loopback/test/access-token.test.js

var loopback = require('../');
var Token = loopback.AccessToken.extend('MyToken');
var ACL = loopback.ACL;

describe('loopback.token(options)', function() {
  beforeEach(createTestingToken);

  it('should populate req.token from the query string', function (done) {
    createTestAppAndRequest(this.token, done)
      .get('/?access_token=' + this.token.id)
      .expect(200)
      .end(done);
  });

  it('should populate req.token from a header', function (done) {
    createTestAppAndRequest(this.token, done)
      .get('/')
      .set('authorization', this.token.id)
      .expect(200)
      .end(done);
  });

  it('should populate req.token from a secure cookie', function (done) {
    var app = createTestApp(this.token, done);

    request(app)
      .get('/token')
      .end(function(err, res) {
        request(app)
          .get('/')
          .set('Cookie', res.header['set-cookie'])
          .end(done);
      });
  });

  it('should skip when req.token is already present', function(done) {
    var tokenStub = { id: 'stub id' };
    app.use(function(req, res, next) {
      req.accessToken = tokenStub;
      next();
    });
    app.use(loopback.token({ model: Token }));
    app.get('/', function(req, res, next) {
      res.send(req.accessToken);
    });

    request(app).get('/')
      .set('Authorization', this.token.id)
      .expect(200)
      .end(function(err, res) {
        if (err) return done(err);
        expect(res.body).to.eql(tokenStub);
        done();
      });
  });
});

describe('AccessToken', function () {
  beforeEach(createTestingToken);

  it('should auto-generate id', function () {
    assert(this.token.id);
    assert.equal(this.token.id.length, 64);
  });

  it('should auto-generate created date', function () {
    assert(this.token.created);
    assert(Object.prototype.toString.call(this.token.created), '[object Date]');
  });

  it('should be validateable', function (done) {
    this.token.validate(function(err, isValid) {
      assert(isValid);
      done();
    });
  });
});

describe('app.enableAuth()', function() {
  this.timeout(0);

  beforeEach(createTestingToken);

  it('should prevent remote method calls if the accessToken doesnt have access', function (done) {
    createTestAppAndRequest(this.token, done)
      .del('/tests/123')
      .expect(401)
      .set('authorization', this.token.id)
      .end(done);
  });
});

function createTestingToken(done) {
  var test = this;
  Token.create({}, function (err, token) {
    if(err) return done(err);
    test.token = token;
    done();
  });
}

function createTestAppAndRequest(testToken, done) {
  var app = createTestApp(testToken, done);
  return request(app);
}

function createTestApp(testToken, done) {
  var app = loopback();

  app.use(loopback.cookieParser('secret'));
  app.use(loopback.token({model: Token}));
  app.get('/token', function(req, res) {
    res.cookie('authorization', testToken.id, {signed: true});
    res.end();
  });
  app.get('/', function (req, res) {
    try {
      assert(req.accessToken, 'req should have accessToken');
      assert(req.accessToken.id === testToken.id);
    } catch(e) {
      return done(e);
    }
    res.send('ok');
  });
  app.use(loopback.rest());
  app.enableAuth();

  var TestModel = loopback.Model.extend('test', {}, {
    acls: [
      {
        principalType: "ROLE",
        principalId: "$everyone",
        accessType: ACL.ALL,
        permission: ACL.DENY,
        property: 'removeById'
      }
    ]
  });

  TestModel.attachTo(loopback.memory());
  app.model(TestModel);

  return app;
}
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`var loopback = require('../');`
			`var Token = loopback.AccessToken.extend('MyToken');`
Initial auth implementation 2013-11-15 04:19:46 +00:00			`var ACL = loopback.ACL;`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00
Update session / token documentation 2013-11-14 23:27:36 +00:00			`describe('loopback.token(options)', function() {`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`beforeEach(createTestingToken);`
Update session / token documentation 2013-11-14 23:27:36 +00:00
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`it('should populate req.token from the query string', function (done) {`
Update session / token documentation 2013-11-14 23:27:36 +00:00			`createTestAppAndRequest(this.token, done)`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`.get('/?access_token=' + this.token.id)`
			`.expect(200)`
			`.end(done);`
			`});`
Update session / token documentation 2013-11-14 23:27:36 +00:00
			`it('should populate req.token from a header', function (done) {`
			`createTestAppAndRequest(this.token, done)`
			`.get('/')`
			`.set('authorization', this.token.id)`
			`.expect(200)`
			`.end(done);`
			`});`

			`it('should populate req.token from a secure cookie', function (done) {`
			`var app = createTestApp(this.token, done);`

			`request(app)`
			`.get('/token')`
			`.end(function(err, res) {`
			`request(app)`
			`.get('/')`
			`.set('Cookie', res.header['set-cookie'])`
			`.end(done);`
			`});`
			`});`
Modify `loopback.rest` to include `loopback.token` Make `loopback.rest` self-contained, so that authentication works out of the box. var app = loopback(); app.enableAuth(); app.use(loopback.rest()); Note that cookie parsing middleware is not added, users have to explicitly configure that if they want to store access tokens in cookies. Modify `loopback.token` to skip token lookup when the request already contains `accessToken` property. This is in line with other connect-based middleware like `cookieParser` or `json`. 2014-02-04 15:17:32 +00:00
			`it('should skip when req.token is already present', function(done) {`
			`var tokenStub = { id: 'stub id' };`
			`app.use(function(req, res, next) {`
			`req.accessToken = tokenStub;`
			`next();`
			`});`
			`app.use(loopback.token({ model: Token }));`
			`app.get('/', function(req, res, next) {`
			`res.send(req.accessToken);`
			`});`

			`request(app).get('/')`
			`.set('Authorization', this.token.id)`
			`.expect(200)`
			`.end(function(err, res) {`
			`if (err) return done(err);`
			`expect(res.body).to.eql(tokenStub);`
			`done();`
			`});`
			`});`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`});`

Update AccessToken and User relationship - Add created default - Default TTLs for user login access tokens - Break out User / AccessToken relationship 2013-11-15 02:34:51 +00:00			`describe('AccessToken', function () {`
			`beforeEach(createTestingToken);`

			`it('should auto-generate id', function () {`
			`assert(this.token.id);`
			`assert.equal(this.token.id.length, 64);`
			`});`

			`it('should auto-generate created date', function () {`
			`assert(this.token.created);`
			`assert(Object.prototype.toString.call(this.token.created), '[object Date]');`
			`});`

			`it('should be validateable', function (done) {`
			`this.token.validate(function(err, isValid) {`
			`assert(isValid);`
			`done();`
			`});`
			`});`
			`});`

Initial auth implementation 2013-11-15 04:19:46 +00:00			`describe('app.enableAuth()', function() {`
			`this.timeout(0);`

			`beforeEach(createTestingToken);`

			`it('should prevent remote method calls if the accessToken doesnt have access', function (done) {`
			`createTestAppAndRequest(this.token, done)`
			`.del('/tests/123')`
			`.expect(401)`
			`.set('authorization', this.token.id)`
			`.end(done);`
			`});`
			`});`

Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`function createTestingToken(done) {`
			`var test = this;`
			`Token.create({}, function (err, token) {`
			`if(err) return done(err);`
			`test.token = token;`
			`done();`
			`});`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00			`}`
Update session / token documentation 2013-11-14 23:27:36 +00:00
			`function createTestAppAndRequest(testToken, done) {`
			`var app = createTestApp(testToken, done);`
			`return request(app);`
			`}`

			`function createTestApp(testToken, done) {`
			`var app = loopback();`

			`app.use(loopback.cookieParser('secret'));`
			`app.use(loopback.token({model: Token}));`
			`app.get('/token', function(req, res) {`
			`res.cookie('authorization', testToken.id, {signed: true});`
			`res.end();`
			`});`
			`app.get('/', function (req, res) {`
			`try {`
			`assert(req.accessToken, 'req should have accessToken');`
			`assert(req.accessToken.id === testToken.id);`
			`} catch(e) {`
			`return done(e);`
			`}`
			`res.send('ok');`
			`});`
Initial auth implementation 2013-11-15 04:19:46 +00:00			`app.use(loopback.rest());`
			`app.enableAuth();`

			`var TestModel = loopback.Model.extend('test', {}, {`
			`acls: [`
			`{`
			`principalType: "ROLE",`
			`principalId: "$everyone",`
			`accessType: ACL.ALL,`
			`permission: ACL.DENY,`
			`property: 'removeById'`
			`}`
			`]`
			`});`

			`TestModel.attachTo(loopback.memory());`
			`app.model(TestModel);`
Update session / token documentation 2013-11-14 23:27:36 +00:00
			`return app;`
			`}`