have auth not freak out on GH error

2015-03-12 17:54:36 +01:00 · 2015-03-12 17:54:36 +01:00 · 1b3bbca5a5
commit 1b3bbca5a5
parent bf6384e50e
2 changed files with 12 additions and 0 deletions
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@ -274,6 +274,9 @@ class Travis::Api::App
          user   = manager.fetch
          halt 403, 'not a Travis user' if user.nil?
          user
+        rescue GH::Error
+          # not a valid token actually, but we don't want to expose that info
+          halt 403, 'not a Travis user'
        end

        def get_token(endpoint, values)
--- a/spec/unit/endpoint/authorization_spec.rb
+++ b/spec/unit/endpoint/authorization_spec.rb
@ -138,9 +138,18 @@ describe Travis::Api::App::Endpoint::Authorization do
    end

    it "errors if no token is given" do
+      User.stubs(:find_by_github_id).with(111).returns(user)
      post("/auth/github").should_not be_ok
      last_response.status.should == 422
      body.should_not include("access_token")
    end
+
+    it "errors if github throws an error" do
+      GH.stubs(:with).raises(GH::Error)
+      post("/auth/github", github_token: 'foo bar').should_not be_ok
+      last_response.status.should == 403
+      body.should_not include("access_token")
+      body.should include("not a Travis user")
+    end
  end
 end