Adding more tests for access controlled routes.

feathersjs-ecosystem · Feb 15, 2016 · 3758bbe · 3758bbe
1 parent 76d9d84
commit 3758bbe
Show file tree

Hide file tree

Showing 4 changed files with 208 additions and 63 deletions.
diff --git a/test/integration/primus.test.js b/test/integration/primus.test.js
@@ -201,4 +201,44 @@ describe('Primus authentication', function() {
     // TODO (EK): This isn't really possible with primus unless
     // you are sending auth_tokens from your OAuth2 provider
   });
+
+  describe('Authorization', () => {
+    describe('when authenticated', () => {
+      it('returns data from protected route', (done) => {
+        const data = { token: validToken };
+
+        primus.on('authenticated', function() {
+          primus.send('messages::get', 1, {}, (error, data) => {
+            assert.equal(data.id, 1);
+            done();
+          });
+        });
+
+        primus.send('authenticate', data);
+      });
+    });
+
+    describe('when not authenticated', () => {
+      it('returns 401 from protected route', (done) => {
+        primus.send('messages::get', 1, {}, (error) => {
+          assert.equal(error.code, 401);
+          done();
+        });
+      });
+
+      it('does not return data from protected route', (done) => {
+        primus.send('messages::get', 1, {}, (error, data) => {
+          assert.equal(data, undefined);
+          done();
+        });
+      });
+
+      it('returns data from unprotected route', (done) => {
+        primus.send('users::find', {}, (error, data) => {
+          assert.notEqual(data, undefined);
+          done();
+        });
+      });
+    });
+  });
 });
diff --git a/test/integration/rest.test.js b/test/integration/rest.test.js
@@ -182,57 +182,126 @@ describe('REST authentication', function() {
     // TODO (EK): This is hard to test
   });
 
-  // it('Requests without auth to an unprotected service will return data.', function(done) {
-  //   request({
-  //     url: 'http://localhost:8888/api/tasks',
-  //     method: 'GET',
-  //     json: true
-  //   }, function(err, res, tasks) {
-  //     assert.equal(tasks.length, 3, 'Got tasks');
-
-  //     request({
-  //       url: 'http://localhost:8888/api/tasks/1',
-  //       json: true
-  //     }, function(err, res, task) {
-  //       assert.deepEqual(task, {
-  //         id: '1',
-  //         name: 'Make Pizza.'
-  //       });
-  //       done();
-  //     });
-  //   });
-  // });
-
-  // it('Requests without auth to a protected service will return an error.', function(done) {
-  //   request({
-  //     url: 'http://localhost:8888/api/todos',
-  //     method: 'GET',
-  //     json: true
-  //   }, function(err, res, body) {
-  //     assert.equal(typeof body, 'string', 'Got an error string back, not an object/array');
-
-  //     request({
-  //       url: 'http://localhost:8888/api/todos/1',
-  //       json: true
-  //     }, function(err, res, body) {
-  //       assert.equal(typeof body, 'string', 'Got an error string back, not an object/array');
-  //       done();
-  //     });
-  //   });
-  // });
-
-  // it('Requests with a broken token will return a JWT error', function(done) {
-  //   request({
-  //     url: 'http://localhost:8888/api/todos',
-  //     method: 'GET',
-  //     json: true,
-  //     headers: {
-  //       'Authorization': 'Bearer abcd'
-  //     }
-  //   }, function(err, res, body) {
-  //     assert.equal(typeof body, 'string', 'Got an error string back, not an object/array');
-  //     assert.ok(body.indexOf('JsonWebTokenError' > -1), 'Got a JsonWebTokenError');
-  //     done();
-  //   });
-  // });
+  describe('Authorization', () => {
+    describe('when authenticated', () => {
+      describe('when token passed via header', () => {
+        let options;
+
+        before(() => {
+          options = {
+            method: 'GET',
+            json: true,
+            headers: {
+              Authorization: validToken
+            }
+          };
+        });
+
+        it('returns data from protected route', (done) => {
+          options.url = `${host}/messages/1`;
+
+          request(options, function(err, response, body) {
+            assert.equal(body.id, 1);
+            done();
+          });
+        });
+      });
+
+      describe('when token passed via body', () => {
+        let options;
+
+        before(() => {
+          options = {
+            method: 'PATCH',
+            json: true,
+            body: {
+              token: validToken,
+              text: 'new text'
+            }
+          };
+        });
+
+        it('returns updates data behind protected route', (done) => {
+          options.url = `${host}/messages/2`;
+
+          request(options, function(err, response, body) {
+            assert.equal(body.id, 2);
+            assert.equal(body.text, 'new text');
+            done();
+          });
+        });
+      });
+
+      describe('when token passed via query string', () => {
+        let options;
+
+        before(() => {
+          options = {
+            method: 'GET',
+            json: true
+          };
+        });
+
+        it('returns data from protected route', (done) => {
+          options.url = `${host}/messages/1?token=${validToken}`;
+
+          request(options, function(err, response, body) {
+            assert.equal(body.id, 1);
+            done();
+          });
+        });
+      });
+    });
+
+    describe('when not authenticated', () => {
+      let options;
+
+      before(() => {
+        options = {
+          method: 'GET',
+          json: true
+        };
+      });
+
+      describe('when route is protected', () => {
+        before(() => {
+          options.url = `${host}/messages/1`;
+        });
+
+        it('returns 401', (done) => {
+          request(options, function(err, response) {
+            assert.equal(response.statusCode, 401);
+            done();
+          });
+        });
+
+        it('returns error instead of data', (done) => {
+          request(options, function(err, response, body) {
+            assert.equal(body.code, 401);
+            done();
+          });
+        });
+      });
+
+      describe('when route is not protected', () => {
+        before(() => {
+          options.url = `${host}/users`;
+        });
+
+        it('returns 200', (done) => {
+          request(options, function(err, response) {
+            assert.equal(response.statusCode, 200);
+            done();
+          });
+        });
+
+        it('returns data', (done) => {
+          request(options, function(err, response, body) {
+            assert.notEqual(body, undefined);
+            done();
+          });
+        });
+      });
+    });
+  });
 });
diff --git a/test/integration/socket-io.test.js b/test/integration/socket-io.test.js
@@ -203,4 +203,44 @@ describe('Socket.io authentication', function() {
     // TODO (EK): This isn't really possible with sockets unless
     // you are sending auth_tokens from your OAuth2 provider
   });
+
+  describe('Authorization', () => {
+    describe('when authenticated', () => {
+      it('returns data from protected route', (done) => {
+        const data = { token: validToken };
+
+        socket.on('authenticated', function() {
+          socket.emit('messages::get', 1, {}, (error, data) => {
+            assert.equal(data.id, 1);
+            done();
+          });
+        });
+
+        socket.emit('authenticate', data);
+      });
+    });
+
+    describe('when not authenticated', () => {
+      it('returns 401 from protected route', (done) => {
+        socket.emit('messages::get', 1, {}, (error) => {
+          assert.equal(error.code, 401);
+          done();
+        });
+      });
+
+      it('does not return data from protected route', (done) => {
+        socket.emit('messages::get', 1, {}, (error, data) => {
+          assert.equal(data, undefined);
+          done();
+        });
+      });
+
+      it('returns data from unprotected route', (done) => {
+        socket.emit('users::find', {}, (error, data) => {
+          assert.notEqual(data, undefined);
+          done();
+        });
+      });
+    });
+  });
 });
diff --git a/test/test-server.js b/test/test-server.js
@@ -21,7 +21,6 @@ export default function(settings, username, password, useSocketio, next) {
     .configure(authentication(settings))
     .use('/users', memory())
     .use('/messages', memory())
-    .use('/tasks', memory())
     .use('/', feathers.static(__dirname))
     /*jshint unused: false*/
     .use(function(error, req, res, next){
@@ -40,9 +39,6 @@ export default function(settings, username, password, useSocketio, next) {
   // Messages will require auth.
   let messageService = app.service('/messages');
 
-  // Tasks service won't require auth.
-  let taskService = app.service('/tasks');
-
   server.on('listening', () => {
     async.series([
       function(cb){
@@ -51,15 +47,15 @@ export default function(settings, username, password, useSocketio, next) {
       function(cb){
         messageService.create({text: 'A million people walk into a Silicon Valley bar'}, {}, function(){});
         messageService.create({text: 'Nobody buys anything'}, {}, function(){});
-        messageService.create({text: 'Bar declared massive success'}, {}, function(){});
-        taskService.create({text: 'Feed the pigs'}, {}, function(){});
-        taskService.create({text: 'Make Pizza.'}, {}, function(){});
-        taskService.create({text: 'Write a book.'}, {}, cb);
+        messageService.create({text: 'Bar declared massive success'}, {}, cb);
       }
     ], function(){
       messageService.before({
-        find: [hooks.requireAuth()],
-        get: [hooks.requireAuth()]
+        all: [
+          hooks.verifyToken({ secret: settings.token.secret }),
+          hooks.populateUser(),
+          hooks.requireAuth()
+        ]
       });
 
       var obj = {