Use expect for api/v1 and api/web push subs controllers (#33682)

2025-01-23 18:41:42 +01:00 · 2025-01-22 09:55:44 -05:00 · 2025-01-22 09:55:44 -05:00 · 607f65a0a5
commit 607f65a0a5
parent b18caff5b6
4 changed files with 42 additions and 4 deletions
--- a/app/controllers/api/v1/push/subscriptions_controller.rb
+++ b/app/controllers/api/v1/push/subscriptions_controller.rb
@ -56,12 +56,12 @@ class Api::V1::Push::SubscriptionsController < Api::BaseController
  end

  def subscription_params
-    params.require(:subscription).permit(:endpoint, :standard, keys: [:auth, :p256dh])
+    params.expect(subscription: [:endpoint, :standard, keys: [:auth, :p256dh]])
  end

  def data_params
    return {} if params[:data].blank?

-    params.require(:data).permit(:policy, alerts: Notification::TYPES)
+    params.expect(data: [:policy, alerts: Notification::TYPES])
  end
 end
--- a/app/controllers/api/web/push_subscriptions_controller.rb
+++ b/app/controllers/api/web/push_subscriptions_controller.rb
@ -66,7 +66,7 @@ class Api::Web::PushSubscriptionsController < Api::Web::BaseController
  end

  def subscription_params
-    @subscription_params ||= params.require(:subscription).permit(:standard, :endpoint, keys: [:auth, :p256dh])
+    @subscription_params ||= params.expect(subscription: [:standard, :endpoint, keys: [:auth, :p256dh]])
  end

  def web_push_subscription_params
@ -82,6 +82,6 @@ class Api::Web::PushSubscriptionsController < Api::Web::BaseController
  end

  def data_params
-    @data_params ||= params.require(:data).permit(:policy, alerts: Notification::TYPES)
+    @data_params ||= params.expect(data: [:policy, alerts: Notification::TYPES])
  end
 end
--- a/spec/requests/api/v1/push/subscriptions_spec.rb
+++ b/spec/requests/api/v1/push/subscriptions_spec.rb
@ -107,6 +107,13 @@ RSpec.describe 'API V1 Push Subscriptions' do

      it_behaves_like 'validation error'
    end
+
+    it 'gracefully handles invalid nested params' do
+      post api_v1_push_subscription_path, params: { subscription: 'invalid' }, headers: headers
+
+      expect(response)
+        .to have_http_status(400)
+    end
  end

  describe 'PUT /api/v1/push/subscription' do
@ -133,6 +140,13 @@ RSpec.describe 'API V1 Push Subscriptions' do
          policy: alerts_payload[:data][:policy]
        )
    end
+
+    it 'gracefully handles invalid nested params' do
+      put api_v1_push_subscription_path(endpoint_push_subscription), params: { data: 'invalid' }, headers: headers
+
+      expect(response)
+        .to have_http_status(400)
+    end
  end

  describe 'GET /api/v1/push/subscription' do
--- a/spec/requests/api/web/push_subscriptions_spec.rb
+++ b/spec/requests/api/web/push_subscriptions_spec.rb
@ -52,4 +52,28 @@ RSpec.describe 'API Web Push Subscriptions' do
      end
    end
  end
+
+  describe 'POST /api/web/push_subscriptions' do
+    before { sign_in Fabricate :user }
+
+    it 'gracefully handles invalid nested params' do
+      post api_web_push_subscriptions_path, params: { subscription: 'invalid' }
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+
+  describe 'PUT /api/web/push_subscriptions' do
+    before { sign_in Fabricate :user }
+
+    let(:subscription) { Fabricate :web_push_subscription }
+
+    it 'gracefully handles invalid nested params' do
+      put api_web_push_subscription_path(subscription), params: { data: 'invalid' }
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
 end