diff --git a/src/lib/routes/admin-api/project/api-token.ts b/src/lib/routes/admin-api/project/api-token.ts
index 5509856175..0a2cf57c55 100644
--- a/src/lib/routes/admin-api/project/api-token.ts
+++ b/src/lib/routes/admin-api/project/api-token.ts
@@ -24,6 +24,7 @@ import {
     AccessService,
     ApiTokenService,
     OpenApiService,
+    ProjectService,
     ProxyService,
 } from '../../../services';
 import { extractUsername } from '../../../util';
@@ -51,6 +52,8 @@ export class ProjectApiTokenController extends Controller {
     private openApiService: OpenApiService;
 
+    private projectService: ProjectService;
+
     private logger: Logger;
 
     constructor(
@@ -60,12 +63,14 @@ export class ProjectApiTokenController extends Controller {
         accessService,
         proxyService,
         openApiService,
+        projectService,
     }: Pick<
         IUnleashServices,
         | 'apiTokenService'
         | 'accessService'
         | 'proxyService'
         | 'openApiService'
+        | 'projectService'
     >,
 ) {
     super(config);
@@ -73,6 +78,7 @@ export class ProjectApiTokenController extends Controller {
         this.accessService = accessService;
         this.proxyService = proxyService;
         this.openApiService = openApiService;
+        this.projectService = projectService;
         this.logger = config.getLogger('project-api-token-controller.js');
 
         this.route({
@@ -110,7 +116,7 @@ export class ProjectApiTokenController extends Controller {
                         'Endpoint that allows creation of [project API tokens](https://docs.getunleash.io/reference/api-tokens-and-client-keys#api-token-visibility) for the specified project.',
                     responses: {
                         201: resourceCreatedResponseSchema('apiTokenSchema'),
-                        ...getStandardResponses(400, 401, 403),
+                        ...getStandardResponses(400, 401, 403, 404),
                     },
                 }),
             ],
@@ -143,6 +149,8 @@ export class ProjectApiTokenController extends Controller {
     ): Promise {
         const { user } = req;
         const { projectId } = req.params;
+        await this.projectService.getProject(projectId); // Validates that the project exists
+
         const projectTokens = await this.accessibleTokens(user, projectId);
         this.openApiService.respondWithValidation(
             200,
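Review bot: Only the create-token route's OpenAPI responses gain 404 in this hunk, yet the list route also returns 404 for an unknown project after this change (the hunk at `@@ -143,6 +149,8 @@`, and the e2e test in this commit now expects 404 on GET). The list route's `getStandardResponses(...)` call is outside this hunk, so if it does not already include 404 the spec will disagree with the behaviour; append `404` to that call as well.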
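Review bot: The added `await this.projectService.getProject(projectId)` discards its result and only works as a guard if `getProject` rejects for a missing project and that rejection is turned into a 404 further up the stack; neither fact is visible in this hunk, so the trailing comment should state the contract rather than just the intent, e.g. `// Rejects when the project does not exist (surfaces as 404); the return value is intentionally unused`. The same applies to the identical line in the hunk at `@@ -158,6 +166,8 @@`. The handler's signature and the rest of its body lie outside this hunk.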
@@ -158,6 +166,8 @@ export class ProjectApiTokenController extends Controller {
     ): Promise {
         const createToken = await createApiToken.validateAsync(req.body);
         const { projectId } = req.params;
+        await this.projectService.getProject(projectId); // Validates that the project exists
+
         const permissionRequired = CREATE_PROJECT_API_TOKEN;
         const hasPermission = await this.accessService.hasPermission(
             req.user,
diff --git a/src/test/e2e/api/admin/project/project.api.tokens.e2e.test.ts b/src/test/e2e/api/admin/project/project.api.tokens.e2e.test.ts
index bbb483da92..a1ad6ed8d1 100644
--- a/src/test/e2e/api/admin/project/project.api.tokens.e2e.test.ts
+++ b/src/test/e2e/api/admin/project/project.api.tokens.e2e.test.ts
@@ -38,6 +38,7 @@ test('Returns empty list of tokens', async () => {
             expect(res.body.tokens.length).toBe(0);
         });
 });
+
 test('Returns list of tokens', async () => {
     const tokenSecret = 'random-secret';
 
@@ -62,9 +63,9 @@ test('Returns 404 when given non-existant projectId', async () => {
     return app.request
         .get('/api/admin/projects/wrong/api-tokens')
         .expect('Content-Type', /json/)
-        .expect(200)
+        .expect(404)
         .expect((res) => {
-            expect(res.body.tokens.length).toBe(0);
+            expect(res.body.tokens).toBe(undefined);
         });
 });
 
@@ -78,7 +79,7 @@ test('fails to create new client token when given wrong project', async () => {
             environment: 'default',
         })
         .set('Content-Type', 'application/json')
-        .expect(400);
+        .expect(404);
 });
 
 test('creates new client token', async () => {
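Review bot: The existence check is placed before the `hasPermission` call, so a caller who lacks CREATE_PROJECT_API_TOKEN now gets 404 for an unknown project and (presumably) 403 for an existing one, which makes the status code an oracle for which project IDs exist. If project existence is not meant to be visible to every authenticated user of this API, move `await this.projectService.getProject(projectId);` below the permission check; the permission call and its handling continue past the end of this hunk, and the e2e test in this commit expects 404 for an unknown project, so the trade-off should be decided explicitly. If the current ordering is deliberate, a one-line comment saying so next to the check would stop the next reader from reordering it.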