Merge pull request #20 from cpoile/MM-18219-require-user-id-to-match-…

…requester [MM-18219] Add authentication to all api calls
mattermost-community · Sep 27, 2019 · bf05e4d · bf05e4d
2 parents 1b21802 + 1b3a000
commit bf05e4d
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 8 deletions.
diff --git a/go.sum b/go.sum
@@ -388,6 +388,7 @@ golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3
 golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b h1:mSUCVIwDx4hfXJfWsOPfdzEHxzb2Xjl6BQ8YgPnazQA=
 golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 google.golang.org/api v0.0.0-20180910000450-7ca32eb868bf/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0=
 google.golang.org/api v0.0.0-20181030000543-1d582fd0359e/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0=

diff --git a/server/http_hooks.go b/server/http_hooks.go
@@ -13,7 +13,14 @@ import (
 func (p *Plugin) ServeHTTP(c *plugin.Context, w http.ResponseWriter, r *http.Request) {
 	var action *Action
 	if err := json.NewDecoder(r.Body).Decode(&action); err != nil || action == nil {
-		p.encodeEphermalMessage(w, "WelcomeBot Error: We could not decode the action")
+		p.encodeEphemeralMessage(w, "WelcomeBot Error: We could not decode the action")
+		return
+	}
+
+	mattermostUserId := r.Header.Get("Mattermost-User-Id")
+	if mattermostUserId == "" || mattermostUserId != action.Context.UserID {
+		p.API.LogError("http request not authenticated: no Mattermost-User-Id")
+		http.Error(w, "not authenticated", http.StatusUnauthorized)
 		return
 	}
 
@@ -22,19 +29,19 @@ func (p *Plugin) ServeHTTP(c *plugin.Context, w http.ResponseWriter, r *http.Req
 
 	if data.User, err = p.API.GetUser(action.Context.UserID); err != nil {
 		p.API.LogError("failed to query user", "user_id", action.Context.UserID)
-		p.encodeEphermalMessage(w, "WelcomeBot Error: We could not find the supplied user")
+		p.encodeEphemeralMessage(w, "WelcomeBot Error: We could not find the supplied user")
 		return
 	}
 
 	if data.Team, err = p.API.GetTeam(action.Context.TeamID); err != nil {
 		p.API.LogError("failed to query team", "team_id", action.Context.TeamID)
-		p.encodeEphermalMessage(w, "WelcomeBot Error: We could not find the supplied team")
+		p.encodeEphemeralMessage(w, "WelcomeBot Error: We could not find the supplied team")
 		return
 	}
 
 	if data.DirectMessage, err = p.API.GetDirectChannel(action.Context.UserID, p.botUserID); err != nil {
 		p.API.LogError("failed to query direct message channel", "user_id", action.Context.UserID)
-		p.encodeEphermalMessage(w, "WelcomeBot Error: We could not find the welcome bot direct message channel")
+		p.encodeEphemeralMessage(w, "WelcomeBot Error: We could not find the welcome bot direct message channel")
 		return
 	}
 
@@ -43,7 +50,7 @@ func (p *Plugin) ServeHTTP(c *plugin.Context, w http.ResponseWriter, r *http.Req
 	// Check to make sure you're still in the team
 	if teamMember, err := p.API.GetTeamMember(action.Context.TeamID, action.Context.UserID); err != nil || teamMember == nil || teamMember.DeleteAt > 0 {
 		p.API.LogError("Didn't have access to team", "user_id", action.Context.UserID, "team_id", action.Context.TeamID)
-		p.encodeEphermalMessage(w, "WelcomeBot Error: You do not appear to have access to this team")
+		p.encodeEphemeralMessage(w, "WelcomeBot Error: You do not appear to have access to this team")
 		return
 	}
 
@@ -54,20 +61,20 @@ func (p *Plugin) ServeHTTP(c *plugin.Context, w http.ResponseWriter, r *http.Req
 				for _, ac := range wm.Actions {
 					if ac.ActionName == action.Context.Action {
 						p.processActionMessage(*data, action, *ac)
-						p.encodeEphermalMessage(w, "")
+						p.encodeEphemeralMessage(w, "")
 						return
 					}
 				}
 			}
 		}
 
-		p.encodeEphermalMessage(w, "WelcomeBot Error: The action wasn't found for "+action.Context.Action)
+		p.encodeEphemeralMessage(w, "WelcomeBot Error: The action wasn't found for "+action.Context.Action)
 	default:
 		http.NotFound(w, r)
 	}
 }
 
-func (p *Plugin) encodeEphermalMessage(w http.ResponseWriter, message string) {
+func (p *Plugin) encodeEphemeralMessage(w http.ResponseWriter, message string) {
 	w.Header().Set("Content-Type", "application/json")
 
 	resp := model.PostActionIntegrationResponse{