fix: Ensure HMAC mandatory when enabled (#3350)

Add missing condition checking if HMAC is mandatory. Fixes #3349
2025-10-31 19:17:48 +00:00 · 2021-11-11 05:18:38 +01:00
parent c0f5a59cf8
commit b3e313a200
2 changed files with 51 additions and 2 deletions
--- a/app/controllers/api/v1/widget/contacts_controller.rb
+++ b/app/controllers/api/v1/widget/contacts_controller.rb
@@ -14,8 +14,9 @@ class Api::V1::Widget::ContactsController < Api::V1::Widget::BaseController
  private
  def process_hmac
-    return if params[:identifier_hash].blank?
+    return if params[:identifier_hash].blank? && !@web_widget.hmac_mandatory
-    raise StandardError, 'HMAC failed: Invalid Identifier Hash Provided' unless valid_hmac?
+
    render json: { error: 'HMAC failed: Invalid Identifier Hash Provided' }, status: :unauthorized unless valid_hmac?
    @contact_inbox.update(hmac_verified: true)
  end
--- a/spec/controllers/api/v1/widget/contacts_controller_spec.rb
+++ b/spec/controllers/api/v1/widget/contacts_controller_spec.rb
@@ -38,5 +38,53 @@ RSpec.describe '/api/v1/widget/contacts', type: :request do
        expect(identify_action).to have_received(:perform)
      end
    end
    context 'with mandatory hmac' do
      let(:identify_action) { double }
      let(:web_widget) { create(:channel_widget, account: account, hmac_mandatory: true) }
      let(:correct_identifier_hash) { OpenSSL::HMAC.hexdigest('sha256', web_widget.hmac_token, params[:identifier].to_s) }
      let(:incorrect_identifier_hash) { 'test' }
      before do
        allow(ContactIdentifyAction).to receive(:new).and_return(identify_action)
        allow(identify_action).to receive(:perform)
      end
      it 'returns success when correct identifier hash is provided' do
        patch '/api/v1/widget/contact',
              params: params.merge(identifier_hash: correct_identifier_hash),
              headers: { 'X-Auth-Token' => token },
              as: :json
        expect(response).to have_http_status(:success)
      end
      it 'returns error when incorrect identifier hash is provided' do
        patch '/api/v1/widget/contact',
              params: params.merge(identifier_hash: incorrect_identifier_hash),
              headers: { 'X-Auth-Token' => token },
              as: :json
        expect(response).to have_http_status(:unauthorized)
      end
      it 'returns error when identifier hash is blank' do
        patch '/api/v1/widget/contact',
              params: params.merge(identifier_hash: ''),
              headers: { 'X-Auth-Token' => token },
              as: :json
        expect(response).to have_http_status(:unauthorized)
      end
      it 'returns error when identifier hash is not provided' do
        patch '/api/v1/widget/contact',
              params: params,
              headers: { 'X-Auth-Token' => token },
              as: :json
        expect(response).to have_http_status(:unauthorized)
      end
    end
  end
 end