From e9f50676535216b74a467fab4623daf6d0c39fce Mon Sep 17 00:00:00 2001
From: JakobDev <jakobdev@gmx.de>
Date: Tue, 5 Sep 2023 16:43:34 +0200
Subject: [PATCH] Add missing `reqToken()` to notifications endpoints (#26914)

They currently throw a Internal Server Error when you use them without a
token. Now they correctly return a `token is required` error.

This is no security issue. If you use this endpoints with a token that
don't have the correct permission, you get the correct error. This is
not affected by this PR.
---
 routers/api/v1/api.go                      | 6 +++---
 tests/integration/api_notification_test.go | 6 ++++++
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 22899c0d31..74e68e9ee2 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -776,11 +776,11 @@ func Routes() *web.Route {
 		// Notifications (requires 'notifications' scope)
 		m.Group("/notifications", func() {
 			m.Combo("").
-				Get(notify.ListNotifications).
+				Get(reqToken(), notify.ListNotifications).
 				Put(reqToken(), notify.ReadNotifications)
-			m.Get("/new", notify.NewAvailable)
+			m.Get("/new", reqToken(), notify.NewAvailable)
 			m.Combo("/threads/{id}").
-				Get(notify.GetThread).
+				Get(reqToken(), notify.GetThread).
 				Patch(reqToken(), notify.ReadThread)
 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryNotification))
 
diff --git a/tests/integration/api_notification_test.go b/tests/integration/api_notification_test.go
index 52d6e6d84a..222b2c2e07 100644
--- a/tests/integration/api_notification_test.go
+++ b/tests/integration/api_notification_test.go
@@ -30,6 +30,8 @@ func TestAPINotification(t *testing.T) {
 	session := loginUser(t, user2.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteNotification, auth_model.AccessTokenScopeWriteRepository)
 
+	MakeRequest(t, NewRequest(t, "GET", "/api/v1/notifications"), http.StatusUnauthorized)
+
 	// -- GET /notifications --
 	// test filter
 	since := "2000-01-01T00%3A50%3A01%2B00%3A00" // 946687801
@@ -80,6 +82,8 @@ func TestAPINotification(t *testing.T) {
 	assert.False(t, apiNL[1].Unread)
 	assert.True(t, apiNL[1].Pinned)
 
+	MakeRequest(t, NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/threads/%d", 1)), http.StatusUnauthorized)
+
 	// -- GET /notifications/threads/{id} --
 	// get forbidden
 	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/threads/%d?token=%s", 1, token))
@@ -99,6 +103,8 @@ func TestAPINotification(t *testing.T) {
 	assert.EqualValues(t, thread5.Issue.APIURL(), apiN.Subject.URL)
 	assert.EqualValues(t, thread5.Repository.HTMLURL(), apiN.Repository.HTMLURL)
 
+	MakeRequest(t, NewRequest(t, "GET", "/api/v1/notifications/new"), http.StatusUnauthorized)
+
 	new := struct {
 		New int64 `json:"new"`
 	}{}