Reject login/out GETs with 405 response. (#2846)

2023-03-21 16:34:54 -07:00 · 2023-03-21 16:34:54 -07:00 · 0189c08ce2
--- a/api/features_api_test.py
+++ b/api/features_api_test.py
@ -220,25 +220,25 @@ class FeaturesAPITestGet_NewSchema(testing_config.CustomTestCase):
    url = self.request_path + '?start=bad'
    with test_app.test_request_context(url):
      with self.assertRaises(werkzeug.exceptions.BadRequest):
-        actual = self.handler.do_get()
+        self.handler.do_get()

    # Malformed num parameter
    url = self.request_path + '?num=bad'
    with test_app.test_request_context(url):
      with self.assertRaises(werkzeug.exceptions.BadRequest):
-        actual = self.handler.do_get()
+        self.handler.do_get()

    # User wants a negative number of results
    url = self.request_path + '?num=-1'
    with test_app.test_request_context(url):
      with self.assertRaises(werkzeug.exceptions.BadRequest):
-        actual = self.handler.do_get()
+        self.handler.do_get()

    # User wants a negative offset
    url = self.request_path + '?start=-1'
    with test_app.test_request_context(url):
      with self.assertRaises(werkzeug.exceptions.BadRequest):
-        actual = self.handler.do_get()
+        self.handler.do_get()

  def test_get__all_unlisted_no_perms(self):
    """JSON feed does not include unlisted features for users who can't edit."""
@ -447,18 +447,16 @@ class FeaturesAPITestGet_OldSchema(testing_config.CustomTestCase):
    self.assertEqual(0, actual['total_count'])
    self.assertEqual(0, len(actual['features_by_type']['Enabled by default']))

-  @mock.patch('flask.abort')
-  def test_get__in_milestone_invalid_query(self, mock_abort):
+  def test_get__in_milestone_invalid_query(self):
    """Invalid value of milestone should not be processed."""
-    mock_abort.side_effect = werkzeug.exceptions.BadRequest
-
-    # Feature is present in milestone
    with test_app.test_request_context(
        self.request_path+'?milestone=chromium'):
-      with self.assertRaises(werkzeug.exceptions.BadRequest):
-        actual = self.handler.do_get()
-        mock_abort.assert_called_once_with(
-            400, msg="Request parameter 'milestone' was not an int")
+      with self.assertRaises(werkzeug.exceptions.BadRequest) as cm:
+        self.handler.do_get()
+      self.assertEqual(400, cm.exception.code)
+      self.assertEqual(
+          "Request parameter 'milestone' was not an int",
+          cm.exception.description)

  def test_get__specific_id__found(self):
    """JSON feed has just the feature requested."""
--- a/api/login_api.py
+++ b/api/login_api.py
@ -26,6 +26,10 @@ import settings
 class LoginAPI(basehandlers.APIHandler):
  """Create a session using the credential generated by Sign-In With Google."""

+  def do_get(self, **kwargs):
+    """Reject unneeded GET requests without triggering Error Reporting."""
+    self.abort(405, valid_methods=['POST'])
+
  def do_post(self, **kwargs):
    # TODO(jrobbins): Remove id_token after next deployment.
    token = (self.get_param('id_token', required=False) or
--- a/api/login_api_test.py
+++ b/api/login_api_test.py
@ -32,6 +32,12 @@ class LoginAPITest(testing_config.CustomTestCase):
    self.handler = login_api.LoginAPI()
    self.request_path = '/api/v0/login'

+  def test_get(self):
+    """We reject all GETs to this endpoint."""
+    with test_app.test_request_context(self.request_path):
+      with self.assertRaises(werkzeug.exceptions.MethodNotAllowed):
+        self.handler.do_get()
+
  def test_post__missing_credential_token(self):
    """We reject login requests that don't have any credential_token."""
    params = {}
--- a/api/logout_api.py
+++ b/api/logout_api.py
@ -23,6 +23,10 @@ from framework import basehandlers
 class LogoutAPI(basehandlers.APIHandler):
  """Clear the session when the user signs out."""

+  def do_get(self, **kwargs):
+    """Reject unneeded GET requests without triggering Error Reporting."""
+    self.abort(405, valid_methods=['POST'])
+
  def do_post(self, **kwargs):
    session.clear()
    return {'message': 'Done'}
--- a/api/logout_api_test.py
+++ b/api/logout_api_test.py
@ -31,6 +31,12 @@ class LogoutAPITest(testing_config.CustomTestCase):
    self.handler = logout_api.LogoutAPI()
    self.request_path = '/api/v0/logout'

+  def test_get(self):
+    """We reject all GETs to this endpoint."""
+    with test_app.test_request_context(self.request_path):
+      with self.assertRaises(werkzeug.exceptions.MethodNotAllowed):
+        self.handler.do_get()
+
  def test_post__normal(self):
    """We log out the user whenever they request that."""
    params = {}