@ossy/users 1.8.0 → 1.9.1

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@ossy/users",
   "description": "User domain — aggregate, events, and validators for the Ossy user model",
-  "version": "1.8.0",
+  "version": "1.9.1",
   "private": false,
   "type": "module",
   "main": "./src/index.js",
@@ -9,6 +9,9 @@
   "exports": {
     ".": "./src/index.js"
   },
+  "scripts": {
+    "test": "NODE_OPTIONS=--experimental-vm-modules jest --verbose"
+  },
   "author": "Ossy <yourfriends@ossy.se> (https://ossy.se)",
   "license": "MIT",
   "ossy": {
@@ -19,12 +22,18 @@
     "registry": "https://registry.npmjs.org"
   },
   "dependencies": {
-    "@ossy/observability": "^1.3.0",
+    "@ossy/observability": "^1.4.1",
     "nanoid": "^5.1.11"
   },
+  "devDependencies": {
+    "@jest/globals": "^30.2.0",
+    "@ossy/platform": "^1.35.1",
+    "casual": "^1.6.2",
+    "jest": "^30.2.0"
+  },
   "files": [
     "/src",
     "README.md"
   ],
-  "gitHead": "c6697078268867d88553ca0bac08faad5cea1546"
+  "gitHead": "a144d7767264d96bc6ae095784d4f884f03a89a0"
 }

package/src/index.js

@@ -1,3 +1,4 @@
 export * from './user.aggregate.js'
 export * from './users.events.js'
 export * from './users.validators.js'
+export * from './users.queries.js'

package/src/users.queries.js

@@ -0,0 +1,52 @@
+import { EventStore, Aggregate } from '@ossy/event-store'
+import { createLogger } from '@ossy/observability'
+
+const log = createLogger('users')
+
+/**
+ * Database queries related to user aggregates.
+ * @class
+ */
+export class UsersQueries {
+
+  static getByEmail(email) {
+    log.debug(`[UsersQueries][getByEmail()] Fetch user for ${email}`)
+
+    return Aggregate.Collection.findOne({
+      type: 'User',
+      'state.email': email
+    }).then(aggregate => aggregate?.state)
+      .then(user => {
+        !!user
+          ? log.debug('[UsersQueries][getByEmail()] Found user', { user })
+          : log.debug('[UsersQueries][getByEmail()] No user found')
+        
+        return user
+      })
+  }
+
+  static getIdByVerificationToken(token) {
+    log.info('[UsersQueries] Using verificationToken to fetch userId')
+
+    return EventStore.FindEvent({
+      aggregateType: 'User',
+      type: { $in: [ 'SignedUp', 'SignInRequested' ] },
+      'payload.verificationToken': token
+    }).then(event => event.aggregateId)
+  }
+
+  static getIdByAuthToken(token) {
+    log.info('[UsersQueries] Using authToken to fetch userId')
+    log.debug('[UsersQueries] token', { token })
+
+    return EventStore.FindEvent({
+      aggregateType: 'User',
+      type: { $in: [ 'SignInVerified' ] },
+      'payload.token': token
+    }).then(event => {
+      log.debug('[UsersQueries] Found', { event })
+      return event.aggregateId
+    })
+  }
+
+}

package/src/users.spec.js

@@ -0,0 +1,681 @@
+import casual from 'casual'
+import { TestUtil, getApiTestBaseUrl, getSetCookieHeader } from '@ossy/platform/test'
+
+const isUUID = x =>
+  /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i
+    .test(x)
+
+const invalidEmails = [
+  undefined,
+  '',
+  2,
+  'notanemail',
+  'not@anemail',
+  '3',
+  false,
+  true,
+  { email: casual.email }
+]
+
+const invalidVerifySignInCases = [
+  { label: 'notatoken', query: 'token=notatoken', status: 401, body: '' },
+  { label: 'numeric string', query: 'token=2', status: 401, body: '' },
+]
+
+function invalidSignUpBody(invalidEmail) {
+  const o = { firstName: 'Test', lastName: 'User' }
+  if (invalidEmail !== undefined) o.email = invalidEmail
+  return JSON.stringify(o)
+}
+
+describe('[/users/sign-up][POST]', () => {
+
+  describe('given an email that is not already in use', () => {
+
+    it('must return OK 200', () => TestUtil.AssertResponse({
+        endpoint: '/users/sign-up',
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json'},
+        body: TestUtil.signUpBody({ email: casual.email }),
+        expectedResponseStatus: 200,
+        expectedResponseBody: ''
+    }))
+
+    it('must produce a SignedUp event', async () => {
+
+      const email = casual.email
+
+      await TestUtil.AssertResponse({
+          endpoint: '/users/sign-up',
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json'},
+          body: TestUtil.signUpBody({ email }),
+          expectedResponseStatus: 200,
+          expectedResponseBody: ''
+      })
+
+      await TestUtil.AssertEventExist({
+        aggregateType: 'User',
+        type: { $in: [ 'SignedUp' ] },
+        'payload.email': email
+      })
+
+    })
+
+  })
+
+  describe('given an email that is already in use', () => {
+
+    it('must for sequerity reasons return OK 200', async () => {
+      const email = casual.email
+
+      const signUpTestRequest = {
+          endpoint: '/users/sign-up',
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json'},
+          body: TestUtil.signUpBody({ email }),
+          expectedResponseStatus: 200,
+          expectedResponseBody: ''
+      }
+
+      await TestUtil.AssertResponse(signUpTestRequest)
+      await TestUtil.AssertResponse(signUpTestRequest)
+    })
+
+    it('must not produce another SignUp event', async () => {
+      const email = `dup-${Date.now()}-${casual.email}`
+
+      const signUpTestRequest = {
+          endpoint: '/users/sign-up',
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json'},
+          body: TestUtil.signUpBody({ email }),
+          expectedResponseStatus: 200,
+          expectedResponseBody: ''
+      }
+
+      await TestUtil.AssertResponse(signUpTestRequest)
+      await TestUtil.AssertResponse(signUpTestRequest)
+
+      const signUpEvents = await TestUtil.GetEvents({
+        aggregateType: 'User',
+        type: { $in: [ 'SignedUp' ] },
+        'payload.email': email
+      })
+
+      expect(signUpEvents.length).toEqual(1)
+    })
+
+  })
+
+  describe('given an invalid email', () => {
+
+    invalidEmails.forEach(invalidEmail => {
+      it(
+        `must return BAD REQUEST 400 for invalid email: ${invalidEmail}`,
+        () => TestUtil.AssertResponse({
+          endpoint: '/users/sign-up',
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json'},
+          body: invalidSignUpBody(invalidEmail),
+          expectedResponseStatus: 400,
+          expectedResponseBody: 'Invalid email'
+      })
+    )
+    })
+  })
+
+})
+
+describe('[/users/sign-in][POST]', () => {
+
+  describe('given an email that is in use', () => {
+
+    it('must return an OK 200 response', async () => {
+      const email = casual.email
+
+      await TestUtil.AssertResponse({
+          endpoint: '/users/sign-up',
+          description: '',
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json'},
+          body: TestUtil.signUpBody({ email }),
+          expectedResponseStatus: 200,
+          expectedResponseBody: ''
+      })
+
+      await TestUtil.AssertResponse({
+          endpoint: '/users/sign-in',
+          description: '',
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json'},
+          body: JSON.stringify({ email }),
+          expectedResponseStatus: 200,
+          expectedResponseBody: ''
+      })
+
+    })
+
+    it('must create a Verification token for sign-in (Token aggregate)', async () => {
+
+      const email = casual.email
+
+      await TestUtil.AssertResponse({
+          endpoint: '/users/sign-up',
+          description: '',
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json'},
+          body: TestUtil.signUpBody({ email }),
+          expectedResponseStatus: 200,
+          expectedResponseBody: ''
+      })
+
+      await TestUtil.AssertResponse({
+          endpoint: '/users/sign-in',
+          description: '',
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json'},
+          body: JSON.stringify({ email }),
+          expectedResponseStatus: 200,
+          expectedResponseBody: ''
+      })
+
+      const signedUpEvent = await TestUtil.GetEvent({
+        aggregateType: 'User',
+        type: { $in: [ 'SignedUp' ] },
+        'payload.email': email
+      })
+
+      const jwt = await TestUtil.getLatestVerificationJwtForSubject(signedUpEvent.aggregateId)
+      expect(typeof jwt).toBe('string')
+    })
+
+  })
+
+  describe('given an email that is not in use', () => {
+
+    it('must, for security reasons, return an OK 200 response', async () => {
+      await TestUtil.AssertResponse({
+          endpoint: '/users/sign-in',
+          description: '',
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json'},
+          body: JSON.stringify({ email: casual.email }),
+          expectedResponseStatus: 200,
+          expectedResponseBody: ''
+      })
+    })
+
+    it('must not create a Verification token for an unknown user', async () => {
+
+      const verificationTokensBefore = await TestUtil.countVerificationTokenEvents()
+
+      await TestUtil.AssertResponse({
+          endpoint: '/users/sign-in',
+          description: '',
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json'},
+          body: JSON.stringify({ email: casual.email }),
+          expectedResponseStatus: 200,
+          expectedResponseBody: ''
+      })
+
+      const verificationTokensAfter = await TestUtil.countVerificationTokenEvents()
+
+      expect(verificationTokensAfter).toEqual(verificationTokensBefore)
+
+    })
+
+  })
+
+  describe('given an invalid email', () => {
+
+    invalidEmails.forEach(invalidEmail => {
+      it(
+        `must return BAD REQUEST 400 for invalid email: ${invalidEmail}`,
+        () => TestUtil.AssertResponse({
+          endpoint: '/users/sign-in',
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json'},
+          body: JSON.stringify({ email: invalidEmail }),
+          expectedResponseStatus: 400,
+          expectedResponseBody: { message: 'No email provided' }
+      })
+    )
+    })
+  })
+
+})
+
+describe('[/users/verify-sign-in][GET]', () => {
+
+  describe('given a valid token created from a SignedUp event', () => {
+    it('must return OK 200 and an auth cookie and must produce a SignInVerified event', async () => {
+      const email = casual.email
+
+      await TestUtil.AssertResponse({
+          endpoint: '/users/sign-up',
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json'},
+          body: TestUtil.signUpBody({ email }),
+          expectedResponseStatus: 200,
+          expectedResponseBody: ''
+      })
+
+      const signedUpEvent = await TestUtil.GetEvent({
+        aggregateType: 'User',
+        type: { $in: [ 'SignedUp' ] },
+        'payload.email': email
+      })
+
+      const verificationJwt = await TestUtil.getLatestVerificationJwtForSubject(signedUpEvent.aggregateId)
+
+      const response = await fetch(
+        `${getApiTestBaseUrl()}/users/verify-sign-in?token=${verificationJwt}`,
+        { method: 'GET' }
+      )
+
+      const body = await response.json()
+
+      const signInVerifiedEvent = await TestUtil.GetEvent({
+        aggregateType: 'User',
+        aggregateId: signedUpEvent.aggregateId,
+        type: { $in: [ 'SignInVerified' ] },
+      })
+
+      expect(body).toBe('')
+      expect(!!signInVerifiedEvent).toBe(true)
+      expect(response.status).toBe(200)
+      expect(getSetCookieHeader(response).includes(signInVerifiedEvent.payload.token)).toEqual(true)
+    })
+  })
+
+  describe('given a valid token created from a SignInRequested event', () => {
+    it('must return OK 200 and an auth cookie and must produce a SignInVerified event', async () => {
+      const email = casual.email
+
+      await TestUtil.AssertResponse({
+          endpoint: '/users/sign-up',
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json'},
+          body: TestUtil.signUpBody({ email }),
+          expectedResponseStatus: 200,
+          expectedResponseBody: ''
+      })
+
+      await TestUtil.AssertResponse({
+          endpoint: '/users/sign-in',
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json'},
+          body: JSON.stringify({ email }),
+          expectedResponseStatus: 200,
+          expectedResponseBody: ''
+      })
+
+      const signedUpEvent = await TestUtil.GetEvent({
+        aggregateType: 'User',
+        type: { $in: [ 'SignedUp' ] },
+        'payload.email': email
+      })
+
+      const verificationJwt = await TestUtil.getLatestVerificationJwtForSubject(signedUpEvent.aggregateId)
+
+      const response = await fetch(
+        `${getApiTestBaseUrl()}/users/verify-sign-in?token=${verificationJwt}`,
+        { method: 'GET' }
+      )
+
+      const body = await response.json()
+
+      const signInVerifiedEvent = await TestUtil.GetEvent({
+        aggregateType: 'User',
+        aggregateId: signedUpEvent.aggregateId,
+        type: { $in: [ 'SignInVerified' ] },
+      })
+
+      expect(body).toBe('')
+      expect(!!signInVerifiedEvent).toBe(true)
+      expect(response.status).toBe(200)
+      expect(getSetCookieHeader(response).includes(signInVerifiedEvent.payload.token)).toEqual(true)
+    })
+  })
+
+  describe('given an invalid token', () => {
+
+    it('must return 400 when token query param is missing', () => TestUtil.AssertResponse({
+      endpoint: '/users/verify-sign-in',
+      method: 'GET',
+      expectedResponseStatus: 400,
+      expectedResponseBody: { message: 'No token provided' },
+    }))
+
+    it('must return 400 when token is empty string', () => TestUtil.AssertResponse({
+      endpoint: '/users/verify-sign-in?token=',
+      method: 'GET',
+      expectedResponseStatus: 400,
+      expectedResponseBody: { message: 'No token provided' },
+    }))
+
+    invalidVerifySignInCases.forEach(({ label, query, status, body }) => {
+      it(`must return ${status} for invalid token: ${label}`, () => TestUtil.AssertResponse({
+        endpoint: `/users/verify-sign-in?${query}`,
+        method: 'GET',
+        expectedResponseStatus: status,
+        expectedResponseBody: body,
+      }))
+    })
+
+  })
+
+})
+
+describe('[/users/me][GET]', () => {
+
+  TestUtil.AssertAuthenticationNeeded({
+    endpoint: '/users/me',
+    method: 'GET',
+    headers: { 'Content-Type': 'application/json' },
+  })
+
+  describe('given an auth token', () => {
+    it('must return OK 200 with a view of the current user state', async () => {
+      const user = await TestUtil.GetAuthenticatedTestUser()
+
+      const response = await TestUtil.MakeRequest({
+        endpoint: '/users/me',
+        method: 'GET',
+        headers: { 'Content-Type': 'application/json', 'Authorization': user.token }
+      })
+
+      const body = await response.json()
+
+      expect(response.status).toEqual(200)
+      expect(response.headers.get('Content-Type').includes('application/json')).toEqual(true)
+
+      expect(body).toEqual(
+        expect.objectContaining({
+          id: expect.stringMatching(/.../),
+          email: user.email,
+          created: expect.any(Number)
+        })
+      )
+
+    })
+  })
+})
+
+describe('[/users/me/history][GET]', () => {
+
+  TestUtil.AssertAuthenticationNeeded({
+    endpoint: '/users/me/history',
+    method: 'GET',
+    headers: { 'Content-Type': 'application/json' },
+  })
+
+  describe('given an auth token', () => {
+    it('must return OK 200 with a view of the history of the current user', async () => {
+      const user = await TestUtil.GetAuthenticatedTestUser()
+
+      const response = await TestUtil.MakeRequest({
+        endpoint: '/users/me/history',
+        method: 'GET',
+        headers: { 'Content-Type': 'application/json', 'Authorization': user.token }
+      })
+
+      const body = await response.json()
+
+      expect(response.status).toEqual(200)
+      expect(response.headers.get('Content-Type').includes('application/json')).toEqual(true)
+
+      expect(body.map(x => x.type)).toEqual([
+        'SignInVerified',
+        'SignedUp'
+      ])
+
+    })
+  })
+})
+
+describe('[/users/me/tokens][POST]', () => {
+
+  TestUtil.AssertAuthenticationNeeded({
+    endpoint: '/users/me/tokens',
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ name: 't', description: 'd' })
+  })
+
+  describe('given a valid auth token', () => {
+    it('must return OK 200 with an API token and produce an ApiTokenCreated event', async () => {
+      const user = await TestUtil.GetAuthenticatedTestUser()
+
+      const response = await TestUtil.MakeRequest({
+        endpoint: '/users/me/tokens',
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', 'Authorization': user.token },
+        body: JSON.stringify({ name: 'cli', description: casual.sentence })
+      })
+
+      const responseBody = await response.json()
+
+      const event = await TestUtil.getLatestApiTokenCreatedEventForSubject(user.id)
+
+      expect(response.status).toEqual(200)
+      expect(response.headers.get('Content-Type').includes('application/json')).toEqual(true)
+      expect(event.createdBy).toEqual(user.id)
+      expect(responseBody).toEqual(
+        expect.objectContaining({
+          description: event.payload.description,
+          token: event.payload.token,
+          created: event.created,
+          id: event.aggregateId,
+          type: 'Api',
+          name: 'cli',
+        })
+      )
+
+    })
+  })
+
+  describe('given an invalid description', () => {
+    ['', {}, [], undefined].forEach(invalidDescription => {
+      it(`must return 400 and produce no event for invalid description: ${invalidDescription}`, async () => {
+        const user = await TestUtil.GetAuthenticatedTestUser()
+
+        let payload
+        if (invalidDescription === undefined) payload = { name: 'token' }
+        else if (invalidDescription === '') payload = { name: 'token', description: '' }
+        else payload = invalidDescription
+
+        const response = await TestUtil.MakeRequest({
+          endpoint: '/users/me/tokens',
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json', 'Authorization': user.token },
+          body: JSON.stringify(payload)
+        })
+
+        const responseBody = await response.json()
+
+        const event = TestUtil.GetEvent({
+          aggregateId: user.id,
+          aggregateType: 'User',
+          type: 'ApiTokenCreated'
+        })
+
+        expect(response.status).toEqual(400)
+        expect(response.headers.get('Content-Type').includes('application/json')).toEqual(true)
+        expect(responseBody).toEqual('')
+        await expect(event).rejects.toEqual(undefined)
+      })
+    })
+  })
+
+})
+
+describe('[/users/me/tokens][GET]', () => {
+
+  TestUtil.AssertAuthenticationNeeded({
+    endpoint: '/users/me/tokens',
+    method: 'GET',
+    headers: { 'Content-Type': 'application/json' },
+  })
+
+  describe('given authentication token is provided', () => {
+    it('must return OK 200 and with a list of token meta data (not actual tokens)', async () => {
+
+      const user = await TestUtil.GetAuthenticatedTestUser()
+
+      const token = await TestUtil.MakeRequest({
+        endpoint: '/users/me/tokens',
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', 'Authorization': user.token },
+        body: JSON.stringify({ name: 'list-test', description: casual.sentence })
+      }).then(response => response.json())
+
+      const response = await TestUtil.MakeRequest({
+        endpoint: '/users/me/tokens',
+        method: 'GET',
+        headers: { 'Content-Type': 'application/json', 'Authorization': user.token  }
+      })
+
+      const responseBody = await response.json()
+
+      const expectedToken = {
+        description: token.description,
+        id: token.id,
+        created: token.created,
+        type: 'Api',
+      }
+
+      expect(response.status).toEqual(200)
+      expect(response.headers.get('Content-Type').includes('application/json')).toEqual(true)
+      expect(responseBody.length).toBeGreaterThanOrEqual(1)
+      expect(responseBody.every(t => t.token === undefined)).toBe(true)
+      expect(responseBody).toEqual(
+        expect.arrayContaining([expect.objectContaining(expectedToken)])
+      )
+    })
+  })
+
+})
+
+const createApiToken = async (user) => {
+  const token = await TestUtil.MakeRequest({
+    endpoint: '/users/me/tokens',
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'Authorization': user.token },
+    body: JSON.stringify({ name: 'delete-test', description: casual.sentence })
+  }).then(response => response.json())
+
+  return token
+}
+
+describe('[/users/me/tokens/:tokenId][DELETE]', () => {
+
+  TestUtil.AssertAuthenticationNeeded({
+    endpoint: `/users/me/tokens/123`,
+    method: 'DELETE',
+    headers: { 'Content-Type': 'application/json' },
+  })
+
+  describe('authentication with user token', () => {
+
+    it('must return OK 200 and produce an ApiTokenInvalidated event', async () => {
+      const user = await TestUtil.GetAuthenticatedTestUser()
+      const token = await createApiToken(user)
+
+      const response = await TestUtil.MakeRequest({
+        endpoint: `/users/me/tokens/${token.id}`,
+        method: 'DELETE',
+        headers: { 'Content-Type': 'application/json', 'Authorization': user.token  }
+      })
+
+      const responseBody = await response.json()
+
+      const event = await TestUtil.GetEvent({
+        aggregateId: token.id,
+        aggregateType: 'Token',
+        type: 'Revoked',
+      })
+
+      expect(response.status).toEqual(200)
+      expect(response.headers.get('Content-Type').includes('application/json')).toEqual(true)
+      expect(responseBody).toEqual('')
+      expect(!!event).toBe(true)
+    })
+
+    it('must not show up en subsequent [GET] requests', async () => {
+      const user = await TestUtil.GetAuthenticatedTestUser()
+      const token = await createApiToken(user)
+
+      await TestUtil.MakeRequest({
+        endpoint: `/users/me/tokens/${token.id}`,
+        method: 'DELETE',
+        headers: { 'Content-Type': 'application/json', 'Authorization': user.token  }
+      })
+
+      const response = await TestUtil.MakeRequest({
+        endpoint: '/users/me/tokens',
+        method: 'GET',
+        headers: { 'Content-Type': 'application/json', 'Authorization': user.token  }
+      })
+
+      const responseBody = await response.json()
+
+      expect(response.status).toEqual(200)
+      expect(responseBody.map(t => t.id)).not.toContain(token.id)
+    })
+
+  })
+
+  describe('authentication with API token', () => {
+
+    it('must return OK 200 and produce an ApiTokenInvalidated event', async () => {
+      const user = await TestUtil.GetAuthenticatedTestUser()
+      const token = await createApiToken(user)
+
+      const response = await TestUtil.MakeRequest({
+        endpoint: `/users/me/tokens/${token.id}`,
+        method: 'DELETE',
+        headers: { 'Content-Type': 'application/json', 'Authorization': token.token  }
+      })
+
+      const responseBody = await response.json()
+
+      const event = await TestUtil.GetEvent({
+        aggregateId: token.id,
+        aggregateType: 'Token',
+        type: 'Revoked',
+      })
+
+      expect(response.status).toEqual(200)
+      expect(response.headers.get('Content-Type').includes('application/json')).toEqual(true)
+      expect(responseBody).toEqual('')
+      expect(!!event).toBe(true)
+    })
+
+    it('must not be usable in subsequent API calls', async () => {
+      const user = await TestUtil.GetAuthenticatedTestUser()
+      const token = await createApiToken(user)
+
+      await TestUtil.MakeRequest({
+        endpoint: `/users/me/tokens/${token.id}`,
+        method: 'DELETE',
+        headers: { 'Content-Type': 'application/json', 'Authorization': token.token  }
+      })
+
+      const response = await TestUtil.MakeRequest({
+        endpoint: '/users/me/tokens',
+        method: 'GET',
+        headers: { 'Content-Type': 'application/json', 'Authorization': token.token  }
+      })
+
+      const responseBody = await response.json()
+
+      expect(response.status).toEqual(401)
+      expect(responseBody).toEqual('')
+    })
+
+  })
+
+})