/* jshint expr:true */
import $ from 'jquery';
import OAuth2Authenticator from 'ghost-admin/authenticators/oauth2';
import destroyApp from '../helpers/destroy-app';
import ghostPaths from 'ghost-admin/utils/ghost-paths';
import startApp from '../helpers/start-app';
import windowProxy from 'ghost-admin/utils/window-proxy';
import {Response} from 'ember-cli-mirage';
import {afterEach, beforeEach, describe, it} from 'mocha';
import {authenticateSession, invalidateSession} from 'ghost-admin/tests/helpers/ember-simple-auth';
import {expect} from 'chai';
import {run} from '@ember/runloop';
// Resolve the admin path helpers once; `Ghost.apiRoot` is used below to build
// the upload URL for the raw jQuery ajax test.
const Ghost = ghostPaths();
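// Acceptance tests for the admin's authentication behaviour: the setup
// redirect, OAuth2 token refresh on boot, session invalidation on a 401 API
// response, what unauthenticated visitors get to see, and that the bearer
// token is attached to raw jQuery ajax calls (not only ember-data requests).
describe('Acceptance: Authentication', function () {
    let application,
        originalReplaceLocation;

    beforeEach(function () {
        application = startApp();
    });

    afterEach(function () {
        destroyApp(application);
    });

    describe('setup redirect', function () {
        beforeEach(function () {
            // ensure the /users/me route doesn't error
            server.create('user');

            // report an un-set-up blog so the app must redirect to the setup flow
            server.get('authentication/setup', function () {
                return {setup: [{status: false}]};
            });
        });

        it('redirects to setup when setup isn\'t complete', async function () {
            await visit('settings/labs');

            expect(currentURL()).to.equal('/setup/one');
        });
    });

    describe('token handling', function () {
        beforeEach(function () {
            // replace the default test authenticator with our own authenticator
            application.register('authenticator:test', OAuth2Authenticator);

            let role = server.create('role', {name: 'Administrator'});
            server.create('user', {roles: [role], slug: 'test-user'});
        });

        it('refreshes tokens on boot if last refreshed > 24hrs ago', async function () {
            /* eslint-disable camelcase */
            // the tokens here don't matter, we're using the actual oauth
            // authenticator so we get the tokens back from the mirage endpoint
            await authenticateSession(application, {
                access_token: 'access_token',
                refresh_token: 'refresh_token'
            });

            // authenticating the session above will trigger a token refresh
            // request so we need to clear it to ensure we aren't testing the
            // test behaviour instead of application behaviour
            server.pretender.handledRequests = [];

            // fake a longer session so it appears that we last refreshed > 24hrs ago
            let {__container__: container} = application;
            let {session} = container.lookup('service:session');
            let newSession = session.get('content');
            newSession.authenticated.expires_in = 172800 * 2;
            session.get('store').persist(newSession);
            /* eslint-enable camelcase */

            await visit('/');

            let requests = server.pretender.handledRequests;
            let refreshRequest = requests.findBy('url', '/ghost/api/v0.1/authentication/token');

            expect(refreshRequest, 'token refresh request').to.exist;
            expect(refreshRequest.method, 'method').to.equal('POST');

            // the refresh must use the refresh token the mirage endpoint handed
            // back on authentication, not the placeholder we passed in above
            let requestBody = $.deparam(refreshRequest.requestBody);
            expect(requestBody.grant_type, 'grant_type').to.equal('refresh_token');
            expect(requestBody.refresh_token, 'refresh_token').to.equal('MirageRefreshToken');
        });

        it('doesn\'t refresh tokens on boot if last refreshed < 24hrs ago', async function () {
            /* eslint-disable camelcase */
            // the tokens here don't matter, we're using the actual oauth
            // authenticator so we get the tokens back from the mirage endpoint
            await authenticateSession(application, {
                access_token: 'access_token',
                refresh_token: 'refresh_token'
            });
            /* eslint-enable camelcase */

            // authenticating the session above will trigger a token refresh
            // request so we need to clear it to ensure we aren't testing the
            // test behaviour instead of application behaviour
            server.pretender.handledRequests = [];

            // we've only just refreshed tokens above so we should always be < 24hrs
            await visit('/');

            let requests = server.pretender.handledRequests;
            let refreshRequest = requests.findBy('url', '/ghost/api/v0.1/authentication/token');

            expect(refreshRequest, 'refresh request').to.not.exist;
        });
    });

    describe('general page', function () {
        // URL the app asked the browser to navigate to via windowProxy (without the /ghost/ prefix)
        let newLocation;

        beforeEach(function () {
            // capture full-page redirects instead of letting them leave the test runner
            originalReplaceLocation = windowProxy.replaceLocation;
            windowProxy.replaceLocation = function (url) {
                newLocation = url.replace(/^\/ghost\//, '/');
            };
            newLocation = undefined;

            let role = server.create('role', {name: 'Administrator'});
            server.create('user', {roles: [role], slug: 'test-user'});
        });

        afterEach(function () {
            windowProxy.replaceLocation = originalReplaceLocation;
        });

        // a rejected token must drop the client-side session entirely rather
        // than leaving the app half-authenticated on an admin page
        it('invalidates session on 401 API response', async function () {
            // return a 401 when attempting to retrieve users
            server.get('/users/', () => {
                return new Response(401, {}, {
                    errors: [
                        {message: 'Access denied.', errorType: 'UnauthorizedError'}
                    ]
                });
            });

            await authenticateSession(application);
            await visit('/team');

            // running `visit(url)` inside windowProxy.replaceLocation breaks
            // the async behaviour so we need to run `visit` here to simulate
            // the browser visiting the new page
            if (newLocation) {
                await visit(newLocation);
            }

            expect(currentURL(), 'url after 401').to.equal('/signin');
        });

        it('doesn\'t show navigation menu on invalid url when not authenticated', async function () {
            // awaited so the session is fully torn down before the first visit
            await invalidateSession(application);

            await visit('/');

            expect(currentURL(), 'current url').to.equal('/signin');
            expect(find('nav.gh-nav').length, 'nav menu presence').to.equal(0);

            // the 404 route must not leak the authenticated chrome to visitors
            await visit('/signin/invalidurl/');

            expect(currentURL(), 'url after invalid url').to.equal('/signin/invalidurl/');
            expect(currentPath(), 'path after invalid url').to.equal('error404');
            expect(find('nav.gh-nav').length, 'nav menu presence').to.equal(0);
        });

        it('shows nav menu on invalid url when authenticated', async function () {
            await authenticateSession(application);
            await visit('/signin/invalidurl/');

            expect(currentURL(), 'url after invalid url').to.equal('/signin/invalidurl/');
            expect(currentPath(), 'path after invalid url').to.equal('error404');
            expect(find('nav.gh-nav').length, 'nav menu presence').to.equal(1);
        });
    });

    // TODO: re-enable once modal reappears correctly
    describe.skip('editor', function () {
        let origDebounce = run.debounce;
        let origThrottle = run.throttle;

        // we don't want the autosave interfering in this test
        beforeEach(function () {
            run.debounce = function () { };
            run.throttle = function () { };
        });

        it('displays re-auth modal attempting to save with invalid session', async function () {
            let role = server.create('role', {name: 'Administrator'});
            server.create('user', {roles: [role]});

            // simulate an invalid session when saving the edited post
            // (function expression rather than arrow: mirage binds `this` for normalizedRequestAttrs)
            server.put('/posts/:id/', function ({posts}, {params}) {
                let post = posts.find(params.id);
                let attrs = this.normalizedRequestAttrs();

                if (attrs.mobiledoc.cards[0][1].markdown === 'Edited post body') {
                    return new Response(401, {}, {
                        errors: [
                            {message: 'Access denied.', errorType: 'UnauthorizedError'}
                        ]
                    });
                } else {
                    return post.update(attrs);
                }
            });

            await authenticateSession(application);
            await visit('/editor');

            // create the post
            await fillIn('#entry-title', 'Test Post');
            await fillIn('.__mobiledoc-editor', 'Test post body');
            await click('.js-publish-button');

            // we shouldn't have a modal at this point
            expect(find('.modal-container #login').length, 'modal exists').to.equal(0);
            // we also shouldn't have any alerts
            expect(find('.gh-alert').length, 'no of alerts').to.equal(0);

            // update the post
            await fillIn('.__mobiledoc-editor', 'Edited post body');
            await click('.js-publish-button');

            // we should see a re-auth modal
            expect(find('.fullscreen-modal #login').length, 'modal exists').to.equal(1);
        });

        // don't clobber debounce/throttle for future tests
        afterEach(function () {
            run.debounce = origDebounce;
            run.throttle = origThrottle;
        });
    });

    // Uses the real $.ajax rather than ember-data so we cover the upload path,
    // which must carry the bearer token as well.
    // NOTE: the test is `async` and must NOT also take a `done` callback —
    // mocha rejects a test that both returns a promise and accepts `done`.
    it('adds auth headers to jquery ajax', async function () {
        let role = server.create('role', {name: 'Administrator'});
        server.create('user', {roles: [role]});

        // echo the request back so the response body carries the headers that were sent
        server.post('/uploads', (schema, request) => {
            return request;
        });

        /* eslint-disable camelcase */
        await authenticateSession(application, {
            access_token: 'test_token',
            expires_in: 3600,
            token_type: 'Bearer'
        });
        /* eslint-enable camelcase */

        // necessary to visit a page to fully boot the app in testing
        await visit('/');

        /* eslint-disable ember/jquery-ember-run */
        // awaiting the jqXHR resolves with the response data, i.e. the echoed request
        let request = await $.ajax({
            type: 'POST',
            url: `${Ghost.apiRoot}/uploads/`,
            data: {test: 'Test'}
        });
        /* eslint-enable ember/jquery-ember-run */

        expect(request.requestHeaders.Authorization, 'Authorization header')
            .to.exist;
        expect(request.requestHeaders.Authorization, 'Authorization header content')
            .to.equal('Bearer test_token');
    });
});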