23942 - Add in valid redirect url (#1794)

bcgov · Oct 23, 2024 · 1066773 · 1066773
1 parent 01687be
commit 1066773
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 0 deletions.
diff --git a/pay-api/src/pay_api/resources/v1/transaction.py b/pay-api/src/pay_api/resources/v1/transaction.py
@@ -23,6 +23,7 @@
 from pay_api.utils.auth import jwt as _jwt
 from pay_api.utils.endpoints_enums import EndpointEnum
 from pay_api.utils.errors import Error
+from pay_api.utils.util import is_valid_redirect_url
 
 bp = Blueprint("TRANSACTIONS", __name__, url_prefix=f"{EndpointEnum.API_V1.value}")
 
@@ -126,3 +127,13 @@ def patch_transaction(invoice_id: int = None, payment_id: int = None, transactio
         return exception.response()
     current_app.logger.debug(">patch_transaction")
     return jsonify(response), status
+
+
+@bp.route("/valid-redirect-url", methods=["POST"])
+@cross_origin(origins="*")
+def post_is_valid_redirect_url():
+    """Check if the redirect URL is valid."""
+    current_app.logger.info("<is_valid_redirect_url")
+    is_valid = is_valid_redirect_url(request.get_json().get("redirectUrl", None))
+    current_app.logger.debug(">is_valid_redirect_url")
+    return jsonify({"isValid": is_valid}), HTTPStatus.OK
diff --git a/pay-api/tests/unit/api/test_transaction.py b/pay-api/tests/unit/api/test_transaction.py
@@ -504,3 +504,26 @@ def test_transaction_post_for_nsf_payment(session, client, jwt, app):
     assert rv.json.get("paymentId") == payment_2.id
 
     assert schema_utils.validate(rv.json, "transaction")[0]
+
+
+def test_valid_redirect_url(session, jwt, client, app):
+    """Assert the valid redirect url endpoint works."""
+    old_urls = app.config["VALID_REDIRECT_URLS"]
+    data = {"redirectUrl": "https://www.google.ca"}
+    headers = {"content-type": "application/json"}
+    rv = client.post(
+        "/api/v1/valid-redirect-url",
+        data=json.dumps(data),
+        headers=headers,
+    )
+    assert rv.status_code == 200
+    assert rv.json.get("isValid") is False
+    app.config["VALID_REDIRECT_URLS"] = ["https://www.google.ca"]
+    rv = client.post(
+        "/api/v1/valid-redirect-url",
+        data=json.dumps(data),
+        headers=headers,
+    )
+    assert rv.status_code == 200
+    assert rv.json.get("isValid") is True
+    app.config["VALID_REDIRECT_URLS"] = old_urls