xuthus/pigallery2
1
0
Fork 0
mirror of https://github.com/xuthus83/pigallery2.git synced 2024-11-03 21:04:03 +08:00
Code Actions Projects Activity
5b4f06e789
pigallery2/test/backend/integration/routers/SharingRouter.ts
Patrik J. Braun 5b4f06e789 implementing csrf security for posts
2020-01-07 22:17:54 +01:00

122 lines
4.1 KiB
TypeScript
Raw Blame History

import {Config} from '../../../../src/common/config/private/Config';
import {ServerConfig} from '../../../../src/common/config/private/IPrivateConfig';
import {Server} from '../../../../src/backend/server';
import {LoginCredential} from '../../../../src/common/entities/LoginCredential';
import {UserDTO, UserRoles} from '../../../../src/common/entities/UserDTO';
import * as path from 'path';
import * as util from 'util';
import * as rimraf from 'rimraf';
import {SQLConnection} from '../../../../src/backend/model/database/sql/SQLConnection';
import {ObjectManagers} from '../../../../src/backend/model/ObjectManagers';
import {Utils} from '../../../../src/common/Utils';
import {SuperAgentStatic} from 'superagent';
import {RouteTestingHelper} from './RouteTestingHelper';
import {QueryParams} from '../../../../src/common/QueryParams';
import {ErrorCodes} from '../../../../src/common/entities/Error';
process.env.NODE_ENV = 'test';
const chai: any = require('chai');
const chaiHttp = require('chai-http');
const should = chai.should();
chai.use(chaiHttp);
const rimrafPR = util.promisify(rimraf);
describe('Sharing', () => {
const testUser: UserDTO = {
id: 1,
name: 'test',
password: 'test',
role: UserRoles.User,
permissions: null
};
const {password: _pass, ...expectedUser} = testUser;
const tempDir = path.join(__dirname, '../../tmp');
let server: Server;
const setUp = async () => {
await rimrafPR(tempDir);
Config.Client.authenticationRequired = true;
Config.Server.Threading.enabled = false;
Config.Client.Sharing.enabled = true;
Config.Server.Database.type = ServerConfig.DatabaseType.sqlite;
Config.Server.Database.dbFolder = tempDir;
server = new Server();
await server.onStarted.wait();
await ObjectManagers.InitSQLManagers();
await ObjectManagers.getInstance().UserManager.createUser(Utils.clone(testUser));
await SQLConnection.close();
};
const tearDown = async () => {
await SQLConnection.close();
await rimrafPR(tempDir);
};
const shouldBeValidUser = (result: any, user: any) => {
result.should.have.status(200);
result.body.should.be.a('object');
should.equal(result.body.error, null);
result.body.result.csrfToken.should.be.a('string');
const {csrfToken, ...u} = result.body.result;
u.should.deep.equal(user);
};
const shareLogin = async (srv: Server, sharingKey: string, password?: string): Promise<any> => {
return (chai.request(srv.App) as SuperAgentStatic)
.post('/api/share/login?' + QueryParams.gallery.sharingKey_query + '=' + sharingKey)
.send({password});
};
const login = async (srv: Server): Promise<any> => {
const result = await (chai.request(srv.App) as SuperAgentStatic)
.post('/api/user/login')
.send({
loginCredential: <LoginCredential>{
password: testUser.password,
username: testUser.name,
rememberMe: false
}
});
shouldBeValidUser(result, expectedUser);
return result;
};
describe('/POST share/login', () => {
beforeEach(setUp);
afterEach(tearDown);
it('should login with passworded share', async () => {
const sharing = await RouteTestingHelper.createSharing(testUser, 'secret_pass');
const res = await shareLogin(server, sharing.sharingKey, sharing.password);
shouldBeValidUser(res, RouteTestingHelper.getExpectedSharingUser(sharing));
});
it('should not login with passworded share without password', async () => {
const sharing = await RouteTestingHelper.createSharing(testUser, 'secret_pass');
const result = await shareLogin(server, sharing.sharingKey);
result.should.have.status(401);
result.body.should.be.a('object');
result.body.error.should.be.a('object');
should.equal(result.body.error.code, ErrorCodes.CREDENTIAL_NOT_FOUND);
});
it('should login with no-password share', async () => {
const sharing = await RouteTestingHelper.createSharing(testUser,);
const res = await shareLogin(server, sharing.sharingKey, sharing.password);
shouldBeValidUser(res, RouteTestingHelper.getExpectedSharingUser(sharing));
});
});
});
View Git Blame Copy Permalink