From e0234fecba0115a4cfe83ea6f45a3ac2511ea57e Mon Sep 17 00:00:00 2001
From: Leo Hemsted
Date: Fri, 5 Mar 2021 12:38:14 +0000
Subject: [PATCH] add POST get user by email endpoint

the existing endpoint is a GET, and so leaves email addresses in log files. we've got an existing POST find_users_by_partial_email, but not one that matches on a whole email address.
---
 app/user/rest.py | 13 +++++++++++++
 tests/app/user/test_rest.py | 38 +++++++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+)

diff --git a/app/user/rest.py b/app/user/rest.py
index 32aa7b532..1dabc95ee 100644
--- a/app/user/rest.py
+++ b/app/user/rest.py
@@ -417,6 +417,19 @@ def set_permissions(user_id, service_id):
 return jsonify({}), 204


+@user_blueprint.route('/email', methods=['POST'])
+def fetch_user_by_email():
+
+ email, errors = email_data_request_schema.load(request.get_json())
+ if errors:
+ raise InvalidRequest(message=errors, status_code=400)
+
+ fetched_user = get_user_by_email(email['email'])
+ result = fetched_user.serialize()
+ return jsonify(data=result)
+
+
+# TODO: Deprecate this GET endpoint
 @user_blueprint.route('/email', methods=['GET'])
 def get_by_email():
 email = request.args.get('email')
diff --git a/tests/app/user/test_rest.py b/tests/app/user/test_rest.py
index 64ad80d15..0528e57d5 100644
--- a/tests/app/user/test_rest.py
+++ b/tests/app/user/test_rest.py
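Review bot: `fetch_user_by_email` in app/user/rest.py has no docstring saying why the lookup is a POST, and that reason is the security point of the route: the address travels in the JSON body, so it stays out of URL access logs. I would add `"""Return the user whose email address exactly matches the posted one; POST keeps the address out of request-line logs."""` under the `def` and drop the empty line that follows the signature. The `# TODO: Deprecate this GET endpoint` names no ticket or owner, and until callers are moved the address still reaches logs through `get_by_email`, so tie it to a tracked issue. It would also help to confirm that a request without a JSON body, where `request.get_json()` may hand `None` to `email_data_request_schema.load`, still ends in the 400 branch. The body of `get_by_email` continues past the end of the hunk.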
@@ -410,6 +410,44 @@ def test_get_user_by_email_bad_url_returns_404(client, sample_user):
 assert json_resp['message'] == 'Invalid request. Email query string param required'


+def test_fetch_user_by_email(admin_request, notify_db_session):
+ user = create_user(email='foo@bar.com')
+
+ create_user(email='foo@bar.com.other_email')
+ create_user(email='other_email.foo@bar.com')
+
+ resp = admin_request.post(
+ 'user.fetch_user_by_email',
+ _data={'email': user.email_address},
+ _expected_status=200
+ )
+
+ assert resp['data']['id'] == str(user.id)
+ assert resp['data']['email_address'] == user.email_address
+
+
+def test_fetch_user_by_email_not_found_returns_404(admin_request, notify_db_session):
+ create_user(email='foo@bar.com.other_email')
+
+ resp = admin_request.post(
+ 'user.fetch_user_by_email',
+ _data={'email': 'doesnt@exist.com'},
+ _expected_status=404
+ )
+ assert resp['result'] == 'error'
+ assert resp['message'] == 'No result found'
+
+
+def test_fetch_user_by_email_without_email_returns_400(admin_request, notify_db_session):
+ resp = admin_request.post(
+ 'user.fetch_user_by_email',
+ _data={},
+ _expected_status=400
+ )
+ assert resp['result'] == 'error'
+ assert resp['message'] == {'email': ['Missing data for required field.']}
+
+
 def test_get_user_with_permissions(client, sample_user_service_permission):
 header = create_authorization_header()
 response = client.get(url_for('user.get_user', user_id=str(sample_user_service_permission.user.id)),
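Review bot: The added tests in tests/app/user/test_rest.py pin exact-match behaviour against longer addresses but never post an address that differs only in letter case or surrounding whitespace, so the contract for those inputs is left unpinned. A case with `_data={'email': 'FOO@bar.com'}` and the status the team intends would document whether `get_user_by_email` normalises its input. A second case posting a syntactically invalid value such as `_data={'email': 'not-an-email'}` would show whether the schema rejects it with 400 or lets it fall through to the 404 path; which of those happens is not visible from this hunk.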