Merge pull request #20 from integer-net/unauthorized-response

Return correct HTTP status code for unauthorized requests

Author: DavidLambauer

Test/Integration/Controller/IndexControllerTest.php

@@ -0,0 +1,40 @@
+<?php
+declare(strict_types=1);
+
+namespace RunAsRoot\PrometheusExporter\Test\Integration\Controller;
+
+use Magento\TestFramework\TestCase\AbstractController;
+use Magento\Framework\App\Request;
+use Magento\Framework\App\Response;
+
+/**
+ * @method Request\Http getRequest()
+ * @method Response\Http getResponse()
+ */
+class IndexControllerTest extends AbstractController
+{
+    /**
+     * @magentoAppArea frontend
+     */
+    public function testUnauthorizedResponse()
+    {
+        $this->dispatch('metrics/index/index');
+        $this->assertEquals(401, $this->getResponse()->getStatusCode(), 'Status code should be 401 Unauthorized');
+        $this->assertEquals(
+            'You are not allowed to see these metrics.',
+            $this->getResponse()->getBody(),
+            'Body should be error message'
+        );
+    }
+
+    /**
+     * @magentoAppArea frontend
+     * @magentoConfigFixture current_store metric_configuration/security/token supersecrettokenxxx
+     */
+    public function testAuthorizedResponse()
+    {
+        $this->getRequest()->getHeaders()->addHeaderLine('Authorization: Bearer supersecrettokenxxx');
+        $this->dispatch('metrics/index/index');
+        $this->assertEquals(200, $this->getResponse()->getStatusCode(), 'Status code should be 200 OK');
+    }
+}

src/Controller/Index/Index.php

@@ -4,8 +4,10 @@
 
 namespace RunAsRoot\PrometheusExporter\Controller\Index;
 
+use Laminas\Http\Response;
 use Magento\Framework\App\Action\Action;
 use Magento\Framework\App\Action\Context;
+use Magento\Framework\App\Response\Http;
 use Magento\Framework\Controller\ResultFactory;
 use Magento\Framework\Controller\ResultInterface;
 use RunAsRoot\PrometheusExporter\Data\Config;
@@ -33,11 +35,12 @@ public function execute(): ResultInterface
         $authorizationHeader = $this->getRequest()->getHeader('Authorization');
 
         if ($token !== $authorizationHeader) {
-            /** @var \Magento\Framework\Controller\Result\Raw $response */
-            $response = $this->resultFactory->create(ResultFactory::TYPE_RAW);
-            $response->setContents('You are not allowed to see these metrics.');
+            /** @var \Magento\Framework\Controller\Result\Raw $result */
+            $result = $this->resultFactory->create(ResultFactory::TYPE_RAW);
+            $result->setHttpResponseCode(Http::STATUS_CODE_401);
+            $result->setContents('You are not allowed to see these metrics.');
 
-            return $response;
+            return $result;
         }
 
         return $this->prometheusResultFactory->create();