2013-11-13 19:49:08 +00:00
|
|
|
var loopback = require('../');
|
|
|
|
var Token = loopback.AccessToken.extend('MyToken');
|
2013-11-15 04:19:46 +00:00
|
|
|
var ACL = loopback.ACL;
|
2013-11-13 19:49:08 +00:00
|
|
|
|
2013-11-14 23:27:36 +00:00
|
|
|
describe('loopback.token(options)', function() {
|
2013-11-13 19:49:08 +00:00
|
|
|
beforeEach(createTestingToken);
|
2013-11-14 23:27:36 +00:00
|
|
|
|
2013-11-13 19:49:08 +00:00
|
|
|
it('should populate req.token from the query string', function (done) {
|
2013-11-14 23:27:36 +00:00
|
|
|
createTestAppAndRequest(this.token, done)
|
2013-11-13 19:49:08 +00:00
|
|
|
.get('/?access_token=' + this.token.id)
|
|
|
|
.expect(200)
|
|
|
|
.end(done);
|
|
|
|
});
|
2013-11-14 23:27:36 +00:00
|
|
|
|
2014-07-02 16:02:13 +00:00
|
|
|
it('should populate req.token from an authorization header', function (done) {
|
|
|
|
createTestAppAndRequest(this.token, done)
|
|
|
|
.get('/')
|
|
|
|
.set('authorization', this.token.id)
|
|
|
|
.expect(200)
|
|
|
|
.end(done);
|
|
|
|
});
|
|
|
|
|
|
|
|
it('should populate req.token from an X-Access-Token header', function (done) {
|
|
|
|
createTestAppAndRequest(this.token, done)
|
|
|
|
.get('/')
|
|
|
|
.set('X-Access-Token', this.token.id)
|
|
|
|
.expect(200)
|
|
|
|
.end(done);
|
|
|
|
});
|
|
|
|
|
|
|
|
it('should populate req.token from an authorization header with bearer token', function (done) {
|
|
|
|
var token = this.token.id;
|
|
|
|
token = 'Bearer '+ new Buffer(token).toString('base64');
|
2013-11-14 23:27:36 +00:00
|
|
|
createTestAppAndRequest(this.token, done)
|
|
|
|
.get('/')
|
|
|
|
.set('authorization', this.token.id)
|
|
|
|
.expect(200)
|
|
|
|
.end(done);
|
|
|
|
});
|
|
|
|
|
|
|
|
it('should populate req.token from a secure cookie', function (done) {
|
|
|
|
var app = createTestApp(this.token, done);
|
|
|
|
|
|
|
|
request(app)
|
|
|
|
.get('/token')
|
|
|
|
.end(function(err, res) {
|
|
|
|
request(app)
|
|
|
|
.get('/')
|
|
|
|
.set('Cookie', res.header['set-cookie'])
|
|
|
|
.end(done);
|
|
|
|
});
|
|
|
|
});
|
2014-02-04 15:17:32 +00:00
|
|
|
|
2014-07-02 16:02:13 +00:00
|
|
|
it('should populate req.token from a header or a secure cookie', function (done) {
|
|
|
|
var app = createTestApp(this.token, done);
|
|
|
|
var id = this.token.id;
|
|
|
|
request(app)
|
|
|
|
.get('/token')
|
|
|
|
.end(function(err, res) {
|
|
|
|
request(app)
|
|
|
|
.get('/')
|
|
|
|
.set('authorization', id)
|
|
|
|
.set('Cookie', res.header['set-cookie'])
|
|
|
|
.end(done);
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
2014-02-04 15:17:32 +00:00
|
|
|
it('should skip when req.token is already present', function(done) {
|
|
|
|
var tokenStub = { id: 'stub id' };
|
|
|
|
app.use(function(req, res, next) {
|
|
|
|
req.accessToken = tokenStub;
|
|
|
|
next();
|
|
|
|
});
|
|
|
|
app.use(loopback.token({ model: Token }));
|
|
|
|
app.get('/', function(req, res, next) {
|
|
|
|
res.send(req.accessToken);
|
|
|
|
});
|
|
|
|
|
|
|
|
request(app).get('/')
|
|
|
|
.set('Authorization', this.token.id)
|
|
|
|
.expect(200)
|
|
|
|
.end(function(err, res) {
|
|
|
|
if (err) return done(err);
|
|
|
|
expect(res.body).to.eql(tokenStub);
|
|
|
|
done();
|
|
|
|
});
|
|
|
|
});
|
2013-11-13 19:49:08 +00:00
|
|
|
});
|
|
|
|
|
2013-11-15 02:34:51 +00:00
|
|
|
describe('AccessToken', function () {
|
|
|
|
beforeEach(createTestingToken);
|
|
|
|
|
|
|
|
it('should auto-generate id', function () {
|
|
|
|
assert(this.token.id);
|
|
|
|
assert.equal(this.token.id.length, 64);
|
|
|
|
});
|
|
|
|
|
|
|
|
it('should auto-generate created date', function () {
|
|
|
|
assert(this.token.created);
|
|
|
|
assert(Object.prototype.toString.call(this.token.created), '[object Date]');
|
|
|
|
});
|
|
|
|
|
|
|
|
it('should be validateable', function (done) {
|
|
|
|
this.token.validate(function(err, isValid) {
|
|
|
|
assert(isValid);
|
|
|
|
done();
|
|
|
|
});
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
2013-11-15 04:19:46 +00:00
|
|
|
describe('app.enableAuth()', function() {
|
|
|
|
beforeEach(createTestingToken);
|
|
|
|
|
2014-06-06 01:53:30 +00:00
|
|
|
it('prevents remote call with 401 status on denied ACL', function (done) {
|
2013-11-15 04:19:46 +00:00
|
|
|
createTestAppAndRequest(this.token, done)
|
|
|
|
.del('/tests/123')
|
|
|
|
.expect(401)
|
|
|
|
.set('authorization', this.token.id)
|
|
|
|
.end(done);
|
|
|
|
});
|
2014-06-06 01:53:30 +00:00
|
|
|
|
|
|
|
it('prevent remote call with app setting status on denied ACL', function (done) {
|
|
|
|
createTestAppAndRequest(this.token, {app:{aclErrorStatus:403}}, done)
|
|
|
|
.del('/tests/123')
|
|
|
|
.expect(403)
|
|
|
|
.set('authorization', this.token.id)
|
|
|
|
.end(done);
|
|
|
|
});
|
|
|
|
|
|
|
|
it('prevent remote call with app setting status on denied ACL', function (done) {
|
|
|
|
createTestAppAndRequest(this.token, {model:{aclErrorStatus:404}}, done)
|
|
|
|
.del('/tests/123')
|
|
|
|
.expect(404)
|
|
|
|
.set('authorization', this.token.id)
|
|
|
|
.end(done);
|
|
|
|
});
|
|
|
|
|
|
|
|
it('prevent remote call if the accessToken is missing and required', function (done) {
|
|
|
|
createTestAppAndRequest(null, done)
|
|
|
|
.del('/tests/123')
|
|
|
|
.expect(401)
|
|
|
|
.set('authorization', null)
|
|
|
|
.end(done);
|
|
|
|
});
|
|
|
|
|
2013-11-15 04:19:46 +00:00
|
|
|
});
|
|
|
|
|
2013-11-13 19:49:08 +00:00
|
|
|
function createTestingToken(done) {
|
|
|
|
var test = this;
|
|
|
|
Token.create({}, function (err, token) {
|
|
|
|
if(err) return done(err);
|
|
|
|
test.token = token;
|
|
|
|
done();
|
|
|
|
});
|
2013-11-14 21:01:47 +00:00
|
|
|
}
|
2013-11-14 23:27:36 +00:00
|
|
|
|
2014-06-06 01:53:30 +00:00
|
|
|
function createTestAppAndRequest(testToken, settings, done) {
|
|
|
|
var app = createTestApp(testToken, settings, done);
|
2013-11-14 23:27:36 +00:00
|
|
|
return request(app);
|
|
|
|
}
|
|
|
|
|
2014-06-06 01:53:30 +00:00
|
|
|
function createTestApp(testToken, settings, done) {
|
|
|
|
done = arguments[arguments.length-1];
|
|
|
|
if(settings == done) settings = {};
|
|
|
|
settings = settings || {};
|
|
|
|
|
|
|
|
var appSettings = settings.app || {};
|
|
|
|
var modelSettings = settings.model || {};
|
|
|
|
|
2013-11-14 23:27:36 +00:00
|
|
|
var app = loopback();
|
|
|
|
|
|
|
|
app.use(loopback.cookieParser('secret'));
|
|
|
|
app.use(loopback.token({model: Token}));
|
|
|
|
app.get('/token', function(req, res) {
|
|
|
|
res.cookie('authorization', testToken.id, {signed: true});
|
|
|
|
res.end();
|
|
|
|
});
|
|
|
|
app.get('/', function (req, res) {
|
|
|
|
try {
|
|
|
|
assert(req.accessToken, 'req should have accessToken');
|
|
|
|
assert(req.accessToken.id === testToken.id);
|
|
|
|
} catch(e) {
|
|
|
|
return done(e);
|
|
|
|
}
|
|
|
|
res.send('ok');
|
|
|
|
});
|
2013-11-15 04:19:46 +00:00
|
|
|
app.use(loopback.rest());
|
|
|
|
app.enableAuth();
|
|
|
|
|
2014-06-06 01:53:30 +00:00
|
|
|
Object.keys(appSettings).forEach(function(key){
|
|
|
|
app.set(key, appSettings[key]);
|
|
|
|
});
|
|
|
|
|
|
|
|
var modelOptions = {
|
2013-11-15 04:19:46 +00:00
|
|
|
acls: [
|
|
|
|
{
|
|
|
|
principalType: "ROLE",
|
|
|
|
principalId: "$everyone",
|
|
|
|
accessType: ACL.ALL,
|
|
|
|
permission: ACL.DENY,
|
2014-07-16 16:09:07 +00:00
|
|
|
property: 'deleteById'
|
2013-11-15 04:19:46 +00:00
|
|
|
}
|
|
|
|
]
|
2014-06-06 01:53:30 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
Object.keys(modelSettings).forEach(function(key){
|
|
|
|
modelOptions[key] = modelSettings[key];
|
2013-11-15 04:19:46 +00:00
|
|
|
});
|
|
|
|
|
2014-06-16 08:20:22 +00:00
|
|
|
var TestModel = loopback.PersistedModel.extend('test', {}, modelOptions);
|
2014-06-06 01:53:30 +00:00
|
|
|
|
2013-11-15 04:19:46 +00:00
|
|
|
TestModel.attachTo(loopback.memory());
|
|
|
|
app.model(TestModel);
|
2013-11-14 23:27:36 +00:00
|
|
|
|
|
|
|
return app;
|
|
|
|
}
|