loopback/test/access-token.test.js

var loopback = require('../');
var Token = loopback.AccessToken.extend('MyToken');
var ACL = loopback.ACL;

describe('loopback.token(options)', function() {
  beforeEach(createTestingToken);

  it('should populate req.token from the query string', function (done) {
    createTestAppAndRequest(this.token, done)
      .get('/?access_token=' + this.token.id)
      .expect(200)
      .end(done);
  });

  it('should populate req.token from an authorization header', function (done) {
    createTestAppAndRequest(this.token, done)
      .get('/')
      .set('authorization', this.token.id)
      .expect(200)
      .end(done);
  });

  it('should populate req.token from an X-Access-Token header', function (done) {
    createTestAppAndRequest(this.token, done)
      .get('/')
      .set('X-Access-Token', this.token.id)
      .expect(200)
      .end(done);
  });

  it('should populate req.token from an authorization header with bearer token', function (done) {
    var token = this.token.id;
    token = 'Bearer '+ new Buffer(token).toString('base64');
    createTestAppAndRequest(this.token, done)
      .get('/')
      .set('authorization', this.token.id)
      .expect(200)
      .end(done);
  });

  it('should populate req.token from a secure cookie', function (done) {
    var app = createTestApp(this.token, done);

    request(app)
      .get('/token')
      .end(function(err, res) {
        request(app)
          .get('/')
          .set('Cookie', res.header['set-cookie'])
          .end(done);
      });
  });

  it('should populate req.token from a header or a secure cookie', function (done) {
    var app = createTestApp(this.token, done);
    var id = this.token.id;
    request(app)
      .get('/token')
      .end(function(err, res) {
        request(app)
          .get('/')
          .set('authorization', id)
          .set('Cookie', res.header['set-cookie'])
          .end(done);
      });
  });

  it('should skip when req.token is already present', function(done) {
    var tokenStub = { id: 'stub id' };
    app.use(function(req, res, next) {
      req.accessToken = tokenStub;
      next();
    });
    app.use(loopback.token({ model: Token }));
    app.get('/', function(req, res, next) {
      res.send(req.accessToken);
    });

    request(app).get('/')
      .set('Authorization', this.token.id)
      .expect(200)
      .end(function(err, res) {
        if (err) return done(err);
        expect(res.body).to.eql(tokenStub);
        done();
      });
  });
});

describe('AccessToken', function () {
  beforeEach(createTestingToken);

  it('should auto-generate id', function () {
    assert(this.token.id);
    assert.equal(this.token.id.length, 64);
  });

  it('should auto-generate created date', function () {
    assert(this.token.created);
    assert(Object.prototype.toString.call(this.token.created), '[object Date]');
  });

  it('should be validateable', function (done) {
    this.token.validate(function(err, isValid) {
      assert(isValid);
      done();
    });
  });
});

describe('app.enableAuth()', function() {
  beforeEach(createTestingToken);

  it('prevents remote call with 401 status on denied ACL', function (done) {
    createTestAppAndRequest(this.token, done)
      .del('/tests/123')
      .expect(401)
      .set('authorization', this.token.id)
      .end(done);
  });

  it('prevent remote call with app setting status on denied ACL', function (done) {
    createTestAppAndRequest(this.token, {app:{aclErrorStatus:403}}, done)
      .del('/tests/123')
      .expect(403)
      .set('authorization', this.token.id)
      .end(done);
  });

  it('prevent remote call with app setting status on denied ACL', function (done) {
    createTestAppAndRequest(this.token, {model:{aclErrorStatus:404}}, done)
      .del('/tests/123')
      .expect(404)
      .set('authorization', this.token.id)
      .end(done);
  });

  it('prevent remote call if the accessToken is missing and required', function (done) {
    createTestAppAndRequest(null, done)
      .del('/tests/123')
      .expect(401)
      .set('authorization', null)
      .end(done);
  });

  it('stores token in the context', function(done) {
    var TestModel = loopback.createModel('TestModel', { base: 'Model' });
    TestModel.getToken = function(cb) {
      cb(null, loopback.getCurrentContext().get('accessToken') || null);
    };
    TestModel.remoteMethod('getToken', {
      returns: { arg: 'token', type: 'object' },
      http: { verb: 'GET', path: '/token' }
    });

    var app = loopback();
    app.model(TestModel, { dataSource: null });

    app.enableAuth();
    app.use(loopback.context());
    app.use(loopback.token({ model: Token }));
    app.use(loopback.rest());

    var token = this.token;
    request(app)
      .get('/TestModels/token?_format=json')
      .set('authorization', token.id)
      .expect(200)
      .expect('Content-Type', /json/)
      .end(function(err, res) {
        if (err) return done(err);
        expect(res.body.token.id).to.eql(token.id);
        done();
      });
  });
});

function createTestingToken(done) {
  var test = this;
  Token.create({}, function (err, token) {
    if(err) return done(err);
    test.token = token;
    done();
  });
}

function createTestAppAndRequest(testToken, settings, done) {
  var app = createTestApp(testToken, settings, done);
  return request(app);
}

function createTestApp(testToken, settings, done) {
  done = arguments[arguments.length-1];
  if(settings == done) settings = {};
  settings = settings || {};

  var appSettings = settings.app || {};
  var modelSettings = settings.model || {};

  var app = loopback();

  app.use(loopback.cookieParser('secret'));
  app.use(loopback.token({model: Token}));
  app.get('/token', function(req, res) {
    res.cookie('authorization', testToken.id, {signed: true});
    res.end();
  });
  app.get('/', function (req, res) {
    try {
      assert(req.accessToken, 'req should have accessToken');
      assert(req.accessToken.id === testToken.id);
    } catch(e) {
      return done(e);
    }
    res.send('ok');
  });
  app.use(loopback.rest());
  app.enableAuth();

  Object.keys(appSettings).forEach(function(key){
    app.set(key, appSettings[key]);
  });

  var modelOptions = {
    acls: [
      {
        principalType: "ROLE",
        principalId: "$everyone",
        accessType: ACL.ALL,
        permission: ACL.DENY,
        property: 'deleteById'
      }
    ]
  };

  Object.keys(modelSettings).forEach(function(key){
    modelOptions[key] = modelSettings[key];
  });

  var TestModel = loopback.PersistedModel.extend('test', {}, modelOptions);

  TestModel.attachTo(loopback.memory());
  app.model(TestModel);

  return app;
}
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`var loopback = require('../');`
			`var Token = loopback.AccessToken.extend('MyToken');`
Initial auth implementation 2013-11-15 04:19:46 +00:00			`var ACL = loopback.ACL;`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00
Update session / token documentation 2013-11-14 23:27:36 +00:00			`describe('loopback.token(options)', function() {`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`beforeEach(createTestingToken);`
Update session / token documentation 2013-11-14 23:27:36 +00:00
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`it('should populate req.token from the query string', function (done) {`
Update session / token documentation 2013-11-14 23:27:36 +00:00			`createTestAppAndRequest(this.token, done)`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`.get('/?access_token=' + this.token.id)`
			`.expect(200)`
			`.end(done);`
			`});`
Update session / token documentation 2013-11-14 23:27:36 +00:00
Fix the typo and add Bearer token support See https://github.com/strongloop/loopback/issues/333 2014-07-02 16:02:13 +00:00			`it('should populate req.token from an authorization header', function (done) {`
			`createTestAppAndRequest(this.token, done)`
			`.get('/')`
			`.set('authorization', this.token.id)`
			`.expect(200)`
			`.end(done);`
			`});`

			`it('should populate req.token from an X-Access-Token header', function (done) {`
			`createTestAppAndRequest(this.token, done)`
			`.get('/')`
			`.set('X-Access-Token', this.token.id)`
			`.expect(200)`
			`.end(done);`
			`});`

			`it('should populate req.token from an authorization header with bearer token', function (done) {`
			`var token = this.token.id;`
			`token = 'Bearer '+ new Buffer(token).toString('base64');`
Update session / token documentation 2013-11-14 23:27:36 +00:00			`createTestAppAndRequest(this.token, done)`
			`.get('/')`
			`.set('authorization', this.token.id)`
			`.expect(200)`
			`.end(done);`
			`});`

			`it('should populate req.token from a secure cookie', function (done) {`
			`var app = createTestApp(this.token, done);`

			`request(app)`
			`.get('/token')`
			`.end(function(err, res) {`
			`request(app)`
			`.get('/')`
			`.set('Cookie', res.header['set-cookie'])`
			`.end(done);`
			`});`
			`});`
Modify `loopback.rest` to include `loopback.token` Make `loopback.rest` self-contained, so that authentication works out of the box. var app = loopback(); app.enableAuth(); app.use(loopback.rest()); Note that cookie parsing middleware is not added, users have to explicitly configure that if they want to store access tokens in cookies. Modify `loopback.token` to skip token lookup when the request already contains `accessToken` property. This is in line with other connect-based middleware like `cookieParser` or `json`. 2014-02-04 15:17:32 +00:00
Fix the typo and add Bearer token support See https://github.com/strongloop/loopback/issues/333 2014-07-02 16:02:13 +00:00			`it('should populate req.token from a header or a secure cookie', function (done) {`
			`var app = createTestApp(this.token, done);`
			`var id = this.token.id;`
			`request(app)`
			`.get('/token')`
			`.end(function(err, res) {`
			`request(app)`
			`.get('/')`
			`.set('authorization', id)`
			`.set('Cookie', res.header['set-cookie'])`
			`.end(done);`
			`});`
			`});`

Modify `loopback.rest` to include `loopback.token` Make `loopback.rest` self-contained, so that authentication works out of the box. var app = loopback(); app.enableAuth(); app.use(loopback.rest()); Note that cookie parsing middleware is not added, users have to explicitly configure that if they want to store access tokens in cookies. Modify `loopback.token` to skip token lookup when the request already contains `accessToken` property. This is in line with other connect-based middleware like `cookieParser` or `json`. 2014-02-04 15:17:32 +00:00			`it('should skip when req.token is already present', function(done) {`
			`var tokenStub = { id: 'stub id' };`
			`app.use(function(req, res, next) {`
			`req.accessToken = tokenStub;`
			`next();`
			`});`
			`app.use(loopback.token({ model: Token }));`
			`app.get('/', function(req, res, next) {`
			`res.send(req.accessToken);`
			`});`

			`request(app).get('/')`
			`.set('Authorization', this.token.id)`
			`.expect(200)`
			`.end(function(err, res) {`
			`if (err) return done(err);`
			`expect(res.body).to.eql(tokenStub);`
			`done();`
			`});`
			`});`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`});`

Update AccessToken and User relationship - Add created default - Default TTLs for user login access tokens - Break out User / AccessToken relationship 2013-11-15 02:34:51 +00:00			`describe('AccessToken', function () {`
			`beforeEach(createTestingToken);`

			`it('should auto-generate id', function () {`
			`assert(this.token.id);`
			`assert.equal(this.token.id.length, 64);`
			`});`

			`it('should auto-generate created date', function () {`
			`assert(this.token.created);`
			`assert(Object.prototype.toString.call(this.token.created), '[object Date]');`
			`});`

			`it('should be validateable', function (done) {`
			`this.token.validate(function(err, isValid) {`
			`assert(isValid);`
			`done();`
			`});`
			`});`
			`});`

Initial auth implementation 2013-11-15 04:19:46 +00:00			`describe('app.enableAuth()', function() {`
			`beforeEach(createTestingToken);`

Allow customization of ACL http status emulate existing error on 404 new tests for model and app settings Signed-off-by: Karl Mikkelsen <karl@karlmikko.com> 2014-06-06 01:53:30 +00:00			`it('prevents remote call with 401 status on denied ACL', function (done) {`
Initial auth implementation 2013-11-15 04:19:46 +00:00			`createTestAppAndRequest(this.token, done)`
			`.del('/tests/123')`
			`.expect(401)`
			`.set('authorization', this.token.id)`
			`.end(done);`
			`});`
Allow customization of ACL http status emulate existing error on 404 new tests for model and app settings Signed-off-by: Karl Mikkelsen <karl@karlmikko.com> 2014-06-06 01:53:30 +00:00
			`it('prevent remote call with app setting status on denied ACL', function (done) {`
			`createTestAppAndRequest(this.token, {app:{aclErrorStatus:403}}, done)`
			`.del('/tests/123')`
			`.expect(403)`
			`.set('authorization', this.token.id)`
			`.end(done);`
			`});`

			`it('prevent remote call with app setting status on denied ACL', function (done) {`
			`createTestAppAndRequest(this.token, {model:{aclErrorStatus:404}}, done)`
			`.del('/tests/123')`
			`.expect(404)`
			`.set('authorization', this.token.id)`
			`.end(done);`
			`});`

			`it('prevent remote call if the accessToken is missing and required', function (done) {`
			`createTestAppAndRequest(null, done)`
			`.del('/tests/123')`
			`.expect(401)`
			`.set('authorization', null)`
			`.end(done);`
			`});`

middleware/token: store the token in current ctx 2014-11-10 17:37:35 +00:00			`it('stores token in the context', function(done) {`
			`var TestModel = loopback.createModel('TestModel', { base: 'Model' });`
			`TestModel.getToken = function(cb) {`
			`cb(null, loopback.getCurrentContext().get('accessToken') \|\| null);`
			`};`
			`TestModel.remoteMethod('getToken', {`
			`returns: { arg: 'token', type: 'object' },`
			`http: { verb: 'GET', path: '/token' }`
			`});`

			`var app = loopback();`
			`app.model(TestModel, { dataSource: null });`

			`app.enableAuth();`
			`app.use(loopback.context());`
			`app.use(loopback.token({ model: Token }));`
			`app.use(loopback.rest());`

			`var token = this.token;`
			`request(app)`
			`.get('/TestModels/token?_format=json')`
			`.set('authorization', token.id)`
			`.expect(200)`
			`.expect('Content-Type', /json/)`
			`.end(function(err, res) {`
			`if (err) return done(err);`
			`expect(res.body.token.id).to.eql(token.id);`
			`done();`
			`});`
			`});`
Initial auth implementation 2013-11-15 04:19:46 +00:00			`});`

Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`function createTestingToken(done) {`
			`var test = this;`
			`Token.create({}, function (err, token) {`
			`if(err) return done(err);`
			`test.token = token;`
			`done();`
			`});`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00			`}`
Update session / token documentation 2013-11-14 23:27:36 +00:00
Allow customization of ACL http status emulate existing error on 404 new tests for model and app settings Signed-off-by: Karl Mikkelsen <karl@karlmikko.com> 2014-06-06 01:53:30 +00:00			`function createTestAppAndRequest(testToken, settings, done) {`
			`var app = createTestApp(testToken, settings, done);`
Update session / token documentation 2013-11-14 23:27:36 +00:00			`return request(app);`
			`}`

Allow customization of ACL http status emulate existing error on 404 new tests for model and app settings Signed-off-by: Karl Mikkelsen <karl@karlmikko.com> 2014-06-06 01:53:30 +00:00			`function createTestApp(testToken, settings, done) {`
			`done = arguments[arguments.length-1];`
			`if(settings == done) settings = {};`
			`settings = settings \|\| {};`

			`var appSettings = settings.app \|\| {};`
			`var modelSettings = settings.model \|\| {};`

Update session / token documentation 2013-11-14 23:27:36 +00:00			`var app = loopback();`

			`app.use(loopback.cookieParser('secret'));`
			`app.use(loopback.token({model: Token}));`
			`app.get('/token', function(req, res) {`
			`res.cookie('authorization', testToken.id, {signed: true});`
			`res.end();`
			`});`
			`app.get('/', function (req, res) {`
			`try {`
			`assert(req.accessToken, 'req should have accessToken');`
			`assert(req.accessToken.id === testToken.id);`
			`} catch(e) {`
			`return done(e);`
			`}`
			`res.send('ok');`
			`});`
Initial auth implementation 2013-11-15 04:19:46 +00:00			`app.use(loopback.rest());`
			`app.enableAuth();`

Allow customization of ACL http status emulate existing error on 404 new tests for model and app settings Signed-off-by: Karl Mikkelsen <karl@karlmikko.com> 2014-06-06 01:53:30 +00:00			`Object.keys(appSettings).forEach(function(key){`
			`app.set(key, appSettings[key]);`
			`});`

			`var modelOptions = {`
Initial auth implementation 2013-11-15 04:19:46 +00:00			`acls: [`
			`{`
			`principalType: "ROLE",`
			`principalId: "$everyone",`
			`accessType: ACL.ALL,`
			`permission: ACL.DENY,`
Merge branch 'master' into 2.0 2014-07-16 16:09:07 +00:00			`property: 'deleteById'`
Initial auth implementation 2013-11-15 04:19:46 +00:00			`}`
			`]`
Allow customization of ACL http status emulate existing error on 404 new tests for model and app settings Signed-off-by: Karl Mikkelsen <karl@karlmikko.com> 2014-06-06 01:53:30 +00:00			`};`

			`Object.keys(modelSettings).forEach(function(key){`
			`modelOptions[key] = modelSettings[key];`
Initial auth implementation 2013-11-15 04:19:46 +00:00			`});`

Merge branch 'master' into 2.0 Conflicts: test/access-token.test.js 2014-06-16 08:20:22 +00:00			`var TestModel = loopback.PersistedModel.extend('test', {}, modelOptions);`
Allow customization of ACL http status emulate existing error on 404 new tests for model and app settings Signed-off-by: Karl Mikkelsen <karl@karlmikko.com> 2014-06-06 01:53:30 +00:00
Initial auth implementation 2013-11-15 04:19:46 +00:00			`TestModel.attachTo(loopback.memory());`
			`app.model(TestModel);`
Update session / token documentation 2013-11-14 23:27:36 +00:00
			`return app;`
			`}`