OpenSourceArk/Ghost
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
e9587e02d0
Ghost/ghost/magic-link/test/index.test.js

117 lines
4.5 KiB
JavaScript
Raw Normal View History

🔒 Fixed magic link endpoint sending multiple emails refs https://github.com/TryGhost/Team/issues/2024 Without validation it was possible to send a string of comma separated email addresses to the endpoint, and an email would be sent to each address, bypassing any rate limiting. This bug does not allow for an authentication bypass exploit. It is purely a spam email concern. Credit: Sandip Maity <maitysandip925@gmail.com>
2022-10-04 19:17:26 +03:00
const assert = require('assert');
Created @tryghost/magic-link module (#50) * slimer create magic-link Created the initial magic-link project * Added usage section to README * Installed types and deps for magic-link * Added tsconfig.json * Initial commit for magic-link module * Renamed hello.test.js -> index.test.js * Added initial basic test * Removed test util directory * Updated ecmaVersion for test eslint parserOptions * Added tests for MagicLink * Added language to README usage codeblock * Updated sendMagicLink to return SentMessageInfo * Updated README * Updated README usage example * Fixed types
2019-09-03 06:07:03 +03:00
const sinon = require('sinon');
const MagicLink = require('../');
const crypto = require('crypto');
const sandbox = sinon.createSandbox();
Updated to use HS256 signatures for tokens no-issue This makes the tokens a little more acceptable in plaintext emails
2019-10-10 12:21:03 +03:00
const secret = crypto.randomBytes(64);
Created @tryghost/magic-link module (#50) * slimer create magic-link Created the initial magic-link project * Added usage section to README * Installed types and deps for magic-link * Added tsconfig.json * Initial commit for magic-link module * Renamed hello.test.js -> index.test.js * Added initial basic test * Removed test util directory * Updated ecmaVersion for test eslint parserOptions * Added tests for MagicLink * Added language to README usage codeblock * Updated sendMagicLink to return SentMessageInfo * Updated README * Updated README usage example * Fixed types
2019-09-03 06:07:03 +03:00
describe('MagicLink', function () {
it('Exports a function', function () {
🔒 Fixed magic link endpoint sending multiple emails refs https://github.com/TryGhost/Team/issues/2024 Without validation it was possible to send a string of comma separated email addresses to the endpoint, and an email would be sent to each address, bypassing any rate limiting. This bug does not allow for an authentication bypass exploit. It is purely a spam email concern. Credit: Sandip Maity <maitysandip925@gmail.com>
2022-10-04 19:17:26 +03:00
assert.equal(typeof MagicLink, 'function');
Created @tryghost/magic-link module (#50) * slimer create magic-link Created the initial magic-link project * Added usage section to README * Installed types and deps for magic-link * Added tsconfig.json * Initial commit for magic-link module * Renamed hello.test.js -> index.test.js * Added initial basic test * Removed test util directory * Updated ecmaVersion for test eslint parserOptions * Added tests for MagicLink * Added language to README usage codeblock * Updated sendMagicLink to return SentMessageInfo * Updated README * Updated README usage example * Fixed types
2019-09-03 06:07:03 +03:00
});
describe('#sendMagicLink', function () {
🔒 Fixed magic link endpoint sending multiple emails refs https://github.com/TryGhost/Team/issues/2024 Without validation it was possible to send a string of comma separated email addresses to the endpoint, and an email would be sent to each address, bypassing any rate limiting. This bug does not allow for an authentication bypass exploit. It is purely a spam email concern. Credit: Sandip Maity <maitysandip925@gmail.com>
2022-10-04 19:17:26 +03:00
it('Throws when passed comma separated emails', async function () {
const options = {
tokenProvider: new MagicLink.JWTTokenProvider(secret),
getSigninURL: sandbox.stub().returns('FAKEURL'),
getText: sandbox.stub().returns('SOMETEXT'),
getHTML: sandbox.stub().returns('SOMEHTML'),
getSubject: sandbox.stub().returns('SOMESUBJECT'),
transporter: {
sendMail: sandbox.stub().resolves()
}
};
const service = new MagicLink(options);
const args = {
email: 'one@email.com,two@email.com',
tokenData: {
id: '420'
},
type: 'blazeit',
referrer: 'https://whatever.com'
};
let errored = false;
try {
await service.sendMagicLink(args);
} catch (err) {
errored = true;
} finally {
assert(errored, 'sendMagicLink should error when given comma separated emails');
}
});
Added type param to content generation functions no-issue This will allow conditional logic based on the type passed to sending the magic-link
2019-10-01 09:51:43 +03:00
it('Sends an email to the user with a link generated from getSigninURL(token, type)', async function () {
Created @tryghost/magic-link module (#50) * slimer create magic-link Created the initial magic-link project * Added usage section to README * Installed types and deps for magic-link * Added tsconfig.json * Initial commit for magic-link module * Renamed hello.test.js -> index.test.js * Added initial basic test * Removed test util directory * Updated ecmaVersion for test eslint parserOptions * Added tests for MagicLink * Added language to README usage codeblock * Updated sendMagicLink to return SentMessageInfo * Updated README * Updated README usage example * Fixed types
2019-09-03 06:07:03 +03:00
const options = {
Fixed MagicLink tests no-issue The JWTTokenProvider is now exported from the index
2020-09-18 15:21:46 +03:00
tokenProvider: new MagicLink.JWTTokenProvider(secret),
Created @tryghost/magic-link module (#50) * slimer create magic-link Created the initial magic-link project * Added usage section to README * Installed types and deps for magic-link * Added tsconfig.json * Initial commit for magic-link module * Renamed hello.test.js -> index.test.js * Added initial basic test * Removed test util directory * Updated ecmaVersion for test eslint parserOptions * Added tests for MagicLink * Added language to README usage codeblock * Updated sendMagicLink to return SentMessageInfo * Updated README * Updated README usage example * Fixed types
2019-09-03 06:07:03 +03:00
getSigninURL: sandbox.stub().returns('FAKEURL'),
getText: sandbox.stub().returns('SOMETEXT'),
getHTML: sandbox.stub().returns('SOMEHTML'),
Support custom subject line with getSubject option no-issue
2019-10-10 16:19:56 +03:00
getSubject: sandbox.stub().returns('SOMESUBJECT'),
Created @tryghost/magic-link module (#50) * slimer create magic-link Created the initial magic-link project * Added usage section to README * Installed types and deps for magic-link * Added tsconfig.json * Initial commit for magic-link module * Renamed hello.test.js -> index.test.js * Added initial basic test * Removed test util directory * Updated ecmaVersion for test eslint parserOptions * Added tests for MagicLink * Added language to README usage codeblock * Updated sendMagicLink to return SentMessageInfo * Updated README * Updated README usage example * Fixed types
2019-09-03 06:07:03 +03:00
transporter: {
sendMail: sandbox.stub().resolves()
}
};
const service = new MagicLink(options);
const args = {
email: 'test@example.com',
Refactored magic-link to be more generic (#202) no-issue This removes the concept of `subject` & `payload` from the function signatures, making the implementation a little more generic, and less JWT centric. We also replace getUserFromToken and getPayloadFromToken with a single method getDataFromToken, which will contain all the necessary data. * Updated members-api to use new magic-link module This updates the usage of magic-link to work with the new interface * Fixed labels not saving for new members Due to how bookshelf-relations works, we must fetch the labels before saving a member, otherwise the labels are all deleted. * Used a proper class rather than constructor function This just moves the code to a more modern standard * Updated methods to be async This prepares us for a future where token generation and validation may require access to storage and thus be an asyncronous operation
2020-09-17 17:42:01 +03:00
tokenData: {
id: '420'
},
Passed request referrer to magic link service (#408) refs https://github.com/TryGhost/Team/issues/1174 This paves the way for Ghost to be able to redirect to the referrer page when dealign with signup magic links. We pass the referrer for all types of magic links however, to allow extension of this functionality in the future. We've also removed the concept of `requestSrc` which has been unused for a while now.
2022-07-15 13:02:58 +03:00
type: 'blazeit',
referrer: 'https://whatever.com'
Created @tryghost/magic-link module (#50) * slimer create magic-link Created the initial magic-link project * Added usage section to README * Installed types and deps for magic-link * Added tsconfig.json * Initial commit for magic-link module * Renamed hello.test.js -> index.test.js * Added initial basic test * Removed test util directory * Updated ecmaVersion for test eslint parserOptions * Added tests for MagicLink * Added language to README usage codeblock * Updated sendMagicLink to return SentMessageInfo * Updated README * Updated README usage example * Fixed types
2019-09-03 06:07:03 +03:00
};
const {token} = await service.sendMagicLink(args);
🔒 Fixed magic link endpoint sending multiple emails refs https://github.com/TryGhost/Team/issues/2024 Without validation it was possible to send a string of comma separated email addresses to the endpoint, and an email would be sent to each address, bypassing any rate limiting. This bug does not allow for an authentication bypass exploit. It is purely a spam email concern. Credit: Sandip Maity <maitysandip925@gmail.com>
2022-10-04 19:17:26 +03:00
assert(options.getSigninURL.calledOnce);
assert(options.getSigninURL.firstCall.calledWithExactly(token, 'blazeit', 'https://whatever.com'));
Created @tryghost/magic-link module (#50) * slimer create magic-link Created the initial magic-link project * Added usage section to README * Installed types and deps for magic-link * Added tsconfig.json * Initial commit for magic-link module * Renamed hello.test.js -> index.test.js * Added initial basic test * Removed test util directory * Updated ecmaVersion for test eslint parserOptions * Added tests for MagicLink * Added language to README usage codeblock * Updated sendMagicLink to return SentMessageInfo * Updated README * Updated README usage example * Fixed types
2019-09-03 06:07:03 +03:00
🔒 Fixed magic link endpoint sending multiple emails refs https://github.com/TryGhost/Team/issues/2024 Without validation it was possible to send a string of comma separated email addresses to the endpoint, and an email would be sent to each address, bypassing any rate limiting. This bug does not allow for an authentication bypass exploit. It is purely a spam email concern. Credit: Sandip Maity <maitysandip925@gmail.com>
2022-10-04 19:17:26 +03:00
assert(options.getText.calledOnce);
assert(options.getText.firstCall.calledWithExactly('FAKEURL', 'blazeit', 'test@example.com'));
Updated use of magic-link module to pass subject no-issue This takes advantage of magic-links smaller tokens
2019-10-11 07:29:11 +03:00
🔒 Fixed magic link endpoint sending multiple emails refs https://github.com/TryGhost/Team/issues/2024 Without validation it was possible to send a string of comma separated email addresses to the endpoint, and an email would be sent to each address, bypassing any rate limiting. This bug does not allow for an authentication bypass exploit. It is purely a spam email concern. Credit: Sandip Maity <maitysandip925@gmail.com>
2022-10-04 19:17:26 +03:00
assert(options.getHTML.calledOnce);
assert(options.getHTML.firstCall.calledWithExactly('FAKEURL', 'blazeit', 'test@example.com'));
Updated use of magic-link module to pass subject no-issue This takes advantage of magic-links smaller tokens
2019-10-11 07:29:11 +03:00
🔒 Fixed magic link endpoint sending multiple emails refs https://github.com/TryGhost/Team/issues/2024 Without validation it was possible to send a string of comma separated email addresses to the endpoint, and an email would be sent to each address, bypassing any rate limiting. This bug does not allow for an authentication bypass exploit. It is purely a spam email concern. Credit: Sandip Maity <maitysandip925@gmail.com>
2022-10-04 19:17:26 +03:00
assert(options.getSubject.calledOnce);
assert(options.getSubject.firstCall.calledWithExactly('blazeit'));
Updated use of magic-link module to pass subject no-issue This takes advantage of magic-links smaller tokens
2019-10-11 07:29:11 +03:00
🔒 Fixed magic link endpoint sending multiple emails refs https://github.com/TryGhost/Team/issues/2024 Without validation it was possible to send a string of comma separated email addresses to the endpoint, and an email would be sent to each address, bypassing any rate limiting. This bug does not allow for an authentication bypass exploit. It is purely a spam email concern. Credit: Sandip Maity <maitysandip925@gmail.com>
2022-10-04 19:17:26 +03:00
assert(options.transporter.sendMail.calledOnce);
assert.equal(options.transporter.sendMail.firstCall.args[0].to, args.email);
assert.equal(options.transporter.sendMail.firstCall.args[0].subject, options.getSubject.firstCall.returnValue);
assert.equal(options.transporter.sendMail.firstCall.args[0].text, options.getText.firstCall.returnValue);
assert.equal(options.transporter.sendMail.firstCall.args[0].html, options.getHTML.firstCall.returnValue);
Created @tryghost/magic-link module (#50) * slimer create magic-link Created the initial magic-link project * Added usage section to README * Installed types and deps for magic-link * Added tsconfig.json * Initial commit for magic-link module * Renamed hello.test.js -> index.test.js * Added initial basic test * Removed test util directory * Updated ecmaVersion for test eslint parserOptions * Added tests for MagicLink * Added language to README usage codeblock * Updated sendMagicLink to return SentMessageInfo * Updated README * Updated README usage example * Fixed types
2019-09-03 06:07:03 +03:00
});
});
Refactored magic-link to be more generic (#202) no-issue This removes the concept of `subject` & `payload` from the function signatures, making the implementation a little more generic, and less JWT centric. We also replace getUserFromToken and getPayloadFromToken with a single method getDataFromToken, which will contain all the necessary data. * Updated members-api to use new magic-link module This updates the usage of magic-link to work with the new interface * Fixed labels not saving for new members Due to how bookshelf-relations works, we must fetch the labels before saving a member, otherwise the labels are all deleted. * Used a proper class rather than constructor function This just moves the code to a more modern standard * Updated methods to be async This prepares us for a future where token generation and validation may require access to storage and thus be an asyncronous operation
2020-09-17 17:42:01 +03:00
describe('#getDataFromToken', function () {
Created @tryghost/magic-link module (#50) * slimer create magic-link Created the initial magic-link project * Added usage section to README * Installed types and deps for magic-link * Added tsconfig.json * Initial commit for magic-link module * Renamed hello.test.js -> index.test.js * Added initial basic test * Removed test util directory * Updated ecmaVersion for test eslint parserOptions * Added tests for MagicLink * Added language to README usage codeblock * Updated sendMagicLink to return SentMessageInfo * Updated README * Updated README usage example * Fixed types
2019-09-03 06:07:03 +03:00
it('Returns the user data which from the token that was encoded by #sendMagicLink', async function () {
const options = {
Fixed MagicLink tests no-issue
2020-09-18 15:23:17 +03:00
tokenProvider: new MagicLink.JWTTokenProvider(secret),
Created @tryghost/magic-link module (#50) * slimer create magic-link Created the initial magic-link project * Added usage section to README * Installed types and deps for magic-link * Added tsconfig.json * Initial commit for magic-link module * Renamed hello.test.js -> index.test.js * Added initial basic test * Removed test util directory * Updated ecmaVersion for test eslint parserOptions * Added tests for MagicLink * Added language to README usage codeblock * Updated sendMagicLink to return SentMessageInfo * Updated README * Updated README usage example * Fixed types
2019-09-03 06:07:03 +03:00
getSigninURL: sandbox.stub().returns('FAKEURL'),
getText: sandbox.stub().returns('SOMETEXT'),
getHTML: sandbox.stub().returns('SOMEHTML'),
transporter: {
sendMail: sandbox.stub().resolves()
}
};
const service = new MagicLink(options);
const args = {
email: 'test@example.com',
Refactored magic-link to be more generic (#202) no-issue This removes the concept of `subject` & `payload` from the function signatures, making the implementation a little more generic, and less JWT centric. We also replace getUserFromToken and getPayloadFromToken with a single method getDataFromToken, which will contain all the necessary data. * Updated members-api to use new magic-link module This updates the usage of magic-link to work with the new interface * Fixed labels not saving for new members Due to how bookshelf-relations works, we must fetch the labels before saving a member, otherwise the labels are all deleted. * Used a proper class rather than constructor function This just moves the code to a more modern standard * Updated methods to be async This prepares us for a future where token generation and validation may require access to storage and thus be an asyncronous operation
2020-09-17 17:42:01 +03:00
tokenData: {
id: '420'
}
Created @tryghost/magic-link module (#50) * slimer create magic-link Created the initial magic-link project * Added usage section to README * Installed types and deps for magic-link * Added tsconfig.json * Initial commit for magic-link module * Renamed hello.test.js -> index.test.js * Added initial basic test * Removed test util directory * Updated ecmaVersion for test eslint parserOptions * Added tests for MagicLink * Added language to README usage codeblock * Updated sendMagicLink to return SentMessageInfo * Updated README * Updated README usage example * Fixed types
2019-09-03 06:07:03 +03:00
};
const {token} = await service.sendMagicLink(args);
Refactored magic-link to be more generic (#202) no-issue This removes the concept of `subject` & `payload` from the function signatures, making the implementation a little more generic, and less JWT centric. We also replace getUserFromToken and getPayloadFromToken with a single method getDataFromToken, which will contain all the necessary data. * Updated members-api to use new magic-link module This updates the usage of magic-link to work with the new interface * Fixed labels not saving for new members Due to how bookshelf-relations works, we must fetch the labels before saving a member, otherwise the labels are all deleted. * Used a proper class rather than constructor function This just moves the code to a more modern standard * Updated methods to be async This prepares us for a future where token generation and validation may require access to storage and thus be an asyncronous operation
2020-09-17 17:42:01 +03:00
const data = await service.getDataFromToken(token);
Created @tryghost/magic-link module (#50) * slimer create magic-link Created the initial magic-link project * Added usage section to README * Installed types and deps for magic-link * Added tsconfig.json * Initial commit for magic-link module * Renamed hello.test.js -> index.test.js * Added initial basic test * Removed test util directory * Updated ecmaVersion for test eslint parserOptions * Added tests for MagicLink * Added language to README usage codeblock * Updated sendMagicLink to return SentMessageInfo * Updated README * Updated README usage example * Fixed types
2019-09-03 06:07:03 +03:00
🔒 Fixed magic link endpoint sending multiple emails refs https://github.com/TryGhost/Team/issues/2024 Without validation it was possible to send a string of comma separated email addresses to the endpoint, and an email would be sent to each address, bypassing any rate limiting. This bug does not allow for an authentication bypass exploit. It is purely a spam email concern. Credit: Sandip Maity <maitysandip925@gmail.com>
2022-10-04 19:17:26 +03:00
assert.deepEqual(data.id, args.tokenData.id);
Created @tryghost/magic-link module (#50) * slimer create magic-link Created the initial magic-link project * Added usage section to README * Installed types and deps for magic-link * Added tsconfig.json * Initial commit for magic-link module * Renamed hello.test.js -> index.test.js * Added initial basic test * Removed test util directory * Updated ecmaVersion for test eslint parserOptions * Added tests for MagicLink * Added language to README usage codeblock * Updated sendMagicLink to return SentMessageInfo * Updated README * Updated README usage example * Fixed types
2019-09-03 06:07:03 +03:00
});
});
});
Reference in New Issue Copy Permalink