test: add api token tests

2025-11-10 16:05:49 +01:00 · 2021-11-26 18:59:29 -05:00
parent 1e53552874
commit 7434cbf66f
2 changed files with 83 additions and 1 deletions
--- a/src/middleware/user.js
+++ b/src/middleware/user.js
@@ -44,7 +44,6 @@ module.exports = function (middleware) {
 			const user = await passportAuthenticateAsync(req, res);
 			if (!user) { return true; }

-			// If the token received was a master token, a _uid must also be present for all calls
 			if (user.hasOwnProperty('uid')) {
 				await loginAsync(user);
 				await controllers.authentication.onSuccessfulLogin(req, user.uid);
@@ -52,6 +51,7 @@ module.exports = function (middleware) {
 				req.loggedIn = req.uid > 0;
 				return true;
 			} else if (user.hasOwnProperty('master') && user.master === true) {
+				// If the token received was a master token, a _uid must also be present for all calls
 				if (req.body.hasOwnProperty('_uid') || req.query.hasOwnProperty('_uid')) {
 					user.uid = req.body._uid || req.query._uid;
 					delete user.master;
--- a/test/authentication.js
+++ b/test/authentication.js
@@ -529,4 +529,86 @@ describe('authentication', () => {
 		const valid = await user.reset.validate(code);
 		assert.strictEqual(valid, false);
 	});
+
+	describe('api tokens', () => {
+		let newUid;
+		let userToken;
+		let masterToken;
+		before(async () => {
+			newUid = await user.create({ username: 'apiUserTarget' });
+			const settings = await meta.settings.get('core.api');
+			settings.tokens = settings.tokens || [];
+			userToken = {
+				token: utils.generateUUID(),
+				uid: newUid,
+				description: `api token for uid ${newUid}`,
+				timestamp: Date.now(),
+			};
+			settings.tokens.push(userToken);
+			masterToken = {
+				token: utils.generateUUID(),
+				uid: 0,
+				description: 'api master token',
+				timestamp: Date.now(),
+			};
+			settings.tokens.push(masterToken);
+
+			await meta.settings.set('core.api', settings);
+		});
+
+		it('should fail with invalid token', async () => {
+			const { res, body } = await helpers.request('get', `/api/self`, {
+				form: {
+					_uid: newUid,
+				},
+				json: true,
+				jar: jar,
+				headers: {
+					Authorization: `Bearer sdfhaskfdja-jahfdaksdf`,
+				},
+			});
+			assert.strictEqual(res.statusCode, 401);
+			assert.strictEqual(body, 'not-authorized');
+		});
+
+		it('should use a token tied to an uid', async () => {
+			const { res, body } = await helpers.request('get', `/api/self`, {
+				json: true,
+				headers: {
+					Authorization: `Bearer ${userToken.token}`,
+				},
+			});
+
+			assert.strictEqual(res.statusCode, 200);
+			assert.strictEqual(body.username, 'apiUserTarget');
+		});
+
+		it('should fail if _uid is not passed in with master token', async () => {
+			const { res, body } = await helpers.request('get', `/api/self`, {
+				form: {},
+				json: true,
+				headers: {
+					Authorization: `Bearer ${masterToken.token}`,
+				},
+			});
+
+			assert.strictEqual(res.statusCode, 500);
+			assert.strictEqual(body.error, '[[error:api.master-token-no-uid]]');
+		});
+
+		it('should use master api token and _uid', async () => {
+			const { res, body } = await helpers.request('get', `/api/self`, {
+				form: {
+					_uid: newUid,
+				},
+				json: true,
+				headers: {
+					Authorization: `Bearer ${masterToken.token}`,
+				},
+			});
+
+			assert.strictEqual(res.statusCode, 200);
+			assert.strictEqual(body.username, 'apiUserTarget');
+		});
+	});
 });