diff --git a/packages/core/http/core-http-router-server-internal/src/request.ts b/packages/core/http/core-http-router-server-internal/src/request.ts
index aa134c21ae95a..8c31635feb8c2 100644
--- a/packages/core/http/core-http-router-server-internal/src/request.ts
+++ b/packages/core/http/core-http-router-server-internal/src/request.ts
@@ -223,11 +223,10 @@ export class CoreKibanaRequest<
 options,
 };
 }
- /** infer route access from path if not declared */
+ /** set route access to internal if not declared */
 private getAccess(request: RawRequest): 'internal' | 'public' {
 return (
- ((request.route?.settings as RouteOptions)?.app as KibanaRouteOptions)?.access ??
- (request.path.startsWith('/internal') ? 'internal' : 'public')
+ ((request.route?.settings as RouteOptions)?.app as KibanaRouteOptions)?.access ?? 'internal'
 );
 }
diff --git a/packages/core/http/core-http-router-server-mocks/src/router.mock.ts b/packages/core/http/core-http-router-server-mocks/src/router.mock.ts
index e82a51a14a332..4272cf130b38e 100644
--- a/packages/core/http/core-http-router-server-mocks/src/router.mock.ts
+++ b/packages/core/http/core-http-router-server-mocks/src/router.mock.ts
@@ -73,7 +73,7 @@ function createKibanaRequestMock
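Review bot: The `'internal'` fallback in `getAccess` is a second copy of the default that http_server.ts applies when it builds `kibanaRouteOptions` (`route.options.access ?? 'internal'`), and nothing in either hunk ties the two together. If this classification is later used to restrict internal endpoints, a drift between the two copies would label the same request differently depending on which code path computed it. The fallback is also taken when `request.route?.settings` or its `app` value is absent, not only when a route omits `access`. The doc comment could carry both facts, for example `/** falls back to 'internal' when no access is declared or no route settings exist; must match the default applied in HttpServer */`. The class body continues outside the hunk.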

({
 routeTags,
 routeAuthRequired,
 validation = {},
- kibanaRouteOptions = { xsrfRequired: true, access: 'public' },
+ kibanaRouteOptions = { xsrfRequired: true, access: 'internal' },
 kibanaRequestState = {
 requestId: '123',
 requestUuid: '123e4567-e89b-12d3-a456-426614174000',
diff --git a/packages/core/http/core-http-server-internal/src/http_server.test.ts b/packages/core/http/core-http-server-internal/src/http_server.test.ts
index 886349e0ea940..675d7e4fffcef 100644
--- a/packages/core/http/core-http-server-internal/src/http_server.test.ts
+++ b/packages/core/http/core-http-server-internal/src/http_server.test.ts
@@ -836,12 +836,12 @@ test('allows declaring route access to flag a route as public or internal', asyn
 registerRouter(router);
 await server.start();
- await supertest(innerServer.listener).get('/with-access').expect(200, { access });
+ await supertest(innerServer.listener).get('/with-access').expect(200, { access: 'internal' });
- await supertest(innerServer.listener).get('/without-access').expect(200, { access: 'public' });
+ await supertest(innerServer.listener).get('/without-access').expect(200, { access: 'internal' });
 });
-test('infers access flag from path if not defined', async () => {
+test(`sets access flag to 'internal' if not defined`, async () => {
 const { registerRouter, server: innerServer } = await server.setup(config);
 const router = new Router('', logger, enhanceWithContext, routerOptions);
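Review bot: The `/with-access` assertion now expects the literal `{ access: 'internal' }`, the same value expected for `/without-access`, so this test can no longer tell a declared access from the new default. The route registration is outside the hunk, but if it still declares `access: 'internal'`, an implementation that ignored `route.options.access` entirely would pass. Declaring the opposite value keeps the override covered: register `/with-access` with `options: { access: 'public' }` and assert `.expect(200, { access: 'public' })`.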
@@ -863,13 +863,13 @@ test('infers access flag from path if not defined', async () => {
 await server.start();
 await supertest(innerServer.listener).get('/internal/foo').expect(200, { access: 'internal' });
- await supertest(innerServer.listener).get('/random/foo').expect(200, { access: 'public' });
+ await supertest(innerServer.listener).get('/random/foo').expect(200, { access: 'internal' });
 await supertest(innerServer.listener)
 .get('/random/internal/foo')
- .expect(200, { access: 'public' });
+ .expect(200, { access: 'internal' });
 await supertest(innerServer.listener)
 .get('/api/foo/internal/my-foo')
- .expect(200, { access: 'public' });
+ .expect(200, { access: 'internal' });
 });
 test('exposes route details of incoming request to a route handler', async () => {
@@ -888,7 +888,7 @@ test('exposes route details of incoming request to a route handler', async () =>
 options: {
 authRequired: true,
 xsrfRequired: false,
- access: 'public',
+ access: 'internal',
 tags: [],
 timeout: {},
 },
@@ -1066,7 +1066,7 @@ test('exposes route details of incoming request to a route handler (POST + paylo
 options: {
 authRequired: true,
 xsrfRequired: true,
- access: 'public',
+ access: 'internal',
 tags: [],
 timeout: {
 payload: 10000,
diff --git a/packages/core/http/core-http-server-internal/src/http_server.ts b/packages/core/http/core-http-server-internal/src/http_server.ts
index 747c477d1b41d..3ed8a73a38641 100644
--- a/packages/core/http/core-http-server-internal/src/http_server.ts
+++ b/packages/core/http/core-http-server-internal/src/http_server.ts
@@ -606,7 +606,7 @@ export class HttpServer {
 const kibanaRouteOptions: KibanaRouteOptions = {
 xsrfRequired: route.options.xsrfRequired ?? !isSafeMethod(route.method),
- access: route.options.access ?? (route.path.startsWith('/internal') ? 'internal' : 'public'),
+ access: route.options.access ?? 'internal',
 };
 // Log HTTP API target consumer.
 optionsLogger.debug(
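Review bot: With `access: route.options.access ?? 'internal'` in http_server.ts, every route registered without an explicit `access` is classified as internal, including paths outside `/internal` that were previously reported as public. That is the fail-closed choice, but it is silent: nothing in this hunk records whether the value was declared or defaulted, so route owners get no signal that an endpoint meant for external callers now needs `access: 'public'`. A comment on the line would make the intent explicit, for example `// fail closed: routes that do not declare access are treated as internal; public APIs must opt in`. The `optionsLogger.debug(` call that follows is cut off by the hunk; if it does not already say so, it would be a natural place to report whether access was defaulted.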
diff --git a/packages/core/http/core-http-server-internal/src/lifecycle_handlers.test.ts b/packages/core/http/core-http-server-internal/src/lifecycle_handlers.test.ts
index b58fd1b299b06..9e1d0191d0f5e 100644
--- a/packages/core/http/core-http-server-internal/src/lifecycle_handlers.test.ts
+++ b/packages/core/http/core-http-server-internal/src/lifecycle_handlers.test.ts
@@ -174,7 +174,7 @@ describe('xsrf post-auth handler', () => {
 path: '/some-path',
 kibanaRouteOptions: {
 xsrfRequired: false,
- access: 'public',
+ access: 'internal',
 },
 });
diff --git a/packages/core/http/core-http-server/src/router/route.ts b/packages/core/http/core-http-server/src/router/route.ts
index e2b11aec08e1a..349ad2e392453 100644
--- a/packages/core/http/core-http-server/src/router/route.ts
+++ b/packages/core/http/core-http-server/src/router/route.ts
@@ -126,9 +126,7 @@ export interface RouteConfigOptions {
 * In the future, may require an incomming request to contain a specified header.
 * - internal. The route is internal and intended for internal access only.
 *
- * If not declared, infers access from route path:
- * - access =`internal` for '/internal' route path prefix
- * - access = `public` for everything else
+ * Defaults to 'internal' If not declared,
 */
 access?: 'public' | 'internal';
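Review bot: The new doc line in route.ts, `* Defaults to 'internal' If not declared,`, ends in a comma with a stray capital, and it leaves out what route authors most need to know: a route must now opt in to be public. Suggested wording: `* Defaults to 'internal' if not declared; routes intended for external consumers must set access: 'public'.` The interface continues outside the hunk.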