Merge pull request #1365 from GSA/USN-COMPLY-50-Verify_Nonce_for_Invite

US-NOTIFY-COMPLY 50: Verify Nonce For Invite

app/service_invite/rest.py

@@ -32,7 +32,7 @@ service_invite = Blueprint("service_invite", __name__)
 register_errors(service_invite)
 
 
-def _create_service_invite(invited_user, invite_link_host):
+def _create_service_invite(invited_user, nonce):
 
     template_id = current_app.config["INVITATION_EMAIL_TEMPLATE_ID"]
 
@@ -40,12 +40,6 @@ def _create_service_invite(invited_user, invite_link_host):
 
     service = Service.query.get(current_app.config["NOTIFY_SERVICE_ID"])
 
-    token = generate_token(
-        str(invited_user.email_address),
-        current_app.config["SECRET_KEY"],
-        current_app.config["DANGEROUS_SALT"],
-    )
-
     # The raw permissions are in the form "a,b,c,d"
     # but need to be in the form ["a", "b", "c", "d"]
     data = {}
@@ -59,7 +53,8 @@ def _create_service_invite(invited_user, invite_link_host):
     data["invited_user_email"] = invited_user.email_address
 
     url = os.environ["LOGIN_DOT_GOV_REGISTRATION_URL"]
-    url = url.replace("NONCE", token)
+
+    url = url.replace("NONCE", nonce)  # handed from data sent from admin.
 
     user_data_url_safe = get_user_data_url_safe(data)
 
@@ -94,10 +89,16 @@ def _create_service_invite(invited_user, invite_link_host):
 @service_invite.route("/service/<service_id>/invite", methods=["POST"])
 def create_invited_user(service_id):
     request_json = request.get_json()
+    try:
+        nonce = request_json.pop("nonce")
+    except KeyError:
+        current_app.logger.exception("nonce not found in submitted data.")
+        raise
+
     invited_user = invited_user_schema.load(request_json)
     save_invited_user(invited_user)
 
-    _create_service_invite(invited_user, request_json.get("invite_link_host"))
+    _create_service_invite(invited_user, nonce)
 
     return jsonify(data=invited_user_schema.dump(invited_user)), 201
 

tests/app/service_invite/test_service_invite_rest.py

@@ -45,6 +45,7 @@ def test_create_invited_user(
         permissions="send_messages,manage_service,manage_api_keys",
         auth_type=AuthType.EMAIL,
         folder_permissions=["folder_1", "folder_2", "folder_3"],
+        nonce="FakeNonce",
         **extra_args,
     )
 
@@ -108,6 +109,7 @@ def test_create_invited_user_without_auth_type(
         "from_user": str(invite_from.id),
         "permissions": "send_messages,manage_service,manage_api_keys",
         "folder_permissions": [],
+        "nonce": "FakeNonce",
     }
 
     json_resp = admin_request.post(
@@ -131,6 +133,7 @@ def test_create_invited_user_invalid_email(client, sample_service, mocker, fake_
         "from_user": str(invite_from.id),
         "permissions": "send_messages,manage_service,manage_api_keys",
         "folder_permissions": [fake_uuid, fake_uuid],
+        "nonce": "FakeNonce",
     }
 
     data = json.dumps(data)