[headless] Add tests to ensure that remote contact adding needs auth token

briar-headless/README.md

@@ -87,7 +87,7 @@ outside of Briar via an external channel.
 Once you have received the link of your future contact, you can add them
 by posting the link together with an arbitrary nickname (or alias):
 
-`POST /v1/contacts/add`
+`POST /v1/contacts/add/pending`
 
 The link and the alias should be posted as a JSON object:
 

briar-headless/src/main/java/org/briarproject/briar/headless/Router.kt

@@ -65,12 +65,12 @@ constructor(
                 path("/contacts") {
                     get { ctx -> contactController.list(ctx) }
                     path("add") {
-                        post { ctx -> contactController.addPendingContact(ctx) }
                         path("link") {
                             get { ctx -> contactController.link(ctx) }
                         }
                         path("pending") {
                             get { ctx -> contactController.listPendingContacts(ctx) }
+                            post { ctx -> contactController.addPendingContact(ctx) }
                             delete { ctx -> contactController.removePendingContact(ctx) }
                         }
                     }

briar-headless/src/test/java/org/briarproject/briar/headless/IntegrationTest.kt

@@ -59,6 +59,10 @@ abstract class IntegrationTest {
         return khttp.post(url, getAuthTokenHeader(token), data = data)
     }
 
+    protected fun postWithWrongToken(url: String) : Response {
+        return khttp.post(url, getAuthTokenHeader("wrongToken"), data = "")
+    }
+
     protected fun delete(url: String) : Response {
         return khttp.delete(url, getAuthTokenHeader(token))
     }

briar-headless/src/test/java/org/briarproject/briar/headless/contact/ContactControllerIntegrationTest.kt

@@ -45,6 +45,12 @@ class ContactControllerIntegrationTest: IntegrationTest() {
         assertEquals(BASE32_LINK_BYTES + 8, link.length)
     }
 
+    @Test
+    fun `returning own handshake link needs authentication token`() {
+        val response = getWithWrongToken("$url/contacts/add/link")
+        assertEquals(401, response.statusCode)
+    }
+
     @Test
     fun `returns list of pending contacts`() {
         // retrieve empty list of pending contacts
@@ -58,7 +64,7 @@ class ContactControllerIntegrationTest: IntegrationTest() {
             "link": "${getRealHandshakeLink(crypto)}",
             "alias": "$alias"
         }"""
-        response = post("$url/contacts/add", json)
+        response = post("$url/contacts/add/pending", json)
         assertEquals(200, response.statusCode)
 
         // get added contact as only list item
@@ -81,6 +87,24 @@ class ContactControllerIntegrationTest: IntegrationTest() {
         assertEquals(0, response.jsonArray.length())
     }
 
+    @Test
+    fun `returning list of pending contacts needs authentication token`() {
+        val response = getWithWrongToken("$url/contacts/add/pending")
+        assertEquals(401, response.statusCode)
+    }
+
+    @Test
+    fun `adding pending contacts needs authentication token`() {
+        val response = postWithWrongToken("$url/contacts/add/pending")
+        assertEquals(401, response.statusCode)
+    }
+
+    @Test
+    fun `removing a pending contact needs authentication token`() {
+        val response = deleteWithWrongToken("$url/contacts/add/pending")
+        assertEquals(401, response.statusCode)
+    }
+
     @Test
     fun `deleting contact need authentication token`() {
         val response = deleteWithWrongToken("$url/contacts/1")