Ghost/ghost/admin/tests/acceptance/authentication-test.js

192 lines
7.5 KiB
JavaScript
Raw Normal View History

import ctrlOrCmd from 'ghost-admin/utils/ctrl-or-cmd';
import windowProxy from 'ghost-admin/utils/window-proxy';
import {Response} from 'miragejs';
import {afterEach, beforeEach, describe, it} from 'mocha';
import {authenticateSession, invalidateSession} from 'ember-simple-auth/test-support';
import {currentRouteName, currentURL, fillIn, findAll, triggerKeyEvent, visit, waitFor} from '@ember/test-helpers';
import {expect} from 'chai';
import {run} from '@ember/runloop';
import {setupApplicationTest} from 'ember-mocha';
import {setupMirage} from 'ember-cli-mirage/test-support';
describe('Acceptance: Authentication', function () {
let originalReplaceLocation;
let hooks = setupApplicationTest();
setupMirage(hooks);
beforeEach(async function () {
this.server.loadFixtures('configs');
});
🎨 remove usage of ghost's {{asset}} helper in index.html (#574) refs #8140 🎨 remove usage of ghost's {{asset}} helper in built index.html files requires https://github.com/TryGhost/Ghost/pull/8142 - switch to hash-location rather than history-location - remove usage of Ghost's `{{asset}}` helper in index.html - add `content-for` helpers to `asset-delivery` addon that switch asset urls in index.html to `.min` files in production - update the `asset-delivery` addon to copy the production `index.min.html` to `default-prod.hbs` so Ghost can serve production assets when in production mode - change template output path to `core/server/admin/views/` - enable asset fingerprinting - remove `ember-cli-sri` dependency - we weren't using it but now that ember is handling assets it was used automatically and could potentially create issues if users have proxy servers that attempt to compress or otherwise modify asset files ✨ redirect to setup if server says setup isn't finished refs https://github.com/TryGhost/Ghost/issues/8140 - now we're using hash-location the server no longer knows if we're hitting the /setup route so it's not able to redirect for us - extends the default ESA `UnauthenticatedRouteMixin` to add a check against the `/authentication/setup` API endpoint and redirects to `/#/setup/one` if setup isn't complete - this works for all routes because the default behaviour when hitting an authenticated route without the right credentials is to force a logout and redirect to `/#/signin` which utilises the `UnauthenticatedRouteMixin` deps: ember-cli-inject-live-reload@1.6.1
2017-03-14 19:04:46 +03:00
describe('setup redirect', function () {
beforeEach(function () {
// ensure the /users/me route doesn't error
this.server.create('user');
this.server.get('authentication/setup', function () {
🎨 remove usage of ghost's {{asset}} helper in index.html (#574) refs #8140 🎨 remove usage of ghost's {{asset}} helper in built index.html files requires https://github.com/TryGhost/Ghost/pull/8142 - switch to hash-location rather than history-location - remove usage of Ghost's `{{asset}}` helper in index.html - add `content-for` helpers to `asset-delivery` addon that switch asset urls in index.html to `.min` files in production - update the `asset-delivery` addon to copy the production `index.min.html` to `default-prod.hbs` so Ghost can serve production assets when in production mode - change template output path to `core/server/admin/views/` - enable asset fingerprinting - remove `ember-cli-sri` dependency - we weren't using it but now that ember is handling assets it was used automatically and could potentially create issues if users have proxy servers that attempt to compress or otherwise modify asset files ✨ redirect to setup if server says setup isn't finished refs https://github.com/TryGhost/Ghost/issues/8140 - now we're using hash-location the server no longer knows if we're hitting the /setup route so it's not able to redirect for us - extends the default ESA `UnauthenticatedRouteMixin` to add a check against the `/authentication/setup` API endpoint and redirects to `/#/setup/one` if setup isn't complete - this works for all routes because the default behaviour when hitting an authenticated route without the right credentials is to force a logout and redirect to `/#/signin` which utilises the `UnauthenticatedRouteMixin` deps: ember-cli-inject-live-reload@1.6.1
2017-03-14 19:04:46 +03:00
return {setup: [{status: false}]};
});
});
it('redirects to setup when setup isn\'t complete', async function () {
await visit('settings/labs');
expect(currentURL()).to.equal('/setup');
🎨 remove usage of ghost's {{asset}} helper in index.html (#574) refs #8140 🎨 remove usage of ghost's {{asset}} helper in built index.html files requires https://github.com/TryGhost/Ghost/pull/8142 - switch to hash-location rather than history-location - remove usage of Ghost's `{{asset}}` helper in index.html - add `content-for` helpers to `asset-delivery` addon that switch asset urls in index.html to `.min` files in production - update the `asset-delivery` addon to copy the production `index.min.html` to `default-prod.hbs` so Ghost can serve production assets when in production mode - change template output path to `core/server/admin/views/` - enable asset fingerprinting - remove `ember-cli-sri` dependency - we weren't using it but now that ember is handling assets it was used automatically and could potentially create issues if users have proxy servers that attempt to compress or otherwise modify asset files ✨ redirect to setup if server says setup isn't finished refs https://github.com/TryGhost/Ghost/issues/8140 - now we're using hash-location the server no longer knows if we're hitting the /setup route so it's not able to redirect for us - extends the default ESA `UnauthenticatedRouteMixin` to add a check against the `/authentication/setup` API endpoint and redirects to `/#/setup/one` if setup isn't complete - this works for all routes because the default behaviour when hitting an authenticated route without the right credentials is to force a logout and redirect to `/#/signin` which utilises the `UnauthenticatedRouteMixin` deps: ember-cli-inject-live-reload@1.6.1
2017-03-14 19:04:46 +03:00
});
});
describe('general page', function () {
let newLocation;
beforeEach(function () {
originalReplaceLocation = windowProxy.replaceLocation;
windowProxy.replaceLocation = function (url) {
url = url.replace(/^\/ghost\//, '/');
newLocation = url;
};
newLocation = undefined;
let role = this.server.create('role', {name: 'Administrator'});
this.server.create('user', {roles: [role], slug: 'test-user'});
});
afterEach(function () {
windowProxy.replaceLocation = originalReplaceLocation;
});
it('invalidates session on 401 API response', async function () {
// return a 401 when attempting to retrieve users
this.server.get('/users/me', () => new Response(401, {}, {
errors: [
{message: 'Access denied.', type: 'UnauthorizedError'}
]
}));
await authenticateSession();
await visit('/settings/staff');
// running `visit(url)` inside windowProxy.replaceLocation breaks
// the async behaviour so we need to run `visit` here to simulate
// the browser visiting the new page
if (newLocation) {
await visit(newLocation);
}
🎨 remove usage of ghost's {{asset}} helper in index.html (#574) refs #8140 🎨 remove usage of ghost's {{asset}} helper in built index.html files requires https://github.com/TryGhost/Ghost/pull/8142 - switch to hash-location rather than history-location - remove usage of Ghost's `{{asset}}` helper in index.html - add `content-for` helpers to `asset-delivery` addon that switch asset urls in index.html to `.min` files in production - update the `asset-delivery` addon to copy the production `index.min.html` to `default-prod.hbs` so Ghost can serve production assets when in production mode - change template output path to `core/server/admin/views/` - enable asset fingerprinting - remove `ember-cli-sri` dependency - we weren't using it but now that ember is handling assets it was used automatically and could potentially create issues if users have proxy servers that attempt to compress or otherwise modify asset files ✨ redirect to setup if server says setup isn't finished refs https://github.com/TryGhost/Ghost/issues/8140 - now we're using hash-location the server no longer knows if we're hitting the /setup route so it's not able to redirect for us - extends the default ESA `UnauthenticatedRouteMixin` to add a check against the `/authentication/setup` API endpoint and redirects to `/#/setup/one` if setup isn't complete - this works for all routes because the default behaviour when hitting an authenticated route without the right credentials is to force a logout and redirect to `/#/signin` which utilises the `UnauthenticatedRouteMixin` deps: ember-cli-inject-live-reload@1.6.1
2017-03-14 19:04:46 +03:00
expect(currentURL(), 'url after 401').to.equal('/signin');
});
it('invalidates session on 403 API response', async function () {
// return a 401 when attempting to retrieve users
this.server.get('/users/me', () => new Response(403, {}, {
errors: [
{message: 'Authorization failed', type: 'NoPermissionError'}
]
}));
await authenticateSession();
await visit('/settings/staff');
// running `visit(url)` inside windowProxy.replaceLocation breaks
// the async behaviour so we need to run `visit` here to simulate
// the browser visiting the new page
if (newLocation) {
await visit(newLocation);
}
expect(currentURL(), 'url after 403').to.equal('/signin');
});
it('doesn\'t show navigation menu on invalid url when not authenticated', async function () {
await invalidateSession();
await visit('/');
expect(currentURL(), 'current url').to.equal('/signin');
expect(findAll('nav.gh-nav').length, 'nav menu presence').to.equal(0);
await visit('/signin/invalidurl/');
expect(currentURL(), 'url after invalid url').to.equal('/signin/invalidurl/');
expect(currentRouteName(), 'path after invalid url').to.equal('error404');
expect(findAll('nav.gh-nav').length, 'nav menu presence').to.equal(0);
});
it('shows nav menu on invalid url when authenticated', async function () {
await authenticateSession();
await visit('/signin/invalidurl/');
expect(currentURL(), 'url after invalid url').to.equal('/signin/invalidurl/');
expect(currentRouteName(), 'path after invalid url').to.equal('error404');
expect(findAll('nav.gh-nav').length, 'nav menu presence').to.equal(1);
});
});
describe('editor', function () {
let origDebounce = run.debounce;
let origThrottle = run.throttle;
// we don't want the autosave interfering in this test
beforeEach(function () {
run.debounce = function () { };
run.throttle = function () { };
});
it('displays re-auth modal attempting to save with invalid session', async function () {
let role = this.server.create('role', {name: 'Administrator'});
this.server.create('user', {roles: [role]});
let testOn = 'save'; // use marker for different type of server.put result
// simulate an invalid session when saving the edited post
this.server.put('/posts/:id/', function ({posts, db}, {params}) {
let post = posts.find(params.id);
let attrs = db.posts.find(params.id); // use attribute from db.posts to avoid hasInverseFor error
if (testOn === 'edit') {
return new Response(401, {}, {
errors: [
{message: 'Access denied.', type: 'UnauthorizedError'}
]
});
} else {
return post.update(attrs);
}
});
await authenticateSession();
await visit('/editor');
// create the post
await fillIn('.gh-editor-title', 'Test Post');
// await fillIn('.kg-prose', 'Test post body'); // TODO: We don't currently have an editorInstance when loading Lexical as the editor.. need to look in to this
await triggerKeyEvent('.gh-editor-title', 'keydown', 83, {
metaKey: ctrlOrCmd === 'command',
ctrlKey: ctrlOrCmd === 'ctrl'
});
// we shouldn't have a modal at this point
expect(findAll('[data-test-modal="re-authenticate"]').length, 'modal exists').to.equal(0);
// we also shouldn't have any alerts
expect(findAll('.gh-alert').length, 'no of alerts').to.equal(0);
// update the post
testOn = 'edit';
await fillIn('.gh-editor-title', 'Test Post Updated');
triggerKeyEvent('.gh-editor-title', 'keydown', 83, {
metaKey: ctrlOrCmd === 'command',
ctrlKey: ctrlOrCmd === 'ctrl'
});
// we should see a re-auth modal
await waitFor('[data-test-modal="re-authenticate"]', {timeout: 100});
// close the modal so the modal promise is settled and we can continue
await triggerKeyEvent('[data-test-modal="re-authenticate"]', 'keydown', 'Escape');
});
// don't clobber debounce/throttle for future tests
afterEach(function () {
run.debounce = origDebounce;
run.throttle = origThrottle;
});
});
});