@kalisio/kdk 2.6.4 → 2.7.0

package/test/api/core/index.test.js

@@ -6,6 +6,7 @@ import request from 'superagent'
 import chai from 'chai'
 import chailint from 'chai-lint'
 import spies from 'chai-spies'
+import fuzzySearch from 'feathers-mongodb-fuzzy-search'
 import core, { kdk, hooks, permissions, createMessagesService } from '../../../core/api/index.js'
 import { fileURLToPath } from 'url'
 
@@ -15,7 +16,7 @@ const { util, expect } = chai
 
 describe('core:services', () => {
   let app, server, port, baseUrl, accessToken,
-    userService, userObject, authorisationService, messagesService, messageObject,
+    usersService, userObject, authorisationService, messagesService, messageObject,
     spyUpdateAbilities
 
   before(async () => {
@@ -44,8 +45,12 @@ describe('core:services', () => {
   it('registers the services', async () => {
     await app.configure(core)
 
-    userService = app.getService('users')
-    expect(userService).toExist()
+    usersService = app.getService('users')
+    expect(usersService).toExist()
+    // Register search hooks
+    usersService.hooks({
+      before: { find: [fuzzySearch({ fields: ['profile.name'] }), hooks.diacriticSearch()] }
+    })
     // Create a global messages service for tests
     await createMessagesService.call(app)
     messagesService = app.getService('messages')
@@ -108,11 +113,11 @@ describe('core:services', () => {
     const [localStrategy] = app.service('api/authentication').getStrategies('local')
     const previousPassword = await localStrategy.hashPassword('weak;')
 
-    await assert.rejects(() => userService.create({
+    await assert.rejects(() => usersService.create({
       email: 'test@test.org',
       password: 'weak;',
       previousPasswords: [previousPassword],
-      name: 'test-user'
+      name: 'maëlis'
     }), error => {
       expect(error).toExist()
       expect(error.name).to.equal('BadRequest')
@@ -120,10 +125,10 @@ describe('core:services', () => {
       return true
     })
 
-    await assert.rejects(() => userService.create({
+    await assert.rejects(() => usersService.create({
       email: 'test@test.org',
       password: '12345678',
-      name: 'test-user'
+      name: 'maëlis'
     }), error => {
       expect(error).toExist()
       expect(error.name).to.equal('BadRequest')
@@ -137,17 +142,17 @@ describe('core:services', () => {
   it('creates a user', async () => {
     // Test password generation
     const hook = hooks.generatePassword()({ type: 'before', data: {}, params: {}, app })
-    userObject = await userService.create({
+    userObject = await usersService.create({
       email: 'test@test.org',
       password: hook.data.password,
-      name: 'test-user',
+      name: 'maëlis',
       profile: { phone: '0623256968' }
     }, { checkAuthorisation: true })
     expect(spyUpdateAbilities).to.have.been.called.once
     spyUpdateAbilities.reset()
     // Keep track of clear password
     userObject.clearPassword = hook.data.password
-    const users = await userService.find({ query: { 'profile.name': 'test-user' } })
+    const users = await usersService.find({ query: { 'profile.name': 'maëlis' } })
     expect(users.data.length > 0).beTrue()
     expect(users.data[0].email).toExist()
     expect(users.data[0].clearPassword).beUndefined()
@@ -159,10 +164,10 @@ describe('core:services', () => {
     .timeout(10000)
 
   it('changing user password keeps password history', async () => {
-    await userService.patch(userObject._id.toString(), { password: userObject.password })
+    await usersService.patch(userObject._id.toString(), { password: userObject.password })
     expect(spyUpdateAbilities).to.have.been.called.once
     spyUpdateAbilities.reset()
-    const user = await userService.get(userObject._id.toString())
+    const user = await usersService.get(userObject._id.toString())
     expect(user.previousPasswords).toExist()
     expect(user.previousPasswords).to.deep.equal([userObject.password])
   })
@@ -226,15 +231,16 @@ describe('core:services', () => {
     .timeout(5000)
 
   it('authenticated user can access services', () => {
-    return userService.find({ query: {}, params: { user: userObject, checkAuthorisation: true } })
+    return usersService.find({ query: {}, params: { user: userObject, checkAuthorisation: true } })
       .then(users => {
         expect(users.data.length === 1).beTrue()
       })
   })
 
   it('get user profile', () => {
-    return userService.find({ query: { $select: ['profile'] } })
+    return usersService.find({ query: { $select: ['profile'] } })
       .then(users => {
+        expect(users.data.length > 0).beTrue()
         expect(users.data[0].name).beUndefined()
         expect(users.data[0].profile.name).toExist()
         expect(users.data[0].profile.description).toExist()
@@ -242,6 +248,25 @@ describe('core:services', () => {
       })
   })
 
+  it('search user profile', async () => {
+    const hook = hooks.generatePassword()({ type: 'before', data: {}, params: {}, app })
+    const user = await usersService.create({
+      email: 'anothertest@test.org',
+      password: hook.data.password,
+      name: 'maelis',
+      profile: { phone: '0623256968' }
+    })
+    spyUpdateAbilities.reset()
+    const allUsers = await usersService.find({ query: { 'profile.name': { $search: 'Mae' } } })
+    // Diacritic should be more specific
+    const singleUsers = await usersService.find({ query: { 'profile.name': { $search: 'Maë' } } })
+    await usersService.remove(user._id)
+    expect(allUsers.data.length === 2).beTrue()
+    expect(singleUsers.data.length === 1).beTrue()
+  })
+  // Let enough time to process
+    .timeout(10000)
+
   it('creates a user message', async () => {
     const message = await messagesService.create({
       title: 'Title',
@@ -271,7 +296,7 @@ describe('core:services', () => {
     expect(authorisation).toExist()
     expect(spyUpdateAbilities).to.have.been.called.once
     spyUpdateAbilities.reset()
-    userObject = await userService.get(userObject._id.toString())
+    userObject = await usersService.get(userObject._id.toString())
     expect(userObject.authorisations).toExist()
     expect(userObject.authorisations.length > 0).beTrue()
     expect(userObject.authorisations[0].permissions).to.deep.equal('manager')
@@ -334,7 +359,7 @@ describe('core:services', () => {
     expect(authorisation).toExist()
     expect(spyUpdateAbilities).to.have.been.called.once
     spyUpdateAbilities.reset()
-    const user = await userService.get(userObject._id.toString())
+    const user = await usersService.get(userObject._id.toString())
     expect(user.authorisations).toExist()
     expect(user.authorisations.length === 0).beTrue()
   })
@@ -361,11 +386,11 @@ describe('core:services', () => {
   })
 
   it('removes a user', async () => {
-    await userService.remove(userObject._id, {
+    await usersService.remove(userObject._id, {
       user: userObject,
       checkAuthorisation: true
     })
-    const users = await userService.find({ query: { name: 'test-user' } })
+    const users = await usersService.find({ query: { name: 'maëlis' } })
     expect(users.data.length === 0).beTrue()
     const messages = await messagesService.find({ query: { title: 'Title' } })
     expect(messages.data.length === 0).beTrue()

package/test/api/core/push.test.js

@@ -14,7 +14,7 @@ const { util, expect } = chai
 
 describe('core:push', () => {
   let app, server, port, mailerStub, gmailUser, user,
-    mailerService, userService, pushService
+    mailerService, usersService, pushService
 
   const subscription = {
     endpoint: process.env.SUBSCRIPTION_ENDPOINT,
@@ -71,9 +71,9 @@ describe('core:push', () => {
 
   it('registers the services', async () => {
     await app.configure(core)
-    userService = app.getService('users')
-    expect(userService).toExist()
-    userService.hooks({
+    usersService = app.getService('users')
+    expect(usersService).toExist()
+    usersService.hooks({
       before: {
         remove: [hooks.unregisterDevices]
       },
@@ -101,7 +101,7 @@ describe('core:push', () => {
     .timeout(5000)
 
   it('create a user', () => {
-    return userService.create({
+    return usersService.create({
       email: gmailUser,
       password: 'Pass;word1',
       name: 'user'
@@ -117,7 +117,7 @@ describe('core:push', () => {
     const previousUser = _.cloneDeep(user)
     await addSubscription(user, subscription, 'subscriptions')
     // Subscriptions change detection requires the previous user to be set
-    await userService.patch(user._id, { subscriptions: user.subscriptions }, { user: previousUser })
+    await usersService.patch(user._id, { subscriptions: user.subscriptions }, { user: previousUser })
     expect(user.subscriptions).toExist()
     expect(user.subscriptions.length === 1).beTrue()
     expect(user.subscriptions[0].endpoint).to.equal(subscription.endpoint)
@@ -156,7 +156,7 @@ describe('core:push', () => {
   it('delete expired subscriptions', async () => {
     // Add expired subscription
     await addSubscription(user, expiredSubscription, 'subscriptions')
-    await userService.patch(user._id, { subscriptions: user.subscriptions })
+    await usersService.patch(user._id, { subscriptions: user.subscriptions })
     expect(user.subscriptions).toExist()
     expect(user.subscriptions.length === 2).beTrue()
     // Send push notification
@@ -166,7 +166,7 @@ describe('core:push', () => {
       subscriptionProperty: 'subscriptions',
       subscriptionFilter: { _id: user._id }
     })
-    const users = await userService.find({ query: { email: gmailUser } })
+    const users = await usersService.find({ query: { email: gmailUser } })
     expect(users.data.length > 0).beTrue()
     user = users.data[0]
     // Check that expired subscriptions have been deleted

package/test/api/core/test-log-2026-03-10.log

@@ -0,0 +1,60 @@
+{"level":"error","message":"error: api/account - Method: create: The provided password does not comply to the password policy"}
+{"level":"error","message":"error: api/account - Method: create: The provided password does not comply to the password policy"}
+{"level":"error","message":"error: api/account - Method: create: The provided password does not comply to the password policy"}
+{"level":"error","message":"error: api/messages - Method: create: You are not allowed to access service messages"}
+{"level":"error","message":"error: api/users - Method: create: The provided password does not comply to the password policy"}
+{"level":"error","message":"error: api/users - Method: create: The provided password does not comply to the password policy"}
+{"level":"error","message":"error: api/authorisations - Method: create: You are not allowed to change authorisation on resource"}
+{"level":"error","message":"error: api/authorisations - Method: remove: You are not allowed to change authorisation on subject(s)"}
+{"level":"info","message":"This is a log test"}
+{"level":"error","message":"error: api/service - Method: create: validation failed"}
+{"level":"error","message":"error: api/service - Method: create: validation failed"}
+{"level":"error","message":"error: api/service - Method: create: validation failed"}
+{"level":"error","message":"error: api/service - Method: create: validation failed"}
+{"level":"error","message":"error: api/storage - Method: get: NoSuchKey"}
+{"level":"error","message":"error: api/storage - Method: get: NoSuchKey"}
+{"level":"error","message":"error: api/account - Method: create: The provided password does not comply to the password policy"}
+{"level":"error","message":"error: api/account - Method: create: The provided password does not comply to the password policy"}
+{"level":"error","message":"error: api/account - Method: create: The provided password does not comply to the password policy"}
+{"level":"error","message":"error: api/messages - Method: create: You are not allowed to access service messages"}
+{"level":"error","message":"error: api/users - Method: create: The provided password does not comply to the password policy"}
+{"level":"error","message":"error: api/users - Method: create: The provided password does not comply to the password policy"}
+{"level":"error","message":"error: api/authorisations - Method: create: You are not allowed to change authorisation on resource"}
+{"level":"error","message":"error: api/authorisations - Method: remove: You are not allowed to change authorisation on subject(s)"}
+{"level":"info","message":"This is a log test"}
+{"level":"error","message":"error: api/service - Method: create: validation failed"}
+{"level":"error","message":"error: api/service - Method: create: validation failed"}
+{"level":"error","message":"error: api/service - Method: create: validation failed"}
+{"level":"error","message":"error: api/service - Method: create: validation failed"}
+{"level":"error","message":"error: api/storage - Method: get: NoSuchKey"}
+{"level":"error","message":"error: api/storage - Method: get: NoSuchKey"}
+{"level":"error","message":"error: api/account - Method: create: The provided password does not comply to the password policy"}
+{"level":"error","message":"error: api/account - Method: create: The provided password does not comply to the password policy"}
+{"level":"error","message":"error: api/account - Method: create: The provided password does not comply to the password policy"}
+{"level":"error","message":"error: api/messages - Method: create: You are not allowed to access service messages"}
+{"level":"error","message":"error: api/users - Method: create: The provided password does not comply to the password policy"}
+{"level":"error","message":"error: api/users - Method: create: The provided password does not comply to the password policy"}
+{"level":"error","message":"error: api/authorisations - Method: create: You are not allowed to change authorisation on resource"}
+{"level":"error","message":"error: api/authorisations - Method: remove: You are not allowed to change authorisation on subject(s)"}
+{"level":"info","message":"This is a log test"}
+{"level":"error","message":"error: api/service - Method: create: validation failed"}
+{"level":"error","message":"error: api/service - Method: create: validation failed"}
+{"level":"error","message":"error: api/service - Method: create: validation failed"}
+{"level":"error","message":"error: api/service - Method: create: validation failed"}
+{"level":"error","message":"error: api/storage - Method: get: NoSuchKey"}
+{"level":"error","message":"error: api/storage - Method: get: NoSuchKey"}
+{"level":"error","message":"error: api/account - Method: create: The provided password does not comply to the password policy"}
+{"level":"error","message":"error: api/account - Method: create: The provided password does not comply to the password policy"}
+{"level":"error","message":"error: api/account - Method: create: The provided password does not comply to the password policy"}
+{"level":"error","message":"error: api/messages - Method: create: You are not allowed to access service messages"}
+{"level":"error","message":"error: api/users - Method: create: The provided password does not comply to the password policy"}
+{"level":"error","message":"error: api/users - Method: create: The provided password does not comply to the password policy"}
+{"level":"error","message":"error: api/authorisations - Method: create: You are not allowed to change authorisation on resource"}
+{"level":"error","message":"error: api/authorisations - Method: remove: You are not allowed to change authorisation on subject(s)"}
+{"level":"info","message":"This is a log test"}
+{"level":"error","message":"error: api/service - Method: create: validation failed"}
+{"level":"error","message":"error: api/service - Method: create: validation failed"}
+{"level":"error","message":"error: api/service - Method: create: validation failed"}
+{"level":"error","message":"error: api/service - Method: create: validation failed"}
+{"level":"error","message":"error: api/storage - Method: get: NoSuchKey"}
+{"level":"error","message":"error: api/storage - Method: get: NoSuchKey"}

package/test/api/core/users.test.js

@@ -0,0 +1,384 @@
+import _ from 'lodash'
+import authentication from '@feathersjs/authentication'
+import commonHooks from 'feathers-hooks-common'
+import request from 'superagent'
+import chai from 'chai'
+import chailint from 'chai-lint'
+import core, { kdk, hooks } from '../../../core/api/index.js'
+
+const { authenticate } = authentication.hooks
+const { util, expect } = chai
+const { iff, disallow, isProvider, keep, discard } = commonHooks
+const { isNotMe, onlyMe, preventChanges } = hooks
+
+describe('core:users', () => {
+  let app, server, port, baseUrl, userIdAccessToken, emailAccessToken, phoneAccessToken, statelessAccessToken, adminAccessToken,
+    userService, userObject, anotherUserObject, authenticationService
+
+  before(async () => {
+    chailint(chai, util)
+
+    app = kdk()
+    port = app.get('port')
+    baseUrl = `http://localhost:${port}${app.get('apiPath')}`
+    await app.db.connect()
+    await app.db.instance.dropDatabase()
+  })
+
+  it('registers the services', async () => {
+    await app.configure(core)
+    authenticationService = app.getService('authentication')
+    expect(authenticationService).toExist()
+    userService = app.getService('users')
+    expect(userService).toExist()
+    // Register hooks, what we'd like is a configuration so that:
+    // - information disclosure about internal user secrets like password is not permitted
+    // - information disclosure about others users is not permitted for a given user unless it has 'administrator' permissions
+    // - privilege escalation is not permitted for a given user
+    // - user with 'administrator' permissions can change others user permissions
+    // - changing others users information is not permitted for a given user unless it has 'administrator' permissions
+    // - external calls can only target myself except if I have administrator permissions
+    const isNotAdministrator = (context) => {
+      const userPermissions = _.get(context.params, 'user.permissions')
+      return userPermissions !== 'administrator'
+    }
+    userService.hooks({
+      before: {
+        all: authenticate('jwt'),
+        get: [iff(isNotMe(), disallow('external'))],
+        find: [iff(isProvider('external'), iff(isNotAdministrator, onlyMe()))],
+        create: [iff(isProvider('external'), keep('name', 'email', 'profile', 'password'))],
+        update: [disallow('external')],
+        patch: [iff(isProvider('external'), iff(isNotAdministrator, onlyMe(), preventChanges(true, ['permissions'])))],
+        remove: [iff(isProvider('external'), iff(isNotAdministrator, onlyMe()))]
+      },
+      after: {
+        all: [iff(isProvider('external'), iff(isNotMe(), iff(isNotAdministrator, discard('permissions'))))]
+      }
+    })
+    // Now app is configured launch the server
+    server = await app.listen(port)
+    await new Promise(resolve => server.once('listening', resolve))
+  })
+  // Let enough time to process
+    .timeout(10000)
+
+  it('creates users and tokens with different subject identifiers', async () => {
+    userObject = await userService.create({
+      email: 'test@test.org',
+      name: 'test user',
+      permissions: 'user',
+      profile: { phone: '0623256968' }
+    })
+    userIdAccessToken = await authenticationService.createAccessToken({
+      sub: userObject._id
+    })
+    emailAccessToken = await authenticationService.createAccessToken({
+      sub: userObject.email
+    })
+    phoneAccessToken = await authenticationService.createAccessToken({
+      sub: userObject.profile.phone
+    })
+    statelessAccessToken = await authenticationService.createAccessToken({
+      property: 'mycustomproperty'
+    }, {
+      subject: 'mycustomapp'
+    })
+    anotherUserObject = await userService.create({
+      email: 'another_test@test.org',
+      name: 'another test user',
+      permissions: 'administrator',
+      profile: { phone: '0623256969' }
+    })
+    adminAccessToken = await authenticationService.createAccessToken({
+      sub: anotherUserObject._id
+    })
+  })
+
+  it('checks all user tokens are recognized', async () => {
+    let response = await request
+      .post(`${baseUrl}/authentication`)
+      .send({ accessToken: userIdAccessToken, strategy: 'jwt' })
+    let accessToken = response.body.accessToken
+    let user = response.body.user
+    expect(accessToken).toExist()
+    expect(accessToken).not.to.equal(userIdAccessToken)
+    expect(user).toExist()
+    response = await request
+      .post(`${baseUrl}/authentication`)
+      .send({ accessToken: emailAccessToken, strategy: 'jwt' })
+    accessToken = response.body.accessToken
+    user = response.body.user
+    expect(accessToken).toExist()
+    expect(accessToken).not.to.equal(emailAccessToken)
+    expect(user).toExist()
+    response = await request
+      .post(`${baseUrl}/authentication`)
+      .send({ accessToken: phoneAccessToken, strategy: 'jwt' })
+    accessToken = response.body.accessToken
+    user = response.body.user
+    expect(accessToken).toExist()
+    expect(accessToken).not.to.equal(phoneAccessToken)
+    expect(user).toExist()
+    response = await request
+      .post(`${baseUrl}/authentication`)
+      .send({ accessToken: statelessAccessToken, strategy: 'jwt' })
+    accessToken = response.body.accessToken
+    user = response.body.user
+    expect(accessToken).toExist()
+    expect(accessToken).not.to.equal(statelessAccessToken)
+    expect(user).beUndefined()
+  })
+
+  it('checks for user information disclosure', async () => {
+    // Should not retrieve internal user secret information like password in any case
+    // Should not list others users in case of requests with identified user
+    let response = await request
+      .get(`${baseUrl}/users`)
+      .set('Authorization', 'Bearer ' + userIdAccessToken)
+    let users = response.body.data
+    expect(users.length).to.equal(1)
+    let user = users[0]
+    expect(user._id).to.equal(userObject._id.toString())
+    expect(user.password).beUndefined()
+    expect(user.previousPasswords).beUndefined()
+    expect(user.permissions).toExist()
+    response = await request
+      .get(`${baseUrl}/users`)
+      .set('Authorization', 'Bearer ' + emailAccessToken)
+    users = response.body.data
+    expect(users.length).to.equal(1)
+    user = users[0]
+    expect(user._id).to.equal(userObject._id.toString())
+    expect(user.password).beUndefined()
+    expect(user.previousPasswords).beUndefined()
+    expect(user.permissions).toExist()
+    response = await request
+      .get(`${baseUrl}/users`)
+      .set('Authorization', 'Bearer ' + phoneAccessToken)
+    users = response.body.data
+    expect(users.length).to.equal(1)
+    user = users[0]
+    expect(user._id).to.equal(userObject._id.toString())
+    expect(user.password).beUndefined()
+    expect(user.previousPasswords).beUndefined()
+    expect(user.permissions).toExist()
+    // Should not list users in case of request without identified user
+    try {
+      response = await request
+        .get(`${baseUrl}/users/${anotherUserObject._id}`)
+        .set('Authorization', 'Bearer ' + statelessAccessToken)
+    } catch (error) {
+      // Not sure why but in this case the raised error is in text/html format
+      expect(error.status).to.equal(500)
+      expect(error.response.text.includes('MethodNotAllowed')).beTrue()
+    }
+    /*
+    response = await request
+      .get(`${baseUrl}/users`)
+      .set('Authorization', 'Bearer ' + statelessAccessToken)
+    users = response.body.data
+    expect(users.length).to.equal(2)
+    user = users[0]
+    expect(user._id).to.equal(userObject._id.toString())
+    expect(user.password).beUndefined()
+    expect(user.previousPasswords).beUndefined()
+    expect(user.permissions).beUndefined()
+    user = users[1]
+    expect(user._id).to.equal(anotherUserObject._id.toString())
+    expect(user.password).beUndefined()
+    expect(user.previousPasswords).beUndefined()
+    expect(user.permissions).beUndefined()
+    */
+    // Should not get others users in case of requests with identified user
+    try {
+      response = await request
+        .get(`${baseUrl}/users/${anotherUserObject._id}`)
+        .set('Authorization', 'Bearer ' + userIdAccessToken)
+    } catch (error) {
+      // Not sure why but in this case the raised error is in text/html format
+      expect(error.status).to.equal(500)
+      expect(error.response.text.includes('MethodNotAllowed')).beTrue()
+    }
+    try {
+      response = await request
+        .get(`${baseUrl}/users/${anotherUserObject._id}`)
+        .set('Authorization', 'Bearer ' + emailAccessToken)
+    } catch (error) {
+      // Not sure why but in this case the raised error is in text/html format
+      expect(error.status).to.equal(500)
+      expect(error.response.text.includes('MethodNotAllowed')).beTrue()
+    }
+    try {
+      response = await request
+        .get(`${baseUrl}/users/${anotherUserObject._id}`)
+        .set('Authorization', 'Bearer ' + phoneAccessToken)
+    } catch (error) {
+      // Not sure why but in this case the raised error is in text/html format
+      expect(error.status).to.equal(500)
+      expect(error.response.text.includes('MethodNotAllowed')).beTrue()
+    }
+    try {
+      response = await request
+        .get(`${baseUrl}/users/${anotherUserObject._id}`)
+        .set('Authorization', 'Bearer ' + statelessAccessToken)
+    } catch (error) {
+      // Not sure why but in this case the raised error is in text/html format
+      expect(error.status).to.equal(500)
+      expect(error.response.text.includes('MethodNotAllowed')).beTrue()
+    }
+  })
+
+  it('checks for user information integrity', async () => {
+    // Should not be able to update information of others users if not administrator
+    try {
+      await request
+        .patch(`${baseUrl}/users/${anotherUserObject._id}`)
+        .set('Authorization', 'Bearer ' + userIdAccessToken)
+        .send({ name: 'new name' })
+    } catch (error) {
+      // Not sure why but in this case the raised error is in text/html format
+      expect(error.status).to.equal(500)
+      expect(error.response.text.includes('NotFound')).beTrue()
+    }
+    try {
+      await request
+        .patch(`${baseUrl}/users/${anotherUserObject._id}`)
+        .set('Authorization', 'Bearer ' + emailAccessToken)
+        .send({ name: 'new name' })
+    } catch (error) {
+      // Not sure why but in this case the raised error is in text/html format
+      expect(error.status).to.equal(500)
+      expect(error.response.text.includes('NotFound')).beTrue()
+    }
+    try {
+      await request
+        .patch(`${baseUrl}/users/${anotherUserObject._id}`)
+        .set('Authorization', 'Bearer ' + phoneAccessToken)
+        .send({ name: 'new name' })
+    } catch (error) {
+      // Not sure why but in this case the raised error is in text/html format
+      expect(error.status).to.equal(500)
+      expect(error.response.text.includes('NotFound')).beTrue()
+    }
+    try {
+      await request
+        .patch(`${baseUrl}/users/${anotherUserObject._id}`)
+        .set('Authorization', 'Bearer ' + statelessAccessToken)
+        .send({ name: 'new name' })
+    } catch (error) {
+      // Not sure why but in this case the raised error is in text/html format
+      expect(error.status).to.equal(500)
+      expect(error.response.text.includes('Forbidden')).beTrue()
+    }
+    // Should be possible otherwise
+    const response = await request
+      .patch(`${baseUrl}/users/${userObject._id}`)
+      .set('Authorization', 'Bearer ' + adminAccessToken)
+      .send({ name: 'new name' })
+    const user = response.body
+    expect(user.name).to.equal('new name')
+  })
+
+  it('checks for user privilege escalation', async () => {
+    // Should not be able to upgrade user permissions when not administrator
+    try {
+      await request
+        .patch(`${baseUrl}/users/${userObject._id}`)
+        .set('Authorization', 'Bearer ' + userIdAccessToken)
+        .send({ permissions: 'administrator' })
+    } catch (error) {
+      // Not sure why but in this case the raised error is in text/html format
+      expect(error.status).to.equal(500)
+      expect(error.response.text.includes('BadRequest')).beTrue()
+    }
+    try {
+      await request
+        .patch(`${baseUrl}/users/${userObject._id}`)
+        .set('Authorization', 'Bearer ' + emailAccessToken)
+        .send({ permissions: 'administrator' })
+    } catch (error) {
+      // Not sure why but in this case the raised error is in text/html format
+      expect(error.status).to.equal(500)
+      expect(error.response.text.includes('BadRequest')).beTrue()
+    }
+    try {
+      await request
+        .patch(`${baseUrl}/users/${userObject._id}`)
+        .set('Authorization', 'Bearer ' + phoneAccessToken)
+        .send({ permissions: 'administrator' })
+    } catch (error) {
+      // Not sure why but in this case the raised error is in text/html format
+      expect(error.status).to.equal(500)
+      expect(error.response.text.includes('BadRequest')).beTrue()
+    }
+    try {
+      await request
+        .patch(`${baseUrl}/users/${userObject._id}`)
+        .set('Authorization', 'Bearer ' + statelessAccessToken)
+        .send({ permissions: 'administrator' })
+    } catch (error) {
+      // Not sure why but in this case the raised error is in text/html format
+      expect(error.status).to.equal(500)
+      expect(error.response.text.includes('Forbidden')).beTrue()
+    }
+    // Should be possible otherwise
+    const response = await request
+      .patch(`${baseUrl}/users/${userObject._id}`)
+      .set('Authorization', 'Bearer ' + adminAccessToken)
+      .send({ permissions: 'manager' })
+    const user = response.body
+    expect(user.permissions).to.equal('manager')
+  })
+
+  it('checks users removal', async () => {
+    // Should not be able to remove others users if not administrator
+    try {
+      await request
+        .delete(`${baseUrl}/users/${anotherUserObject._id}`)
+        .set('Authorization', 'Bearer ' + userIdAccessToken)
+    } catch (error) {
+      // Not sure why but in this case the raised error is in text/html format
+      expect(error.status).to.equal(500)
+      expect(error.response.text.includes('NotFound')).beTrue()
+    }
+    try {
+      await request
+        .delete(`${baseUrl}/users/${anotherUserObject._id}`)
+        .set('Authorization', 'Bearer ' + emailAccessToken)
+    } catch (error) {
+      // Not sure why but in this case the raised error is in text/html format
+      expect(error.status).to.equal(500)
+      expect(error.response.text.includes('NotFound')).beTrue()
+    }
+    try {
+      await request
+        .delete(`${baseUrl}/users/${anotherUserObject._id}`)
+        .set('Authorization', 'Bearer ' + phoneAccessToken)
+    } catch (error) {
+      // Not sure why but in this case the raised error is in text/html format
+      expect(error.status).to.equal(500)
+      expect(error.response.text.includes('NotFound')).beTrue()
+    }
+    try {
+      await request
+        .delete(`${baseUrl}/users/${anotherUserObject._id}`)
+        .set('Authorization', 'Bearer ' + statelessAccessToken)
+    } catch (error) {
+      // Not sure why but in this case the raised error is in text/html format
+      expect(error.status).to.equal(500)
+      expect(error.response.text.includes('Forbidden')).beTrue()
+    }
+    await userService.remove(userObject._id)
+    await userService.remove(anotherUserObject._id)
+  })
+  // Let enough time to process
+    .timeout(5000)
+
+  // Cleanup
+  after(async () => {
+    if (server) await server.close()
+    await app.db.instance.dropDatabase()
+    await app.db.disconnect()
+  })
+})