }
+import akka.http.scaladsl.server.{ MissingHeaderRejection, MalformedHeaderRejection, AuthorizationFailedRejection, MissingQueryParamRejection, Route }
 import akka.http.scaladsl.testkit.ScalatestRouteTest
 import com.auth0.jwt.JWT
 import com.auth0.jwt.algorithms.Algorithm
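Review bot: `${sessionToken.get}` in the new `containsOnlyAlphanumeric(sessionToken getOrElse "", s"bad sessionToken format=${sessionToken.get}")` line is evaluated eagerly — `errorMessage` is a plain `String` parameter and an `s"..."` interpolation is strict — so a request that omits the optional `sessionToken` parameter throws `NoSuchElementException` while the route is being built, before the check ever runs, instead of letting the empty value pass. The old `validate(...)` line had the same flaw, but this commit rewrites the line and keeps it. Use `${sessionToken.getOrElse("")}` in the message, or make the directive's parameter by-name (`errorMessage: => String`) so the message is only built when the check fails. The enclosing route definition starts and ends outside the hunk on both sides.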
@@ -102,22 +102,14 @@ class UserApiTest extends AnyWordSpec
 "check credential and return status bad request because the accessKey contains non-alphanumeric characters" in {
 Get(s"/isCredentialActive?accessKey=access-key!with@special*characters&sessionToken=session")
 .addHeader(RawHeader("Authorization", generateBearerToken())) ~> testRoute ~> check {
- assert(rejection == ValidationRejection("bad accessKey format=access-key!with@special*characters"))
- }
- Get(s"/isCredentialActive?accessKey=access-key!with@special*characters&sessionToken=session")
- .addHeader(RawHeader("Authorization", generateBearerToken())) ~> Route.seal(testRoute) ~> check {
- assert(status == StatusCodes.BadRequest)
+ assert(status == StatusCodes.Forbidden)
 }
 }
 "check credential and return status bad request because the sessionToken contains non-alphanumeric characters" in {
 Get(s"/isCredentialActive?accessKey=access&sessionToken=session!with@special*characters")
 .addHeader(RawHeader("Authorization", generateBearerToken())) ~> testRoute ~> check {
- assert(rejection == ValidationRejection("bad sessionToken format=session!with@special*characters"))
- }
- Get(s"/isCredentialActive?accessKey=access&sessionToken=session!with@special*characters")
- .addHeader(RawHeader("Authorization", generateBearerToken())) ~> Route.seal(testRoute) ~> check {
- assert(status == StatusCodes.BadRequest)
+ assert(status == StatusCodes.Forbidden)
 }
 }
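Review bot: Both test names still read `"check credential and return status bad request because ..."` while the assertions now expect `StatusCodes.Forbidden`, so a failure report would describe the opposite of what is checked; rename them to `"check credential and return status forbidden because the accessKey contains non-alphanumeric characters"` and likewise for the sessionToken case. Dropping the `Route.seal` variant is consistent with the directive now completing instead of rejecting. A request with a well-formed accessKey and no `sessionToken` at all is not exercised in this hunk; if the rest of the file does not cover it either, it is worth a case, since the route's message still calls `sessionToken.get`.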