loopback/test/user.integration.js

// Copyright IBM Corp. 2015,2016. All Rights Reserved.
// Node module: loopback
// This file is licensed under the MIT License.
// License text available at https://opensource.org/licenses/MIT

/*jshint -W030 */
var loopback = require('../');
var lt = require('loopback-testing');
var path = require('path');
var SIMPLE_APP = path.join(__dirname, 'fixtures', 'user-integration-app');
var app = require(path.join(SIMPLE_APP, 'server/server.js'));
var expect = require('chai').expect;

describe('users - integration', function() {
  before(function(done) {
    if (app.booting) {
      return app.once('booted', done);
    }
    done();
  });

  lt.beforeEach.withApp(app);

  before(function(done) {
    app.models.User.destroyAll(function(err) {
      if (err) return done(err);

      app.models.Post.destroyAll(function(err) {
        if (err) return done(err);

        app.models.blog.destroyAll(function(err) {
          if (err) return done(err);

          done();
        });
      });
    });
  });

  describe('base-user', function() {
    var userId;
    var accessToken;

    it('should create a new user', function(done) {
      this.post('/api/users')
        .send({username: 'x', email: 'x@y.com', password: 'x'})
        .expect(200, function(err, res) {
          if (err) return done(err);

          expect(res.body.id).to.exist;
          userId = res.body.id;

          done();
        });
    });

    it('should log into the user', function(done) {
      var url = '/api/users/login';

      this.post(url)
        .send({username: 'x', email: 'x@y.com', password: 'x'})
        .expect(200, function(err, res) {
          if (err) return done(err);

          expect(res.body.id).to.exist;
          accessToken = res.body.id;

          done();
        });
    });

    it('should create post for a given user', function(done) {
      var url = '/api/users/' + userId + '/posts?access_token=' + accessToken;
      this.post(url)
        .send({title: 'T1', content: 'C1'})
        .expect(200, function(err, res) {
          if (err) return done(err);

          expect(res.body.title).to.be.eql('T1');
          expect(res.body.content).to.be.eql('C1');
          expect(res.body.userId).to.be.eql(userId);

          done();
        });
    });

    // FIXME: [rfeng] The test is passing if run alone. But it fails with
    // `npm test` as the loopback models are polluted by other tests
    it('should prevent access tokens from being included', function(done) {
      var url = '/api/posts?filter={"include":{"user":"accessTokens"}}';
      this.get(url)
        .expect(200, function(err, res) {
          if (err) return done(err);

          expect(res.body).to.have.property('length', 1);
          var post = res.body[0];
          expect(post.user).to.have.property('username', 'x');
          expect(post.user).to.not.have.property('accessTokens');

          done();
        });
    });

    it('invalidates current session when options are not injected', function(done) {
      // "injectOptionsFromRemoteContext" is disabled by default,
      // therefore the code invalidating sessions cannot tell what
      // is the current session, and thus invalidates all sessions
      var url = '/api/users/' + userId;
      var self = this;
      this.request.patch(url)
        .send({email: 'new@example.com'})
        .set('Authorization', accessToken)
        .expect(200, function(err) {
          if (err) return done(err);
          self.get(url)
            .set('Authorization', accessToken)
            .expect(401, done);
        });
    });

    it('should preserve current session when invalidating tokens', function(done) {
      var UserWithContext = app.registry.createModel({
        name: 'UserWithContext',
        plural: 'ctx-users',
        base: 'User',
        injectOptionsFromRemoteContext: true
      });
      app.model(UserWithContext, {dataSource: 'db'});

      var self = this;
      var CREDENTIALS = {email: 'ctx@example.com', password: 'pass'};
      UserWithContext.create(CREDENTIALS, function(err, user) {
        if (err) return done(err);

        UserWithContext.login(CREDENTIALS, function(err, token) {
          if (err) return done(err);

          var url = '/api/ctx-users/' + user.id;
          self.request.patch(url)
            .send({email: 'new@example.com'})
            .set('Authorization', token.id)
            .expect(200, function(err) {
              if (err) return done(err);
              self.get(url)
                .set('Authorization', token.id)
                .expect(200, done);
            });
        });
      });
    });

    it('returns 401 on logout with no access token', function(done) {
      this.post('/api/users/logout')
        .expect(401, done);
    });

    it('returns 401 on logout with invalid access token', function(done) {
      this.post('/api/users/logout')
        .set('Authorization', 'unknown-token')
        .expect(401, done);
    });
  });

  describe('sub-user', function() {
    var userId;
    var accessToken;

    it('should create a new user', function(done) {
      var url = '/api/myUsers';

      this.post(url)
        .send({username: 'x', email: 'x@y.com', password: 'x'})
        .expect(200, function(err, res) {
          if (err) return done(err);

          expect(res.body.id).to.exist;
          userId = res.body.id;

          done();
        });
    });

    it('should log into the user', function(done) {
      var url = '/api/myUsers/login';

      this.post(url)
        .send({username: 'x', email: 'x@y.com', password: 'x'})
        .expect(200, function(err, res) {
          if (err) return done(err);

          expect(res.body.id).to.exist;
          accessToken = res.body.id;

          done();
        });
    });

    it('should create blog for a given user', function(done) {
      var url = '/api/myUsers/' + userId + '/blogs?access_token=' + accessToken;
      this.post(url)
        .send({title: 'T1', content: 'C1'})
        .expect(200, function(err, res) {
          if (err) {
            console.error(err);
            return done(err);
          }

          expect(res.body.title).to.be.eql('T1');
          expect(res.body.content).to.be.eql('C1');
          expect(res.body.userId).to.be.eql(userId);

          done();
        });
    });

    it('should prevent access tokens from being included', function(done) {
      var url = '/api/blogs?filter={"include":{"user":"accessTokens"}}';
      this.get(url)
        .expect(200, function(err, res) {
          if (err) return done(err);

          expect(res.body).to.have.property('length', 1);
          var blog = res.body[0];
          expect(blog.user).to.have.property('username', 'x');
          expect(blog.user).to.not.have.property('accessTokens');

          done();
        });
    });
  });

});
update/insert copyright notices 2016-05-04 00:10:46 +00:00			`// Copyright IBM Corp. 2015,2016. All Rights Reserved.`
			`// Node module: loopback`
			`// This file is licensed under the MIT License.`
			`// License text available at https://opensource.org/licenses/MIT`

Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00			`/jshint -W030 /`
			`var loopback = require('../');`
			`var lt = require('loopback-testing');`
			`var path = require('path');`
			`var SIMPLE_APP = path.join(__dirname, 'fixtures', 'user-integration-app');`
			`var app = require(path.join(SIMPLE_APP, 'server/server.js'));`
			`var expect = require('chai').expect;`

			`describe('users - integration', function() {`
ensure app is booted before integration tests 2016-01-01 00:52:31 +00:00			`before(function(done) {`
			`if (app.booting) {`
			`return app.once('booted', done);`
			`}`
			`done();`
			`});`
Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00
			`lt.beforeEach.withApp(app);`

			`before(function(done) {`
			`app.models.User.destroyAll(function(err) {`
			`if (err) return done(err);`
Backport separate error checking and done logic 2016-05-06 20:50:01 +00:00
test: use local registry in test fixtures Use local registry in test fixtures to prevent collision in globally shared models. Fix issues discoverd in auth implementation where the global registry was used instead of the correct local one. 2016-07-26 12:10:13 +00:00			`app.models.Post.destroyAll(function(err) {`
Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00			`if (err) return done(err);`
Backport separate error checking and done logic 2016-05-06 20:50:01 +00:00
Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00			`app.models.blog.destroyAll(function(err) {`
			`if (err) return done(err);`
Backport separate error checking and done logic 2016-05-06 20:50:01 +00:00
Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00			`done();`
			`});`
			`});`
			`});`
			`});`

			`describe('base-user', function() {`
			`var userId;`
			`var accessToken;`

			`it('should create a new user', function(done) {`
Check configs for shared method settings 2015-09-19 02:13:30 +00:00			`this.post('/api/users')`
Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00			`.send({username: 'x', email: 'x@y.com', password: 'x'})`
			`.expect(200, function(err, res) {`
Check configs for shared method settings 2015-09-19 02:13:30 +00:00			`if (err) return done(err);`
Backport separate error checking and done logic 2016-05-06 20:50:01 +00:00
Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00			`expect(res.body.id).to.exist;`
			`userId = res.body.id;`
Backport separate error checking and done logic 2016-05-06 20:50:01 +00:00
Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00			`done();`
			`});`
			`});`

			`it('should log into the user', function(done) {`
			`var url = '/api/users/login';`

			`this.post(url)`
			`.send({username: 'x', email: 'x@y.com', password: 'x'})`
			`.expect(200, function(err, res) {`
Backport separate error checking and done logic 2016-05-06 20:50:01 +00:00			`if (err) return done(err);`

Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00			`expect(res.body.id).to.exist;`
			`accessToken = res.body.id;`
Backport separate error checking and done logic 2016-05-06 20:50:01 +00:00
Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00			`done();`
			`});`
			`});`

			`it('should create post for a given user', function(done) {`
			`var url = '/api/users/' + userId + '/posts?access_token=' + accessToken;`
			`this.post(url)`
			`.send({title: 'T1', content: 'C1'})`
			`.expect(200, function(err, res) {`
Backport separate error checking and done logic 2016-05-06 20:50:01 +00:00			`if (err) return done(err);`

Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00			`expect(res.body.title).to.be.eql('T1');`
			`expect(res.body.content).to.be.eql('C1');`
			`expect(res.body.userId).to.be.eql(userId);`
Backport separate error checking and done logic 2016-05-06 20:50:01 +00:00
Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00			`done();`
			`});`
			`});`

			`// FIXME: [rfeng] The test is passing if run alone. But it fails with`
			// `npm test` as the loopback models are polluted by other tests
			`it('should prevent access tokens from being included', function(done) {`
			`var url = '/api/posts?filter={"include":{"user":"accessTokens"}}';`
			`this.get(url)`
			`.expect(200, function(err, res) {`
Backport separate error checking and done logic 2016-05-06 20:50:01 +00:00			`if (err) return done(err);`

Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00			`expect(res.body).to.have.property('length', 1);`
			`var post = res.body[0];`
			`expect(post.user).to.have.property('username', 'x');`
			`expect(post.user).to.not.have.property('accessTokens');`
Backport separate error checking and done logic 2016-05-06 20:50:01 +00:00
Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00			`done();`
			`});`
			`});`
Preserve current session when invalidating tokens Fix User model to preserve the current session (provided via "options.accessToken") when invalidating access tokens after a change of email or password property. 2017-01-13 10:03:06 +00:00
			`it('invalidates current session when options are not injected', function(done) {`
			`// "injectOptionsFromRemoteContext" is disabled by default,`
			`// therefore the code invalidating sessions cannot tell what`
			`// is the current session, and thus invalidates all sessions`
			`var url = '/api/users/' + userId;`
			`var self = this;`
			`this.request.patch(url)`
			`.send({email: 'new@example.com'})`
			`.set('Authorization', accessToken)`
			`.expect(200, function(err) {`
			`if (err) return done(err);`
			`self.get(url)`
			`.set('Authorization', accessToken)`
			`.expect(401, done);`
			`});`
			`});`

			`it('should preserve current session when invalidating tokens', function(done) {`
			`var UserWithContext = app.registry.createModel({`
			`name: 'UserWithContext',`
			`plural: 'ctx-users',`
			`base: 'User',`
			`injectOptionsFromRemoteContext: true`
			`});`
			`app.model(UserWithContext, {dataSource: 'db'});`

			`var self = this;`
			`var CREDENTIALS = {email: 'ctx@example.com', password: 'pass'};`
			`UserWithContext.create(CREDENTIALS, function(err, user) {`
			`if (err) return done(err);`

			`UserWithContext.login(CREDENTIALS, function(err, token) {`
			`if (err) return done(err);`

			`var url = '/api/ctx-users/' + user.id;`
			`self.request.patch(url)`
			`.send({email: 'new@example.com'})`
			`.set('Authorization', token.id)`
			`.expect(200, function(err) {`
			`if (err) return done(err);`
			`self.get(url)`
			`.set('Authorization', token.id)`
			`.expect(200, done);`
			`});`
			`});`
			`});`
			`});`
Fix logout to handle no or missing accessToken Return 401 when the request does not provide any accessToken argument or the token was not found. Also simplify the implementation of the `logout` method to make only a single database call (`deleteById`) instead of `findById` + `delete`. 2015-07-01 19:13:09 +00:00
			`it('returns 401 on logout with no access token', function(done) {`
			`this.post('/api/users/logout')`
			`.expect(401, done);`
			`});`

			`it('returns 401 on logout with invalid access token', function(done) {`
			`this.post('/api/users/logout')`
			`.set('Authorization', 'unknown-token')`
			`.expect(401, done);`
			`});`
Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00			`});`

			`describe('sub-user', function() {`
			`var userId;`
			`var accessToken;`

			`it('should create a new user', function(done) {`
			`var url = '/api/myUsers';`

			`this.post(url)`
			`.send({username: 'x', email: 'x@y.com', password: 'x'})`
			`.expect(200, function(err, res) {`
Backport separate error checking and done logic 2016-05-06 20:50:01 +00:00			`if (err) return done(err);`

Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00			`expect(res.body.id).to.exist;`
			`userId = res.body.id;`
Backport separate error checking and done logic 2016-05-06 20:50:01 +00:00
Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00			`done();`
			`});`
			`});`

			`it('should log into the user', function(done) {`
			`var url = '/api/myUsers/login';`

			`this.post(url)`
			`.send({username: 'x', email: 'x@y.com', password: 'x'})`
			`.expect(200, function(err, res) {`
Backport separate error checking and done logic 2016-05-06 20:50:01 +00:00			`if (err) return done(err);`

Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00			`expect(res.body.id).to.exist;`
			`accessToken = res.body.id;`
Backport separate error checking and done logic 2016-05-06 20:50:01 +00:00
Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00			`done();`
			`});`
			`});`

			`it('should create blog for a given user', function(done) {`
			`var url = '/api/myUsers/' + userId + '/blogs?access_token=' + accessToken;`
			`this.post(url)`
			`.send({title: 'T1', content: 'C1'})`
			`.expect(200, function(err, res) {`
			`if (err) {`
			`console.error(err);`
			`return done(err);`
			`}`
Backport separate error checking and done logic 2016-05-06 20:50:01 +00:00
Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00			`expect(res.body.title).to.be.eql('T1');`
			`expect(res.body.content).to.be.eql('C1');`
			`expect(res.body.userId).to.be.eql(userId);`
Backport separate error checking and done logic 2016-05-06 20:50:01 +00:00
Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00			`done();`
			`});`
			`});`

			`it('should prevent access tokens from being included', function(done) {`
			`var url = '/api/blogs?filter={"include":{"user":"accessTokens"}}';`
			`this.get(url)`
			`.expect(200, function(err, res) {`
Backport separate error checking and done logic 2016-05-06 20:50:01 +00:00			`if (err) return done(err);`

Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00			`expect(res.body).to.have.property('length', 1);`
			`var blog = res.body[0];`
			`expect(blog.user).to.have.property('username', 'x');`
			`expect(blog.user).to.not.have.property('accessTokens');`
Backport separate error checking and done logic 2016-05-06 20:50:01 +00:00
Disable inclusion of User.accessTokens 2015-04-20 18:44:07 +00:00			`done();`
			`});`
			`});`
			`});`

			`});`