mirror of
https://github.com/Unleash/unleash.git
synced 2025-10-13 11:17:26 +02:00
bfa82d79bf
### What Adds `createdByUserId` to all events exposed by unleash. In addition this PR updates all tests and usages of the methods in this codebase to include the required number.
887 lines
34 KiB
TypeScript
887 lines
34 KiB
TypeScript
import { setupAppWithCustomAuth } from '../../helpers/test-helper';
|
|
import dbInit from '../../helpers/database-init';
|
|
import getLogger from '../../../fixtures/no-logger';
|
|
import { ApiTokenType } from '../../../../lib/types/models/api-token';
|
|
import { RoleName } from '../../../../lib/types/model';
|
|
import {
|
|
CREATE_CLIENT_API_TOKEN,
|
|
CREATE_PROJECT_API_TOKEN,
|
|
DELETE_CLIENT_API_TOKEN,
|
|
READ_CLIENT_API_TOKEN,
|
|
READ_FRONTEND_API_TOKEN,
|
|
SYSTEM_USER_ID,
|
|
UPDATE_CLIENT_API_TOKEN,
|
|
} from '../../../../lib/types';
|
|
import { addDays } from 'date-fns';
|
|
import { AccessService, UserService } from 'lib/services';
|
|
|
|
let stores;
|
|
let db;
|
|
|
|
beforeAll(async () => {
|
|
db = await dbInit('token_api_auth_serial', getLogger);
|
|
stores = db.stores;
|
|
});
|
|
|
|
afterAll(async () => {
|
|
if (db) {
|
|
await db.destroy();
|
|
}
|
|
});
|
|
|
|
afterEach(async () => {
|
|
await stores.apiTokenStore.deleteAll();
|
|
});
|
|
|
|
test('editor users should only get client or frontend tokens', async () => {
|
|
expect.assertions(3);
|
|
|
|
const preHook = (app, config, { userService, accessService }) => {
|
|
app.use('/api/admin/', async (req, res, next) => {
|
|
const role = await accessService.getPredefinedRole(RoleName.EDITOR);
|
|
const user = await userService.createUser({
|
|
email: 'editor@example.com',
|
|
rootRole: role.id,
|
|
});
|
|
req.user = user;
|
|
next();
|
|
});
|
|
};
|
|
|
|
const { request, destroy } = await setupAppWithCustomAuth(stores, preHook);
|
|
|
|
await stores.apiTokenStore.insert({
|
|
username: 'test',
|
|
secret: '1234',
|
|
type: ApiTokenType.CLIENT,
|
|
});
|
|
|
|
await stores.apiTokenStore.insert({
|
|
username: 'frontend',
|
|
secret: '12345',
|
|
type: ApiTokenType.FRONTEND,
|
|
});
|
|
|
|
await stores.apiTokenStore.insert({
|
|
username: 'test',
|
|
secret: 'sdfsdf2d',
|
|
type: ApiTokenType.ADMIN,
|
|
});
|
|
|
|
await request
|
|
.get('/api/admin/api-tokens')
|
|
.expect('Content-Type', /json/)
|
|
.expect(200)
|
|
.expect((res) => {
|
|
expect(res.body.tokens.length).toBe(2);
|
|
expect(res.body.tokens[0].type).toBe(ApiTokenType.CLIENT);
|
|
expect(res.body.tokens[1].type).toBe(ApiTokenType.FRONTEND);
|
|
});
|
|
|
|
await destroy();
|
|
});
|
|
|
|
test('viewer users should not be allowed to fetch tokens', async () => {
|
|
expect.assertions(0);
|
|
|
|
const preHook = (app, config, { userService, accessService }) => {
|
|
app.use('/api/admin/', async (req, res, next) => {
|
|
const role = await accessService.getPredefinedRole(RoleName.VIEWER);
|
|
const user = await userService.createUser({
|
|
email: 'viewer@example.com',
|
|
rootRole: role.id,
|
|
});
|
|
req.user = user;
|
|
next();
|
|
});
|
|
};
|
|
|
|
const { request, destroy } = await setupAppWithCustomAuth(stores, preHook);
|
|
|
|
await stores.apiTokenStore.insert({
|
|
username: 'test',
|
|
secret: '1234',
|
|
type: ApiTokenType.CLIENT,
|
|
});
|
|
|
|
await stores.apiTokenStore.insert({
|
|
username: 'test',
|
|
secret: 'sdfsdf2d',
|
|
type: ApiTokenType.ADMIN,
|
|
});
|
|
|
|
await request
|
|
.get('/api/admin/api-tokens')
|
|
.expect('Content-Type', /json/)
|
|
.expect(403);
|
|
|
|
await destroy();
|
|
});
|
|
|
|
test('Only token-admins should be allowed to create token', async () => {
|
|
expect.assertions(0);
|
|
|
|
const preHook = (app, config, { userService, accessService }) => {
|
|
app.use('/api/admin/', async (req, res, next) => {
|
|
const role = await accessService.getPredefinedRole(RoleName.EDITOR);
|
|
req.user = await userService.createUser({
|
|
email: 'editor2@example.com',
|
|
rootRole: role.id,
|
|
});
|
|
next();
|
|
});
|
|
};
|
|
|
|
const { request, destroy } = await setupAppWithCustomAuth(stores, preHook);
|
|
|
|
await request
|
|
.post('/api/admin/api-tokens')
|
|
.send({
|
|
username: 'default-admin',
|
|
type: 'admin',
|
|
})
|
|
.set('Content-Type', 'application/json')
|
|
.expect(403);
|
|
|
|
await destroy();
|
|
});
|
|
|
|
test('Token-admin should be allowed to create token', async () => {
|
|
expect.assertions(0);
|
|
|
|
const preHook = (app, config, { userService, accessService }) => {
|
|
app.use('/api/admin/', async (req, res, next) => {
|
|
const role = await accessService.getPredefinedRole(RoleName.ADMIN);
|
|
req.user = await userService.createUser({
|
|
email: 'admin@example.com',
|
|
rootRole: role.id,
|
|
});
|
|
next();
|
|
});
|
|
};
|
|
|
|
const { request, destroy } = await setupAppWithCustomAuth(stores, preHook);
|
|
|
|
await request
|
|
.post('/api/admin/api-tokens')
|
|
.send({
|
|
username: 'default-admin',
|
|
type: 'admin',
|
|
})
|
|
.set('Content-Type', 'application/json')
|
|
.expect(201);
|
|
|
|
await destroy();
|
|
});
|
|
|
|
test('A role with only CREATE_PROJECT_API_TOKEN can create project tokens', async () => {
|
|
expect.assertions(0);
|
|
|
|
const preHook = (
|
|
app,
|
|
config,
|
|
{
|
|
userService,
|
|
accessService,
|
|
}: { userService: UserService; accessService: AccessService },
|
|
) => {
|
|
app.use('/api/admin/', async (req, res, next) => {
|
|
const role = (await accessService.getPredefinedRole(
|
|
RoleName.VIEWER,
|
|
))!;
|
|
const user = await userService.createUser({
|
|
email: 'powerpuffgirls_viewer@example.com',
|
|
rootRole: role.id,
|
|
});
|
|
const createClientApiTokenRole = await accessService.createRole({
|
|
name: 'project_client_token_creator',
|
|
description: 'Can create client tokens',
|
|
permissions: [{ name: CREATE_PROJECT_API_TOKEN }],
|
|
type: 'root-custom',
|
|
createdByUserId: SYSTEM_USER_ID,
|
|
});
|
|
await accessService.addUserToRole(
|
|
user.id,
|
|
createClientApiTokenRole.id,
|
|
'default',
|
|
);
|
|
req.user = user;
|
|
next();
|
|
});
|
|
};
|
|
|
|
const { request, destroy } = await setupAppWithCustomAuth(
|
|
stores,
|
|
preHook,
|
|
{},
|
|
db.rawDatabase,
|
|
);
|
|
|
|
await request
|
|
.post('/api/admin/projects/default/api-tokens')
|
|
.send({
|
|
username: 'client-token-maker',
|
|
type: 'client',
|
|
projects: ['default'],
|
|
})
|
|
.set('Content-Type', 'application/json')
|
|
.expect(201);
|
|
await destroy();
|
|
});
|
|
|
|
describe('Fine grained API token permissions', () => {
|
|
describe('A role with access to CREATE_CLIENT_API_TOKEN', () => {
|
|
test('should be allowed to create client tokens', async () => {
|
|
const preHook = (app, config, { userService, accessService }) => {
|
|
app.use('/api/admin/', async (req, res, next) => {
|
|
const builtInRole = await accessService.getPredefinedRole(
|
|
RoleName.VIEWER,
|
|
);
|
|
const user = await userService.createUser({
|
|
email: 'mylittlepony_viewer@example.com',
|
|
rootRole: builtInRole.id,
|
|
});
|
|
req.user = user;
|
|
const createClientApiTokenRole =
|
|
await accessService.createRole({
|
|
name: 'client_token_creator',
|
|
description: 'Can create client tokens',
|
|
permissions: [],
|
|
type: 'root-custom',
|
|
});
|
|
// not sure if we should add the permission to the builtin role or to the newly created role
|
|
await accessService.addPermissionToRole(
|
|
builtInRole.id,
|
|
CREATE_CLIENT_API_TOKEN,
|
|
);
|
|
await accessService.addUserToRole(
|
|
user.id,
|
|
createClientApiTokenRole.id,
|
|
'default',
|
|
);
|
|
next();
|
|
});
|
|
};
|
|
const { request, destroy } = await setupAppWithCustomAuth(
|
|
stores,
|
|
preHook,
|
|
);
|
|
await request
|
|
.post('/api/admin/api-tokens')
|
|
.send({
|
|
username: 'default-client',
|
|
type: 'client',
|
|
})
|
|
.set('Content-Type', 'application/json')
|
|
.expect(201);
|
|
await destroy();
|
|
});
|
|
test('should NOT be allowed to create frontend tokens', async () => {
|
|
const preHook = (app, config, { userService, accessService }) => {
|
|
app.use('/api/admin/', async (req, res, next) => {
|
|
const role = await accessService.getPredefinedRole(
|
|
RoleName.VIEWER,
|
|
);
|
|
const user = await userService.createUser({
|
|
email: 'mylittlepony_viewer_frontend@example.com',
|
|
rootRole: role.id,
|
|
});
|
|
req.user = user;
|
|
const createClientApiTokenRole =
|
|
await accessService.createRole({
|
|
name: 'client_token_creator_cannot_create_frontend',
|
|
description: 'Can create client tokens',
|
|
permissions: [],
|
|
type: 'root-custom',
|
|
});
|
|
await accessService.addPermissionToRole(
|
|
role.id,
|
|
CREATE_CLIENT_API_TOKEN,
|
|
);
|
|
await accessService.addUserToRole(
|
|
user.id,
|
|
createClientApiTokenRole.id,
|
|
'default',
|
|
);
|
|
next();
|
|
});
|
|
};
|
|
const { request, destroy } = await setupAppWithCustomAuth(
|
|
stores,
|
|
preHook,
|
|
);
|
|
await request
|
|
.post('/api/admin/api-tokens')
|
|
.send({
|
|
username: 'default-frontend',
|
|
type: 'frontend',
|
|
})
|
|
.set('Content-Type', 'application/json')
|
|
.expect(403);
|
|
await destroy();
|
|
});
|
|
test('should NOT be allowed to create ADMIN tokens', async () => {
|
|
const preHook = (app, config, { userService, accessService }) => {
|
|
app.use('/api/admin/', async (req, res, next) => {
|
|
const role = await accessService.getPredefinedRole(
|
|
RoleName.VIEWER,
|
|
);
|
|
const user = await userService.createUser({
|
|
email: 'mylittlepony_admin@example.com',
|
|
rootRole: role.id,
|
|
});
|
|
req.user = user;
|
|
const createClientApiTokenRole =
|
|
await accessService.createRole({
|
|
name: 'client_token_creator_cannot_create_admin',
|
|
description: 'Can create client tokens',
|
|
permissions: [],
|
|
type: 'root-custom',
|
|
});
|
|
await accessService.addPermissionToRole(
|
|
role.id,
|
|
CREATE_CLIENT_API_TOKEN,
|
|
);
|
|
await accessService.addUserToRole(
|
|
user.id,
|
|
createClientApiTokenRole.id,
|
|
'default',
|
|
);
|
|
next();
|
|
});
|
|
};
|
|
const { request, destroy } = await setupAppWithCustomAuth(
|
|
stores,
|
|
preHook,
|
|
);
|
|
await request
|
|
.post('/api/admin/api-tokens')
|
|
.send({
|
|
username: 'default-admin',
|
|
type: 'admin',
|
|
})
|
|
.set('Content-Type', 'application/json')
|
|
.expect(403);
|
|
await destroy();
|
|
});
|
|
});
|
|
describe('Read operations', () => {
|
|
test('READ_FRONTEND_API_TOKEN should be able to see FRONTEND tokens', async () => {
|
|
const preHook = (app, config, { userService, accessService }) => {
|
|
app.use('/api/admin/', async (req, res, next) => {
|
|
const role = await accessService.getPredefinedRole(
|
|
RoleName.VIEWER,
|
|
);
|
|
const user = await userService.createUser({
|
|
email: 'read_frontend_token@example.com',
|
|
rootRole: role.id,
|
|
});
|
|
req.user = user;
|
|
const readFrontendApiToken = await accessService.createRole(
|
|
{
|
|
name: 'frontend_token_reader',
|
|
description: 'Can read frontend tokens',
|
|
permissions: [],
|
|
type: 'root-custom',
|
|
},
|
|
);
|
|
await accessService.addPermissionToRole(
|
|
readFrontendApiToken.id,
|
|
READ_FRONTEND_API_TOKEN,
|
|
);
|
|
await accessService.addUserToRole(
|
|
user.id,
|
|
readFrontendApiToken.id,
|
|
'default',
|
|
);
|
|
next();
|
|
});
|
|
};
|
|
const { request, destroy } = await setupAppWithCustomAuth(
|
|
stores,
|
|
preHook,
|
|
);
|
|
await stores.apiTokenStore.insert({
|
|
username: 'client',
|
|
secret: 'client_secret',
|
|
type: ApiTokenType.CLIENT,
|
|
});
|
|
|
|
await stores.apiTokenStore.insert({
|
|
username: 'admin',
|
|
secret: 'sdfsdf2admin_secret',
|
|
type: ApiTokenType.ADMIN,
|
|
});
|
|
await stores.apiTokenStore.insert({
|
|
username: 'frontender',
|
|
secret: 'sdfsdf2dfrontend_Secret',
|
|
type: ApiTokenType.FRONTEND,
|
|
});
|
|
await request
|
|
.get('/api/admin/api-tokens')
|
|
.set('Content-Type', 'application/json')
|
|
.expect(200)
|
|
.expect((res) => {
|
|
expect(
|
|
res.body.tokens.every(
|
|
(t) => t.type === ApiTokenType.FRONTEND,
|
|
),
|
|
).toBe(true);
|
|
});
|
|
await destroy();
|
|
});
|
|
test('READ_CLIENT_API_TOKEN should be able to see CLIENT tokens', async () => {
|
|
const preHook = (app, config, { userService, accessService }) => {
|
|
app.use('/api/admin/', async (req, res, next) => {
|
|
const role = await accessService.getPredefinedRole(
|
|
RoleName.VIEWER,
|
|
);
|
|
const user = await userService.createUser({
|
|
email: 'read_client_token@example.com',
|
|
rootRole: role.id,
|
|
});
|
|
req.user = user;
|
|
const readClientTokenRole = await accessService.createRole({
|
|
name: 'client_token_reader',
|
|
description: 'Can read client tokens',
|
|
permissions: [],
|
|
type: 'root-custom',
|
|
});
|
|
await accessService.addPermissionToRole(
|
|
readClientTokenRole.id,
|
|
READ_CLIENT_API_TOKEN,
|
|
);
|
|
await accessService.addUserToRole(
|
|
user.id,
|
|
readClientTokenRole.id,
|
|
'default',
|
|
);
|
|
next();
|
|
});
|
|
};
|
|
const { request, destroy } = await setupAppWithCustomAuth(
|
|
stores,
|
|
preHook,
|
|
);
|
|
await stores.apiTokenStore.insert({
|
|
username: 'client',
|
|
secret: 'client_secret_1234',
|
|
type: ApiTokenType.CLIENT,
|
|
});
|
|
|
|
await stores.apiTokenStore.insert({
|
|
username: 'admin',
|
|
secret: 'admin_secret_1234',
|
|
type: ApiTokenType.ADMIN,
|
|
});
|
|
await stores.apiTokenStore.insert({
|
|
username: 'frontender',
|
|
secret: 'frontend_secret_1234',
|
|
type: ApiTokenType.FRONTEND,
|
|
});
|
|
await request
|
|
.get('/api/admin/api-tokens')
|
|
.set('Content-Type', 'application/json')
|
|
.expect(200)
|
|
.expect((res) => {
|
|
expect(res.body.tokens).toHaveLength(1);
|
|
expect(res.body.tokens[0].type).toBe(ApiTokenType.CLIENT);
|
|
});
|
|
await destroy();
|
|
});
|
|
test('Admin users should be able to see all tokens', async () => {
|
|
const preHook = (app, config, { userService, accessService }) => {
|
|
app.use('/api/admin/', async (req, res, next) => {
|
|
const role = await accessService.getPredefinedRole(
|
|
RoleName.ADMIN,
|
|
);
|
|
const user = await userService.createUser({
|
|
email: 'read_admin_token@example.com',
|
|
rootRole: role.id,
|
|
});
|
|
req.user = user;
|
|
next();
|
|
});
|
|
};
|
|
const { request, destroy } = await setupAppWithCustomAuth(
|
|
stores,
|
|
preHook,
|
|
);
|
|
await stores.apiTokenStore.insert({
|
|
username: 'client',
|
|
secret: 'client_secret_4321',
|
|
type: ApiTokenType.CLIENT,
|
|
});
|
|
|
|
await stores.apiTokenStore.insert({
|
|
username: 'admin',
|
|
secret: 'admin_secret_4321',
|
|
type: ApiTokenType.ADMIN,
|
|
});
|
|
await stores.apiTokenStore.insert({
|
|
username: 'frontender',
|
|
secret: 'frontend_secret_4321',
|
|
type: ApiTokenType.FRONTEND,
|
|
});
|
|
await request
|
|
.get('/api/admin/api-tokens')
|
|
.set('Content-Type', 'application/json')
|
|
.expect(200)
|
|
.expect((res) => {
|
|
expect(res.body.tokens).toHaveLength(3);
|
|
});
|
|
await destroy();
|
|
});
|
|
test('Editor users should be able to see all tokens except ADMIN tokens', async () => {
|
|
const preHook = (app, config, { userService, accessService }) => {
|
|
app.use('/api/admin/', async (req, res, next) => {
|
|
const role = await accessService.getPredefinedRole(
|
|
RoleName.EDITOR,
|
|
);
|
|
const user = await userService.createUser({
|
|
email: 'standard-editor-reads-tokens@example.com',
|
|
rootRole: role.id,
|
|
});
|
|
req.user = user;
|
|
next();
|
|
});
|
|
};
|
|
const { request, destroy } = await setupAppWithCustomAuth(
|
|
stores,
|
|
preHook,
|
|
);
|
|
await stores.apiTokenStore.insert({
|
|
username: 'client',
|
|
secret: 'client_secret_4321',
|
|
type: ApiTokenType.CLIENT,
|
|
});
|
|
await stores.apiTokenStore.insert({
|
|
username: 'admin',
|
|
secret: 'admin_secret_4321',
|
|
type: ApiTokenType.ADMIN,
|
|
});
|
|
await stores.apiTokenStore.insert({
|
|
username: 'frontender',
|
|
secret: 'frontend_secret_4321',
|
|
type: ApiTokenType.FRONTEND,
|
|
});
|
|
await request
|
|
.get('/api/admin/api-tokens')
|
|
.set('Content-Type', 'application/json')
|
|
.expect(200)
|
|
.expect((res) => {
|
|
expect(res.body.tokens).toHaveLength(2);
|
|
expect(
|
|
res.body.tokens.filter(
|
|
({ type }) => type === ApiTokenType.ADMIN,
|
|
),
|
|
).toHaveLength(0);
|
|
});
|
|
await destroy();
|
|
});
|
|
});
|
|
describe('Update operations', () => {
|
|
describe('UPDATE_CLIENT_API_TOKEN can', () => {
|
|
test('UPDATE client_api token expiry', async () => {
|
|
const preHook = (
|
|
app,
|
|
config,
|
|
{ userService, accessService },
|
|
) => {
|
|
app.use('/api/admin/', async (req, res, next) => {
|
|
const role = await accessService.getPredefinedRole(
|
|
RoleName.VIEWER,
|
|
);
|
|
const user = await userService.createUser({
|
|
email: 'update_client_token@example.com',
|
|
rootRole: role.id,
|
|
});
|
|
req.user = user;
|
|
const updateClientApiExpiry =
|
|
await accessService.createRole({
|
|
name: 'update_client_token',
|
|
description: 'Can update client tokens',
|
|
permissions: [],
|
|
type: 'root-custom',
|
|
});
|
|
await accessService.addPermissionToRole(
|
|
updateClientApiExpiry.id,
|
|
UPDATE_CLIENT_API_TOKEN,
|
|
);
|
|
await accessService.addUserToRole(
|
|
user.id,
|
|
updateClientApiExpiry.id,
|
|
'default',
|
|
);
|
|
next();
|
|
});
|
|
};
|
|
const { request, destroy } = await setupAppWithCustomAuth(
|
|
stores,
|
|
preHook,
|
|
);
|
|
const token = await stores.apiTokenStore.insert({
|
|
username: 'cilent',
|
|
secret: 'update_client_token',
|
|
type: ApiTokenType.CLIENT,
|
|
});
|
|
await request
|
|
.put(`/api/admin/api-tokens/${token.secret}`)
|
|
.send({ expiresAt: addDays(new Date(), 14) })
|
|
.expect(200);
|
|
await destroy();
|
|
});
|
|
test('NOT UPDATE frontend_api token expiry', async () => {
|
|
const preHook = (
|
|
app,
|
|
config,
|
|
{ userService, accessService },
|
|
) => {
|
|
app.use('/api/admin/', async (req, res, next) => {
|
|
const role = await accessService.getPredefinedRole(
|
|
RoleName.VIEWER,
|
|
);
|
|
const user = await userService.createUser({
|
|
email: 'update_frontend_token@example.com',
|
|
rootRole: role.id,
|
|
});
|
|
req.user = user;
|
|
const updateClientApiExpiry =
|
|
await accessService.createRole({
|
|
name: 'update_client_token_not_frontend',
|
|
description: 'Can not update frontend tokens',
|
|
permissions: [],
|
|
type: 'root-custom',
|
|
});
|
|
await accessService.addPermissionToRole(
|
|
updateClientApiExpiry.id,
|
|
UPDATE_CLIENT_API_TOKEN,
|
|
);
|
|
await accessService.addUserToRole(
|
|
user.id,
|
|
updateClientApiExpiry.id,
|
|
'default',
|
|
);
|
|
next();
|
|
});
|
|
};
|
|
const { request, destroy } = await setupAppWithCustomAuth(
|
|
stores,
|
|
preHook,
|
|
);
|
|
const token = await stores.apiTokenStore.insert({
|
|
username: 'frontend',
|
|
secret: 'update_frontend_token',
|
|
type: ApiTokenType.FRONTEND,
|
|
});
|
|
await request
|
|
.put(`/api/admin/api-tokens/${token.secret}`)
|
|
.send({ expiresAt: addDays(new Date(), 14) })
|
|
.expect(403);
|
|
|
|
await destroy();
|
|
});
|
|
test('NOT UPDATE admin_api token expiry', async () => {
|
|
const preHook = (
|
|
app,
|
|
config,
|
|
{ userService, accessService },
|
|
) => {
|
|
app.use('/api/admin/', async (req, res, next) => {
|
|
const role = await accessService.getPredefinedRole(
|
|
RoleName.VIEWER,
|
|
);
|
|
const user = await userService.createUser({
|
|
email: 'update_admin_token@example.com',
|
|
rootRole: role.id,
|
|
});
|
|
req.user = user;
|
|
const updateClientApiExpiry =
|
|
await accessService.createRole({
|
|
name: 'update_client_token_not_admin',
|
|
description: 'Can not update admin tokens',
|
|
permissions: [],
|
|
type: 'root-custom',
|
|
});
|
|
await accessService.addPermissionToRole(
|
|
updateClientApiExpiry.id,
|
|
UPDATE_CLIENT_API_TOKEN,
|
|
);
|
|
await accessService.addUserToRole(
|
|
user.id,
|
|
updateClientApiExpiry.id,
|
|
'default',
|
|
);
|
|
next();
|
|
});
|
|
};
|
|
const { request, destroy } = await setupAppWithCustomAuth(
|
|
stores,
|
|
preHook,
|
|
);
|
|
const token = await stores.apiTokenStore.insert({
|
|
username: 'admin',
|
|
secret: 'update_admin_token',
|
|
type: ApiTokenType.ADMIN,
|
|
});
|
|
await request
|
|
.put(`/api/admin/api-tokens/${token.secret}`)
|
|
.send({ expiresAt: addDays(new Date(), 14) })
|
|
.expect(403);
|
|
await destroy();
|
|
});
|
|
});
|
|
});
|
|
describe('Delete operations', () => {
|
|
describe('DELETE_CLIENT_API_TOKEN can', () => {
|
|
test('DELETE client_api token', async () => {
|
|
const preHook = (
|
|
app,
|
|
config,
|
|
{ userService, accessService },
|
|
) => {
|
|
app.use('/api/admin/', async (req, res, next) => {
|
|
const role = await accessService.getPredefinedRole(
|
|
RoleName.VIEWER,
|
|
);
|
|
const user = await userService.createUser({
|
|
email: 'delete_client_token@example.com',
|
|
rootRole: role.id,
|
|
});
|
|
req.user = user;
|
|
const updateClientApiExpiry =
|
|
await accessService.createRole({
|
|
name: 'delete_client_token',
|
|
description: 'Can delete client tokens',
|
|
permissions: [],
|
|
type: 'root-custom',
|
|
});
|
|
await accessService.addPermissionToRole(
|
|
updateClientApiExpiry.id,
|
|
DELETE_CLIENT_API_TOKEN,
|
|
);
|
|
await accessService.addUserToRole(
|
|
user.id,
|
|
updateClientApiExpiry.id,
|
|
'default',
|
|
);
|
|
next();
|
|
});
|
|
};
|
|
const { request, destroy } = await setupAppWithCustomAuth(
|
|
stores,
|
|
preHook,
|
|
);
|
|
const token = await stores.apiTokenStore.insert({
|
|
username: 'cilent',
|
|
secret: 'delete_client_token',
|
|
type: ApiTokenType.CLIENT,
|
|
});
|
|
await request
|
|
.delete(`/api/admin/api-tokens/${token.secret}`)
|
|
.send({ expiresAt: addDays(new Date(), 14) })
|
|
.expect(200);
|
|
await destroy();
|
|
});
|
|
test('NOT DELETE frontend_api token', async () => {
|
|
const preHook = (
|
|
app,
|
|
config,
|
|
{ userService, accessService },
|
|
) => {
|
|
app.use('/api/admin/', async (req, res, next) => {
|
|
const role = await accessService.getPredefinedRole(
|
|
RoleName.VIEWER,
|
|
);
|
|
const user = await userService.createUser({
|
|
email: 'delete_frontend_token@example.com',
|
|
rootRole: role.id,
|
|
});
|
|
req.user = user;
|
|
const updateClientApiExpiry =
|
|
await accessService.createRole({
|
|
name: 'delete_client_token_not_frontend',
|
|
description: 'Can not delete frontend tokens',
|
|
permissions: [],
|
|
type: 'root-custom',
|
|
});
|
|
await accessService.addPermissionToRole(
|
|
updateClientApiExpiry.id,
|
|
DELETE_CLIENT_API_TOKEN,
|
|
);
|
|
await accessService.addUserToRole(
|
|
user.id,
|
|
updateClientApiExpiry.id,
|
|
'default',
|
|
);
|
|
next();
|
|
});
|
|
};
|
|
const { request, destroy } = await setupAppWithCustomAuth(
|
|
stores,
|
|
preHook,
|
|
);
|
|
const token = await stores.apiTokenStore.insert({
|
|
username: 'frontend',
|
|
secret: 'delete_frontend_token',
|
|
type: ApiTokenType.FRONTEND,
|
|
});
|
|
await request
|
|
.delete(`/api/admin/api-tokens/${token.secret}`)
|
|
.send({ expiresAt: addDays(new Date(), 14) })
|
|
.expect(403);
|
|
await destroy();
|
|
});
|
|
test('NOT DELETE admin_api token', async () => {
|
|
const preHook = (
|
|
app,
|
|
config,
|
|
{ userService, accessService },
|
|
) => {
|
|
app.use('/api/admin/', async (req, res, next) => {
|
|
const role = await accessService.getPredefinedRole(
|
|
RoleName.VIEWER,
|
|
);
|
|
const user = await userService.createUser({
|
|
email: 'delete_admin_token@example.com',
|
|
rootRole: role.id,
|
|
});
|
|
req.user = user;
|
|
const updateClientApiExpiry =
|
|
await accessService.createRole({
|
|
name: 'delete_client_token_not_admin',
|
|
description: 'Can not delete admin tokens',
|
|
permissions: [],
|
|
type: 'root-custom',
|
|
});
|
|
await accessService.addPermissionToRole(
|
|
updateClientApiExpiry.id,
|
|
DELETE_CLIENT_API_TOKEN,
|
|
);
|
|
await accessService.addUserToRole(
|
|
user.id,
|
|
updateClientApiExpiry.id,
|
|
'default',
|
|
);
|
|
next();
|
|
});
|
|
};
|
|
const { request, destroy } = await setupAppWithCustomAuth(
|
|
stores,
|
|
preHook,
|
|
);
|
|
const token = await stores.apiTokenStore.insert({
|
|
username: 'admin',
|
|
secret: 'delete_admin_token',
|
|
type: ApiTokenType.ADMIN,
|
|
});
|
|
await request
|
|
.delete(`/api/admin/api-tokens/${token.secret}`)
|
|
.send({ expiresAt: addDays(new Date(), 14) })
|
|
.expect(403);
|
|
await destroy();
|
|
});
|
|
});
|
|
});
|
|
});
|