Try to deal with web signups missing expected headers.

src/api-umbrella/web-app/actions/v1/users.lua

@@ -17,12 +17,14 @@ local is_array = require "api-umbrella.utils.is_array"
 local is_email = require "api-umbrella.utils.is_email"
 local is_empty = require "api-umbrella.utils.is_empty"
 local is_hash = require "api-umbrella.utils.is_hash"
+local json_encode = require "api-umbrella.utils.json_encode"
 local json_response = require "api-umbrella.web-app.utils.json_response"
 local known_domains = require "api-umbrella.web-app.utils.known_domains"
 local parse_post_for_pseudo_ie_cors = require "api-umbrella.web-app.utils.parse_post_for_pseudo_ie_cors"
 local require_admin = require "api-umbrella.web-app.utils.require_admin"
 local respond_to = require "api-umbrella.web-app.utils.respond_to"
 local startswith = require("pl.stringx").startswith
+local t = require("api-umbrella.web-app.utils.gettext").gettext
 local validation_ext = require "api-umbrella.web-app.utils.validation_ext"
 local wrapped_json_params = require "api-umbrella.web-app.utils.wrapped_json_params"
 
@@ -195,6 +197,18 @@ function _M.create(self)
     user_params["email_verified"] = false
   end
 
+  if not self.current_admin and request_headers["referer"] and (not request_headers["user-agent"] or not request_headers["origin"]) then
+    ngx.log(ngx.WARN, "Missing `User-Agent` or `Origin`: " .. json_encode(request_headers) .. "; " .. json_encode(user_params))
+    return coroutine.yield("error", {
+      {
+        code = "UNEXPECTED_ERROR",
+        field = "email",
+        field_label = "email",
+        message = t("An unexpected error occurred during signup. Please try again or contact us for assistance."),
+      },
+    })
+  end
+
   local api_user = assert(ApiUser:authorized_create(user_params))
   local response = {
     user = api_user:as_json({ allow_api_key = true }),

test/apis/v1/users/test_create.rb

@@ -744,6 +744,58 @@ def test_non_wrapped_form_encoded_body
     assert_response_code(422, response)
   end
 
+  def test_rejects_empty_user_agent_for_non_admins
+    attributes = FactoryBot.attributes_for(:api_user)
+    response = Typhoeus.post("https://127.0.0.1:9081/api-umbrella/v1/users.json", http_options.deep_merge(non_admin_key_creator_api_key).deep_merge({
+      :headers => {
+        "Content-Type" => "application/json",
+        "Referer" => "https://localhost/signup/",
+        "User-Agent" => "",
+      },
+      :body => MultiJson.dump(:user => attributes),
+    }))
+    assert_response_code(422, response)
+  end
+
+  def test_accepts_empty_user_agent_for_admins
+    attributes = FactoryBot.attributes_for(:api_user)
+    response = Typhoeus.post("https://127.0.0.1:9081/api-umbrella/v1/users.json", http_options.deep_merge(admin_token).deep_merge({
+      :headers => {
+        "Content-Type" => "application/json",
+        "Referer" => "https://localhost/signup/",
+        "User-Agent" => "",
+      },
+      :body => MultiJson.dump(:user => attributes),
+    }))
+    assert_response_code(201, response)
+  end
+
+  def test_rejects_empty_origin_for_non_admins
+    attributes = FactoryBot.attributes_for(:api_user)
+    response = Typhoeus.post("https://127.0.0.1:9081/api-umbrella/v1/users.json", http_options.deep_merge(non_admin_key_creator_api_key).deep_merge({
+      :headers => {
+        "Content-Type" => "application/json",
+        "Referer" => "https://localhost/signup/",
+        "Origin" => "",
+      },
+      :body => MultiJson.dump(:user => attributes),
+    }))
+    assert_response_code(422, response)
+  end
+
+  def test_accepts_empty_origin_for_admins
+    attributes = FactoryBot.attributes_for(:api_user)
+    response = Typhoeus.post("https://127.0.0.1:9081/api-umbrella/v1/users.json", http_options.deep_merge(admin_token).deep_merge({
+      :headers => {
+        "Content-Type" => "application/json",
+        "Referer" => "https://localhost/signup/",
+        "Origin" => "",
+      },
+      :body => MultiJson.dump(:user => attributes),
+    }))
+    assert_response_code(201, response)
+  end
+
   private
 
   def non_admin_key_creator_api_key