From 22ccb5ac60466d8e53fae8e26569dd065df1f1e7 Mon Sep 17 00:00:00 2001 From: SamTV12345 <40429738+samtv12345@users.noreply.github.com> Date: Mon, 25 Mar 2024 23:13:10 +0100 Subject: [PATCH] Removed api key from existance. --- src/node/hooks/express/openapi.ts | 1 - src/node/utils/Cli.ts | 5 ----- src/tests/backend/common.ts | 13 +++++++++++++ src/tests/backend/fuzzImportTest.ts | 10 +++++++--- src/tests/backend/specs/api/api.ts | 1 - src/tests/backend/specs/api/characterEncoding.ts | 12 +++++++++--- src/tests/backend/specs/api/pad.ts | 3 +-- src/tests/backend/specs/api/restoreRevision.ts | 2 +- src/tests/container/specs/api/pad.js | 4 ++-- 9 files changed, 33 insertions(+), 18 deletions(-) diff --git a/src/node/hooks/express/openapi.ts b/src/node/hooks/express/openapi.ts index 85dd37360..a55e67871 100644 --- a/src/node/hooks/express/openapi.ts +++ b/src/node/hooks/express/openapi.ts @@ -632,7 +632,6 @@ exports.expressPreSession = async (hookName:string, {app}:any) => { let data; try { data = await apiHandler.handle(version, funcName, fields, req, res); - console.log(app._router.stack) } catch (err) { const errCaused = err as ErrorCaused // convert all errors to http errors diff --git a/src/node/utils/Cli.ts b/src/node/utils/Cli.ts index 1579dd3ce..1b2938196 100644 --- a/src/node/utils/Cli.ts +++ b/src/node/utils/Cli.ts @@ -45,10 +45,5 @@ for (let i = 0; i < argv.length; i++) { exports.argv.sessionkey = arg; } - // Override location of APIKEY.txt file - if (prevArg === '--apikey') { - exports.argv.apikey = arg; - } - prevArg = arg; } diff --git a/src/tests/backend/common.ts b/src/tests/backend/common.ts index bf6de7919..21fb01e2f 100644 --- a/src/tests/backend/common.ts +++ b/src/tests/backend/common.ts 
@@ -52,6 +52,19 @@ export const generateJWTToken = () => { return jwt.sign(privateKeyExported!) } + +export const generateJWTTokenUser = () => { + const jwt = new SignJWT({ + sub: 'admin', + jti: '123', + exp: Math.floor(Date.now() / 1000) + 60 * 60, + aud: 'account', + iss: 'http://localhost:9001', + }) + jwt.setProtectedHeader({alg: 'RS256'}) + return jwt.sign(privateKeyExported!) +} + export const init = async function () { if (agentPromise != null) return await agentPromise; let agentResolve; diff --git a/src/tests/backend/fuzzImportTest.ts b/src/tests/backend/fuzzImportTest.ts index 8366e62d8..5b959bbc2 100644 --- a/src/tests/backend/fuzzImportTest.ts +++ b/src/tests/backend/fuzzImportTest.ts @@ -7,13 +7,12 @@ const common = require('./common'); const host = `http://${settings.ip}:${settings.port}`; const froth = require('mocha-froth'); const axios = require('axios'); -const apiKey = common.apiKey; const apiVersion = 1; const testPadId = `TEST_fuzz${makeid()}`; const endPoint = function (point: string, version?:number) { version = version || apiVersion; - return `/api/${version}/${point}?apikey=${apiKey}`; + return `/api/${version}/${point}}`; }; console.log('Testing against padID', testPadId); @@ -29,7 +28,12 @@ setTimeout(() => { }, 5000); // wait 5 seconds async function runTest(number: number) { - await axios.get(`${host + endPoint('createPad')}&padID=${testPadId}`) + await axios + .get(`${host + endPoint('createPad')}?padID=${testPadId}`, { + headers: { + Authorization: await common.generateJWTToken(), + } + }) .then(() => { const req = axios.post(`${host}/p/${testPadId}/import`) .then(() => { diff --git a/src/tests/backend/specs/api/api.ts b/src/tests/backend/specs/api/api.ts index 294d38e90..bab70b47c 100644 --- a/src/tests/backend/specs/api/api.ts +++ b/src/tests/backend/specs/api/api.ts 
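Review bot: `generateJWTTokenUser` is introduced as the token for the new "unprivileged" test, yet the claims it signs are `sub: 'admin'` with the same private key and no role or scope claim, so nothing visible distinguishes it from the admin token produced by `generateJWTToken`; if the server decides API privilege from the subject or a role claim, this is simply a second admin token and a test built on it cannot show that authorization is enforced. The body of `generateJWTToken` lies above the hunk, so I cannot see what the two functions are meant to differ in. Suggest `sub: 'user',` (or whichever non-admin subject the auth layer recognizes) and a header comment such as `/** Signs a JWT for a non-admin subject; used to check that the API rejects authenticated but unprivileged callers. */`.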
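Review bot: `endPoint` now returns `/api/${version}/${point}}` — the trailing `}` is left over from deleting the `?apikey=` suffix and becomes part of the path, so `endPoint('createPad')` yields `/api/1/createPad}` and the createPad request in `runTest` never reaches the real route. Change the line to ``return `/api/${version}/${point}`;``. With the query string gone, callers that used to append `&padID=` must start the query with `?`, which the second hunk of this file already does.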
@@ -12,7 +12,6 @@ const common = require('../../common'); const validateOpenAPI = require('openapi-schema-validation').validate; let agent: any; -const apiKey = common.apiKey; let apiVersion = 1; const makeid = () => { diff --git a/src/tests/backend/specs/api/characterEncoding.ts b/src/tests/backend/specs/api/characterEncoding.ts index df6e09555..80093437b 100644 --- a/src/tests/backend/specs/api/characterEncoding.ts +++ b/src/tests/backend/specs/api/characterEncoding.ts @@ -6,7 +6,7 @@ * TODO: maybe unify those two files and merge in a single one. */ -import {generateJWTToken} from "../../common"; +import {generateJWTToken, generateJWTTokenUser} from "../../common"; const assert = require('assert').strict; const common = require('../../common'); @@ -38,13 +38,19 @@ describe(__filename, function () { assert(apiVersion); }); - it('errors with invalid APIKey', async function () { + it('errors with invalid OAuth token', async function () { // This is broken because Etherpad doesn't handle HTTP codes properly see #2343 - // If your APIKey is password you deserve to fail all tests anyway await agent.get(`/api/${apiVersion}/createPad?padID=test`) .set("Authorization", (await generateJWTToken()).substring(0,10)) .expect(401); }); + + it('errors with unprivileged OAuth token', async function () { + // This is broken because Etherpad doesn't handle HTTP codes properly see #2343 + await agent.get(`/api/${apiVersion}/createPad?padID=test`) + .set("Authorization", (await generateJWTTokenUser()).substring(0,10)) + .expect(401); + }); }); describe('Tests', function () { diff --git a/src/tests/backend/specs/api/pad.ts b/src/tests/backend/specs/api/pad.ts index 4e36762c4..f4d081ef4 100644 --- a/src/tests/backend/specs/api/pad.ts +++ b/src/tests/backend/specs/api/pad.ts 
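Review bot: The new test 'errors with unprivileged OAuth token' sends `(await generateJWTTokenUser()).substring(0,10)`, a truncated and therefore malformed token, so it exercises the same rejection path as the 'invalid OAuth token' test directly above it and would pass even if a valid non-admin token were accepted by the API. Send the whole token instead: `.set("Authorization", await generateJWTTokenUser())`. Note also that `generateJWTTokenUser`, as added in common.ts in this same commit, signs `sub: 'admin'`, so the token may not be unprivileged at all — confirm which claim the server uses to decide privilege before relying on this test.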
@@ -59,9 +59,8 @@ describe(__filename, function () { }); describe('Sanity checks', function () { - it('errors with invalid APIKey', async function () { + it('errors with invalid oauth token', async function () { // This is broken because Etherpad doesn't handle HTTP codes properly see #2343 - // If your APIKey is password you deserve to fail all tests anyway await agent.get(`/api/${apiVersion}/createPad?padID=test`) .set("Authorization", (await common.generateJWTToken()).substring(0, 10)) .expect(401); diff --git a/src/tests/backend/specs/api/restoreRevision.ts b/src/tests/backend/specs/api/restoreRevision.ts index a779766da..e30c8aa25 100644 --- a/src/tests/backend/specs/api/restoreRevision.ts +++ b/src/tests/backend/specs/api/restoreRevision.ts @@ -14,8 +14,8 @@ describe(__filename, function () { let pad: PadType; const restoreRevision = async (v:string, padId: string, rev: number, authorId:string|null = null) => { + // @ts-ignore const p = new URLSearchParams(Object.entries({ - apikey: common.apiKey, padID: padId, rev, ...(authorId == null ? {} : {authorId}), diff --git a/src/tests/container/specs/api/pad.js b/src/tests/container/specs/api/pad.js index 04067f0e3..f6ff8ebf5 100644 --- a/src/tests/container/specs/api/pad.js +++ b/src/tests/container/specs/api/pad.js @@ -31,8 +31,8 @@ describe('API Versioning', function () { }); describe('Permission', function () { - it('errors with invalid APIKey', function (done) { - api.get(`/api/${apiVersion}/createPad?apikey=wrong_password&padID=test`) + it('errors with invalid OAuth token', function (done) { + api.get(`/api/${apiVersion}/createPad?padID=test`) .expect(401, done); }); });
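Review bot: The added `// @ts-ignore` above `new URLSearchParams(Object.entries({...}))` suppresses whatever type error the object literal raises (presumably `rev` being a `number` where `URLSearchParams` expects string values — the error itself is not visible here) rather than fixing it, and it will also hide any future error on that statement. Prefer converting the value, e.g. `rev: String(rev),`, and dropping the directive; if a suppression is genuinely needed, use `// @ts-expect-error <reason>` so the build fails once the error disappears. The body of `restoreRevision` continues past the hunk.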
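Review bot: The renamed test 'errors with invalid OAuth token' no longer sends any credential — the `apikey` query parameter was removed and no `Authorization` header was added — so it now checks the unauthenticated case, not an invalid token, and the container suite is left with no coverage of a malformed token being rejected. Either rename it to `it('errors without OAuth token', function (done) {` or add `.set('Authorization', 'not-a-token')` before `.expect(401, done)`, and keep a separate test for the missing-credential case.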