feat(secure): secure all routes

andela · Apr 4, 2019 · 34d5673 · 34d5673
1 parent 79f5bc5
commit 34d5673
Show file tree

Hide file tree

Showing 8 changed files with 162 additions and 12 deletions.
diff --git a/server/app.js b/server/app.js
@@ -15,7 +15,11 @@ app.get('/', (req, res) => {
 });
 
 app.use('/api/v1', routes);
-
+app.all('*', (req, res) => {
+  res.status(404).json({
+    error: 'This route does not exist yet!',
+  });
+});
 app.listen(port, () => {
   // eslint-disable-next-line no-console
   console.log(`App is listen on Port ${port}`);

diff --git a/server/controllers/profile.controllers.js b/server/controllers/profile.controllers.js
@@ -95,6 +95,12 @@ const controller = {
           error: 'id not valid',
         });
       }
+      const { userObj } = req.user;
+      if (!validations.compareFieldWithToken(userObj.id, req.params.id)) {
+        return res.status(403).json({
+          error: 'User does not own this account',
+        });
+      }
 
       const updateBody = req.body;
 

diff --git a/server/helpers/validations.js b/server/helpers/validations.js
@@ -51,15 +51,16 @@ const validations = {
     return valid;
   },
   verifyAuthHeader(req) {
-    if (!req.headers.authorization) {
-      return { error: 'error' };
-    }
-    const token = req.headers.authorization;
-    const payload = Authenticate.decode(token);
-    if (!payload) {
+    try {
+      if (!req.headers.authorization) {
+        return { error: 'error' };
+      }
+      const token = req.headers.authorization;
+      const payload = Authenticate.decode(token);
+      return payload;
+    } catch (err) {
       return { error: 'Invalid token' };
     }
-    return payload;
   },
 
   /**
@@ -74,7 +75,7 @@ const validations = {
     const payload = validations.verifyAuthHeader(req);
     let error;
     let status;
-    if (!payload || payload === 'error') {
+    if (!payload || payload.error === 'error') {
       status = 401;
       error = 'You are not authorized';
     }
@@ -142,6 +143,9 @@ const validations = {
       next();
     }
   },
+  compareFieldWithToken(field, token) {
+    return field === token;
+  },
 };
 
 export default validations;
diff --git a/server/routes/article.routes.js b/server/routes/article.routes.js
@@ -1,10 +1,15 @@
 import express from 'express';
 import controllers from '../controllers';
+import validations from '../helpers/validations';
 
 const { articleController } = controllers;
 
 const router = express.Router();
 
-router.get('/article/:id', articleController.getOneArticle);
+router.get(
+  '/article/:id',
+  validations.verifyUser,
+  articleController.getOneArticle
+);
 
 export default router;
diff --git a/server/routes/profile.routes.js b/server/routes/profile.routes.js
@@ -1,17 +1,27 @@
 import express from 'express';
 import controllers from '../controllers';
 import middlewares from '../middlewares';
+import validations from '../helpers/validations';
 
 const { profileController } = controllers;
 const { profileMiddleware } = middlewares;
 
 const router = express.Router();
 
-router.get('/profile/:id', profileController.getUserProfile);
-router.get('/profile', profileController.getProfileByField);
+router.get(
+  '/profile/:id',
+  validations.verifyUser,
+  profileController.getUserProfile
+);
+router.get(
+  '/profile',
+  validations.verifyUser,
+  profileController.getProfileByField
+);
 
 router.patch(
   '/profile/:id',
+  validations.verifyUser,
   profileMiddleware.validateUpdateProfile,
   profileController.patchProfile
 );

diff --git a/tests/article.test.js b/tests/article.test.js
@@ -4,11 +4,43 @@ import app from '../server/app';
 
 chai.use(chaiHttp);
 
+let userAToken;
+let userBToken;
+
+before('login admin', done => {
+  chai
+    .request(app)
+    .post('/api/v1/auth/login')
+    .send({
+      email: 'anayo@mail.com',
+      password: '12345678',
+    })
+    .end((err, res) => {
+      userAToken = res.body.user.token;
+      done();
+    });
+});
+
+before('login user', done => {
+  chai
+    .request(app)
+    .post('/api/v1/auth/login')
+    .send({
+      email: 'ameachichuks@gmail.com',
+      password: '12345678',
+    })
+    .end((err, res) => {
+      userBToken = res.body.user.token;
+      done();
+    });
+});
+
 describe('ARTICLE', () => {
   it('should respond with the article', done => {
     chai
       .request(app)
       .get('/api/v1/article/7139d3af-b8b4-44f6-a49f-9305791700f4')
+      .set('Authorization', userBToken)
       .end((err, res) => {
         expect(res).to.have.status(200);
         const {
@@ -48,6 +80,7 @@ describe('ARTICLE', () => {
     chai
       .request(app)
       .get(`/api/v1/article/7139d3af-b8b4-44f6-a49f-9305791700f4*`)
+      .set('Authorization', userAToken)
       .end((err, res) => {
         expect(res).to.have.status(400);
         expect(res.body.error).to.equal('id not valid');
@@ -59,6 +92,7 @@ describe('ARTICLE', () => {
     chai
       .request(app)
       .get(`/api/v1/article/4139d3af-b8b4-44f6-a49f-9305791700f4`)
+      .set('Authorization', userAToken)
       .end((err, res) => {
         expect(res).to.have.status(404);
         expect(res.body.error).to.equal('Article not found');

diff --git a/tests/index.test.js b/tests/index.test.js
@@ -14,4 +14,14 @@ describe('HOMEPAGE', () => {
         done();
       });
   });
+
+  it('should respond with invalid route error', done => {
+    chai
+      .request(app)
+      .get('/thisisaninvalidroute')
+      .end((err, res) => {
+        expect(res).to.have.status(404);
+        done();
+      });
+  });
 });
diff --git a/tests/profile.test.js b/tests/profile.test.js
@@ -4,11 +4,43 @@ import app from '../server/app';
 
 chai.use(chaiHttp);
 
+let userAToken;
+let userBToken;
+
+before('login admin', done => {
+  chai
+    .request(app)
+    .post('/api/v1/auth/login')
+    .send({
+      email: 'anayo@mail.com',
+      password: '12345678',
+    })
+    .end((err, res) => {
+      userAToken = res.body.user.token;
+      done();
+    });
+});
+
+before('login user', done => {
+  chai
+    .request(app)
+    .post('/api/v1/auth/login')
+    .send({
+      email: 'ameachichuks@gmail.com',
+      password: '12345678',
+    })
+    .end((err, res) => {
+      userBToken = res.body.user.token;
+      done();
+    });
+});
+
 describe('PROFILE', () => {
   it('should respond with the user profile', done => {
     chai
       .request(app)
       .get('/api/v1/profile/6517a6ea-662b-4eef-ab9f-20f89bd7099c')
+      .set('Authorization', userAToken)
       .end((err, res) => {
         expect(res).to.have.status(200);
         const {
@@ -44,6 +76,7 @@ describe('PROFILE', () => {
     chai
       .request(app)
       .get(`/api/v1/profile/6517a6ea-662b-4eef-ab9f-20f89bd7099*`)
+      .set('Authorization', userBToken)
       .end((err, res) => {
         expect(res).to.have.status(400);
         expect(res.body.error).to.equal('id not valid');
@@ -55,6 +88,7 @@ describe('PROFILE', () => {
     chai
       .request(app)
       .get(`/api/v1/profile?first_name=Ameachi`)
+      .set('Authorization', userAToken)
       .end((err, res) => {
         expect(res).to.have.status(200);
         const { first_name: firstname } = res.body.data[0];
@@ -67,6 +101,7 @@ describe('PROFILE', () => {
     chai
       .request(app)
       .get(`/api/v1/profile?firstname=Ameachi`)
+      .set('Authorization', userAToken)
       .end((err, res) => {
         expect(res).to.have.status(400);
         expect(res.body.error).to.equal('invalid query sring');
@@ -78,6 +113,7 @@ describe('PROFILE', () => {
     chai
       .request(app)
       .patch(`/api/v1/profile/6517a6ea-662b-4eef-ab9f-20f89bd7099c`)
+      .set('Authorization', userAToken)
       .send({ first_name: 'Sammy' })
       .end((err, res) => {
         expect(res).to.have.status(200);
@@ -88,10 +124,49 @@ describe('PROFILE', () => {
       });
   });
 
+  it('should respond with error for updating wrong users profile', done => {
+    chai
+      .request(app)
+      .patch(`/api/v1/profile/6517a6ea-662b-4eef-ab9f-20f89bd7099c`)
+      .set('Authorization', userBToken)
+      .send({ first_name: 'Sammy' })
+      .end((err, res) => {
+        expect(res).to.have.status(403);
+        expect(res.body.error).to.equal('User does not own this account');
+        done();
+      });
+  });
+
+  it('should respond with error for no authorization', done => {
+    chai
+      .request(app)
+      .patch(`/api/v1/profile/6517a6ea-662b-4eef-ab9f-20f89bd7099c`)
+      .send({ first_name: 'Sammy' })
+      .end((err, res) => {
+        expect(res).to.have.status(401);
+        expect(res.body.error).to.equal('You are not authorized');
+        done();
+      });
+  });
+
+  it('should respond with error for bad token', done => {
+    chai
+      .request(app)
+      .patch(`/api/v1/profile/6517a6ea-662b-4eef-ab9f-20f89bd7099c`)
+      .set('Authorization', 'fakeToken')
+      .send({ first_name: 'Sammy' })
+      .end((err, res) => {
+        expect(res).to.have.status(403);
+        expect(res.body.error).to.equal('Forbidden');
+        done();
+      });
+  });
+
   it('should respond with error for invalid editable field', done => {
     chai
       .request(app)
       .patch(`/api/v1/profile/6517a6ea-662b-4eef-ab9f-20f89bd7099c`)
+      .set('Authorization', userAToken)
       .send({ firstname: 'Sammy' })
       .end((err, res) => {
         expect(res).to.have.status(400);
@@ -104,6 +179,7 @@ describe('PROFILE', () => {
     chai
       .request(app)
       .patch(`/api/v1/profile/6517a6ea-662b-4eef-ab9f-20f89bd7099c`)
+      .set('Authorization', userAToken)
       .send({})
       .end((err, res) => {
         expect(res).to.have.status(400);
@@ -116,6 +192,7 @@ describe('PROFILE', () => {
     chai
       .request(app)
       .patch(`/api/v1/profile/6517a6ea-662b-4eef-ab9f-20f89bd7099c`)
+      .set('Authorization', userAToken)
       .send({ email: 'Sammy' })
       .end((err, res) => {
         expect(res).to.have.status(400);