From def5f8e669fac479cc6b3739c00c1c79c65a1f6b Mon Sep 17 00:00:00 2001
From: Robert Barrow
Date: Wed, 5 Jun 2019 22:23:15 +0100
Subject: [PATCH] added validation for endpoint body JSON in API admin and fixed error handling in actual API calls

---
 .../discourse/models/custom-wizard.js.es6 | 11 +++++
 config/locales/client.en.yml | 1 +
 lib/api/endpoint.rb | 9 +++--
 lib/builder.rb | 4 +-
 lib/test_harness.rb | 40 +++++++++++++++++++
 5 files changed, 60 insertions(+), 5 deletions(-)
 create mode 100644 lib/test_harness.rb

diff --git a/assets/javascripts/discourse/models/custom-wizard.js.es6 b/assets/javascripts/discourse/models/custom-wizard.js.es6
index 34248250..6cb18535 100644
--- a/assets/javascripts/discourse/models/custom-wizard.js.es6
+++ b/assets/javascripts/discourse/models/custom-wizard.js.es6
@@ -17,6 +17,7 @@ const wizardProperties = [
 const CustomWizard = Discourse.Model.extend({
   save() {
     return new Ember.RSVP.Promise((resolve, reject) => {
+
       const id = this.get('id');
       if (!id || !id.underscore()) return reject({ error: 'id_required' });
 
@@ -127,6 +128,16 @@ const CustomWizard = Discourse.Model.extend({
             error = 'id_required';
             return;
           }
+          //check if api_body is valid JSON
+          let api_body = a.get('api_body');
+          if (api_body != '') {
+            try {
+              JSON.parse(api_body);
+            } catch (e) {
+              error = 'invalid_api_body';
+              return;
+            }
+          }
 
           a.set('id', id.underscore());
 
diff --git a/config/locales/client.en.yml b/config/locales/client.en.yml
index e3388f57..8062302d 100644
--- a/config/locales/client.en.yml
+++ b/config/locales/client.en.yml
@@ -59,6 +59,7 @@ en:
         name_required: "Wizards must have a name."
         steps_required: "Wizards must have at least one step."
         id_required: "All wizards, steps, fields and actions need an id."
+        invalid_api_body: "Request body JSON needs to be a valid JSON."
         type_required: "All fields need a type."
         after_time_need_time: "After time is enabled but no time is set."
         after_time_invalid: "After time is invalid."
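Review bot: The `if (api_body != '')` guard in the second hunk only skips the empty string; an action whose `api_body` was never set yields `undefined`, which passes the inequality, and `JSON.parse(undefined)` throws a SyntaxError, so such an action is rejected with `invalid_api_body` even though it has no body to validate. Whether the form can leave `api_body` unset is decided by code outside this hunk, but the guard is cheap to make safe: `if (!Ember.isEmpty(api_body)) {` (or `if (api_body) {`) covers `undefined`, `null` and `''` in one check. The parsed value is thrown away, which is fine for a validity check, but a one-line comment saying so — `// parse only to validate; the server re-parses the body` — would stop a later reader from "fixing" it. The enclosing save() callback starts above the hunk and continues below it.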
diff --git a/lib/api/endpoint.rb b/lib/api/endpoint.rb
index 3f475301..fc378df6 100644
--- a/lib/api/endpoint.rb
+++ b/lib/api/endpoint.rb
@@ -85,8 +85,11 @@ class CustomWizard::Api::Endpoint
       params[:body] = body
     end
 
-    response = connection.request(params)
-
-    JSON.parse(response.body)
+    begin
+      response = connection.request(params)
+      return JSON.parse(response.body)
+    rescue
+      return JSON.parse "[{\"error\":\"API request failed\"}]"
+    end
   end
 end
diff --git a/lib/builder.rb b/lib/builder.rb
index 654ff58b..3aeb2ede 100644
--- a/lib/builder.rb
+++ b/lib/builder.rb
@@ -408,8 +408,8 @@ class CustomWizard::Builder
 
         result = CustomWizard::Api::Endpoint.request(action['api'], action['api_endpoint'], api_body)
 
-        if result['error']
-          updater.errors.add(:send_message, result['error'])
+        if result[0].has_key? 'error'
+          updater.errors.add(:send_message, result[0]['error'])
         else
           ## add validation callback
         end
diff --git a/lib/test_harness.rb b/lib/test_harness.rb
new file mode 100644
index 00000000..7d34b2cb
--- /dev/null
+++ b/lib/test_harness.rb
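Review bot: The bare `rescue` added in the endpoint.rb hunk catches every StandardError — a refused connection, a timeout, or a `JSON::ParserError` from a non-JSON body — and discards the exception, so every failure collapses into the same `API request failed` message with nothing written anywhere to tell them apart; before this change the exception at least propagated. The hunk also never inspects `response.status`, so a 4xx/5xx reply whose body happens to parse as JSON is handed back to the caller as a success. The two paths return different shapes as well: the rescue returns an Array (built by round-tripping a string literal through `JSON.parse`), while the success path returns whatever the remote JSON is, a Hash for a JSON object. I'd rescue explicitly, log the cause and check the status before parsing, as below; `Rails.logger` and `response.status` assume a Discourse/Excon environment, which the rest of the commit suggests but this hunk does not show. The enclosing method's signature is above the hunk.
```ruby
    begin
      response = connection.request(params)
      # a non-2xx reply is a failure even when its body happens to be valid JSON
      raise "HTTP #{response.status}" unless (200..299).cover?(response.status)
      JSON.parse(response.body)
    rescue StandardError => e
      # keep the real cause in the server log; the caller only ever sees the generic message
      Rails.logger.warn("CustomWizard::Api::Endpoint request failed: #{e.class}: #{e.message}")
      [{ "error" => "API request failed" }]
    end
```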
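Review bot: `if result[0].has_key? 'error'` in the builder.rb hunk assumes `Endpoint.request` always returns an Array of Hashes, but only its failure path does; the success path returns whatever the remote API's JSON parses to, so a JSON object gives a Hash where `result[0]` is nil and raises NoMethodError, and an array of scalars raises on `has_key?`. A shape-tolerant check keeps the intent: `api_error = result.is_a?(Array) ? result.first : result`, `if api_error.is_a?(Hash) && api_error.key?('error')`, `updater.errors.add(:send_message, api_error['error'])`. Note also that the string placed into the user-visible error comes straight from the remote response body; that predates this commit, but a short comment flagging it as untrusted text would help whoever adds the validation callback the `else` branch still promises. The surrounding action-handling method begins above the hunk.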
@@ -0,0 +1,40 @@
+require 'excon'
+# require 'httplog'
+
+class CustomWizard::APITestHarness
+
+  def self.basic
+
+    CustomWizard::Authorization.set_authentication_protocol("chargify", "basic_authentication")
+    CustomWizard::Authorization.set_username("chargify", "W2iA5khmmRso3oySy1KUeJP17ilUuN6OZkgT8PPwk")
+    CustomWizard::Authorization.set_password("chargify", "X")
+    authentication_string = CustomWizard::Authorization.get_header_authorization_string("chargify")
+    puts 'authentication string is ' + authentication_string
+    response = Excon.get(
+      "https://merefield-technology.chargify.com/subscriptions.json",
+      :headers => {
+        "Authorization" => "#{authentication_string}"
+      }
+    )
+    JSON.parse(response.body)
+  end
+
+  def self.oauth_two
+
+    CustomWizard::Authorization.set_authentication_protocol("google", "OAuth2_authentication")
+    CustomWizard::Authorization.set_client_id("chargify", "W2iA5khmmRso3oySy1KUeJP17ilUuN6OZkgT8PPwk")
+    CustomWizard::Authorization.set_client_secret("chargify", "X")
+
+    puts curl
+    authentication_string = CustomWizard::Authorization.get_header_authorization_string("chargify")
+    puts 'authentication string is ' + authentication_string
+    response = Excon.get(
+      "https://merefield-technology.chargify.com/subscriptions.json",
+      :headers => {
+        "Authorization" => "#{authentication_string}"
+      }
+    )
+    JSON.parse(response.body)
+  end
+
+end
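Review bot: `set_username("chargify", "W2iA5khmmRso3oySy1KUeJP17ilUuN6OZkgT8PPwk")`, repeated as the `set_client_id` value, commits what looks like a live Chargify API key together with the account host `merefield-technology.chargify.com` into the repository; if it is real it should be treated as exposed and rotated, and the harness should read it at run time instead, e.g. `ENV.fetch("CHARGIFY_API_KEY")`. Both methods also `puts` the computed Authorization header, which writes the credential to stdout or the server log wherever this is invoked, so that line should go. `oauth_two` calls `puts curl` with no `curl` defined anywhere in the file, which raises NameError before the request is made, and it registers the protocol under `"google"` while setting the client id/secret and reading the header under `"chargify"`, so the OAuth2 path is never actually exercised. Since this file lives under lib/ rather than spec/ it may be loaded with the plugin; worth confirming it isn't, or moving it.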