Fixes #419; make legacy project lookup allow missing request body

sillsdev · Apr 22, 2024 · 6eb63d6 · 6eb63d6
1 parent 90c9fb4
commit 6eb63d6
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/backend/LexBoxApi/Controllers/LegacyProjectApiController.cs b/backend/LexBoxApi/Controllers/LegacyProjectApiController.cs
@@ -42,9 +42,9 @@ public async Task<ActionResult<LegacyApiProject[]>> ProjectsForm(string userName
     [ProducesResponseType(typeof(LegacyApiError), StatusCodes.Status403Forbidden)]
     [ProducesResponseType(typeof(LegacyApiProject[]), StatusCodes.Status200OK)]
     [Consumes(MediaTypeNames.Application.Json)]
-    public async Task<ActionResult<LegacyApiProject[]>> Projects(string userName, ProjectsInput input)
+    public async Task<ActionResult<LegacyApiProject[]>> Projects(string userName, ProjectsInput? input)
     {
-        var password = input.Password;
+        var password = input?.Password ?? string.Empty;
 
         var user = await _lexBoxDbContext.Users.FilterByEmailOrUsername(userName)
             .Select(user => new

diff --git a/backend/Testing/SyncReverseProxy/LegacyProjectApiTests.cs b/backend/Testing/SyncReverseProxy/LegacyProjectApiTests.cs
@@ -119,4 +119,13 @@ public async Task TestInvalidUser()
         responseObject.ShouldContainKey("error");
         responseObject["error"]!.GetValue<string>().ShouldBe("Unknown user");
     }
+
+    // LF sends lots of requests with no password/request body. Chorus might as well.
+    // Requests between our software shouldn't be "Bad requests" (400).
+    [Fact]
+    public async Task MissingPasswordReturns403()
+    {
+        var response = await Client.PostAsJsonAsync<object?>($"{_baseUrl}/api/user/{TestData.User}/projects", null);
+        response.StatusCode.ShouldBe(HttpStatusCode.Forbidden);
+    }
 }