Add auth and blacklist APIs

2017-11-11 12:18:13 -08:00
parent cc70428986
commit 0e1f26849b
35 changed files with 1166 additions and 339 deletions
--- a/server/tests/server-test.js
+++ b/server/tests/server-test.js
@ -0,0 +1,201 @@
+const request = require('supertest')
+const createServer = require('../createServer')
+const withBlacklist = require('./utils/withBlacklist')
+const withRevokedToken = require('./utils/withRevokedToken')
+const withToken = require('./utils/withToken')
+
+describe('The server', () => {
+  let server
+  beforeEach(() => {
+    server = createServer()
+  })
+
+  it('rejects invalid package names', done => {
+    request(server)
+      .get('/_invalid/index.js')
+      .end((err, res) => {
+        expect(res.statusCode).toBe(403)
+        done()
+      })
+  })
+
+  it('redirects invalid query params', done => {
+    request(server)
+      .get('/react?main=index&invalid')
+      .end((err, res) => {
+        expect(res.statusCode).toBe(302)
+        expect(res.headers.location).toBe('/react?main=index')
+        done()
+      })
+  })
+
+  it('redirects /_meta to ?meta', done => {
+    request(server)
+      .get('/_meta/react?main=index')
+      .end((err, res) => {
+        expect(res.statusCode).toBe(302)
+        expect(res.headers.location).toBe('/react?main=index&meta')
+        done()
+      })
+  })
+
+  it('does not serve blacklisted packages', done => {
+    withBlacklist(['bad-package'], () => {
+      request(server)
+        .get('/bad-package/index.js')
+        .end((err, res) => {
+          expect(res.statusCode).toBe(403)
+          done()
+        })
+    })
+  })
+
+  describe('POST /_auth', () => {
+    it('creates a new auth token', done => {
+      request(server)
+        .post('/_auth')
+        .end((err, res) => {
+          expect(res.body).toHaveProperty('token')
+          done()
+        })
+    })
+  })
+
+  describe('GET /_auth', () => {
+    describe('with no auth', () => {
+      it('echoes back null', done => {
+        request(server)
+          .get('/_auth')
+          .end((err, res) => {
+            expect(res.body).toHaveProperty('auth')
+            expect(res.body.auth).toBe(null)
+            done()
+          })
+      })
+    })
+
+    describe('with a revoked auth token', () => {
+      it('echoes back null', done => {
+        withRevokedToken({ some: { scope: true } }, token => {
+          request(server)
+            .get('/_auth?token=' + token)
+            .end((err, res) => {
+              expect(res.body).toHaveProperty('auth')
+              expect(res.body.auth).toBe(null)
+              done()
+            })
+        })
+      })
+    })
+
+    describe('with a valid auth token', () => {
+      it('echoes back the auth payload', done => {
+        withToken({ some: { scope: true } }, token => {
+          request(server)
+            .get('/_auth?token=' + token)
+            .end((err, res) => {
+              expect(res.body).toHaveProperty('auth')
+              expect(typeof res.body.auth).toBe('object')
+              done()
+            })
+        })
+      })
+    })
+  })
+
+  describe('GET /_publicKey', () => {
+    it('echoes the public key', done => {
+      request(server)
+        .get('/_publicKey')
+        .end((err, res) => {
+          expect(res.text).toMatch(/PUBLIC KEY/)
+          done()
+        })
+    })
+  })
+
+  describe('POST /_blacklist', () => {
+    describe('with no auth', () => {
+      it('is forbidden', done => {
+        request(server)
+          .post('/_blacklist')
+          .end((err, res) => {
+            expect(res.statusCode).toBe(403)
+            done()
+          })
+      })
+    })
+
+    describe('with the "blacklist.add" scope', () => {
+      it('can add to the blacklist', done => {
+        withToken({ blacklist: { add: true } }, token => {
+          request(server)
+            .post('/_blacklist')
+            .send({ token, packageName: 'bad-package' })
+            .end((err, res) => {
+              expect(res.statusCode).toBe(200)
+              expect(res.headers['content-location']).toEqual(
+                '/_blacklist/bad-package'
+              )
+              expect(res.body.ok).toBe(true)
+              done()
+            })
+        })
+      })
+    })
+  })
+
+  describe('GET /_blacklist', () => {
+    describe('with no auth', () => {
+      it('is forbidden', done => {
+        request(server)
+          .get('/_blacklist')
+          .end((err, res) => {
+            expect(res.statusCode).toBe(403)
+            done()
+          })
+      })
+    })
+
+    describe('with the "blacklist.read" scope', () => {
+      it('can read the blacklist', done => {
+        withToken({ blacklist: { read: true } }, token => {
+          request(server)
+            .get('/_blacklist?token=' + token)
+            .end((err, res) => {
+              expect(res.statusCode).toBe(200)
+              done()
+            })
+        })
+      })
+    })
+  })
+
+  describe('DELETE /_blacklist/:packageName', () => {
+    describe('with no auth', () => {
+      it('is forbidden', done => {
+        request(server)
+          .delete('/_blacklist/bad-package')
+          .end((err, res) => {
+            expect(res.statusCode).toBe(403)
+            done()
+          })
+      })
+    })
+
+    describe('with the "blacklist.remove" scope', () => {
+      it('can remove a package from the blacklist', done => {
+        withToken({ blacklist: { remove: true } }, token => {
+          request(server)
+            .delete('/_blacklist/bad-package')
+            .send({ token })
+            .end((err, res) => {
+              expect(res.statusCode).toBe(200)
+              expect(res.body.ok).toBe(true)
+              done()
+            })
+        })
+      })
+    })
+  })
+})