diff --git a/app/controllers/inclusion_connect_controller.rb b/app/controllers/inclusion_connect_controller.rb
index c0ba068f9..ecbb4c579 100644
--- a/app/controllers/inclusion_connect_controller.rb
+++ b/app/controllers/inclusion_connect_controller.rb
@@ -10,6 +10,7 @@ def auth
 
   def callback
     if params[:state] != session[:ic_state]
+      Sentry.capture_message("InclusionConnect states do not match", extra: { params_state: params[:state], session_ic_state: session[:ic_state] })
       flash[:error] = "Nous n'avons pas pu vous authentifier. Contacter le support à l'adresse <#{current_domain.support_email}> si le problème persiste."
       redirect_to new_agent_session_path and return
     end
diff --git a/app/services/inclusion_connect.rb b/app/services/inclusion_connect.rb
index a23f37e49..010edaefd 100644
--- a/app/services/inclusion_connect.rb
+++ b/app/services/inclusion_connect.rb
@@ -39,9 +39,13 @@ def get_token(code, inclusion_connect_callback_url)
 
     }
     uri = URI("#{IC_BASE_URL}/token")
-    res = Net::HTTP.post_form(uri, data)
+    res = Typhoeus.post(
+      uri,
+      body: data,
+      headers: { "Content-Type" => "application/x-www-form-urlencoded" }
+    )
 
-    return false unless res.is_a?(Net::HTTPSuccess)
+    return false unless res.success?
 
     JSON.parse(res.body)["access_token"]
   end
 
@@ -49,14 +53,10 @@ def get_token(code, inclusion_connect_callback_url)
   def get_user_info(token)
     uri = URI("#{IC_BASE_URL}/userinfo")
     uri.query = URI.encode_www_form({ schema: "openid" })
-    req = Net::HTTP::Get.new(uri)
-    req["Authorization"] = "Bearer #{token}"
-    res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == "https") do |http|
-      http.request(req)
-    end
+    res = Typhoeus.get(uri, headers: { "Authorization" => "Bearer #{token}" })
 
-    return false unless res.is_a?(Net::HTTPSuccess)
+    return false unless res.success?
 
     JSON.parse(res.body)
   end
 
diff --git a/config/initializers/typhoeus.rb b/config/initializers/typhoeus.rb
index 437639883..f2dc3570d 100644
--- a/config/initializers/typhoeus.rb
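Review bot: The added Sentry.capture_message forwards the raw `params[:state]` and `session[:ic_state]` to Sentry as `extra`; the session value is presumably the per-login anti-forgery nonce of this OIDC flow and the param is attacker-controlled input, so both now persist verbatim in a third-party tracker. Logging presence rather than content still separates an expired session from a forged callback: `extra: { params_state_present: params[:state].present?, session_ic_state_present: session[:ic_state].present? }` (the spec's `match_array(%i[params_state session_ic_state])` would follow the rename). The guard on the line above also uses plain `!=`, so a callback with no `state` against a session with no `ic_state` compares equal and falls through; `if session[:ic_state].blank? || params[:state] != session[:ic_state]` closes that and would be reported by the same message. callback's body continues outside the hunk.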
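Review bot: Neither new Typhoeus call sets `timeout:` or `connecttimeout:` — this hunk's `Typhoeus.post` and the `Typhoeus.get` in the get_user_info hunk below — so a stalled identity provider holds the web worker under libcurl's default of no timeout, whereas the replaced Net::HTTP calls at least had their 60-second open/read defaults. Adding e.g. `timeout: 10, connecttimeout: 5` next to `body:`/`headers:` bounds that, and `res.success?` is already false for a timed-out response, so the `return false` path needs no other change. Separately, `JSON.parse(res.body)` still raises on a 2xx with a non-JSON body, which `success?` does not cover; a `rescue JSON::ParserError` returning false would match the existing failure contract. get_token's body begins outside the hunk.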
+++ b/config/initializers/typhoeus.rb
@@ -1,13 +1,17 @@
 # frozen_string_literal: true
 
 Typhoeus.before do |request|
+  filter_secrets_from_body = lambda do |body|
+    body.to_s.gsub(InclusionConnect::IC_CLIENT_SECRET || "", "filtered")
+  end
+
   crumb = Sentry::Breadcrumb.new(
     message: "HTTP request",
     data: {
       method: request.options[:method],
       url: request.url,
       headers: request.options[:headers],
-      body: request.encoded_body,
+      body: filter_secrets_from_body.call(request.encoded_body),
     }
   )
   Sentry.add_breadcrumb(crumb)
diff --git a/spec/controllers/inclusion_connect_controller_spec.rb b/spec/controllers/inclusion_connect_controller_spec.rb
index 5bf44e302..ee9341147 100644
--- a/spec/controllers/inclusion_connect_controller_spec.rb
+++ b/spec/controllers/inclusion_connect_controller_spec.rb
@@ -3,6 +3,8 @@
 describe InclusionConnectController, type: :controller do
   let(:base_url) { "https://test.inclusion.connect.fr" }
 
+  stub_sentry_events
+
   describe "#callback" do
     it "update first_name and last_name of agent" do
       now = Time.zone.parse("2022-08-22 11h34")
@@ -17,11 +19,9 @@
 
       stub_request(:get, "#{base_url}/userinfo?schema=openid").with(
         headers: {
-          "Accept" => "*/*",
-          "Accept-Encoding" => "gzip;q=1.0,deflate;q=0.6,identity;q=0.3",
+          "Expect" => "",
           "Authorization" => "Bearer zekfjzeklfjl",
-          "Host" => "test.inclusion.connect.fr",
-          "User-Agent" => "Ruby",
+          "User-Agent" => "Typhoeus - https://github.com/typhoeus/typhoeus",
         }
       ).to_return(status: 200, body: { email_verified: true, given_name: "Bob", family_name: "Eponge", email: "bob@demo.rdv-solidarites.fr" }.to_json, headers: {})
 
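Review bot: The new filter scrubs only the client secret from the body, while the `headers: request.options[:headers]` line just above the change is still copied as-is, so the `Authorization: Bearer …` header that get_user_info now passes through Typhoeus lands in Sentry breadcrumbs attached to every event; the one-time authorization `code` in the token request body presumably does too. The `|| ""` fallback is also a trap: when `IC_CLIENT_SECRET` is nil, `gsub("", "filtered")` inserts the replacement between every character of the body instead of leaving it alone. Filtering the Authorization header and skipping the substitution when the secret is unset covers both, and whether the "HTTP response" breadcrumb asserted in the spec (defined outside this hunk) copies the token response body deserves the same check.
```ruby
Typhoeus.before do |request|
  secret = InclusionConnect::IC_CLIENT_SECRET.to_s
  filter_secrets_from_body = lambda do |body|
    secret.empty? ? body.to_s : body.to_s.gsub(secret, "filtered")
  end
  headers = (request.options[:headers] || {}).to_h
  headers = headers.merge("Authorization" => "filtered") if headers.key?("Authorization")

  # … unchanged: crumb = Sentry::Breadcrumb.new(message: "HTTP request", data: { method:, url:, …
      headers: headers,
      body: filter_secrets_from_body.call(request.encoded_body),
  # … unchanged: closing of data/crumb, Sentry.add_breadcrumb(crumb) …
```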
@@ -41,6 +41,10 @@
       get :callback, params: { state: "zefjzelkf", session_state: "zfjzerklfjz", code: "klzefklzejlf" }
       expect(response).to redirect_to(new_agent_session_path)
       expect(flash[:error]).to eq("Nous n'avons pas pu vous authentifier. Contacter le support à l'adresse si le problème persiste.")
+
+      # Error message is sent to Sentry
+      expect(sentry_events.last.message).to include("InclusionConnect states do not match")
+      expect(sentry_events.last.extra.keys).to match_array(%i[params_state session_ic_state])
     end
 
     it "uses the current domain's support email address in the error message" do
@@ -60,6 +64,9 @@
       get :callback, params: { state: "a state", session_state: "a state", code: "klzefklzejlf" }
       expect(response).to redirect_to(new_agent_session_path)
       expect(flash[:error]).to eq("Nous n'avons pas pu vous authentifier. Contacter le support à l'adresse si le problème persiste.")
+
+      # HTTP request is sent to Sentry as breadcrumbs
+      expect(sentry_events.last.breadcrumbs.compact.map(&:message)).to eq(["HTTP request", "HTTP response"])
     end
 
     it "returns an error if token request doesn't contains token" do
@@ -74,6 +81,9 @@
 
       expect(response).to redirect_to(new_agent_session_path)
       expect(flash[:error]).to eq("Nous n'avons pas pu vous authentifier. Contacter le support à l'adresse si le problème persiste.")
+
+      # HTTP request is sent to Sentry as breadcrumbs
+      expect(sentry_events.last.breadcrumbs.compact.map(&:message)).to eq(["HTTP request", "HTTP response"])
     end
 
     it "returns an error if userinfo request doesnt work" do
@@ -85,11 +95,9 @@
 
       stub_request(:get, "#{base_url}/userinfo?schema=openid").with(
         headers: {
-          "Accept" => "*/*",
-          "Accept-Encoding" => "gzip;q=1.0,deflate;q=0.6,identity;q=0.3",
+          "Expect" => "",
           "Authorization" => "Bearer zekfjzeklfjl",
-          "Host" => "test.inclusion.connect.fr",
-          "User-Agent" => "Ruby",
+          "User-Agent" => "Typhoeus - https://github.com/typhoeus/typhoeus",
         }
       ).to_return(status: 500, body: "", headers: {})
 
@@ -98,6 +106,9 @@
 
       expect(response).to redirect_to(new_agent_session_path)
       expect(flash[:error]).to eq("Nous n'avons pas pu vous authentifier. Contacter le support à l'adresse si le problème persiste.")
+
+      # HTTP request is sent to Sentry as breadcrumbs
+      expect(sentry_events.last.breadcrumbs.compact.map(&:message).uniq).to eq(["HTTP request", "HTTP response"])
     end
 
     it "returns an error if userinfo's email checked is false" do
@@ -109,11 +120,9 @@
 
       stub_request(:get, "#{base_url}/userinfo?schema=openid").with(
         headers: {
-          "Accept" => "*/*",
-          "Accept-Encoding" => "gzip;q=1.0,deflate;q=0.6,identity;q=0.3",
+          "Expect" => "",
           "Authorization" => "Bearer zekfjzeklfjl",
-          "Host" => "test.inclusion.connect.fr",
-          "User-Agent" => "Ruby",
+          "User-Agent" => "Typhoeus - https://github.com/typhoeus/typhoeus",
         }
       ).to_return(status: 200, body: { email_verified: false, given_name: "Bob", family_name: "Eponge", email: "bob@demo.rdv-solidarites.fr" }.to_json, headers: {})
 
@@ -122,6 +131,9 @@
 
       expect(response).to redirect_to(new_agent_session_path)
       expect(flash[:error]).to eq("Nous n'avons pas pu vous authentifier. Contacter le support à l'adresse si le problème persiste.")
+
+      # HTTP request is sent to Sentry as breadcrumbs
+      expect(sentry_events.last.breadcrumbs.compact.map(&:message).uniq).to eq(["HTTP request", "HTTP response"])
     end
 
     it "call sentry about authentification failure" do
@@ -148,11 +160,9 @@ def stub_token_request
          "redirect_uri" => inclusion_connect_callback_url,
        },
        headers: {
-         "Accept" => "*/*",
-         "Accept-Encoding" => "gzip;q=1.0,deflate;q=0.6,identity;q=0.3",
+         "Expect" => "",
+         "User-Agent" => "Typhoeus - https://github.com/typhoeus/typhoeus",
          "Content-Type" => "application/x-www-form-urlencoded",
-         "Host" => "test.inclusion.connect.fr",
-         "User-Agent" => "Ruby",
        }
      )
    end