From afe29811ac8b493cf49923b5768cad587f6d3c68 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Jaussoin?=
Date: Mon, 3 Jun 2024 13:19:43 +0000
Subject: [PATCH] Fix FLEXIAPI-180 Fix the token and activation flow for the provisioning with...
---
 CHANGELOG.md | 1 +
 .../Account/ProvisioningController.php | 11 ++++++-
 flexiapi/app/ProvisioningToken.php | 4 +++
 .../database/factories/AccountFactory.php | 7 ++++
 .../tests/Feature/AccountProvisioningTest.php | 33 ++++++++++++++++++-
 5 files changed, 54 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b3733cf..5281829 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@
 v1.5
 ----
 
+- Fix FLEXIAPI-180 Fix the token and activation flow for the provisioning with token endpoint when the header is missing
 - Fix FLEXIAPI-178 Show the unused code in the Activity tab of the accounts in the admin panel
 - Fix FLEXIAPI-177 Complete vcards-storage and devices related endpoints with their User/Admin ones
 - Fix FLEXIAPI-176 Improve logs for the deprecated endpoints and AccountCreationToken related serialization
diff --git a/flexiapi/app/Http/Controllers/Account/ProvisioningController.php b/flexiapi/app/Http/Controllers/Account/ProvisioningController.php
index 067a3c6..cb8b0a1 100644
--- a/flexiapi/app/Http/Controllers/Account/ProvisioningController.php
+++ b/flexiapi/app/Http/Controllers/Account/ProvisioningController.php
@@ -96,6 +96,8 @@ class ProvisioningController extends Controller
 */
 public function me(Request $request)
 {
+ $this->checkProvisioningHeader($request);
+
 return $this->generateProvisioning($request, $request->user());
 }
 
@@ -104,6 +106,8 @@ class ProvisioningController extends Controller
 */
 public function show(Request $request)
 {
+ $this->checkProvisioningHeader($request);
+
 return $this->generateProvisioning($request);
 }
 
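Review bot: The header requirement is now enforced by a manual `$this->checkProvisioningHeader($request);` call at the top of `me()` and `show()` here, and of `provision()` in the next hunk, instead of inside `generateProvisioning()` where it used to live. Any other code path that reaches `generateProvisioning()` — none is visible in these hunks, so this is an inference — now skips the check silently, and a future endpoint is one forgotten line away from serving provisioning data without the header. Confirm there are no other callers, or enforce the check once as route middleware on the provisioning routes and keep the per-method calls only as a second layer. A short comment at the `provision()` call site, e.g. `// Reject early: this must run before any token consumption or activation`, would make the ordering constraint explicit where it actually matters.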
@@ -112,6 +116,8 @@ class ProvisioningController extends Controller
 */
 public function provision(Request $request, string $provisioningToken)
 {
+ $this->checkProvisioningHeader($request);
+
 $account = Account::withoutGlobalScopes()
 ->where('id', function ($query) use ($provisioningToken) {
 $query->select('account_id')
@@ -132,13 +138,16 @@ class ProvisioningController extends Controller
 return $this->generateProvisioning($request, $account);
 }
 
- private function generateProvisioning(Request $request, Account $account = null)
+ private function checkProvisioningHeader(Request $request)
 {
 if (!$request->hasHeader('x-linphone-provisioning') && config('app.provisioning_use_x_linphone_provisioning_header')) {
 abort(400, 'x-linphone-provisioning header is missing');
 }
+ }
 
+ private function generateProvisioning(Request $request, Account $account = null)
+ {
 // Load the hooks if they exists
 $provisioningHooks = config_path('provisioning_hooks.php');
 
diff --git a/flexiapi/app/ProvisioningToken.php b/flexiapi/app/ProvisioningToken.php
index 3bb23be..4e51af7 100644
--- a/flexiapi/app/ProvisioningToken.php
+++ b/flexiapi/app/ProvisioningToken.php
@@ -25,6 +25,10 @@ class ProvisioningToken extends Consommable
 {
 use HasFactory;
 
+ protected $casts = [
+ 'used' => 'boolean',
+ ];
+
 public function consume()
 {
 $this->used = true;
diff --git a/flexiapi/database/factories/AccountFactory.php b/flexiapi/database/factories/AccountFactory.php
index 5959f97..b105915 100644
--- a/flexiapi/database/factories/AccountFactory.php
+++ b/flexiapi/database/factories/AccountFactory.php
@@ -55,6 +55,13 @@ class AccountFactory extends Factory
 ]);
 }
 
+ public function deactivated()
+ {
+ return $this->state(fn (array $attributes) => [
+ 'activated' => false,
+ ]);
+ }
+
 public function withEmail()
 {
 return $this->state(fn (array $attributes) => [
diff --git a/flexiapi/tests/Feature/AccountProvisioningTest.php b/flexiapi/tests/Feature/AccountProvisioningTest.php
index f3e4b14..42fa7bd 100644
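Review bot: `checkProvisioningHeader()` has no return type and no docblock, and the contract that matters — it must run before any state change, so that a request rejected for a missing header consumes no provisioning token and activates nothing — is only visible from its call sites. Declare it as `private function checkProvisioningHeader(Request $request): void` and add a docblock stating that it aborts with 400 when `app.provisioning_use_x_linphone_provisioning_header` is set and the `x-linphone-provisioning` header is absent, and that callers must invoke it before touching the token or the account. The re-added `generateProvisioning()` signature keeps the implicit-nullable `Account $account = null`, which PHP 8.4 deprecates; write it as `?Account $account = null`. The body of `generateProvisioning()` continues past the end of this hunk.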
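Review bot: Declaring `$casts` on `ProvisioningToken` replaces, rather than merges with, any `$casts` the parent `Consommable` may declare; the parent is not visible here, so confirm it defines none (or fold its entries into this array) before relying on the new `'used' => 'boolean'` cast. Presumably this cast is what lets the new test's `assertFalse($account->currentProvisioningToken->used)` hold on drivers that return the column as `0` or `'0'`; a short comment such as `// Cast so used compares strictly as a bool regardless of the DB driver` would record that intent next to the property.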
--- a/flexiapi/tests/Feature/AccountProvisioningTest.php
+++ b/flexiapi/tests/Feature/AccountProvisioningTest.php
@@ -56,6 +56,35 @@ class AccountProvisioningTest extends TestCase
 ->assertDontSee('ha1');
 }
 
+ public function testDontProvisionHeaderDisabled()
+ {
+ $account = Account::factory()->deactivated()->create();
+ $account->generateApiKey();
+
+ $this->assertEquals(false, $account->activated);
+ $this->assertFalse($account->currentProvisioningToken->used);
+
+ // /provisioning/me
+ $this->keyAuthenticated($account)
+ ->get($this->accountRoute)
+ ->assertStatus(400);
+
+ $account->refresh();
+
+ $this->assertEquals(false, $account->activated);
+ $this->assertFalse($account->currentProvisioningToken->used);
+
+ // /provisioning/{token}
+ $this->keyAuthenticated($account)
+ ->get($this->route . '/' . $account->currentProvisioningToken->token)
+ ->assertStatus(400);
+
+ $account->refresh();
+
+ $this->assertEquals(false, $account->activated);
+ $this->assertFalse($account->currentProvisioningToken->used);
+ }
+
 public function testXLinphoneProvisioningHeader()
 {
 $this->withHeaders([
@@ -166,7 +195,9 @@ class AccountProvisioningTest extends TestCase
 public function testConfirmationKeyProvisioning()
 {
- $response = $this->get($this->route . '/1234');
+ $response = $this->withHeaders([
+ 'x-linphone-provisioning' => true,
+ ])->get($this->route . '/1234');
 $response->assertStatus(404);
 
 $password = Password::factory()->create();
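Review bot: `testDontProvisionHeaderDisabled()` expects a 400 from both endpoints without pinning the setting that makes the header mandatory, so the assertion depends on whatever `app.provisioning_use_x_linphone_provisioning_header` happens to be in the test environment (not visible here). Set it explicitly at the top of the test, `config(['app.provisioning_use_x_linphone_provisioning_header' => true]);`, so the regression it guards — a header-less request must neither consume the token nor activate the account — cannot pass or fail for an unrelated reason. The three `$this->assertEquals(false, $account->activated);` lines also accept `0`, `''` and `null`; if the model casts `activated` to boolean, `$this->assertFalse($account->activated);` is stricter and matches the adjacent `assertFalse` on the token.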