User model's defaultScope should exclude password. (#157)
By default, the API will now return User records *without* the encrypted password field. Explicitly use the db model scope “withSensitiveInfo” to include the encrypted password field in the response (e.g. for passport configuration). Add tests to confirm both the default and the scoped behavior. Unskip all the “getWriters” tests.
Showing
12 changed files
with
174 additions
and
19 deletions.
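--- a/tests/api/v1/users/get.js
+++ b/tests/api/v1/users/get.js
@@ -0,0 +1,82 @@
+/**
+* Copyright (c) 2016, salesforce.com, inc.
+* All rights reserved.
+* Licensed under the BSD 3-Clause license.
+* For full license text, see LICENSE.txt file in the repo root or
+* https://opensource.org/licenses/BSD-3-Clause
+*/
+
+/**
+* tests/api/v1/users/get.js
+*/
+'use strict';
+
+const supertest = require('supertest');
+const api = supertest(require('../../../../index').app);
+const constants = require('../../../../api/v1/constants');
+const tu = require('../../../testUtils');
+const u = require('./utils');
+const path = '/v1/users';
+const expect = require('chai').expect;
+const Profile = tu.db.Profile;
+const User = tu.db.User;
+const Token = tu.db.Token;
+
+describe(`api: GET ${path}`, () => {
+const uname = `${tu.namePrefix}test@refocus.com`;
+const tname = `${tu.namePrefix}Voldemort`;
+
+before((done) => {
+Profile.create({
+name: `${tu.namePrefix}testProfile`,
+})
+.then((profile) =>
+User.create({
+profileId: profile.id,
+name: uname,
+email: uname,
+password: 'user123password',
+})
+)
+.then(() => done())
+.catch(done);
+});
+
+after(u.forceDelete);
+
+it('user found', (done) => {
+api.get(`${path}/${uname}`)
+.expect(constants.httpStatus.OK)
+.end((err, res) => {
+if (err) {
+done(err);
+} else {
+expect(res.body).to.have.property('name', uname);
+expect(res.body).to.not.have.property('password');
+expect(res.body.isDeleted).to.not.equal(0);
+done();
+}
+});
+});
+
+it('users array returned', (done) => {
+api.get(`${path}`)
+.expect(constants.httpStatus.OK)
+.end((err, res) => {
+if (err) {
+done(err);
+} else {
+expect(res.body).to.be.instanceof(Array);
+expect(res.body[0]).to.not.have.property('password');
+done();
+}
+});
+});
+
+it('user not found', (done) => {
+api.get(`${path}/who@what.com`)
+.set('Authorization', '???')
+.expect(constants.httpStatus.NOT_FOUND)
+.end(() => done());
+});
+});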
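Review bot: The 'user not found' test at the bottom of this file can never fail, because `.end(() => done())` discards the error supertest passes in when `.expect(constants.httpStatus.NOT_FOUND)` is violated; forward it with `.end(done)` so a regression that answers 200 (or 500) for an unknown user is caught. That request also sends `.set('Authorization', '???')` while the two preceding requests send no token at all, so it is unclear from this file whether GET /v1/users is meant to be reachable unauthenticated; since 'users array returned' fetches every user record, a one-line comment stating the intended auth model, or a valid token on all three requests, would settle it. The assertion `expect(res.body.isDeleted).to.not.equal(0)` deserves a comment saying what isDeleted holds, since it is not obvious here why a live user should carry a non-zero value. `tname` and `Token` are declared but never used.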
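--- a/tests/api/v1/users/utils.js
+++ b/tests/api/v1/users/utils.js
@@ -0,0 +1,25 @@
+/**
+* Copyright (c) 2016, salesforce.com, inc.
+* All rights reserved.
+* Licensed under the BSD 3-Clause license.
+* For full license text, see LICENSE.txt file in the repo root or
+* https://opensource.org/licenses/BSD-3-Clause
+*/
+
+/**
+* tests/api/v1/users/utils.js
+*/
+'use strict';
+
+const tu = require('../../../testUtils');
+
+const testStartTime = new Date();
+
+module.exports = {
+forceDelete(done) {
+tu.forceDelete(tu.db.User, testStartTime)
+.then(() => tu.forceDelete(tu.db.Profile, testStartTime))
+.then(() => done())
+.catch(done);
+},
+};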
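--- a/tests/db/model/user/find.js
+++ b/tests/db/model/user/find.js
@@ -0,0 +1,53 @@
+/**
+* Copyright (c) 2016, salesforce.com, inc.
+* All rights reserved.
+* Licensed under the BSD 3-Clause license.
+* For full license text, see LICENSE.txt file in the repo root or
+* https://opensource.org/licenses/BSD-3-Clause
+*/
+
+/**
+* tests/db/model/user/find.js
+*/
+'use strict'; // eslint-disable-line strict
+const tu = require('../../../testUtils');
+const u = require('./utils');
+const expect = require('chai').expect;
+const User = tu.db.User;
+const Profile = tu.db.Profile;
+
+describe('db: user: find: ', () => {
+beforeEach((done) => {
+Profile.create({ name: `${tu.namePrefix}1` })
+.then((createdProfile) => {
+return User.create({
+profileId: createdProfile.id,
+name: `${tu.namePrefix}1`,
+email: 'user@example.com',
+password: 'user123password',
+});
+})
+.then(() => done())
+.catch(done);
+});
+
+afterEach(u.forceDelete);
+
+it('default scope no password', (done) => {
+User.find({ name: `${tu.namePrefix}1` })
+.then((found) => {
+expect(found.dataValues).to.not.have.property('password');
+done();
+})
+.catch(done);
+});
+
+it('withSensitiveInfo scope', (done) => {
+User.scope('withSensitiveInfo').find({ name: `${tu.namePrefix}1` })
+.then((found) => {
+expect(found.dataValues).to.have.property('password');
+done();
+})
+.catch(done);
+});
+});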
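Review bot: In the two `it` blocks at the end of this file, `User.find({ name: ... })` passes the attribute at the top level rather than under `where`; unless this project's Sequelize version accepts that shorthand, the call presumably returns the first User row regardless of name, and the tests pass only because `beforeEach` creates exactly one user. Use `User.find({ where: { name: \`${tu.namePrefix}1\` } })` in both places so the lookup is actually filtered. Since the commit description says the scoped field holds the encrypted password, the 'withSensitiveInfo scope' test could also cheaply assert `expect(found.password).to.not.equal('user123password');`, which would catch a model that persists the plaintext.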