Use hash in invite url

To prevent the invite id from showing up in various logs along the way, we change to use an anchor in the invite url, and a post request to the backend. Invite links are now on the form /invitelink/#<uuid> and the frontend redirects to /invite as usual after the session has been created. Resolves: GREG-90

Use hash in invite url
To prevent the invite id from showing up in various logs along the way, we change to use an anchor in the invite url, and a post request to the backend. Invite links are now on the form /invitelink/#<uuid> and the frontend redirects to /invite as usual after the session has been created. Resolves: GREG-90
8a9a26c3 · Andreas Ellewsen · e7b064a1 · 8a9a26c3 · 8a9a26c3 · 8a9a26c3
Verified Commit 8a9a26c3 authored 3 years ago by Andreas Ellewsen
--- a/frontend/src/routes/index.tsx
+++ b/frontend/src/routes/index.tsx
@@ -64,7 +64,7 @@ export default function App() {
          <ProtectedRoute path="/register">
            <Register />
          </ProtectedRoute>
-          <Route path="/invite/:id" component={InviteLink} />
+          <Route path="/invitelink/" component={InviteLink} />
          <Route path="/invite/" component={Invite} />
          <Route path="/guestregister/" component={GuestRegister} />
          <Route>

--- a/frontend/src/routes/invitelink/index.tsx
+++ b/frontend/src/routes/invitelink/index.tsx
 import { useEffect } from 'react'
-import { Redirect, useParams } from 'react-router-dom'
+import { Redirect } from 'react-router-dom'
+import { submitJsonOpts } from 'utils'
-type TParams = { id: string }
 function InviteLink() {
  // Fetch backend endpoint to preserve invite_id in backend session then redirect
  // to generic invite page with info about feide login or manual with passport.
-  const { id } = useParams<TParams>()
+  const id = window.location.hash.slice(1)
  useEffect(() => {
-    fetch(`/api/ui/v1/invited/${id}`)
+    fetch('/api/ui/v1/invitecheck/', submitJsonOpts('POST', { uuid: id }))
  }, [])
  return <Redirect to="/invite" />
 }

--- a/gregui/api/urls.py
+++ b/gregui/api/urls.py
@@ -20,7 +20,7 @@ urlpatterns += [
    re_path(r"roletypes/$", RoleTypeViewSet.as_view(), name="role-types"),
    re_path(r"units/$", UnitsViewSet.as_view(), name="units"),
    path("invited/", InvitedGuestView.as_view(), name="invited-info"),
-    path("invited/<uuid>", CheckInvitationView.as_view(), name="invite-verify"),
+    path("invitecheck/", CheckInvitationView.as_view(), name="invite-verify"),
    path("invite/", InvitationView.as_view(), name="invitation"),
    path("person/<int:id>", PersonView.as_view(), name="person-get"),
    path(

--- a/gregui/api/views/invitation.py
+++ b/gregui/api/views/invitation.py
@@ -97,7 +97,7 @@ class CheckInvitationView(APIView):
    authentication_classes = []
    permission_classes = [AllowAny]
-    def get(self, request, *args, **kwargs):
+    def post(self, request, *args, **kwargs):
        """
        Endpoint for verifying and setting invite_id in session.
@@ -105,8 +105,12 @@ class CheckInvitationView(APIView):
        page you get to by following the invitation url to the frontend. This way a
        session is created keeping the invite id safe, until the user returns from
        feide login if they choose to use it.
+        Uses post to prevent invite id from showing up in various logs.
        """
-        invite_id = kwargs["uuid"]
+        invite_id = request.data.get("uuid")
+        if not invite_id:
+            return Response(status=status.HTTP_403_FORBIDDEN)
        try:
            invite_link = InvitationLink.objects.get(uuid=invite_id)
        except (InvitationLink.DoesNotExist, exceptions.ValidationError):

--- a/gregui/tests/api/test_invitation.py
+++ b/gregui/tests/api/test_invitation.py
@@ -10,17 +10,15 @@ from greg.models import InvitationLink, Person, Identity
 @pytest.mark.django_db
 def test_get_invite(client):
    """Forbid access with bad invitation link uuid"""
-    response = client.get(
+    response = client.post(reverse("gregui-v1:invite-verify"), data={"uuid": "baduuid"})
-        reverse("gregui-v1:invite-verify", kwargs={"uuid": "baduuid"})
-    )
    assert response.status_code == status.HTTP_403_FORBIDDEN
 @pytest.mark.django_db
 def test_get_invite_ok(client, invitation_link):
    """Access okay with valid invitation link"""
-    response = client.get(
+    response = client.post(
-        reverse("gregui-v1:invite-verify", kwargs={"uuid": invitation_link.uuid})
+        reverse("gregui-v1:invite-verify"), data={"uuid": invitation_link.uuid}
    )
    assert response.status_code == status.HTTP_200_OK
@@ -28,10 +26,8 @@ def test_get_invite_ok(client, invitation_link):
 @pytest.mark.django_db
 def test_get_invite_expired(client, invitation_link_expired):
    """Forbid access with expired invite link"""
-    response = client.get(
+    response = client.post(
-        reverse(
+        reverse("gregui-v1:invite-verify"), data={"uuid": invitation_link_expired.uuid}
-            "gregui-v1:invite-verify", kwargs={"uuid": invitation_link_expired.uuid}
-        )
    )
    assert response.status_code == status.HTTP_403_FORBIDDEN
@@ -47,9 +43,7 @@ def test_get_invited_info_session_okay(
    client, invitation_link, person_foo_data, sponsor_guy_data, role_type_foo, unit_foo
 ):
    # get a session
-    client.get(
+    client.post(reverse("gregui-v1:invite-verify"), data={"uuid": invitation_link.uuid})
-        reverse("gregui-v1:invite-verify", kwargs={"uuid": invitation_link.uuid})
-    )
    # Get info
    response = client.get(reverse("gregui-v1:invited-info"))
    assert response.status_code == status.HTTP_200_OK
@@ -82,9 +76,7 @@ def test_get_invited_info_expired_link(
    client, invitation_link, invitation_expired_date
 ):
    # Get a session while link is valid
-    client.get(
+    client.get(reverse("gregui-v1:invite-verify"), data={"uuid": invitation_link.uuid})
-        reverse("gregui-v1:invite-verify", kwargs={"uuid": invitation_link.uuid})
-    )
    # Set expire link to expire long ago
    invlink = InvitationLink.objects.get(uuid=invitation_link.uuid)
    invlink.expire = invitation_expired_date
@@ -100,9 +92,7 @@ def test_invited_guest_can_post_information(
    client: APIClient, invitation_link, person_foo_data
 ):
    # get a session
-    client.get(
+    client.post(reverse("gregui-v1:invite-verify"), data={"uuid": invitation_link.uuid})
-        reverse("gregui-v1:invite-verify", kwargs={"uuid": invitation_link.uuid})
-    )
    person = invitation_link.invitation.role.person
    assert person.private_mobile is None
@@ -129,9 +119,7 @@ def test_post_invited_info_expired_session(
    client, invitation_link, invitation_expired_date
 ):
    # get a session
-    client.get(
+    client.post(reverse("gregui-v1:invite-verify"), data={"uuid": invitation_link.uuid})
-        reverse("gregui-v1:invite-verify", kwargs={"uuid": invitation_link.uuid})
-    )
    # Set expire link to expire long ago
    invlink = InvitationLink.objects.get(uuid=invitation_link.uuid)
    invlink.expire = invitation_expired_date
@@ -145,9 +133,7 @@ def test_post_invited_info_expired_session(
 @pytest.mark.django_db
 def test_post_invited_info_deleted_inv_link(client, invitation_link):
    # get a session
-    client.get(
+    client.post(reverse("gregui-v1:invite-verify"), data={"uuid": invitation_link.uuid})
-        reverse("gregui-v1:invite-verify", kwargs={"uuid": invitation_link.uuid})
-    )
    # Delete link
    invlink = InvitationLink.objects.get(uuid=invitation_link.uuid)
    invlink.delete()