15d9a77092
* moved `server/config` to `shared/config` * updated config import paths in server to use shared * updated config import paths in frontend to use shared * updated config import paths in test to use shared * updated config import paths in root to use shared * trigger regression tests * of course the rebase broke tests
104 lines
3.4 KiB
JavaScript
104 lines
3.4 KiB
JavaScript
const should = require('should');
|
|
const supertest = require('supertest');
|
|
const jwt = require('jsonwebtoken');
|
|
const jwksClient = require('jwks-rsa');
|
|
const testUtils = require('../../../../utils');
|
|
const localUtils = require('./utils');
|
|
const config = require('../../../../../core/shared/config');
|
|
|
|
const ghost = testUtils.startGhost;
|
|
|
|
let request;
|
|
|
|
const verifyJWKS = (endpoint, token) => {
|
|
return new Promise((resolve, reject) => {
|
|
const jwksClient = require('jwks-rsa');
|
|
const client = jwksClient({
|
|
jwksUri: endpoint
|
|
});
|
|
|
|
function getKey(header, callback){
|
|
client.getSigningKey(header.kid, (err, key) => {
|
|
let signingKey = key.publicKey || key.rsaPublicKey;
|
|
callback(null, signingKey);
|
|
});
|
|
}
|
|
|
|
jwt.verify(token, getKey, {}, (err, decoded) => {
|
|
if (err) {
|
|
reject(err);
|
|
}
|
|
|
|
resolve(decoded);
|
|
});
|
|
});
|
|
};
|
|
|
|
describe('Identities API', function () {
|
|
describe('As Owner', function () {
|
|
before(function () {
|
|
return ghost()
|
|
.then(function () {
|
|
request = supertest.agent(config.get('url'));
|
|
})
|
|
.then(function () {
|
|
return localUtils.doAuth(request);
|
|
});
|
|
});
|
|
|
|
it('Can create JWT token and verify it afterwards with public jwks', function () {
|
|
let identity;
|
|
|
|
return request
|
|
.get(localUtils.API.getApiQuery(`identities/`))
|
|
.set('Origin', config.get('url'))
|
|
.expect('Content-Type', /json/)
|
|
.expect('Cache-Control', testUtils.cacheRules.private)
|
|
.expect(200)
|
|
.then((res) => {
|
|
should.not.exist(res.headers['x-cache-invalidate']);
|
|
const jsonResponse = res.body;
|
|
should.exist(jsonResponse);
|
|
should.exist(jsonResponse.identities);
|
|
|
|
identity = jsonResponse.identities[0];
|
|
})
|
|
.then(() => {
|
|
return verifyJWKS(`${request.app}/ghost/.well-known/jwks.json`, identity.token);
|
|
})
|
|
.then((decoded) => {
|
|
decoded.sub.should.equal('jbloggs@example.com');
|
|
});
|
|
});
|
|
});
|
|
|
|
describe('As non-Owner', function () {
|
|
before(function () {
|
|
return ghost()
|
|
.then(function (_ghostServer) {
|
|
request = supertest.agent(config.get('url'));
|
|
})
|
|
.then(function () {
|
|
return testUtils.createUser({
|
|
user: testUtils.DataGenerator.forKnex.createUser({email: 'admin+1@ghost.org'}),
|
|
role: testUtils.DataGenerator.Content.roles[0].name
|
|
});
|
|
})
|
|
.then(function (admin) {
|
|
request.user = admin;
|
|
|
|
return localUtils.doAuth(request);
|
|
});
|
|
});
|
|
|
|
it('Cannot read', function () {
|
|
return request
|
|
.get(localUtils.API.getApiQuery(`identities/`))
|
|
.set('Origin', config.get('url'))
|
|
.expect('Content-Type', /json/)
|
|
.expect('Cache-Control', testUtils.cacheRules.private)
|
|
.expect(403);
|
|
});
|
|
});
|
|
});
|