loopback/test/rest.middleware.test.js

// Copyright IBM Corp. 2014,2016. All Rights Reserved.
// Node module: loopback
// This file is licensed under the MIT License.
// License text available at https://opensource.org/licenses/MIT

var path = require('path');

describe('loopback.rest', function() {
  var app, MyModel;

  beforeEach(function() {
    // override the global app object provided by test/support.js
    // and create a local one that does not share state with other tests
    app = loopback({ localRegistry: true, loadBuiltinModels: true });
    app.set('remoting', { errorHandler: { debug: true, log: false }});
    var db = app.dataSource('db', { connector: 'memory' });
    MyModel = app.registry.createModel('MyModel');
    MyModel.attachTo(db);
  });

  it('works out-of-the-box', function(done) {
    app.model(MyModel);
    app.use(loopback.rest());
    request(app).get('/mymodels')
      .expect(200)
      .end(done);
  });

  it('should report 200 for DELETE /:id found', function(done) {
    app.model(MyModel);
    app.use(loopback.rest());
    MyModel.create({ name: 'm1' }, function(err, inst) {
      request(app)
        .del('/mymodels/' + inst.id)
        .expect(200, function(err, res) {
          expect(res.body.count).to.equal(1);

          done();
        });
    });
  });

  it('should report 404 for GET /:id not found', function(done) {
    app.model(MyModel);
    app.use(loopback.rest());
    request(app).get('/mymodels/1')
      .expect(404)
      .end(function(err, res) {
        if (err) return done(err);

        var errorResponse = res.body.error;
        assert(errorResponse);
        assert.equal(errorResponse.code, 'MODEL_NOT_FOUND');

        done();
      });
  });

  it('should report 404 for HEAD /:id not found', function(done) {
    app.model(MyModel);
    app.use(loopback.rest());
    request(app).head('/mymodels/1')
      .expect(404)
      .end(done);
  });

  it('should report 200 for GET /:id/exists not found', function(done) {
    app.model(MyModel);
    app.use(loopback.rest());
    request(app).get('/mymodels/1/exists')
      .expect(200)
      .end(function(err, res) {
        if (err) return done(err);

        expect(res.body).to.eql({ exists: false });

        done();
      });
  });

  it('should report 200 for GET /:id found', function(done) {
    app.model(MyModel);
    app.use(loopback.rest());
    MyModel.create({ name: 'm1' }, function(err, inst) {
      request(app).get('/mymodels/' + inst.id)
        .expect(200)
        .end(done);
    });
  });

  it('should report 200 for HEAD /:id found', function(done) {
    app.model(MyModel);
    app.use(loopback.rest());
    MyModel.create({ name: 'm2' }, function(err, inst) {
      request(app).head('/mymodels/' + inst.id)
        .expect(200)
        .end(done);
    });
  });

  it('should report 200 for GET /:id/exists found', function(done) {
    app.model(MyModel);
    app.use(loopback.rest());
    MyModel.create({ name: 'm2' }, function(err, inst) {
      request(app).get('/mymodels/' + inst.id + '/exists')
        .expect(200)
        .end(function(err, res) {
          if (err) return done(err);

          expect(res.body).to.eql({ exists: true });

          done();
        });
    });
  });

  it('should honour `remoting.rest.supportedTypes`', function(done) {
    var app = loopback({ localRegistry: true });

    // NOTE it is crucial to set `remoting` before creating any models
    var supportedTypes = ['json', 'application/javascript', 'text/javascript'];
    app.set('remoting', { rest: { supportedTypes: supportedTypes }});

    app.model(MyModel);
    app.use(loopback.rest());

    request(app).get('/mymodels')
      .set('Accept', 'text/html,application/xml;q= 0.9,*/*;q= 0.8')
      .expect('Content-Type', 'application/json; charset=utf-8')
      .expect(200, done);
  });

  it('allows models to provide a custom HTTP path', function(done) {
    var CustomModel = app.registry.createModel('CustomModel',
      { name: String },
      { http: { 'path': 'domain1/CustomModelPath' },
    });

    app.model(CustomModel, { dataSource: 'db' });
    app.use(loopback.rest());

    request(app).get('/domain1/CustomModelPath').expect(200).end(done);
  });

  it('should report 200 for url-encoded HTTP path', function(done) {
    var CustomModel = app.registry.createModel('CustomModel',
      { name: String },
      { http: { path: 'domain%20one/CustomModelPath' },
    });

    app.model(CustomModel, { dataSource: 'db' });
    app.use(loopback.rest());

    request(app).get('/domain%20one/CustomModelPath').expect(200).end(done);
  });

  it('includes loopback.token when necessary', function(done) {
    givenUserModelWithAuth();
    app.enableAuth({ dataSource: 'db' });
    app.use(loopback.rest());

    givenLoggedInUser(function(err, token) {
      if (err) return done(err);
      expect(token).instanceOf(app.models.AccessToken);
      request(app).get('/users/' + token.userId)
        .set('Authorization', token.id)
        .expect(200)
        .end(done);
    }, done);
  });

  it('does not include loopback.token when auth not enabled', function(done) {
    var User = givenUserModelWithAuth();
    User.getToken = function(req, cb) {
      cb(null, req.accessToken ? req.accessToken.id : null);
    };
    loopback.remoteMethod(User.getToken, {
      accepts: [{ type: 'object', http: { source: 'req' }}],
      returns: [{ type: 'object', name: 'id' }],
    });

    app.use(loopback.rest());
    givenLoggedInUser(function(err, token) {
      if (err) return done(err);

      request(app).get('/users/getToken')
        .set('Authorization', token.id)
        .expect(200)
        .end(function(err, res) {
          if (err) return done(err);

          expect(res.body.id).to.equal(null);

          done();
        });
    }, done);
  });

  describe('context propagation', function() {
    var User;

    beforeEach(function() {
      User = givenUserModelWithAuth();
      User.getToken = function(cb) {
        var context = loopback.getCurrentContext();
        var req = context.get('http').req;
        expect(req).to.have.property('accessToken');

        var juggler = require('loopback-datasource-juggler');
        expect(juggler.getCurrentContext().get('http').req)
          .to.have.property('accessToken');

        var remoting = require('strong-remoting');
        expect(remoting.getCurrentContext().get('http').req)
          .to.have.property('accessToken');

        cb(null, req && req.accessToken ? req.accessToken.id : null);
      };
      // Set up the ACL
      User.settings.acls.push({ principalType: 'ROLE',
        principalId: '$authenticated', permission: 'ALLOW',
        property: 'getToken' });

      loopback.remoteMethod(User.getToken, {
        accepts: [],
        returns: [
          { type: 'object', name: 'id' },
        ],
      });
    });

    function invokeGetToken(done) {
      givenLoggedInUser(function(err, token) {
        if (err) return done(err);

        request(app).get('/users/getToken')
          .set('Authorization', token.id)
          .expect(200)
          .end(function(err, res) {
            if (err) return done(err);

            expect(res.body.id).to.equal(token.id);

            done();
          });
      });
    }

    it('should enable context using loopback.context', function(done) {
      app.use(loopback.context({ enableHttpContext: true }));
      app.enableAuth({ dataSource: 'db' });
      app.use(loopback.rest());

      invokeGetToken(done);
    });

    it('should enable context with loopback.rest', function(done) {
      app.enableAuth({ dataSource: 'db' });
      app.set('remoting', { context: { enableHttpContext: true }});
      app.use(loopback.rest());

      invokeGetToken(done);
    });

    it('should support explicit context', function(done) {
      app.enableAuth({ dataSource: 'db' });
      app.use(loopback.context());
      app.use(loopback.token(
        { model: app.registry.getModelByType('AccessToken') }));
      app.use(function(req, res, next) {
        loopback.getCurrentContext().set('accessToken', req.accessToken);

        next();
      });
      app.use(loopback.rest());

      User.getToken = function(cb) {
        var context = loopback.getCurrentContext();
        var accessToken = context.get('accessToken');
        expect(context.get('accessToken')).to.have.property('id');

        var juggler = require('loopback-datasource-juggler');
        context = juggler.getCurrentContext();
        expect(context.get('accessToken')).to.have.property('id');

        var remoting = require('strong-remoting');
        context = remoting.getCurrentContext();
        expect(context.get('accessToken')).to.have.property('id');

        cb(null, accessToken ? accessToken.id : null);
      };

      loopback.remoteMethod(User.getToken, {
        accepts: [],
        returns: [
          { type: 'object', name: 'id' },
        ],
      });

      invokeGetToken(done);
    });
  });

  function givenUserModelWithAuth() {
    var AccessToken = app.registry.getModel('AccessToken');
    app.model(AccessToken, { dataSource: 'db' });
    var User = app.registry.getModel('User');
    app.model(User, { dataSource: 'db' });

    // NOTE(bajtos) This is puzzling to me. The built-in User & AccessToken
    // models should come with both relations already set up, i.e. the
    // following two lines should not be neccessary.
    // And it does behave that way when only tests in this file are run.
    // However, when I run the full test suite (all files), the relations
    // get broken.
    AccessToken.belongsTo(User, { as: 'user', foreignKey: 'userId' });
    User.hasMany(AccessToken, { as: 'accessTokens', foreignKey: 'userId' });

    return User;
  }

  function givenLoggedInUser(cb, done) {
    var credentials = { email: 'user@example.com', password: 'pwd' };
    var User = app.models.User;
    User.create(credentials,
      function(err, user) {
        if (err) return done(err);

        User.login(credentials, cb);
      });
  }

  describe('shared methods', function() {
    function getFixturePath(dirName) {
      return path.join(__dirname, 'fixtures/shared-methods/' + dirName +
          '/server/server.js');
    }

    describe('with specific definitions in model-config.json', function() {
      it('should not be exposed when the definition value is false',
          function(done) {
            var app = require(getFixturePath('model-config-defined-false'));
            request(app)
          .get('/todos')
          .expect(404, done);
          });

      it('should be exposed when the definition value is true', function(done) {
        var app = require(getFixturePath('model-config-defined-true'));
        request(app)
          .get('/todos')
          .expect(200, done);
      });
    });

    describe('with default definitions in model-config.json', function() {
      it('should not be exposed when the definition value is false',
          function(done) {
            var app = require(getFixturePath('model-config-default-false'));
            request(app)
          .get('/todos')
          .expect(404, done);
          });

      it('should be exposed when the definition value is true', function(done) {
        var app = require(getFixturePath('model-config-default-true'));
        app.models.Todo.create([
          { content: 'a' },
          { content: 'b' },
          { content: 'c' },
        ], function() {
          request(app)
            .del('/todos')
            .expect(200)
            .end(function(err, res) {
              if (err) return done(err);

              expect(res.body.count).to.equal(3);

              done();
            });
        });
      });
    });

    describe('with specific definitions in config.json', function() {
      it('should not be exposed when the definition value is false',
          function(done) {
            var app = require(getFixturePath('config-defined-false'));
            request(app)
          .get('/todos')
          .expect(404, done);
          });

      it('should be exposed when the definition value is true',
          function(done) {
            var app = require(getFixturePath('config-defined-true'));
            request(app)
          .get('/todos')
          .expect(200, done);
          });
    });

    describe('with default definitions in config.json', function() {
      it('should not be exposed when the definition value is false',
          function(done) {
            var app = require(getFixturePath('config-default-false'));
            request(app)
          .get('/todos')
          .expect(404, done);
          });

      it('should be exposed when the definition value is true', function(done) {
        var app = require(getFixturePath('config-default-true'));
        app.models.Todo.create([
          { content: 'a' },
          { content: 'b' },
          { content: 'c' },
        ], function() {
          request(app)
            .del('/todos')
            .expect(200)
            .end(function(err, res) {
              if (err) return done(err);

              expect(res.body.count).to.equal(3);

              done();
            });
        });
      });
    });

    // The fixture in `shared-method/both-configs-set/config.json` has `*:false`
    // set which disables the REST endpoints for built-in models such as User as
    // a side effect since tests share the same loopback instance. As a
    // consequence, this causes the tests in user.integration to fail.
    describe.skip('with definitions in both config.json and model-config.json',
        function() {
          it('should prioritize the settings in model-config.json', function(done) {
            var app = require(getFixturePath('both-configs-set'));
            request(app)
          .del('/todos')
          .expect(404, done);
          });

          it('should fall back to config.json settings if setting is not found in' +
          'model-config.json', function(done) {
            var app = require(getFixturePath('both-configs-set'));
            request(app)
          .get('/todos')
          .expect(404, done);
          });
        });
  });
});