bc97de5fe9
no issue - provide a single point for accessing config in unit tests - create a single way to set and restore config - ensure that restore deletes top level optional keys that are now undefined - use this._config in check deprecations, otherwise the config gets cached - solves issues with interdependent tests
543 lines
18 KiB
JavaScript
543 lines
18 KiB
JavaScript
/*globals describe, it, beforeEach, afterEach */
|
|
/*jshint expr:true*/
|
|
var sinon = require('sinon'),
|
|
should = require('should'),
|
|
passport = require('passport'),
|
|
rewire = require('rewire'),
|
|
configUtils = require('../../utils/configUtils'),
|
|
errors = require('../../../server/errors'),
|
|
auth = rewire('../../../server/middleware/auth'),
|
|
BearerStrategy = require('passport-http-bearer').Strategy,
|
|
ClientPasswordStrategy = require('passport-oauth2-client-password').Strategy,
|
|
user = {id: 1},
|
|
info = {scope: '*'},
|
|
token = 'test_token',
|
|
testClient = 'test_client',
|
|
testSecret = 'not_available',
|
|
client = {
|
|
id: 2,
|
|
type: 'ua'
|
|
},
|
|
|
|
sandbox = sinon.sandbox.create();
|
|
|
|
should.equal(true, true);
|
|
|
|
function registerSuccessfulBearerStrategy() {
|
|
// register fake BearerStrategy which always authenticates
|
|
passport.use(new BearerStrategy(
|
|
function strategy(accessToken, done) {
|
|
accessToken.should.eql(token);
|
|
return done(null, user, info);
|
|
}
|
|
));
|
|
}
|
|
|
|
function registerUnsuccessfulBearerStrategy() {
|
|
// register fake BearerStrategy which always authenticates
|
|
passport.use(new BearerStrategy(
|
|
function strategy(accessToken, done) {
|
|
accessToken.should.eql(token);
|
|
return done(null, false);
|
|
}
|
|
));
|
|
}
|
|
|
|
function registerFaultyBearerStrategy() {
|
|
// register fake BearerStrategy which always authenticates
|
|
passport.use(new BearerStrategy(
|
|
function strategy(accessToken, done) {
|
|
accessToken.should.eql(token);
|
|
return done('error');
|
|
}
|
|
));
|
|
}
|
|
|
|
function registerSuccessfulClientPasswordStrategy() {
|
|
// register fake BearerStrategy which always authenticates
|
|
passport.use(new ClientPasswordStrategy(
|
|
function strategy(clientId, clientSecret, done) {
|
|
clientId.should.eql(testClient);
|
|
clientSecret.should.eql('not_available');
|
|
return done(null, client);
|
|
}
|
|
));
|
|
}
|
|
|
|
function registerUnsuccessfulClientPasswordStrategy() {
|
|
// register fake BearerStrategy which always authenticates
|
|
passport.use(new ClientPasswordStrategy(
|
|
function strategy(clientId, clientSecret, done) {
|
|
clientId.should.eql(testClient);
|
|
clientSecret.should.eql('not_available');
|
|
return done(null, false);
|
|
}
|
|
));
|
|
}
|
|
|
|
function registerFaultyClientPasswordStrategy() {
|
|
// register fake BearerStrategy which always authenticates
|
|
passport.use(new ClientPasswordStrategy(
|
|
function strategy(clientId, clientSecret, done) {
|
|
clientId.should.eql(testClient);
|
|
clientSecret.should.eql('not_available');
|
|
return done('error');
|
|
}
|
|
));
|
|
}
|
|
|
|
describe('Auth', function () {
|
|
var res, req, next, errorStub;
|
|
|
|
beforeEach(function () {
|
|
req = {};
|
|
res = {};
|
|
next = sandbox.spy();
|
|
errorStub = sandbox.stub(errors, 'logError');
|
|
});
|
|
|
|
afterEach(function () {
|
|
sandbox.restore();
|
|
});
|
|
|
|
it('should require authorized user (user exists)', function (done) {
|
|
req.user = {id: 1};
|
|
|
|
auth.requiresAuthorizedUser(req, res, next);
|
|
next.called.should.be.true;
|
|
next.calledWith().should.be.true;
|
|
done();
|
|
});
|
|
|
|
it('should require authorized user (user is missing)', function (done) {
|
|
req.user = false;
|
|
res.status = {};
|
|
|
|
sandbox.stub(res, 'status', function (statusCode) {
|
|
statusCode.should.eql(403);
|
|
return {
|
|
json: function (err) {
|
|
err.errors[0].errorType.should.eql('NoPermissionError');
|
|
}
|
|
};
|
|
});
|
|
|
|
auth.requiresAuthorizedUser(req, res, next);
|
|
next.called.should.be.false;
|
|
done();
|
|
});
|
|
|
|
describe('User Authentication', function () {
|
|
beforeEach(function () {
|
|
configUtils.set({url: 'http://my-domain.com'});
|
|
});
|
|
|
|
afterEach(function () {
|
|
configUtils.restore();
|
|
});
|
|
|
|
it('should authenticate user', function (done) {
|
|
req.headers = {};
|
|
req.headers.authorization = 'Bearer ' + token;
|
|
|
|
registerSuccessfulBearerStrategy();
|
|
auth.authenticateUser(req, res, next);
|
|
|
|
next.called.should.be.true;
|
|
next.calledWith(null, user, info).should.be.true;
|
|
done();
|
|
});
|
|
|
|
it('shouldn\'t pass with client, no bearer token', function (done) {
|
|
req.headers = {};
|
|
req.client = {id: 1};
|
|
res.status = {};
|
|
|
|
auth.authenticateUser(req, res, next);
|
|
|
|
next.called.should.be.true;
|
|
next.calledWith().should.be.true;
|
|
done();
|
|
});
|
|
|
|
it('shouldn\'t authenticate user', function (done) {
|
|
req.headers = {};
|
|
req.headers.authorization = 'Bearer ' + token;
|
|
res.status = {};
|
|
|
|
sandbox.stub(res, 'status', function (statusCode) {
|
|
statusCode.should.eql(401);
|
|
return {
|
|
json: function (err) {
|
|
err.errors[0].errorType.should.eql('UnauthorizedError');
|
|
}
|
|
};
|
|
});
|
|
|
|
registerUnsuccessfulBearerStrategy();
|
|
auth.authenticateUser(req, res, next);
|
|
|
|
next.called.should.be.false;
|
|
done();
|
|
});
|
|
|
|
it('shouldn\'t authenticate without bearer token', function (done) {
|
|
req.headers = {};
|
|
res.status = {};
|
|
|
|
sandbox.stub(res, 'status', function (statusCode) {
|
|
statusCode.should.eql(401);
|
|
return {
|
|
json: function (err) {
|
|
err.errors[0].errorType.should.eql('UnauthorizedError');
|
|
}
|
|
};
|
|
});
|
|
|
|
registerUnsuccessfulBearerStrategy();
|
|
auth.authenticateUser(req, res, next);
|
|
|
|
next.called.should.be.false;
|
|
done();
|
|
});
|
|
|
|
it('shouldn\'t authenticate with bearer token and client', function (done) {
|
|
req.headers = {};
|
|
req.headers.authorization = 'Bearer ' + token;
|
|
req.client = {id: 1};
|
|
res.status = {};
|
|
|
|
sandbox.stub(res, 'status', function (statusCode) {
|
|
statusCode.should.eql(401);
|
|
return {
|
|
json: function (err) {
|
|
err.errors[0].errorType.should.eql('UnauthorizedError');
|
|
}
|
|
};
|
|
});
|
|
|
|
registerUnsuccessfulBearerStrategy();
|
|
auth.authenticateUser(req, res, next);
|
|
|
|
next.called.should.be.false;
|
|
done();
|
|
});
|
|
|
|
it('shouldn\'t authenticate when error', function (done) {
|
|
req.headers = {};
|
|
req.headers.authorization = 'Bearer ' + token;
|
|
|
|
registerFaultyBearerStrategy();
|
|
auth.authenticateUser(req, res, next);
|
|
|
|
next.called.should.be.true;
|
|
next.calledWith('error').should.be.true;
|
|
done();
|
|
});
|
|
});
|
|
|
|
describe('Client Authentication', function () {
|
|
it('shouldn\'t require authorized client with bearer token', function (done) {
|
|
req.headers = {};
|
|
req.headers.authorization = 'Bearer ' + token;
|
|
|
|
auth.authenticateClient(req, res, next);
|
|
next.called.should.be.true;
|
|
next.calledWith().should.be.true;
|
|
done();
|
|
});
|
|
|
|
it('shouldn\'t authenticate client with broken bearer token', function (done) {
|
|
req.body = {};
|
|
req.headers = {};
|
|
req.headers.authorization = 'Bearer';
|
|
res.status = {};
|
|
|
|
sandbox.stub(res, 'status', function (statusCode) {
|
|
statusCode.should.eql(401);
|
|
return {
|
|
json: function (err) {
|
|
err.errors[0].errorType.should.eql('UnauthorizedError');
|
|
}
|
|
};
|
|
});
|
|
|
|
auth.authenticateClient(req, res, next);
|
|
next.called.should.be.false;
|
|
done();
|
|
});
|
|
|
|
it('shouldn\'t authenticate client without client_id/client_secret', function (done) {
|
|
req.body = {};
|
|
res.status = {};
|
|
|
|
sandbox.stub(res, 'status', function (statusCode) {
|
|
statusCode.should.eql(401);
|
|
return {
|
|
json: function (err) {
|
|
err.errors[0].errorType.should.eql('UnauthorizedError');
|
|
}
|
|
};
|
|
});
|
|
|
|
auth.authenticateClient(req, res, next);
|
|
next.called.should.be.false;
|
|
done();
|
|
});
|
|
|
|
it('shouldn\'t authenticate client without client_id', function (done) {
|
|
req.body = {};
|
|
req.body.client_secret = testSecret;
|
|
res.status = {};
|
|
|
|
sandbox.stub(res, 'status', function (statusCode) {
|
|
statusCode.should.eql(401);
|
|
return {
|
|
json: function (err) {
|
|
err.errors[0].errorType.should.eql('UnauthorizedError');
|
|
}
|
|
};
|
|
});
|
|
|
|
auth.authenticateClient(req, res, next);
|
|
next.called.should.be.false;
|
|
done();
|
|
});
|
|
|
|
it('shouldn\'t authenticate client without client_secret', function (done) {
|
|
req.body = {};
|
|
req.body.client_id = testClient;
|
|
res.status = {};
|
|
|
|
sandbox.stub(res, 'status', function (statusCode) {
|
|
statusCode.should.eql(401);
|
|
return {
|
|
json: function (err) {
|
|
err.errors[0].errorType.should.eql('UnauthorizedError');
|
|
}
|
|
};
|
|
});
|
|
|
|
auth.authenticateClient(req, res, next);
|
|
next.called.should.be.false;
|
|
done();
|
|
});
|
|
|
|
it('shouldn\'t authenticate without full client credentials', function (done) {
|
|
req.body = {};
|
|
req.body.client_id = testClient;
|
|
res.status = {};
|
|
|
|
sandbox.stub(res, 'status', function (statusCode) {
|
|
statusCode.should.eql(401);
|
|
return {
|
|
json: function (err) {
|
|
err.errors[0].errorType.should.eql('UnauthorizedError');
|
|
}
|
|
};
|
|
});
|
|
|
|
registerUnsuccessfulClientPasswordStrategy();
|
|
auth.authenticateClient(req, res, next);
|
|
next.called.should.be.false;
|
|
errorStub.calledTwice.should.be.true;
|
|
errorStub.getCall(0).args[1].should.eql('Client credentials were not provided');
|
|
|
|
done();
|
|
});
|
|
|
|
it('shouldn\'t authenticate invalid/unknown client', function (done) {
|
|
req.body = {};
|
|
req.body.client_id = testClient;
|
|
req.body.client_secret = testSecret;
|
|
res.status = {};
|
|
|
|
sandbox.stub(res, 'status', function (statusCode) {
|
|
statusCode.should.eql(401);
|
|
return {
|
|
json: function (err) {
|
|
err.errors[0].errorType.should.eql('UnauthorizedError');
|
|
}
|
|
};
|
|
});
|
|
|
|
registerUnsuccessfulClientPasswordStrategy();
|
|
auth.authenticateClient(req, res, next);
|
|
next.called.should.be.false;
|
|
errorStub.calledTwice.should.be.true;
|
|
errorStub.getCall(0).args[1].should.eql('Client credentials were not valid');
|
|
|
|
done();
|
|
});
|
|
|
|
it('shouldn\'t authenticate client with invalid origin', function (done) {
|
|
req.body = {};
|
|
req.body.client_id = testClient;
|
|
req.body.client_secret = testSecret;
|
|
req.headers = {};
|
|
req.headers.origin = 'http://invalid.origin.com';
|
|
res.status = {};
|
|
|
|
sandbox.stub(res, 'status', function (statusCode) {
|
|
statusCode.should.eql(401);
|
|
return {
|
|
json: function (err) {
|
|
err.errors[0].errorType.should.eql('UnauthorizedError');
|
|
}
|
|
};
|
|
});
|
|
|
|
registerSuccessfulClientPasswordStrategy();
|
|
auth.authenticateClient(req, res, next);
|
|
next.called.should.be.false;
|
|
done();
|
|
});
|
|
|
|
it('should authenticate valid/known client', function (done) {
|
|
req.body = {};
|
|
req.body.client_id = testClient;
|
|
req.body.client_secret = testSecret;
|
|
req.headers = {};
|
|
req.headers.origin = configUtils.config.url;
|
|
|
|
res.header = {};
|
|
|
|
sandbox.stub(res, 'header', function (key, value) {
|
|
key.should.equal('Access-Control-Allow-Origin');
|
|
value.should.equal(configUtils.config.url);
|
|
});
|
|
|
|
registerSuccessfulClientPasswordStrategy();
|
|
auth.authenticateClient(req, res, next);
|
|
|
|
next.called.should.be.true;
|
|
next.calledWith(null, client).should.be.true;
|
|
done();
|
|
});
|
|
|
|
it('should authenticate client without origin', function (done) {
|
|
req.body = {};
|
|
req.body.client_id = testClient;
|
|
req.body.client_secret = testSecret;
|
|
|
|
res.header = {};
|
|
|
|
sandbox.stub(res, 'header', function (key, value) {
|
|
key.should.equal('Access-Control-Allow-Origin');
|
|
value.should.equal(configUtils.config.url);
|
|
});
|
|
|
|
registerSuccessfulClientPasswordStrategy();
|
|
auth.authenticateClient(req, res, next);
|
|
|
|
next.called.should.be.true;
|
|
next.calledWith(null, client).should.be.true;
|
|
done();
|
|
});
|
|
|
|
it('should authenticate client with origin `localhost`', function (done) {
|
|
req.body = {};
|
|
req.body.client_id = testClient;
|
|
req.body.client_secret = testSecret;
|
|
req.headers = {};
|
|
req.headers.origin = 'http://localhost';
|
|
|
|
res.header = {};
|
|
|
|
sandbox.stub(res, 'header', function (key, value) {
|
|
key.should.equal('Access-Control-Allow-Origin');
|
|
value.should.equal('http://localhost');
|
|
});
|
|
|
|
registerSuccessfulClientPasswordStrategy();
|
|
auth.authenticateClient(req, res, next);
|
|
|
|
next.called.should.be.true;
|
|
next.calledWith(null, client).should.be.true;
|
|
done();
|
|
});
|
|
|
|
it('should authenticate client with origin `127.0.0.1`', function (done) {
|
|
req.body = {};
|
|
req.body.client_id = testClient;
|
|
req.body.client_secret = testSecret;
|
|
req.headers = {};
|
|
req.headers.origin = 'http://127.0.0.1';
|
|
|
|
res.header = {};
|
|
|
|
sandbox.stub(res, 'header', function (key, value) {
|
|
key.should.equal('Access-Control-Allow-Origin');
|
|
value.should.equal('http://127.0.0.1');
|
|
});
|
|
|
|
registerSuccessfulClientPasswordStrategy();
|
|
auth.authenticateClient(req, res, next);
|
|
|
|
next.called.should.be.true;
|
|
next.calledWith(null, client).should.be.true;
|
|
done();
|
|
});
|
|
|
|
it('should authenticate client with id in query', function (done) {
|
|
req.body = {};
|
|
req.query = {};
|
|
req.query.client_id = testClient;
|
|
req.query.client_secret = testSecret;
|
|
req.headers = {};
|
|
req.headers.origin = configUtils.config.url;
|
|
|
|
res.header = {};
|
|
|
|
sandbox.stub(res, 'header', function (key, value) {
|
|
key.should.equal('Access-Control-Allow-Origin');
|
|
value.should.equal(configUtils.config.url);
|
|
});
|
|
|
|
registerSuccessfulClientPasswordStrategy();
|
|
auth.authenticateClient(req, res, next);
|
|
|
|
next.called.should.be.true;
|
|
next.calledWith(null, client).should.be.true;
|
|
done();
|
|
});
|
|
|
|
it('should authenticate client with id + secret in query', function (done) {
|
|
req.body = {};
|
|
req.query = {};
|
|
req.query.client_id = testClient;
|
|
req.query.client_secret = testSecret;
|
|
req.headers = {};
|
|
req.headers.origin = configUtils.config.url;
|
|
|
|
res.header = {};
|
|
|
|
sandbox.stub(res, 'header', function (key, value) {
|
|
key.should.equal('Access-Control-Allow-Origin');
|
|
value.should.equal(configUtils.config.url);
|
|
});
|
|
|
|
registerSuccessfulClientPasswordStrategy();
|
|
auth.authenticateClient(req, res, next);
|
|
|
|
next.called.should.be.true;
|
|
next.calledWith(null, client).should.be.true;
|
|
done();
|
|
});
|
|
|
|
it('shouldn\'t authenticate when error', function (done) {
|
|
req.body = {};
|
|
req.body.client_id = testClient;
|
|
req.body.client_secret = testSecret;
|
|
res.status = {};
|
|
|
|
registerFaultyClientPasswordStrategy();
|
|
auth.authenticateClient(req, res, next);
|
|
|
|
next.called.should.be.true;
|
|
next.calledWith('error').should.be.true;
|
|
done();
|
|
});
|
|
});
|
|
});
|