apostrophe 3.11.0 → 3.14.0

package/test/express.js

@@ -39,37 +39,13 @@ describe('Express', function() {
     assert(body.toString() === 'ok');
   });
 
-  it('should flunk a POST request with no X-XSRF-TOKEN header', async function() {
+  it('should flunk a POST request without the CSRF cookie', async function() {
     try {
       await apos.http.post('/tests/body', {
         body: {
           person: {
             age: '30'
           }
-        },
-        jar,
-        csrf: false
-      });
-      assert(false);
-    } catch (e) {
-      assert(e);
-    }
-  });
-
-  it('should flunk a POST request with the wrong CSRF token', async function() {
-    const csrfToken = 'BOGOSITY';
-
-    try {
-      await apos.http.post('/tests/body', {
-        body: {
-          person: {
-            age: '30'
-          }
-        },
-        jar,
-        csrf: false,
-        headers: {
-          'X-XSRF-TOKEN': csrfToken
         }
       });
       assert(false);
@@ -78,7 +54,7 @@ describe('Express', function() {
     }
   });
 
-  it('should use the extended bodyParser for submitted forms', async function() {
+  it('should use the extended bodyParser for submitted forms, and pass CSRF with the cookie', async function() {
 
     const response = await apos.http.post('/tests/body', {
       send: 'form',

package/test/http.js

@@ -40,30 +40,6 @@ describe('Http', function() {
     assert(result.match(/logged out/));
   });
 
-  it('should not be able to make an http POST request without csrf header', async () => {
-    try {
-      await apos.http.post('/csrf-test', {
-        jar,
-        csrf: false
-      });
-      assert(false);
-    } catch (e) {
-      assert(e.status === 403);
-    }
-  });
-
-  it('should be able to make an http POST request with manually built csrf header', async () => {
-    const response = await apos.http.post('/csrf-test?manual=1', {
-      jar,
-      headers: {
-        'X-XSRF-TOKEN': apos.http.getCookie(jar, '/', `${apos.options.shortName}.csrf`)
-      },
-      body: {},
-      csrf: false
-    });
-    assert(response.ok === true);
-  });
-
   it('should be able to make an http POST request with csrf header via default csrf convenience of http.post', async () => {
     const response = await apos.http.post('/csrf-test', {
       jar,

package/test/login-requirements.js

@@ -0,0 +1,328 @@
+const t = require('../test-lib/test.js');
+const assert = require('assert');
+
+let apos;
+
+describe('Login', function() {
+
+  this.timeout(20000);
+
+  after(function() {
+    return t.destroy(apos);
+  });
+
+  // EXISTENCE
+
+  it('should initialize', async function() {
+    apos = await t.create({
+      root: module,
+      modules: {
+        '@apostrophecms/login': {
+          requirements(self) {
+            return {
+              add: {
+                WeakCaptcha: {
+                  phase: 'beforeSubmit',
+                  async props(req) {
+                    return {
+                      hint: 'xyz'
+                    };
+                  },
+                  async verify(req, data) {
+                    if (data !== 'xyz') {
+                      throw self.apos.error('invalid', 'captcha code incorrect');
+                    }
+                  }
+                },
+
+                ExtraSecret: {
+                  phase: 'afterPasswordVerified',
+                  async props(req, user) {
+                    return {
+                      // Verify we had access to the user here
+                      hint: user.username
+                    };
+                  },
+                  async verify(req, data, user) {
+                    if (data !== user.extraSecret) {
+                      throw self.apos.error('invalid', 'extra secret incorrect');
+                    }
+                  }
+                }
+              }
+            };
+          }
+        }
+      }
+    });
+
+    assert(apos.modules['@apostrophecms/login']);
+  });
+
+  it('should be able to insert test user', async function() {
+    assert(apos.user.newInstance);
+    const user = apos.user.newInstance();
+    assert(user);
+
+    user.title = 'Harry Putter';
+    user.username = 'HarryPutter';
+    user.password = 'crookshanks';
+    user.email = 'hputter@aol.com';
+    user.role = 'admin';
+    user.extraSecret = 'roll-on';
+
+    assert(user.type === '@apostrophecms/user');
+    assert(apos.user.insert);
+    const doc = await apos.user.insert(apos.task.getReq(), user);
+    assert(doc._id);
+  });
+
+  it('should not be able to login a user without meeting a beforeSubmit requirement', async function() {
+
+    const jar = apos.http.jar();
+
+    // establish session
+    let page = await apos.http.get(
+      '/',
+      {
+        jar
+      }
+    );
+
+    assert(page.match(/logged out/));
+
+    const context = await apos.http.post(
+      '/api/v1/@apostrophecms/login/context',
+      {
+        method: 'POST',
+        body: {},
+        jar
+      }
+    );
+    assert(context.requirementProps);
+    assert(context.requirementProps.WeakCaptcha);
+    assert.strictEqual(context.requirementProps.WeakCaptcha.hint, 'xyz');
+
+    try {
+      await apos.http.post(
+        '/api/v1/@apostrophecms/login/login',
+        {
+          method: 'POST',
+          body: {
+            username: 'HarryPutter',
+            password: 'crookshanks',
+            session: true
+          },
+          jar
+        }
+      );
+      assert(false);
+    } catch (e) {
+      assert(e.status === 400);
+      assert.strictEqual(e.body.message, 'captcha code incorrect');
+      assert.strictEqual(e.body.data.requirement, 'WeakCaptcha');
+    }
+
+    // Make sure it really didn't work
+    page = await apos.http.get(
+      '/',
+      {
+        jar
+      }
+    );
+
+    assert(page.match(/logged out/));
+  });
+
+  it('should not be able to login a user with the wrong value for a beforeSubmit requirement', async function() {
+
+    const jar = apos.http.jar();
+
+    // establish session
+    let page = await apos.http.get(
+      '/',
+      {
+        jar
+      }
+    );
+
+    assert(page.match(/logged out/));
+
+    try {
+      await apos.http.post(
+        '/api/v1/@apostrophecms/login/login',
+        {
+          method: 'POST',
+          body: {
+            username: 'HarryPutter',
+            password: 'crookshanks',
+            session: true,
+            requirements: {
+              WeakCaptcha: 'abc'
+            }
+          },
+          jar
+        }
+      );
+      assert(false);
+    } catch (e) {
+      assert(e.status === 400);
+      assert.strictEqual(e.body.message, 'captcha code incorrect');
+      assert.strictEqual(e.body.data.requirement, 'WeakCaptcha');
+    }
+
+    // Make sure it really didn't work
+    page = await apos.http.get(
+      '/',
+      {
+        jar
+      }
+    );
+
+    assert(page.match(/logged out/));
+  });
+
+  it('initial login should produce an incompleteToken, convertible with the afterPasswordVerified requirements', async function() {
+
+    const jar = apos.http.jar();
+
+    // establish session
+    let page = await apos.http.get(
+      '/',
+      {
+        jar
+      }
+    );
+
+    assert(page.match(/logged out/));
+
+    const result = await apos.http.post(
+      '/api/v1/@apostrophecms/login/login',
+      {
+        method: 'POST',
+        body: {
+          username: 'HarryPutter',
+          password: 'crookshanks',
+          session: true,
+          requirements: {
+            WeakCaptcha: 'xyz'
+          }
+        },
+        jar
+      }
+    );
+
+    assert(result.incompleteToken);
+
+    // Make sure it did not create a login session prematurely
+    page = await apos.http.get(
+      '/',
+      {
+        jar
+      }
+    );
+
+    assert(page.match(/logged out/));
+
+    // Make sure it won't convert with an incorrect ExtraSecret
+
+    const token = result.incompleteToken;
+
+    try {
+      await apos.http.post('/api/v1/@apostrophecms/login/requirement-verify', {
+        body: {
+          incompleteToken: token,
+          session: true,
+          name: 'ExtraSecret',
+          value: 'roll-off'
+        },
+        jar
+      });
+    } catch ({ status, body }) {
+      assert(status === 400);
+      assert.strictEqual(body.message, 'extra secret incorrect');
+      assert.strictEqual(body.data.requirement, 'ExtraSecret');
+    }
+
+    // If we try the final login without
+    // having successfully verified all requirements we get an error
+    try {
+      await apos.http.post(
+        '/api/v1/@apostrophecms/login/login',
+        {
+          method: 'POST',
+          body: {
+            incompleteToken: token,
+            session: true
+          },
+          jar
+        }
+      );
+    } catch ({ status, body }) {
+      assert(status === 403);
+      assert.strictEqual(body.message, 'All requirements must be verified');
+    }
+
+    // Make sure it did not create a login session prematurely
+    page = await apos.http.get(
+      '/',
+      {
+        jar
+      }
+    );
+
+    assert(page.match(/logged out/));
+
+    // Fetch props for afterPasswordVerified component
+
+    const props = await apos.http.post(
+      '/api/v1/@apostrophecms/login/requirement-props',
+      {
+        method: 'POST',
+        body: {
+          incompleteToken: token,
+          name: 'ExtraSecret'
+        },
+        jar
+      }
+    );
+
+    assert.strictEqual(props.hint, 'HarryPutter');
+
+    // Now convert token to an actual login session
+    // by providing the post-password-verification requirements,
+    // correctly
+
+    await apos.http.post('/api/v1/@apostrophecms/login/requirement-verify', {
+      body: {
+        incompleteToken: token,
+        session: true,
+        name: 'ExtraSecret',
+        value: 'roll-on'
+      },
+      jar
+    });
+
+    await apos.http.post(
+      '/api/v1/@apostrophecms/login/login',
+      {
+        method: 'POST',
+        body: {
+          incompleteToken: token,
+          session: true
+        },
+        jar
+      }
+    );
+
+    page = await apos.http.get(
+      '/',
+      {
+        jar
+      }
+    );
+
+    assert(page.match(/logged in/));
+  });
+
+});

package/test/modules/base-type/i18n/custom/en.json

@@ -0,0 +1,4 @@
+{
+  "customTestOne": "Custom Test One From Base Type",
+  "customTestTwo": "Custom Test Two From Base Type"
+}

package/test/modules/base-type/i18n/en.json

@@ -0,0 +1,3 @@
+{
+  "defaultTestOne": "Default Test One"
+}

package/test/modules/nested-module-subdirs/example1/index.js

@@ -0,0 +1,5 @@
+module.exports = {
+  init(self) {
+    self.initialized = true;
+  }
+};

package/test/modules/nested-module-subdirs/modules.js

@@ -0,0 +1,7 @@
+module.exports = {
+  example1: {
+    options: {
+      folderLevelOption: true
+    }
+  }
+};

package/test/modules/subtype/i18n/custom/en.json

@@ -0,0 +1,4 @@
+{
+  "customTestOne": "Custom Test One From Subtype",
+  "customTestThree": "Custom Test Three From Subtype"
+}

package/test/modules/subtype/index.js

@@ -0,0 +1,7 @@
+module.exports = {
+  i18n: {
+    custom: {
+      browser: true
+    }
+  }
+};

package/test/pages-rest.js

@@ -1486,6 +1486,45 @@ describe('Pages REST', function() {
     assert(doc.title === 'Advisory Test Patched Again');
   });
 
+  let diacriticsId;
+  it('is able to make a page including diacritics', async function() {
+    const body = {
+      slug: '/ḑiaçritiçs-čharaćters',
+      visibility: 'public',
+      type: 'test-page',
+      title: 'Ḑiaçritiçs Čharaćters',
+      _targetId: '_home',
+      _position: '1'
+    };
+
+    const page = await apos.http.post('/api/v1/@apostrophecms/page', {
+      body,
+      jar
+    });
+
+    assert(page);
+    assert(page.title === 'Ḑiaçritiçs Čharaćters');
+    diacriticsId = page._id;
+    // Accesses the published page.
+    const published = await apos.http.get('/ḑiaçritiçs-čharaćters');
+    assert(published);
+  });
+
+  it('can archive the diacritics page then access the draft preview', async function () {
+    // Now only a draft preview will be available.
+    await apos.page.archive(apos.task.getReq(), diacriticsId);
+
+    try {
+      const rendered = await apos.http.get('/ḑiaçritiçs-čharaćters', {
+        jar
+      });
+      assert(rendered.match(/Sing to me, Oh Muse\./));
+    } catch (error) {
+      console.error(error);
+      assert(false);
+    }
+  });
+
   let jar2;
 
   it('should be able to log in as second user', async () => {

package/test/pieces-page-type.js

@@ -34,6 +34,24 @@ describe('Pieces Pages', function() {
             perPage: 10
           }
         },
+        home: {
+          extend: '@apostrophecms/piece-type',
+          options: {
+            name: 'home',
+            label: 'Home',
+            alias: 'home',
+            sort: { title: 1 }
+          }
+        },
+        'home-page': {
+          extend: '@apostrophecms/piece-page-type',
+          options: {
+            name: 'homePiecePage',
+            label: 'Home Piece Page',
+            alias: 'homePiecePage',
+            perPage: 10
+          }
+        },
         '@apostrophecms/page': {
           options: {
             park: [
@@ -42,6 +60,12 @@ describe('Pieces Pages', function() {
                 type: 'eventPage',
                 slug: '/events',
                 parkedId: 'events'
+              },
+              {
+                title: 'Home piece page',
+                type: 'homePiecePage',
+                slug: '/',
+                parkedId: 'home'
               }
             ]
           }
@@ -81,6 +105,36 @@ describe('Pieces Pages', function() {
     return apos.doc.db.insertMany(testItems);
   });
 
+  it('should be able to use db to insert test "home" pieces', async function() {
+    assert(apos.modules.home);
+    const testItems = [];
+    const total = 100;
+    for (let i = 1; (i <= total); i++) {
+      const paddedInt = apos.launder.padInteger(i, 3);
+
+      testItems.push({
+        _id: 'home' + paddedInt,
+        slug: 'home-' + paddedInt,
+        visibility: 'public',
+        type: 'home',
+        title: 'Home ' + paddedInt,
+        titleSortified: 'home ' + paddedInt,
+        body: {
+          metaType: 'area',
+          _id: apos.util.generateId(),
+          items: [
+            {
+              metaType: 'widget',
+              type: '@apostrophecms/rich-text',
+              content: '<p>This is some content.</p>'
+            }
+          ]
+        }
+      });
+    }
+
+    return apos.doc.db.insertMany(testItems);
+  });
   it('should populate the ._url property of pieces in any docs query', async function() {
     const piece = await apos.doc.find(apos.task.getAnonReq(), {
       type: 'event',
@@ -104,6 +158,15 @@ describe('Pieces Pages', function() {
     assert((!piece._url) || (piece._url.match(/undefined/)));
   });
 
+  it('should not create a double-slashed _url on a piece-page-type set as the homepage', async function() {
+    const piece = await apos.doc.find(apos.task.getAnonReq(), {
+      type: 'home',
+      title: 'Home 001'
+    }).toObject();
+    assert(piece);
+    assert(piece._url === '/home-001');
+  });
+
   it('should correctly populate the ._url property of pieces in a docs query if _url itself is "projected"', async function() {
     const piece = await apos.doc.find(apos.task.getAnonReq(), {
       type: 'event',

package/test/static-i18n.js

@@ -33,9 +33,19 @@ describe('static i18n', function() {
         'apos-fr': {
           options: {
             i18n: {
+              // Legacy technique must work
               ns: 'apostrophe'
             }
           }
+        },
+        // A base class that contributes some namespaced phrases in the new style way (subdirs)
+        'base-type': {
+          instantiate: false
+        },
+        // Also contributes namespaced phrases in the new style way (subdirs)
+        // plus default locale phrases in the root i18n folder
+        subtype: {
+          extend: 'base-type'
         }
       }
     });
@@ -60,4 +70,22 @@ describe('static i18n', function() {
     assert.strictEqual(apos.task.getReq({ locale: 'fr' }).t('apostrophe:richTextAlignCenter'), 'Aligner Le Centre');
   });
 
+  it('should fetch default locale phrases from main i18n dir with no i18n option necessary', function() {
+    assert.strictEqual(apos.task.getReq().t('defaultTestOne'), 'Default Test One');
+  });
+
+  it('should fetch custom locale phrases from corresponding subdir', function() {
+    assert.strictEqual(apos.task.getReq().t('custom:customTestTwo'), 'Custom Test Two From Base Type');
+    assert.strictEqual(apos.task.getReq().t('custom:customTestThree'), 'Custom Test Three From Subtype');
+  });
+
+  it('last appearance in inheritance + configuration order wins', function() {
+    assert.strictEqual(apos.task.getReq().t('custom:customTestOne'), 'Custom Test One From Subtype');
+  });
+
+  it('should honor the browser: true flag in the i18n section of an index.js file', function() {
+    const browserData = apos.i18n.getBrowserData(apos.task.getReq());
+    assert.strictEqual(browserData.i18n.en.custom.customTestOne, 'Custom Test One From Subtype');
+  });
+
 });

package/test/with-nested-module-subdirs.js

@@ -0,0 +1,32 @@
+const t = require('../test-lib/test.js');
+const assert = require('assert');
+
+describe('With Nested Module Subdirs', function() {
+  this.timeout(t.timeout);
+
+  let apos;
+
+  after(function () {
+    return t.destroy(apos);
+  });
+
+  /// ///
+  // EXISTENCE
+  /// ///
+
+  it('should initialize', async function() {
+    apos = await t.create({
+      root: module,
+      nestedModuleSubdirs: true,
+      modules: {
+        example1: {}
+      }
+    });
+    assert(apos.modules.example1);
+    // With nestedModuleSubdirs switched on, the index.js should be found,
+    // and modules.js should be loaded
+    assert(apos.modules.example1.options.folderLevelOption);
+    assert(apos.modules.example1.initialized);
+  });
+
+});

package/test/without-nested-module-subdirs.js

@@ -0,0 +1,31 @@
+const t = require('../test-lib/test.js');
+const assert = require('assert');
+
+describe('Without Nested Module Subdirs', function() {
+  this.timeout(t.timeout);
+
+  let apos;
+
+  after(function () {
+    return t.destroy(apos);
+  });
+
+  /// ///
+  // EXISTENCE
+  /// ///
+
+  it('should initialize', async function() {
+    apos = await t.create({
+      root: module,
+      modules: {
+        example1: {}
+      }
+    });
+    assert(apos.modules.example1);
+    // Should fail because we didn't turn on nestedModuleSubdirs,
+    // so the index.js was not found and modules.js was not loaded
+    assert(!apos.modules.example1.options.folderLevelOption);
+    assert(!apos.modules.example1.initialized);
+  });
+
+});