Refactors user and auth routes

- Adds update password functionality
- Separates auth and user routes
- Adds an update password validator
- Adds unit and integration tests

Author: Raywire

app.js

@@ -8,11 +8,14 @@ const joiErrors = require('./server/middlewares/joiErrors');
 
 // Require our routes and passport into the application
 const todosRouter = require('./server/routes').todosRouter();
-const userRouter = require('./server/routes').userRouter();
+const authRouter = require('./server/routes').authRouter();
+const usersRouter = require('./server/routes').usersRouter();
 const { passportAuth } = require('./server/config/passport');
 
 passportAuth(passport);
 
+const apiPrefix = '/api';
+
 // Set up the express app
 const app = express();
 
@@ -29,8 +32,10 @@ app.use(logger('dev'));
 app.use(bodyParser.json());
 app.use(bodyParser.urlencoded({ extended: false }));
 
-app.use('/api', passport.authenticate('jwt', { session: false }), todosRouter);
-app.use(userRouter);
+app.use(apiPrefix, passport.authenticate('jwt', { session: false }));
+app.use(apiPrefix, usersRouter);
+app.use(apiPrefix, todosRouter);
+app.use(authRouter);
 
 app.use(joiErrors);
 

server/controllers/users.js

@@ -55,7 +55,35 @@ async function login(req, res) {
   });
 }
 
+const updatePassword = async (req, res) => {
+  const { body, params } = req;
+  const user = await User.findByPk(params.userId);
+
+  if (!user) {
+    return res.status(404).send({
+      success: false,
+      message: 'User not found',
+    });
+  }
+
+  if (user.id !== req.user.id) {
+    return res.status(403).send({
+      success: false,
+      message: 'Forbidden, you can only update your own password',
+    });
+  }
+
+  await user.update({
+    password: body.password,
+  });
+  return res.status(200).send({
+    success: true,
+    message: 'Password updated successfully',
+  });
+};
+
 module.exports = {
   signup,
   login,
+  updatePassword,
 };

server/routes/userRouter.js renamed to server/routes/authRouter.js

@@ -4,15 +4,15 @@ const usersController = require('../controllers').users;
 const validator = require('../validators/validators');
 const asyncHandler = require('../middlewares/asyncHandler');
 
-function userRoutes() {
-  const userRouter = express.Router();
+function authRoutes() {
+  const authRouter = express.Router();
 
-  userRouter.route('/auth/signup')
+  authRouter.route('/auth/signup')
     .post(celebrate({ body: validator.validateUser }), asyncHandler(usersController.signup));
-  userRouter.route('/auth/login')
+  authRouter.route('/auth/login')
     .post(celebrate({ body: validator.validateLogin }), asyncHandler(usersController.login));
 
-  return userRouter;
+  return authRouter;
 }
 
-module.exports = userRoutes;
+module.exports = authRoutes;

server/routes/index.js

@@ -1,8 +1,10 @@
 const todosRouter = require('./todosRouter');
-const userRouter = require('./userRouter');
+const authRouter = require('./authRouter');
+const usersRouter = require('./usersRouter');
 
 
 module.exports = {
   todosRouter,
-  userRouter,
+  authRouter,
+  usersRouter,
 };

server/routes/usersRouter.js

@@ -0,0 +1,18 @@
+const express = require('express');
+const { celebrate } = require('celebrate');
+const usersController = require('../controllers').users;
+const validator = require('../validators/validators');
+const asyncHandler = require('../middlewares/asyncHandler');
+
+function userRoutes() {
+  const userRouter = express.Router();
+
+  userRouter.route('/users/:userId')
+    .patch(celebrate({
+      body: validator.validatePassword,
+    }), asyncHandler(usersController.updatePassword));
+
+  return userRouter;
+}
+
+module.exports = userRoutes;

server/tests/integration/userRouter.spec.js renamed to server/tests/integration/authRouter.spec.js

@@ -0,0 +1,42 @@
+const chai = require('chai');
+
+const { expect } = chai;
+const chaiHttp = require('chai-http');
+const app = require('../../../app');
+const { deleteTestUser } = require('../utils');
+
+chai.use(chaiHttp);
+
+describe('A user', () => {
+  before(async () => {
+    await chai
+      .request(app)
+      .post('/auth/signup')
+      .send({ username: 'ironman@starkindustries.com', password: 'breaker' });
+
+    const res1 = await chai
+      .request(app)
+      .post('/auth/login')
+      .send({ username: 'ironman@starkindustries.com', password: 'breaker' });
+
+    token = res1.body.token;
+    userId = res1.body.user.id;
+  });
+
+  after(async () => {
+    await deleteTestUser('ironman@starkindustries.com');
+  });
+
+  describe('Update password', () => {
+    it('Should return 200 Success, on successfully updating the password of a user.', async () => {
+      const res = await chai
+        .request(app)
+        .patch(`/api/users/${userId}`)
+        .set('Authorization', `Bearer ${token}`)
+        .send({ password: '1234567890' });
+
+      expect(res).to.have.status(200);
+    });
+  });
+
+});

server/tests/integration/usersRouter.spec.js

@@ -3,14 +3,20 @@ const chai = require('chai');
 const { expect } = chai;
 const sinonChai = require('sinon-chai');
 const { mockReq, mockRes } = require('sinon-express-mock');
+const { User } = require('../../models');
 const usersController = require('../../controllers/users');
 const { deleteTestUser } = require('../utils');
 
 chai.use(sinonChai);
 
 describe('user.controller', () => {
+  before(async () => {
+    user = await User.create({ username: 'testuserchange@test.com', password: '1234567' });
+  });
+
   after(async () => {
     await deleteTestUser('testuser3@test.com');
+    await deleteTestUser('testuserchange@test.com');
   });
 
   describe('signup', () => {
@@ -39,6 +45,7 @@ describe('user.controller', () => {
       expect(res.status).to.have.been.calledWith(400);
     });
   });
+
   describe('login', () => {
     it('should return authentication failed when a username is not found', async () => {
       const request = {
@@ -53,4 +60,55 @@ describe('user.controller', () => {
       expect(res.status).to.have.been.calledWith(401);
     });
   });
+
+  describe('update password', () => {
+    it('should return a 404 when a user is not found', async () => {
+      const request = {
+        body: {
+          password: '12345678',
+        },
+        params: {
+          userId: 10000,
+        },
+      };
+      const req = mockReq(request);
+      const res = mockRes();
+      await usersController.updatePassword(req, res);
+      expect(res.status).to.have.been.calledWith(404);
+    });
+    it('should return a 403 forbidden when a user tries to update the password of another user', async () => {
+      const request = {
+        body: {
+          password: '12345678',
+        },
+        params: {
+          userId: user.id,
+        },
+        user: {
+          id: 44
+        }
+      };
+      const req = mockReq(request);
+      const res = mockRes();
+      await usersController.updatePassword(req, res);
+      expect(res.status).to.have.been.calledWith(403);
+    });
+    it('should return a 200 on successful update of the password of a user', async () => {
+      const request = {
+        body: {
+          password: '12345678',
+        },
+        params: {
+          userId: user.id,
+        },
+        user: {
+          id: user.id
+        }
+      };
+      const req = mockReq(request);
+      const res = mockRes();
+      await usersController.updatePassword(req, res);
+      expect(res.status).to.have.been.calledWith(200);
+    });
+  });
 });

server/tests/unit/user.spec.js

@@ -19,9 +19,14 @@ const validateLogin = Joi.object().keys({
   password: Joi.string().required(),
 });
 
+const validatePassword = Joi.object().keys({
+  password: Joi.string().alphanum().min(7).required(),
+});
+
 module.exports = {
   validateTodo,
   validateTodoItem,
   validateUser,
   validateLogin,
+  validatePassword,
 };