ABC-132: sign error page parameters (#8197)

* sign error page parameters

* add comments

1 files changed, 49 insertions, 0 deletions

diff --git a/utils/api_test.go b/utils/api_test.go
new file mode 100644
index 000000000..5e41c7bfe
--- /dev/null
+++ b/utils/api_test.go
@@ -0,0 +1,49 @@
+// Copyright (c) 2017-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package utils
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/asn1"
+	"encoding/base64"
+	"math/big"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestRenderWebError(t *testing.T) {
+	r := httptest.NewRequest("GET", "http://foo", nil)
+	w := httptest.NewRecorder()
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err)
+	RenderWebError(w, r, http.StatusTemporaryRedirect, url.Values{
+		"foo": []string{"bar"},
+	}, key)
+
+	resp := w.Result()
+	location, err := url.Parse(resp.Header.Get("Location"))
+	require.NoError(t, err)
+	require.NotEmpty(t, location.Query().Get("s"))
+
+	type ecdsaSignature struct {
+		R, S *big.Int
+	}
+	var rs ecdsaSignature
+	s, err := base64.URLEncoding.DecodeString(location.Query().Get("s"))
+	require.NoError(t, err)
+	_, err = asn1.Unmarshal(s, &rs)
+	require.NoError(t, err)
+
+	assert.Equal(t, "bar", location.Query().Get("foo"))
+	h := sha256.Sum256([]byte("/error?foo=bar"))
+	assert.True(t, ecdsa.Verify(&key.PublicKey, h[:], rs.R, rs.S))
+}