Remove support for passing orgKey as query param, require use of raze…

…e-org-key header (#1332) * remove use of orgKey in query params, require razee-org-key header * package updates * test updates * allowlist low severity audit issue * package updates * fix package-lock.json
razee-io · Jun 23, 2023 · 1b410a6 · 1b410a6
1 parent 59039fd
commit 1b410a6
Show file tree

Hide file tree

Showing 5 changed files with 60 additions and 15 deletions.
diff --git a/app/apollo/models/organization.local.schema.js b/app/apollo/models/organization.local.schema.js
@@ -71,9 +71,8 @@ OrganizationLocalSchema.statics.getRegistrationUrl = async function(org_id, cont
     host = process.env.EXTERNAL_HOST;
   }
   const orgKey = bestOrgKey(org).key;
-  // Return the orgKey as both url query param and as header.  Once all GUI/CLI/API clients are updated to recognize and use 'headers', the orgKey will be removed as a query parameter in a new major version (as it will be a breaking change).
   return {
-    url: `${protocol}://${host}/api/install/razeedeploy-job?orgKey=${orgKey}`,
+    url: `${protocol}://${host}/api/install/razeedeploy-job`,
     headers: {
       'razee-org-key': orgKey
     }

diff --git a/app/apollo/test/externalAuth/organization.local.schema.js b/app/apollo/test/externalAuth/organization.local.schema.js
@@ -74,7 +74,7 @@ OrganizationLocalSchema.statics.getRegistrationUrl = async function(org_id, cont
     bestOrgKeyValue = ( org.orgKeys2.find( key => { return key.primary; } ) || org.orgKeys2[0] ).key;
   }
   return {
-    url: `${protocol}://${host}/api/install/razeedeploy-job?orgKey=${bestOrgKeyValue}`,
+    url: `${protocol}://${host}/api/install/razeedeploy-job`,
     headers: {
       'razee-org-key': bestOrgKeyValue
     }

diff --git a/app/apollo/test/organization.spec.js b/app/apollo/test/organization.spec.js
@@ -532,7 +532,7 @@ describe('organization graphql test suite', () => {
       }
     });
 
-    it('registering a Cluster should return URL containing the remaining new OrgKey', async () => {
+    it('registering a Cluster should return URL and headers containing the remaining new OrgKey', async () => {
       token = await signInUser(models, api, rootData);
       try {
         const response = await clusterApi.registerCluster(token, {
@@ -544,7 +544,8 @@ describe('organization graphql test suite', () => {
         const registerCluster = response.data.data.registerCluster;
 
         expect(registerCluster.url).to.be.an('string');
-        expect(registerCluster.url).contains(orgKeyVal1);
+        expect(registerCluster.url).to.not.contain(orgKeyVal1); // orgKey no longer passed as URL query parameter
+        expect(registerCluster.headers['razee-org-key']).to.equal(orgKeyVal1);
       } catch (error) {
         if (error.response) {
           console.error('error encountered:  ', error.response.data);

diff --git a/app/routes/index.js b/app/routes/index.js
@@ -90,10 +90,7 @@ router.use('/cleanup', Cleanup);
 router.use(async (req, res, next) => {
   let orgKey = req.get('razee-org-key');
   if(!orgKey){
-    orgKey = req.query.orgKey;
-    if(!orgKey){
-      return res.status(401).json('{"msg": "razee-org-key required"}');
-    }
+    return res.status(401).json('{"msg": "razee-org-key required"}');
   }
 
   // Ensure sensitive information is removed before handling possible errors by redacting 'razee-org-key'

diff --git a/package-lock.json b/package-lock.json