Require authentication for staleness bound

devksingh4 · devksingh4 · commit 2734738010f8 · 2025-07-11T11:36:38.000-04:00
diff --git a/src/api/index.ts b/src/api/index.ts
@@ -150,7 +150,7 @@ async function init(prettyPrint: boolean = false, initClients: boolean = true) {
             },
             {
               name: "Generic",
-              description: "Retrieve metadata about a user or ACM @ UIUC .",
+              description: "Retrieve metadata about a user or ACM @ UIUC.",
             },
             {
               name: "iCalendar Integration",
diff --git a/src/api/routes/events.ts b/src/api/routes/events.ts
@@ -185,6 +185,17 @@ const eventsPlugin: FastifyPluginAsyncZodOpenApi = async (
         const includeMetadata = request.query.includeMetadata || false;
         const host = request.query?.host;
         const ts = request.query?.ts; // we only use this to disable cache control
+        if (ts) {
+          // cache bypass requires auth
+          try {
+            await fastify.authorize(request, reply, [], false);
+          } catch (e) {
+            throw new UnauthenticatedError({
+              message:
+                "You must be authenticated to specify a staleness bound.",
+            });
+          }
+        }
         const projection = createProjectionParams(includeMetadata);
         try {
           const ifNoneMatch = request.headers["if-none-match"];
@@ -683,6 +694,16 @@ const eventsPlugin: FastifyPluginAsyncZodOpenApi = async (
     async (request, reply) => {
       const id = request.params.id;
       const ts = request.query?.ts;
+      if (ts) {
+        // cache bypass requires auth
+        try {
+          await fastify.authorize(request, reply, [], false);
+        } catch (e) {
+          throw new UnauthenticatedError({
+            message: "You must be authenticated to specify a staleness bound.",
+          });
+        }
+      }
       const includeMetadata = request.query?.includeMetadata || false;
 
       try {
diff --git a/src/ui/pages/events/ManageEvent.page.tsx b/src/ui/pages/events/ManageEvent.page.tsx
@@ -307,14 +307,19 @@ export const ManageEventPage: React.FC = () => {
       resourceDef={{ service: "core", validRoles: [AppRoles.EVENTS_MANAGER] }}
     >
       <Box maw={400} mx="auto" mt="xl">
-        <Title mb="sm" order={2}>
-          {isEditing ? `Edit` : `Create`} Event
-        </Title>
+        <Title order={2}>{isEditing ? `Edit` : `Create`} Event</Title>
+        {eventId && (
+          <Text size="xs" c="dimmed">
+            Event ID: <code>{eventId}</code>
+          </Text>
+        )}
         {Intl.DateTimeFormat().resolvedOptions().timeZone !==
           "America/Chicago" && (
           <Alert
             variant="light"
             color="red"
+            mt="xs"
+            mb="xs"
             title="Timezone Alert"
             icon={<IconInfoCircle />}
           >
diff --git a/tests/live/events.test.ts b/tests/live/events.test.ts
@@ -26,8 +26,15 @@ test("getting events for a given host", async () => {
 });
 
 test("metadata is included when includeMetadata query parameter is set", async () => {
+  const token = await createJwt();
   const response = await fetch(
     `${baseEndpoint}/api/v1/events?host=Infrastructure Committee&includeMetadata=true&ts=${Date.now()}`,
+    {
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+      },
+    },
   );
   expect(response.status).toBe(200);
 
@@ -38,8 +45,15 @@ test("metadata is included when includeMetadata query parameter is set", async (
 });
 
 test("metadata is not included when includeMetadata query parameter is unset", async () => {
+  const token = await createJwt();
   const response = await fetch(
     `${baseEndpoint}/api/v1/events?host=Infrastructure Committee&ts=${Date.now()}`,
+    {
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+      },
+    },
   );
   expect(response.status).toBe(200);
 
@@ -80,6 +94,7 @@ describe("Event lifecycle tests", async () => {
     expect(response.headers.get("location")).not.toBeNull();
   });
   test("Getting an event", { timeout: 30000 }, async () => {
+    const token = await createJwt();
     if (!createdEventUuid) {
       throw new Error("Event UUID not found");
     }
@@ -88,6 +103,7 @@ describe("Event lifecycle tests", async () => {
       {
         method: "GET",
         headers: {
+          Authorization: `Bearer ${token}`,
           "Content-Type": "application/json",
         },
       },
@@ -123,11 +139,13 @@ describe("Event lifecycle tests", async () => {
     if (!createdEventUuid) {
       throw new Error("Event UUID not found");
     }
+    const token = await createJwt();
     const response = await fetch(
       `${baseEndpoint}/api/v1/events/${createdEventUuid}?ts=${Date.now()}`,
       {
         method: "GET",
         headers: {
+          Authorization: `Bearer ${token}`,
           "Content-Type": "application/json",
         },
       },
@@ -162,10 +180,15 @@ describe("Event lifecycle tests", async () => {
     if (!createdEventUuid) {
       throw new Error("Event UUID not found");
     }
+    const token = await createJwt();
     const response = await fetch(
       `${baseEndpoint}/api/v1/events/${createdEventUuid}?ts=${Date.now()}`,
       {
         method: "GET",
+        headers: {
+          Authorization: `Bearer ${token}`,
+          "Content-Type": "application/json",
+        },
       },
     );
     expect(response.status).toBe(404);

Original file line number	Diff line number	Diff line change
`@@ -150,7 +150,7 @@ async function init(prettyPrint: boolean = false, initClients: boolean = true) {`
`150`	`150`	`},`
`151`	`151`	`{`
`152`	`152`	`name: "Generic",`
`153`		`- description: "Retrieve metadata about a user or ACM @ UIUC .",`
	`153`	`+ description: "Retrieve metadata about a user or ACM @ UIUC.",`
`154`	`154`	`},`
`155`	`155`	`{`
`156`	`156`	`name: "iCalendar Integration",`