api: check request signature in tracking code lookup API (#21858)

tests/test_api.py

@@ -1979,21 +1979,24 @@ def test_tracking_code(pub):
     code.formdata = formdata
     code.store()
 
-    resp = get_app(pub).get('/api/code/foobar', status=404)
+    # missing signature
+    get_app(pub).get('/api/code/foobar', status=403)
+
+    resp = get_app(pub).get(sign_url('/api/code/foobar?orig=coucou', '1234'), status=404)
     assert resp.json['err'] == 1
 
-    resp = get_app(pub).get('/api/code/%s' % code.id, status=200)
+    resp = get_app(pub).get(sign_url('/api/code/%s?orig=coucou' % code.id, '1234'), status=200)
     assert resp.json['err'] == 0
     assert resp.json['url'] == 'http://example.net/test/%s' % formdata.id
 
     formdef.enable_tracking_codes = False
     formdef.store()
-    resp = get_app(pub).get('/api/code/%s' % code.id, status=404)
+    resp = get_app(pub).get(sign_url('/api/code/%s?orig=coucou' % code.id, '1234'), status=404)
 
     formdef.enable_tracking_codes = True
     formdef.store()
     formdata.remove_self()
-    resp = get_app(pub).get('/api/code/%s' % code.id, status=404)
+    resp = get_app(pub).get(sign_url('/api/code/%s?orig=coucou' % code.id, '1234'), status=404)
 
 def test_validate_expression(pub):
     resp = get_app(pub).get('/api/validate-expression?expression=hello')

wcs/api.py

@@ -645,6 +645,8 @@ class ApiUsersDirectory(Directory):
 class ApiTrackingCodeDirectory(Directory):
     def _q_lookup(self, component):
         get_response().set_content_type('application/json')
+        if not is_url_signed():
+            raise AccessForbiddenError('missing signature')
         try:
             tracking_code = get_publisher().tracking_code_class.get(component)
         except KeyError: