Fix FLEXIAPI-180 Fix the token and activation flow for the provisioning with...

2026-01-17 01:58:07 +00:00 · 2024-06-03 13:19:43 +00:00 · 2024-06-03 13:19:43 +00:00 · afe29811ac
commit afe29811ac
parent 3d1e313ca3
5 changed files with 54 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,7 @@

 v1.5
 ----
+- Fix FLEXIAPI-180 Fix the token and activation flow for the provisioning with token endpoint when the header is missing
 - Fix FLEXIAPI-178 Show the unused code in the Activity tab of the accounts in the admin panel
 - Fix FLEXIAPI-177 Complete vcards-storage and devices related endpoints with their User/Admin ones
 - Fix FLEXIAPI-176 Improve logs for the deprecated endpoints and AccountCreationToken related serialization
--- a/flexiapi/app/Http/Controllers/Account/ProvisioningController.php
+++ b/flexiapi/app/Http/Controllers/Account/ProvisioningController.php
@ -96,6 +96,8 @@ class ProvisioningController extends Controller
     */
    public function me(Request $request)
    {
+        $this->checkProvisioningHeader($request);
+
        return $this->generateProvisioning($request, $request->user());
    }

@ -104,6 +106,8 @@ class ProvisioningController extends Controller
     */
    public function show(Request $request)
    {
+        $this->checkProvisioningHeader($request);
+
        return $this->generateProvisioning($request);
    }

@ -112,6 +116,8 @@ class ProvisioningController extends Controller
     */
    public function provision(Request $request, string $provisioningToken)
    {
+        $this->checkProvisioningHeader($request);
+
        $account = Account::withoutGlobalScopes()
            ->where('id', function ($query) use ($provisioningToken) {
                $query->select('account_id')
@ -132,13 +138,16 @@ class ProvisioningController extends Controller
        return $this->generateProvisioning($request, $account);
    }

-    private function generateProvisioning(Request $request, Account $account = null)
+    private function checkProvisioningHeader(Request $request)
    {
        if (!$request->hasHeader('x-linphone-provisioning')
          && config('app.provisioning_use_x_linphone_provisioning_header')) {
            abort(400, 'x-linphone-provisioning header is missing');
        }
+    }

+    private function generateProvisioning(Request $request, Account $account = null)
+    {
        // Load the hooks if they exists
        $provisioningHooks = config_path('provisioning_hooks.php');

--- a/flexiapi/app/ProvisioningToken.php
+++ b/flexiapi/app/ProvisioningToken.php
@ -25,6 +25,10 @@ class ProvisioningToken extends Consommable
 {
    use HasFactory;

+    protected $casts = [
+        'used' => 'boolean',
+    ];
+
    public function consume()
    {
        $this->used = true;
--- a/flexiapi/database/factories/AccountFactory.php
+++ b/flexiapi/database/factories/AccountFactory.php
@ -55,6 +55,13 @@ class AccountFactory extends Factory
        ]);
    }

+    public function deactivated()
+    {
+        return $this->state(fn (array $attributes) => [
+            'activated' => false,
+        ]);
+    }
+
    public function withEmail()
    {
        return $this->state(fn (array $attributes) => [
--- a/flexiapi/tests/Feature/AccountProvisioningTest.php
+++ b/flexiapi/tests/Feature/AccountProvisioningTest.php
@ -56,6 +56,35 @@ class AccountProvisioningTest extends TestCase
            ->assertDontSee('ha1');
    }

+    public function testDontProvisionHeaderDisabled()
+    {
+        $account = Account::factory()->deactivated()->create();
+        $account->generateApiKey();
+
+        $this->assertEquals(false, $account->activated);
+        $this->assertFalse($account->currentProvisioningToken->used);
+
+        // /provisioning/me
+        $this->keyAuthenticated($account)
+            ->get($this->accountRoute)
+            ->assertStatus(400);
+
+        $account->refresh();
+
+        $this->assertEquals(false, $account->activated);
+        $this->assertFalse($account->currentProvisioningToken->used);
+
+        // /provisioning/{token}
+        $this->keyAuthenticated($account)
+            ->get($this->route . '/' . $account->currentProvisioningToken->token)
+            ->assertStatus(400);
+
+        $account->refresh();
+
+        $this->assertEquals(false, $account->activated);
+        $this->assertFalse($account->currentProvisioningToken->used);
+    }
+
    public function testXLinphoneProvisioningHeader()
    {
        $this->withHeaders([
@ -166,7 +195,9 @@ class AccountProvisioningTest extends TestCase

    public function testConfirmationKeyProvisioning()
    {
-        $response = $this->get($this->route . '/1234');
+        $response = $this->withHeaders([
+            'x-linphone-provisioning' => true,
+        ])->get($this->route . '/1234');
        $response->assertStatus(404);

        $password = Password::factory()->create();