diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/RequestTrn/Index.cshtml.cs b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/RequestTrn/Index.cshtml.cs
index ce54b678f..24c5aeb88 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/RequestTrn/Index.cshtml.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/RequestTrn/Index.cshtml.cs
@@ -1,10 +1,24 @@
+using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using TeachingRecordSystem.UiCommon.FormFlow;
 
 namespace TeachingRecordSystem.AuthorizeAccess.Pages.RequestTrn;
 
 [Journey(RequestTrnJourneyState.JourneyName), ActivatesJourney, RequireJourneyInstance]
-public class IndexModel : PageModel
+public class IndexModel(IConfiguration configuration) : PageModel
 {
     public JourneyInstance? JourneyInstance { get; set; }
+
+    [FromQuery]
+    public string? AccessToken { get; set; }
+
+    public ActionResult OnGet()
+    {
+        var whitelistedAccessToken = configuration.GetRequiredValue("RequestTrnAccessToken");
+        if (!whitelistedAccessToken.Equals(AccessToken, StringComparison.Ordinal))
+        {
+            return BadRequest();
+        }
+        return Page();
+    }
 }
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/appsettings.Testing.json b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/appsettings.Testing.json
index a1507c044..03f632c95 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/appsettings.Testing.json
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/appsettings.Testing.json
@@ -7,5 +7,6 @@
         "Microsoft.AspNetCore": "Fatal"
       }
     }
-  }
+  },
+  "RequestTrnAccessToken": "n8hhN5MSrNXxCzRo"
 }
diff --git a/TeachingRecordSystem/tests/TeachingRecordSystem.AuthorizeAccess.Tests/PageTests/RequestTrn/IndexTests.cs b/TeachingRecordSystem/tests/TeachingRecordSystem.AuthorizeAccess.Tests/PageTests/RequestTrn/IndexTests.cs
index abfbd4c7c..860e274db 100644
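Review bot: The secret check in OnGet compares the configured token with `string.Equals(…, StringComparison.Ordinal)`, which stops at the first differing character and so lets response timing vary with how much of the expected value matched; compare fixed-time over bytes instead, e.g. `var expected = Encoding.UTF8.GetBytes(whitelistedAccessToken);`, `var provided = Encoding.UTF8.GetBytes(AccessToken ?? string.Empty);`, `if (!CryptographicOperations.FixedTimeEquals(expected, provided))` (System.Text and System.Security.Cryptography must be in scope). The token is bound with [FromQuery], so it will be written to server access logs, proxy logs and browser history and can leak via the Referer header from the rendered page; a doc comment on AccessToken such as `/// <summary>Shared access token gating this journey; supplied in the query string, so it is visible in request logs.</summary>` would make that trade-off explicit, or accept it from a header if callers allow. Because [ActivatesJourney] and [RequireJourneyInstance] are applied to the class, a request that fails the token check has presumably already had its journey instance activated before OnGet runs; confirm that is acceptable. Returning BadRequest() for a failed secret check is now pinned by the new test; Forbid() or NotFound() is the more conventional response for an authorization failure, so whichever is kept deserves a one-line comment stating why.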
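Review bot: The new `RequestTrnAccessToken` entry commits a literal shared secret to source control; that is only acceptable if appsettings.Testing.json is loaded solely by the test host, which this diff does not show, so confirm the Testing environment name is never used for a deployed instance. The tests read the value back through IConfiguration rather than hard-coding it, so this literal can be any obviously non-secret placeholder, with the real value supplied per environment from user-secrets or a secret store rather than a checked-in file. Since JSON cannot carry a comment, note in the test fixture or README that this value is test-only and must differ from every deployed environment.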
--- a/TeachingRecordSystem/tests/TeachingRecordSystem.AuthorizeAccess.Tests/PageTests/RequestTrn/IndexTests.cs
+++ b/TeachingRecordSystem/tests/TeachingRecordSystem.AuthorizeAccess.Tests/PageTests/RequestTrn/IndexTests.cs
@@ -6,10 +6,11 @@ public class IndexTests(HostFixture hostFixture) : TestBase(hostFixture)
     public async Task Get_ValidRequest_RendersExpectedContent()
     {
         // Arrange
+        var accessToken = HostFixture.Services.GetRequiredService().GetValue("RequestTrnAccessToken");
         var state = CreateNewState();
         var journeyInstance = await CreateJourneyInstance(state);
 
-        var request = new HttpRequestMessage(HttpMethod.Get, $"/request-trn?{journeyInstance.GetUniqueIdQueryParameter()}");
+        var request = new HttpRequestMessage(HttpMethod.Get, $"/request-trn?{journeyInstance.GetUniqueIdQueryParameter()}&AccessToken={accessToken}");
 
         // Act
         var response = await HttpClient.SendAsync(request);
@@ -17,4 +18,20 @@ public async Task Get_ValidRequest_RendersExpectedContent()
         // Assert
         await AssertEx.HtmlResponseAsync(response);
     }
+
+    [Fact]
+    public async Task Get_MissingAccessToken_ReturnsBadRequest()
+    {
+        // Arrange
+        var state = CreateNewState();
+        var journeyInstance = await CreateJourneyInstance(state);
+
+        var request = new HttpRequestMessage(HttpMethod.Get, $"/request-trn?{journeyInstance.GetUniqueIdQueryParameter()}&AccessToken=");
+
+        // Act
+        var response = await HttpClient.SendAsync(request);
+
+        // Assert
+        Assert.Equal(StatusCodes.Status400BadRequest, (int)response.StatusCode);
+    }
 }
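Review bot: Get_MissingAccessToken_ReturnsBadRequest sends `&AccessToken=` (present but empty) rather than omitting the parameter, so the "missing" case its name promises is not exercised; add a request with no AccessToken parameter at all and a third with a wrong non-empty value, e.g. `$"/request-trn?{journeyInstance.GetUniqueIdQueryParameter()}&AccessToken=wrong-value"`, since those are the paths an unauthorised caller actually hits. Model binding presumably yields null for the absent parameter and an empty string for `AccessToken=`; both should fail the ordinal comparison in the page model, but only one is pinned here. In the first hunk, `GetRequiredService().GetValue("RequestTrnAccessToken")` appears without type arguments, which looks like angle brackets lost when this diff was rendered; if the source really reads that way it will not compile, as the call needs a type argument such as `GetRequiredService<IConfiguration>()`.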