hedgedoc/backend/test/private-api/tokens.e2e-spec.ts

/*
 * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
 *
 * SPDX-License-Identifier: AGPL-3.0-only
 */
import request from 'supertest';

import {
  password1,
  password2,
  TestSetup,
  TestSetupBuilder,
  username1,
  username2,
} from '../test-setup';

describe('Tokens', () => {
  let testSetup: TestSetup;
  let agent: request.SuperAgentTest;

  let keyId: string;

  beforeAll(async () => {
    testSetup = await TestSetupBuilder.create().withUsers().build();
    await testSetup.app.init();

    agent = request.agent(testSetup.app.getHttpServer());
    await agent
      .post('/api/private/auth/local/login')
      .send({ username: username1, password: password1 })
      .expect(201);
  });

  afterAll(async () => {
    await testSetup.cleanup();
  });

  it(`POST /tokens`, async () => {
    const tokenName = 'testToken';
    const response = await agent
      .post('/api/private/tokens')
      .send({
        label: tokenName,
        validUntil: 0,
      })
      .expect('Content-Type', /json/)
      .expect(201);
    keyId = response.body.keyId;
    expect(response.body.label).toBe(tokenName);
    expect(new Date(response.body.validUntil).getTime()).toBeGreaterThan(
      Date.now(),
    );
    expect(response.body.lastUsedAt).toBe(null);
    expect(response.body.secret.length).toBe(102);
  });

  it(`GET /tokens`, async () => {
    const tokenName = 'test';
    const response = await agent
      .get('/api/private/tokens/')
      .expect('Content-Type', /json/)
      .expect(200);
    expect(response.body[0].label).toBe(tokenName);
    expect(new Date(response.body[0].validUntil).getTime()).toBeGreaterThan(
      Date.now(),
    );
    expect(response.body[0].lastUsedAt).toBe(null);
    expect(response.body[0].secret).not.toBeDefined();
  });
  it(`DELETE /tokens/:keyid`, async () => {
    // try to delete token with wrong user
    const agent2 = request.agent(testSetup.app.getHttpServer());
    await agent2
      .post('/api/private/auth/local/login')
      .send({ username: username2, password: password2 })
      .expect(201);
    let response = await agent2
      .delete('/api/private/tokens/' + keyId)
      .expect(401);
    expect(response.body.statusCode).toEqual(401);

    // delete token with correct user
    response = await agent.delete('/api/private/tokens/' + keyId).expect(204);
    expect(response.body).toStrictEqual({});

    // token should be deleted
    response = await agent
      .get('/api/private/tokens/')
      .expect('Content-Type', /json/)
      .expect(200);
    const tokenList: { keyId: string }[] = response.body;
    expect(
      tokenList.find((token) => {
        return token.keyId === keyId;
      }),
    ).toBeUndefined();
  });
});
Add e2e tests for tokens Signed-off-by: Yannick Bungers <git@innay.de> 2021-10-08 07:06:44 -04:00			`/*`
test: fix test and use stronger passwords Signed-off-by: Philip Molares <philip.molares@udo.edu> 2022-09-24 20:05:30 -04:00			`* SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)`
Add e2e tests for tokens Signed-off-by: Yannick Bungers <git@innay.de> 2021-10-08 07:06:44 -04:00			`*`
			`* SPDX-License-Identifier: AGPL-3.0-only`
			`*/`
			`import request from 'supertest';`

test: use constant credentials Signed-off-by: David Mehren <git@herrmehren.de> 2022-12-30 06:48:24 -05:00			`import {`
			`password1,`
			`password2,`
			`TestSetup,`
			`TestSetupBuilder,`
			`username1,`
			`username2,`
			`} from '../test-setup';`
Add e2e tests for tokens Signed-off-by: Yannick Bungers <git@innay.de> 2021-10-08 07:06:44 -04:00
			`describe('Tokens', () => {`
Move common test preparations into TestSetup class Signed-off-by: David Mehren <git@herrmehren.de> 2021-10-14 14:17:28 -04:00			`let testSetup: TestSetup;`
Add e2e tests for tokens Signed-off-by: Yannick Bungers <git@innay.de> 2021-10-08 07:06:44 -04:00			`let agent: request.SuperAgentTest;`
Move common test preparations into TestSetup class Signed-off-by: David Mehren <git@herrmehren.de> 2021-10-14 14:17:28 -04:00
Add e2e tests for tokens Signed-off-by: Yannick Bungers <git@innay.de> 2021-10-08 07:06:44 -04:00			`let keyId: string;`

			`beforeAll(async () => {`
test(e2e/private/tokens): check token can't be deleted by wrong user Signed-off-by: David Mehren <git@herrmehren.de> 2022-06-26 17:26:21 -04:00			`testSetup = await TestSetupBuilder.create().withUsers().build();`
Move common test preparations into TestSetup class Signed-off-by: David Mehren <git@herrmehren.de> 2021-10-14 14:17:28 -04:00			`await testSetup.app.init();`

			`agent = request.agent(testSetup.app.getHttpServer());`
Add e2e tests for tokens Signed-off-by: Yannick Bungers <git@innay.de> 2021-10-08 07:06:44 -04:00			`await agent`
Separate private and public API in TestSetup Including both PublicApiModule and PrivateApiModule in the test setup lead to the API routes overwriting each other. This adds a router to separate the APIs as they are in the normal app. Signed-off-by: David Mehren <git@herrmehren.de> 2021-10-15 10:44:43 -04:00			`.post('/api/private/auth/local/login')`
test: use constant credentials Signed-off-by: David Mehren <git@herrmehren.de> 2022-12-30 06:48:24 -05:00			`.send({ username: username1, password: password1 })`
Add e2e tests for tokens Signed-off-by: Yannick Bungers <git@innay.de> 2021-10-08 07:06:44 -04:00			`.expect(201);`
			`});`

test: ensure testSetup.cleanup is called Signed-off-by: David Mehren <git@herrmehren.de> 2022-03-04 07:13:46 -05:00			`afterAll(async () => {`
			`await testSetup.cleanup();`
			`});`

Add e2e tests for tokens Signed-off-by: Yannick Bungers <git@innay.de> 2021-10-08 07:06:44 -04:00			it(`POST /tokens`, async () => {
			`const tokenName = 'testToken';`
			`const response = await agent`
Separate private and public API in TestSetup Including both PublicApiModule and PrivateApiModule in the test setup lead to the API routes overwriting each other. This adds a router to separate the APIs as they are in the normal app. Signed-off-by: David Mehren <git@herrmehren.de> 2021-10-15 10:44:43 -04:00			`.post('/api/private/tokens')`
Add e2e tests for tokens Signed-off-by: Yannick Bungers <git@innay.de> 2021-10-08 07:06:44 -04:00			`.send({`
			`label: tokenName,`
refactor(api/private/tokens): validate POST data with DTO This adds a `AuthTokenCreateDto` which allows to fully validate incoming JSON data. Signed-off-by: David Mehren <git@herrmehren.de> 2022-03-04 12:01:45 -05:00			`validUntil: 0,`
Add e2e tests for tokens Signed-off-by: Yannick Bungers <git@innay.de> 2021-10-08 07:06:44 -04:00			`})`
			`.expect('Content-Type', /json/)`
			`.expect(201);`
			`keyId = response.body.keyId;`
			`expect(response.body.label).toBe(tokenName);`
refactor(api/private/tokens): validate POST data with DTO This adds a `AuthTokenCreateDto` which allows to fully validate incoming JSON data. Signed-off-by: David Mehren <git@herrmehren.de> 2022-03-04 12:01:45 -05:00			`expect(new Date(response.body.validUntil).getTime()).toBeGreaterThan(`
			`Date.now(),`
			`);`
refactor(auth-token): rename lastUsed to lastUsedAt This is part of an effort to name all date attributes consistently. Signed-off-by: David Mehren <git@herrmehren.de> 2022-01-16 15:52:15 -05:00			`expect(response.body.lastUsedAt).toBe(null);`
enhancement(api-tokens): add prefix and more strict validation Signed-off-by: Erik Michelson <github@erik.michelson.eu> 2024-03-22 20:14:41 -04:00			`expect(response.body.secret.length).toBe(102);`
Add e2e tests for tokens Signed-off-by: Yannick Bungers <git@innay.de> 2021-10-08 07:06:44 -04:00			`});`

			it(`GET /tokens`, async () => {
test(e2e/private/tokens): check token can't be deleted by wrong user Signed-off-by: David Mehren <git@herrmehren.de> 2022-06-26 17:26:21 -04:00			`const tokenName = 'test';`
Add e2e tests for tokens Signed-off-by: Yannick Bungers <git@innay.de> 2021-10-08 07:06:44 -04:00			`const response = await agent`
Separate private and public API in TestSetup Including both PublicApiModule and PrivateApiModule in the test setup lead to the API routes overwriting each other. This adds a router to separate the APIs as they are in the normal app. Signed-off-by: David Mehren <git@herrmehren.de> 2021-10-15 10:44:43 -04:00			`.get('/api/private/tokens/')`
Add e2e tests for tokens Signed-off-by: Yannick Bungers <git@innay.de> 2021-10-08 07:06:44 -04:00			`.expect('Content-Type', /json/)`
			`.expect(200);`
			`expect(response.body[0].label).toBe(tokenName);`
refactor(api/private/tokens): validate POST data with DTO This adds a `AuthTokenCreateDto` which allows to fully validate incoming JSON data. Signed-off-by: David Mehren <git@herrmehren.de> 2022-03-04 12:01:45 -05:00			`expect(new Date(response.body[0].validUntil).getTime()).toBeGreaterThan(`
			`Date.now(),`
			`);`
refactor(auth-token): rename lastUsed to lastUsedAt This is part of an effort to name all date attributes consistently. Signed-off-by: David Mehren <git@herrmehren.de> 2022-01-16 15:52:15 -05:00			`expect(response.body[0].lastUsedAt).toBe(null);`
Add e2e tests for tokens Signed-off-by: Yannick Bungers <git@innay.de> 2021-10-08 07:06:44 -04:00			`expect(response.body[0].secret).not.toBeDefined();`
			`});`
			it(`DELETE /tokens/:keyid`, async () => {
test(e2e/private/tokens): check token can't be deleted by wrong user Signed-off-by: David Mehren <git@herrmehren.de> 2022-06-26 17:26:21 -04:00			`// try to delete token with wrong user`
			`const agent2 = request.agent(testSetup.app.getHttpServer());`
			`await agent2`
			`.post('/api/private/auth/local/login')`
test: use constant credentials Signed-off-by: David Mehren <git@herrmehren.de> 2022-12-30 06:48:24 -05:00			`.send({ username: username2, password: password2 })`
test(e2e/private/tokens): check token can't be deleted by wrong user Signed-off-by: David Mehren <git@herrmehren.de> 2022-06-26 17:26:21 -04:00			`.expect(201);`
			`let response = await agent2`
Separate private and public API in TestSetup Including both PublicApiModule and PrivateApiModule in the test setup lead to the API routes overwriting each other. This adds a router to separate the APIs as they are in the normal app. Signed-off-by: David Mehren <git@herrmehren.de> 2021-10-15 10:44:43 -04:00			`.delete('/api/private/tokens/' + keyId)`
test(e2e/private/tokens): check token can't be deleted by wrong user Signed-off-by: David Mehren <git@herrmehren.de> 2022-06-26 17:26:21 -04:00			`.expect(401);`
			`expect(response.body.statusCode).toEqual(401);`

			`// delete token with correct user`
			`response = await agent.delete('/api/private/tokens/' + keyId).expect(204);`
Add e2e tests for tokens Signed-off-by: Yannick Bungers <git@innay.de> 2021-10-08 07:06:44 -04:00			`expect(response.body).toStrictEqual({});`
test(e2e/private/tokens): check token can't be deleted by wrong user Signed-off-by: David Mehren <git@herrmehren.de> 2022-06-26 17:26:21 -04:00
			`// token should be deleted`
			`response = await agent`
Separate private and public API in TestSetup Including both PublicApiModule and PrivateApiModule in the test setup lead to the API routes overwriting each other. This adds a router to separate the APIs as they are in the normal app. Signed-off-by: David Mehren <git@herrmehren.de> 2021-10-15 10:44:43 -04:00			`.get('/api/private/tokens/')`
Add e2e tests for tokens Signed-off-by: Yannick Bungers <git@innay.de> 2021-10-08 07:06:44 -04:00			`.expect('Content-Type', /json/)`
			`.expect(200);`
style: fix linting errors Signed-off-by: David Mehren <git@herrmehren.de> 2022-09-11 12:19:20 -04:00			`const tokenList: { keyId: string }[] = response.body;`
test(e2e/private/tokens): check token can't be deleted by wrong user Signed-off-by: David Mehren <git@herrmehren.de> 2022-06-26 17:26:21 -04:00			`expect(`
style: fix linting errors Signed-off-by: David Mehren <git@herrmehren.de> 2022-09-11 12:19:20 -04:00			`tokenList.find((token) => {`
test(e2e/private/tokens): check token can't be deleted by wrong user Signed-off-by: David Mehren <git@herrmehren.de> 2022-06-26 17:26:21 -04:00			`return token.keyId === keyId;`
			`}),`
			`).toBeUndefined();`
Add e2e tests for tokens Signed-off-by: Yannick Bungers <git@innay.de> 2021-10-08 07:06:44 -04:00			`});`
			`});`