yuuza/outline
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added adminOnly auth option and auth middleware tests

Browse Source
This commit is contained in:
Jori Lallo
2017-12-26 09:11:48 +02:00
parent c4d1490d01
commit 4406ec8e15
4 changed files with 888 additions and 320 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
server/api/middlewares/authentication.js
View File

@@ -5,7 +5,17 @@ import { type Context } from 'koa';
import { User, ApiKey } from '../../models';
export default function auth({ require = true }: { require?: boolean } = {}) {
type AuthOptions = {
require?: boolean,
adminOnly?: boolean,
};
export default function auth(options: AuthOptions = {}) {
options = {
require: true,
...options,
};
return async function authMiddleware(
ctx: Context,
next: () => Promise<void>
@@ -25,8 +35,7 @@ export default function auth({ require = true }: { require?: boolean } = {}) {
} else {
if (require) {
throw httpErrors.Unauthorized(
`Bad Authorization header format. \
Format is "Authorization: Bearer <token>"\n`
`Bad Authorization header format. Format is "Authorization: Bearer <token>"`
);
}
}
@@ -57,13 +66,13 @@ export default function auth({ require = true }: { require?: boolean } = {}) {
throw httpErrors.Unauthorized('Invalid API key');
}
if (!apiKey) throw httpErrors.Unauthorized('Invalid token');
if (!apiKey) throw httpErrors.Unauthorized('Invalid API key');
user = await User.findOne({
where: { id: apiKey.userId },
});
if (!user) throw httpErrors.Unauthorized('Invalid token');
if (!user) throw httpErrors.Unauthorized('Invalid API key');
} else {
// JWT
// Get user without verifying payload signature
@@ -87,6 +96,10 @@ export default function auth({ require = true }: { require?: boolean } = {}) {
}
}
if (options.adminOnly && !user.isAdmin) {
throw httpErrors.Forbidden('Only available for admins');
}
ctx.state.token = token;
ctx.state.user = user;
// $FlowFixMe

197
server/api/middlewares/authentication.test.js Normal file
View File

@@ -0,0 +1,197 @@
/* eslint-disable flowtype/require-valid-file-annotation */
import { flushdb, seed } from '../../test/support';
import ApiKey from '../../models/ApiKey';
import randomstring from 'randomstring';
import auth from './authentication';
beforeEach(flushdb);
describe('Authentication middleware', async () => {
describe('with JWT', () => {
it('should authenticate with correct token', async () => {
const state = {};
const { user } = await seed();
const authMiddleware = auth();
await authMiddleware(
{
request: {
get: jest.fn(() => `Bearer ${user.getJwtToken()}`),
},
state,
cache: {},
},
jest.fn()
);
expect(state.user.id).toEqual(user.id);
});
it('should return error with invalid token', async () => {
const state = {};
const { user } = await seed();
const authMiddleware = auth();
try {
await authMiddleware(
{
request: {
get: jest.fn(() => `Bearer ${user.getJwtToken()}error`),
},
state,
cache: {},
},
jest.fn()
);
} catch (e) {
expect(e.message).toBe('Invalid token');
}
});
});
describe('with API key', () => {
it('should authenticate user with valid API key', async () => {
const state = {};
const { user } = await seed();
const authMiddleware = auth();
const key = await ApiKey.create({
userId: user.id,
});
await authMiddleware(
{
request: {
get: jest.fn(() => `Bearer ${key.secret}`),
},
state,
cache: {},
},
jest.fn()
);
expect(state.user.id).toEqual(user.id);
});
it('should return error with invalid API key', async () => {
const state = {};
const authMiddleware = auth();
try {
await authMiddleware(
{
request: {
get: jest.fn(() => `Bearer ${randomstring.generate(38)}`),
},
state,
cache: {},
},
jest.fn()
);
} catch (e) {
expect(e.message).toBe('Invalid API key');
}
});
});
describe('adminOnly', () => {
it('should work if user is an admin', async () => {
const state = {};
const { user } = await seed();
const authMiddleware = auth({ adminOnly: true });
user.isAdmin = true;
await user.save();
await authMiddleware(
{
request: {
get: jest.fn(() => `Bearer ${user.getJwtToken()}`),
},
state,
cache: {},
},
jest.fn()
);
expect(state.user.id).toEqual(user.id);
});
it('should raise 403 if user is not an admin', async () => {
const { user } = await seed();
const authMiddleware = auth({ adminOnly: true });
user.idAdmin = true;
await user.save();
try {
await authMiddleware({
request: {
get: jest.fn(() => `Bearer ${user.getJwtToken()}`),
},
});
} catch (e) {
expect(e.message).toBe('Only available for admins');
}
});
});
it('should return error message if no auth token is available', async () => {
const state = {};
const authMiddleware = auth();
try {
await authMiddleware(
{
request: {
get: jest.fn(() => 'error'),
},
state,
cache: {},
},
jest.fn()
);
} catch (e) {
expect(e.message).toBe(
'Bad Authorization header format. Format is "Authorization: Bearer <token>"'
);
}
});
it('should allow passing auth token as a GET param', async () => {
const state = {};
const { user } = await seed();
const authMiddleware = auth();
await authMiddleware(
{
request: {
get: jest.fn(() => null),
query: {
token: user.getJwtToken(),
},
},
body: {},
state,
cache: {},
},
jest.fn()
);
expect(state.user.id).toEqual(user.id);
});
it('should allow passing auth token in body params', async () => {
const state = {};
const { user } = await seed();
const authMiddleware = auth();
await authMiddleware(
{
request: {
get: jest.fn(() => null),
},
body: {
token: user.getJwtToken(),
},
state,
cache: {},
},
jest.fn()
);
expect(state.user.id).toEqual(user.id);
});
});