Merge pull request #486 from NHSDigital/add-csrf-exempt-to-notifications-callback-endpoint

Add csrf exempt to notifications callback endpoint

Author: steventux

manage_breast_screening/notifications/tests/integration/test_callback_endpoint.py

@@ -0,0 +1,62 @@
+import hashlib
+import hmac
+import json
+from unittest.mock import MagicMock, patch
+
+import pytest
+from django.test import TestCase
+from test.support.os_helper import EnvironmentVarGuard
+
+
+@pytest.mark.integration
+class TestCallbackEndpoint(TestCase):
+    def setUp(self):
+        self.env = EnvironmentVarGuard()
+        self.env.set("NHS_NOTIFY_APPLICATION_ID", "application_id")
+        self.env.set("NHS_NOTIFY_API_KEY", "api_key")
+
+    def test_endpoint_responds_with_json_400(self):
+        response = self.client.post(
+            "/notifications/message-status/create",
+            {},
+            enforce_csrf_checks=True,
+            content_type="application/json",
+        )
+        assert response.status_code == 400
+        assert response.json() == {
+            "error": {
+                "message": "Missing API key header",
+            },
+        }
+
+    def test_endpoint_responds_with_200(self):
+        body = {"some": "data"}
+        signature = hmac.new(
+            bytes("application_id.api_key", "ASCII"),
+            msg=bytes(json.dumps(body), "ASCII"),
+            digestmod=hashlib.sha256,
+        ).hexdigest()
+        headers = {
+            "X-Api-Key": "api_key",
+            "X-HMAC-sha256-signature": signature,
+        }
+
+        with patch(
+            "manage_breast_screening.notifications.views.Queue.MessageStatusUpdates"
+        ) as mock_queue:
+            queue_instance = MagicMock()
+            mock_queue.return_value = queue_instance
+
+            response = self.client.post(
+                "/notifications/message-status/create",
+                body,
+                enforce_csrf_checks=True,
+                content_type="application/json",
+                headers=headers,
+            )
+        assert response.status_code == 200
+        assert response.json() == {
+            "result": {
+                "message": "Message status update queued",
+            },
+        }

manage_breast_screening/notifications/views.py

@@ -2,6 +2,7 @@
 
 from django.contrib.auth.decorators import login_not_required
 from django.http import JsonResponse
+from django.views.decorators.csrf import csrf_exempt
 from django.views.decorators.http import require_http_methods
 
 from manage_breast_screening.core.decorators import (
@@ -16,6 +17,7 @@
 @require_http_methods(["POST"])
 @login_not_required
 @basic_auth_exempt
+@csrf_exempt
 def create_message_status(request):
     valid, message = RequestValidator(request).valid()