hedgedoc/test/public-api/alias.e2e-spec.ts

/*
 * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
 *
 * SPDX-License-Identifier: AGPL-3.0-only
 */
import request from 'supertest';

import { AliasUpdateDto } from '../../src/notes/alias-update.dto';
import { TestSetup, TestSetupBuilder } from '../test-setup';

describe('Alias', () => {
  let testSetup: TestSetup;

  let forbiddenNoteId: string;
  let testAlias: string;
  let publicId: string;

  beforeEach(async () => {
    testSetup = await TestSetupBuilder.create().withUsers().withNotes().build();
    forbiddenNoteId =
      testSetup.configService.get('noteConfig').forbiddenNoteIds[0];

    await testSetup.app.init();

    testAlias = (await testSetup.ownedNotes[0].aliases)[0].name;
    publicId = testSetup.ownedNotes[0].publicId;
  });

  afterEach(async () => {
    await testSetup.app.close();
  });

  describe('POST /alias', () => {
    it('create with normal alias', async () => {
      const metadata = await request(testSetup.app.getHttpServer())
        .post(`/api/v2/alias`)
        .set('Authorization', `Bearer ${testSetup.authTokens[0].secret}`)
        .set('Content-Type', 'application/json')
        .send({
          noteIdOrAlias: testAlias,
          newAlias: 'normalAlias',
        })
        .expect(201);

      expect(metadata.body.name).toEqual('normalAlias');
      expect(metadata.body.primaryAlias).toBeFalsy();
      expect(metadata.body.noteId).toEqual(publicId);

      const note = await request(testSetup.app.getHttpServer())
        .get(`/api/v2/notes/normalAlias`)
        .set('Authorization', `Bearer ${testSetup.authTokens[0].secret}`)
        .expect(200);

      expect(note.body.metadata.aliases).toContain('normalAlias');
      expect(note.body.metadata.primaryAlias).toBeTruthy();
      expect(note.body.metadata.id).toEqual(publicId);
    });

    describe('does not create an alias', () => {
      it('because because it is already used', async () => {
        await request(testSetup.app.getHttpServer())
          .post(`/api/v2/alias`)
          .set('Authorization', `Bearer ${testSetup.authTokens[0].secret}`)
          .set('Content-Type', 'application/json')
          .send({
            noteIdOrAlias: testAlias,
            newAlias: 'testAlias1',
          })
          .expect(409);
      });
      it('because of a forbidden alias', async () => {
        await request(testSetup.app.getHttpServer())
          .post(`/api/v2/alias`)
          .set('Authorization', `Bearer ${testSetup.authTokens[0].secret}`)
          .set('Content-Type', 'application/json')
          .send({
            noteIdOrAlias: testAlias,
            newAlias: forbiddenNoteId,
          })
          .expect(400);
      });
      it('because of a alias that is a public id', async () => {
        await request(testSetup.app.getHttpServer())
          .post(`/api/v2/alias`)
          .set('Authorization', `Bearer ${testSetup.authTokens[0].secret}`)
          .set('Content-Type', 'application/json')
          .send({
            noteIdOrAlias: testAlias,
            newAlias: publicId,
          })
          .expect(409);
      });
      it('because the user is not an owner', async () => {
        await request(testSetup.app.getHttpServer())
          .post(`/api/v2/alias`)
          .set('Authorization', `Bearer ${testSetup.authTokens[1].secret}`)
          .set('Content-Type', 'application/json')
          .send({
            noteIdOrAlias: testAlias,
            newAlias: '',
          })
          .expect(401);
      });
    });
  });

  describe('PUT /alias/{alias}', () => {
    const changeAliasDto: AliasUpdateDto = {
      primaryAlias: true,
    };

    it('updates a note with a normal alias', async () => {
      const metadata = await request(testSetup.app.getHttpServer())
        .put(`/api/v2/alias/${testAlias}`)
        .set('Authorization', `Bearer ${testSetup.authTokens[0].secret}`)
        .set('Content-Type', 'application/json')
        .send(changeAliasDto)
        .expect(200);

      expect(metadata.body.name).toEqual(testAlias);
      expect(metadata.body.primaryAlias).toBeTruthy();
      expect(metadata.body.noteId).toEqual(publicId);

      const note = await request(testSetup.app.getHttpServer())
        .get(`/api/v2/notes/${testAlias}`)
        .set('Authorization', `Bearer ${testSetup.authTokens[0].secret}`)
        .expect(200);

      expect(note.body.metadata.aliases).toContain(testAlias);
      expect(note.body.metadata.primaryAlias).toBeTruthy();
      expect(note.body.metadata.id).toEqual(publicId);
    });

    describe('does not update', () => {
      it('a note with unknown alias', async () => {
        await request(testSetup.app.getHttpServer())
          .put(`/api/v2/alias/i_dont_exist`)
          .set('Authorization', `Bearer ${testSetup.authTokens[0].secret}`)
          .set('Content-Type', 'application/json')
          .send(changeAliasDto)
          .expect(404);
      });
      it('a note with a forbidden id', async () => {
        await request(testSetup.app.getHttpServer())
          .put(`/api/v2/alias/${forbiddenNoteId}`)
          .set('Authorization', `Bearer ${testSetup.authTokens[0].secret}`)
          .set('Content-Type', 'application/json')
          .send(changeAliasDto)
          .expect(400);
      });
      it('if the user is not an owner', async () => {
        await request(testSetup.app.getHttpServer())
          .put(`/api/v2/alias/${testAlias}`)
          .set('Authorization', `Bearer ${testSetup.authTokens[1].secret}`)
          .set('Content-Type', 'application/json')
          .send(changeAliasDto)
          .expect(401);
      });
      it('if the property primaryAlias is false', async () => {
        changeAliasDto.primaryAlias = false;

        await request(testSetup.app.getHttpServer())
          .put(`/api/v2/alias/${testAlias}`)
          .set('Authorization', `Bearer ${testSetup.authTokens[0].secret}`)
          .set('Content-Type', 'application/json')
          .send(changeAliasDto)
          .expect(400);
      });
    });
  });

  describe('DELETE /alias/{alias}', () => {
    const secondAlias = 'secondAlias';

    it('deletes a normal alias', async () => {
      await request(testSetup.app.getHttpServer())
        .delete(`/api/v2/alias/${testAlias}`)
        .set('Authorization', `Bearer ${testSetup.authTokens[0].secret}`)
        .expect(204);

      await request(testSetup.app.getHttpServer())
        .get(`/api/v2/notes/${testAlias}`)
        .set('Authorization', `Bearer ${testSetup.authTokens[0].secret}`)
        .expect(404);
    });

    it('does not delete an unknown alias', async () => {
      await request(testSetup.app.getHttpServer())
        .delete(`/api/v2/alias/i_dont_exist`)
        .set('Authorization', `Bearer ${testSetup.authTokens[0].secret}`)
        .expect(404);
    });

    it('errors on forbidden notes', async () => {
      await request(testSetup.app.getHttpServer())
        .delete(`/api/v2/alias/${forbiddenNoteId}`)
        .set('Authorization', `Bearer ${testSetup.authTokens[0].secret}`)
        .expect(400);
    });

    it('errors if the user is not the owner', async () => {
      await request(testSetup.app.getHttpServer())
        .delete(`/api/v2/alias/${testAlias}`)
        .set('Authorization', `Bearer ${testSetup.authTokens[1].secret}`)
        .expect(401);
    });

    it('does not delete a primary alias (if it is not the only one)', async () => {
      // add another alias
      await testSetup.aliasService.addAlias(
        testSetup.ownedNotes[0],
        secondAlias,
      );

      // try to delete the primary alias
      await request(testSetup.app.getHttpServer())
        .delete(`/api/v2/alias/${testAlias}`)
        .set('Authorization', `Bearer ${testSetup.authTokens[0].secret}`)
        .expect(400);
      await request(testSetup.app.getHttpServer())
        .get(`/api/v2/notes/${secondAlias}`)
        .set('Authorization', `Bearer ${testSetup.authTokens[0].secret}`)
        .expect(200);
    });

    it('deletes a primary alias (if it is the only one)', async () => {
      // add another alias
      await testSetup.aliasService.addAlias(
        testSetup.ownedNotes[0],
        secondAlias,
      );

      await request(testSetup.app.getHttpServer())
        .delete(`/api/v2/alias/${secondAlias}`)
        .set('Authorization', `Bearer ${testSetup.authTokens[0].secret}`)
        .expect(204);

      await request(testSetup.app.getHttpServer())
        .delete(`/api/v2/alias/${testAlias}`)
        .set('Authorization', `Bearer ${testSetup.authTokens[0].secret}`)
        .expect(204);
    });
  });
});