backend: Migrate secret parameter to REQ framework.

Instead of using request.POST to get any potential `secret`
parameter used in `authenticate_notify` for `internal_notify_view`
decorator, moves it to the REQ framework parameters as `req_secret`.

Updates existing tests to explicitly test for a request without
`secret` parameter, which defaults to `None`; this is also tested
in `test_event_system.py`.

zerver/decorator.py

@@ -827,11 +827,11 @@ def is_local_addr(addr: str) -> bool:
 # These views are used by the main Django server to notify the Tornado server
 # of events.  We protect them from the outside world by checking a shared
 # secret, and also the originating IP (for now).
-def authenticate_notify(request: HttpRequest) -> bool:
-    return (
-        is_local_addr(request.META["REMOTE_ADDR"])
-        and request.POST.get("secret") == settings.SHARED_SECRET
-    )
+@has_request_variables
+def authenticate_notify(
+    request: HttpRequest, secret: Optional[str] = REQ("secret", default=None)
+) -> bool:
+    return is_local_addr(request.META["REMOTE_ADDR"]) and secret == settings.SHARED_SECRET
 
 
 def client_is_exempt_from_rate_limiting(request: HttpRequest) -> bool:

zerver/tests/test_decorators.py

@@ -1578,6 +1578,17 @@ class TestInternalNotifyView(ZulipTestCase):
                 self.internal_notify(False, request)
 
     def test_internal_requests_with_broken_secret(self) -> None:
+        request = HostRequestMock(
+            post_data=dict(data="something"),
+            meta_data=dict(REMOTE_ADDR="127.0.0.1"),
+        )
+
+        with self.settings(SHARED_SECRET="random"):
+            self.assertFalse(authenticate_notify(request))
+            with self.assertRaises(AccessDeniedError) as context:
+                self.internal_notify(True, request)
+            self.assertEqual(context.exception.http_status_code, 403)
+
         secret = "random"
         request = HostRequestMock(
             post_data=dict(secret=secret),