Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-11-11 00:15:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

test: add api token tests

Browse Source
This commit is contained in:
Barış Soner Uşaklı
2021-11-26 18:59:29 -05:00
parent 1e53552874
commit 7434cbf66f
2 changed files with 83 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/middleware/user.js
View File

@@ -44,7 +44,6 @@ module.exports = function (middleware) {
const user = await passportAuthenticateAsync(req, res); const user = await passportAuthenticateAsync(req, res);
if (!user) { return true; } if (!user) { return true; }
// If the token received was a master token, a _uid must also be present for all calls
if (user.hasOwnProperty('uid')) { if (user.hasOwnProperty('uid')) {
await loginAsync(user); await loginAsync(user);
await controllers.authentication.onSuccessfulLogin(req, user.uid); await controllers.authentication.onSuccessfulLogin(req, user.uid);
@@ -52,6 +51,7 @@ module.exports = function (middleware) {
req.loggedIn = req.uid > 0; req.loggedIn = req.uid > 0;
return true; return true;
} else if (user.hasOwnProperty('master') && user.master === true) { } else if (user.hasOwnProperty('master') && user.master === true) {
// If the token received was a master token, a _uid must also be present for all calls
if (req.body.hasOwnProperty('_uid') || req.query.hasOwnProperty('_uid')) { if (req.body.hasOwnProperty('_uid') || req.query.hasOwnProperty('_uid')) {
user.uid = req.body._uid || req.query._uid; user.uid = req.body._uid || req.query._uid;
delete user.master; delete user.master;

82
test/authentication.js
View File

@@ -529,4 +529,86 @@ describe('authentication', () => {
const valid = await user.reset.validate(code); const valid = await user.reset.validate(code);
assert.strictEqual(valid, false); assert.strictEqual(valid, false);
}); });
describe('api tokens', () => {
let newUid;
let userToken;
let masterToken;
before(async () => {
newUid = await user.create({ username: 'apiUserTarget' });
const settings = await meta.settings.get('core.api');
settings.tokens = settings.tokens || [];
userToken = {
token: utils.generateUUID(),
uid: newUid,
description: `api token for uid ${newUid}`,
timestamp: Date.now(),
};
settings.tokens.push(userToken);
masterToken = {
token: utils.generateUUID(),
uid: 0,
description: 'api master token',
timestamp: Date.now(),
};
settings.tokens.push(masterToken);
await meta.settings.set('core.api', settings);
});
it('should fail with invalid token', async () => {
const { res, body } = await helpers.request('get', `/api/self`, {
form: {
_uid: newUid,
},
json: true,
jar: jar,
headers: {
Authorization: `Bearer sdfhaskfdja-jahfdaksdf`,
},
});
assert.strictEqual(res.statusCode, 401);
assert.strictEqual(body, 'not-authorized');
});
it('should use a token tied to an uid', async () => {
const { res, body } = await helpers.request('get', `/api/self`, {
json: true,
headers: {
Authorization: `Bearer ${userToken.token}`,
},
});
assert.strictEqual(res.statusCode, 200);
assert.strictEqual(body.username, 'apiUserTarget');
});
it('should fail if _uid is not passed in with master token', async () => {
const { res, body } = await helpers.request('get', `/api/self`, {
form: {},
json: true,
headers: {
Authorization: `Bearer ${masterToken.token}`,
},
});
assert.strictEqual(res.statusCode, 500);
assert.strictEqual(body.error, '[[error:api.master-token-no-uid]]');
});
it('should use master api token and _uid', async () => {
const { res, body } = await helpers.request('get', `/api/self`, {
form: {
_uid: newUid,
},
json: true,
headers: {
Authorization: `Bearer ${masterToken.token}`,
},
});
assert.strictEqual(res.statusCode, 200);
assert.strictEqual(body.username, 'apiUserTarget');
});
});
}); });