npm - apostrophe - Versions diffs - 4.27.1 → 4.28.0 - Mend

apostrophe 4.27.1 → 4.28.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (55) hide show

package/test/files.js ADDED Viewed

@@ -0,0 +1,135 @@
+const t = require('../test-lib/test.js');
+const assert = require('assert/strict');
+const fs = require('fs');
+describe('Files', function() {
+  let apos;
+  const mockFiles = [
+    {
+      type: '@apostrophecms/file',
+      slug: 'file-pretty-nice',
+      visibility: 'public',
+      attachment: {
+        type: 'attachment',
+        _id: 'testid',
+        name: 'testname',
+        extension: 'pdf',
+        // Only for simulation purposes
+        data: 'I am a fake PDF'
+      }
+    }
+  ];
+  this.timeout(t.timeout);
+  after(async function() {
+    return t.destroy(apos);
+  });
+  before(async function() {
+    this.timeout(t.timeout);
+    this.slow(2000);
+    apos = await t.create({
+      root: module,
+      modules: {
+        '@apostrophecms/file': {
+          options: {
+            prettyUrls: true
+          }
+        }
+      }
+    });
+    assert(apos.file);
+    assert(apos.file.__meta.name === '@apostrophecms/file');
+    // Bring the right port number into the base URL. This is
+    // good enough for loopback only, which is why we only
+    // use this trick in tests
+    apos.baseUrl = apos.http.getBase();
+    // Clean up any leftovers from last time
+    try {
+      const response = await apos.doc.db.deleteMany(
+        { type: '@apostrophecms/file' }
+      );
+      assert(response.result.ok === 1);
+      try {
+        fs.mkdirSync(`${__dirname}/public/uploads/attachments`);
+      } catch (e) {
+        // May already exist
+      }
+      for (const file of mockFiles) {
+        try {
+          const {
+            _id, name, extension
+          } = file;
+          fs.unlinkSync(`${__dirname}/public/uploads/attachments/${_id}-${name}.${extension}`);
+        } catch (e) {
+          // Don't care if we got that far or not
+        }
+      }
+    } catch (e) {
+      assert(false);
+    }
+  });
+  it('should add files for testing', async function() {
+    assert(apos.file.insert);
+    const req = apos.task.getReq();
+    const insertPromises = mockFiles.map(async (file) => {
+      const result = await apos.file.insert(req, file);
+      const {
+        _id, name, extension, data
+      } = file.attachment;
+      fs.writeFileSync(`${__dirname}/public/uploads/attachments/${_id}-${name}.${extension}`, data);
+      return result;
+    });
+    const inserted = await Promise.all(insertPromises);
+    assert(inserted.length === mockFiles.length);
+    assert(inserted[0]._id);
+  });
+  it('should generate an ugly URL when prettyUrls: true is not set on the module', async function() {
+    apos.file.options.prettyUrls = false;
+    try {
+      const req = apos.task.getAnonReq();
+      const files = await apos.file.find(req).toArray();
+      assert.strictEqual(files.length, 1);
+      const file = files[0];
+      const attachment = apos.attachment.first(file);
+      const url = apos.attachment.url(attachment);
+      assert(url);
+      assert.strictEqual(url, `/uploads/attachments/${attachment._id}-${attachment.name}.${attachment.extension}`);
+    } finally {
+      // So we don't spoil the next test either way
+      apos.file.options.prettyUrls = true;
+    }
+  });
+  it('should generate a pretty URL when prettyUrls: true is set and successfully serve it', async function() {
+    const req = apos.task.getAnonReq();
+    try {
+      apos.file.options.prettyUrls = true;
+      const files = await apos.file.find(req).toArray();
+      assert.strictEqual(files.length, 1);
+      const file = files[0];
+      const attachment = apos.attachment.first(file);
+      const url = apos.attachment.url(attachment);
+      assert(url);
+      assert.strictEqual(url, `${apos.http.getBase()}/files/${file.slug.replace('file-', '')}.${attachment.extension}`);
+      const body = await apos.http.get(url);
+      assert.strictEqual(body, attachment.data);
+    } finally {
+      apos.file.options.prettyUrls = false;
+    }
+  });
+});

package/test/login-requirements.js CHANGED Viewed

@@ -1,7 +1,7 @@
 const t = require('../test-lib/test.js');
 const assert = require('assert');
-describe('Login', function() {
+describe('Login Requirements', function() {
   let apos;
@@ -433,10 +433,13 @@ describe('Login', function() {
     assert(page.match(/logged out/));
-    // Make sure it won't convert with an incorrect ExtraSecret
     const token = result.incompleteToken;
+    // Make sure we can't use an incomplete token as a bearer token
+    await assert.rejects(tryAsBearerToken);
+    // Make sure it won't convert with an incorrect ExtraSecret
     try {
       await apos.http.post('/api/v1/@apostrophecms/login/requirement-verify', {
         body: {
@@ -447,12 +450,17 @@ describe('Login', function() {
         },
         jar
       });
+      // Getting here is bad
+      assert(false);
     } catch ({ status, body }) {
       assert(status === 400);
       assert.strictEqual(body.message, extraSecretErr);
       assert.strictEqual(body.data.requirement, 'ExtraSecret');
     }
+    // Make sure a bad conversion attempt doesn't unlock it as a bearer token either
+    await assert.rejects(tryAsBearerToken);
     // If we try the final login without
     // having successfully verified all requirements we get an error
     try {
@@ -512,6 +520,10 @@ describe('Login', function() {
       jar
     });
+    // Only now should we be able to use it as a bearer token
+    await tryAsBearerToken();
+    // Complete the cookie-based session login process
     await apos.http.post(
       '/api/v1/@apostrophecms/login/login',
       {
@@ -532,6 +544,136 @@ describe('Login', function() {
     );
     assert(page.match(/logged in/));
+    async function tryAsBearerToken() {
+      await apos.http.get('/api/v1/@apostrophecms/page', {
+        headers: {
+          authorization: `Bearer ${token}`
+        }
+      });
+    }
+  });
+});
+describe('Expired Token Deletion', function() {
+  let apos;
+  const extraSecretErr = 'extra secret incorrect';
+  this.timeout(20000);
+  this.beforeEach(async function() {
+    if (apos && apos.modules && apos.modules['@apostrophecms/login']) {
+      const loginModule = apos.modules['@apostrophecms/login'];
+      await loginModule.clearLoginAttempts('HarryPutter');
+    }
+  });
+  after(function() {
+    return t.destroy(apos);
+  });
+  // EXISTENCE
+  it('should initialize', async function() {
+    apos = await t.create({
+      root: module,
+      modules: {
+        '@apostrophecms/login': {
+          options: {
+            incompleteLifetime: 5000
+          },
+          requirements(self) {
+            return {
+              add: {
+                // Need an extra requirement so that the token will die
+                // after incompleteLifetime
+                ExtraSecret: {
+                  phase: 'afterPasswordVerified',
+                  async props(req, user) {
+                    return {
+                      // Verify we had access to the user here
+                      hint: user.username
+                    };
+                  },
+                  async verify(req, data, user) {
+                    if (data !== user.extraSecret) {
+                      throw self.apos.error('invalid', extraSecretErr);
+                    }
+                  }
+                }
+              }
+            };
+          }
+        }
+      }
+    });
+    assert(apos.modules['@apostrophecms/login']);
+  });
+  it('should be able to insert test user', async function() {
+    assert(apos.user.newInstance);
+    const user = apos.user.newInstance();
+    assert(user);
+    user.title = 'Harry Putter';
+    user.username = 'HarryPutter';
+    user.password = 'crookshanks';
+    user.email = 'hputter@aol.com';
+    user.role = 'admin';
+    user.extraSecret = 'roll-on';
+    assert(user.type === '@apostrophecms/user');
+    assert(apos.user.insert);
+    const doc = await apos.user.insert(apos.task.getReq(), user);
+    assert(doc._id);
   });
+  it('initial login should produce an incompleteToken, convertible with the afterPasswordVerified requirements', async function() {
+    const jar = apos.http.jar();
+    // establish session
+    let page = await apos.http.get(
+      '/',
+      {
+        jar
+      }
+    );
+    const result = await apos.http.post(
+      '/api/v1/@apostrophecms/login/login',
+      {
+        method: 'POST',
+        body: {
+          username: 'HarryPutter',
+          password: 'crookshanks',
+          session: true,
+          requirements: {
+            WeakCaptcha: 'xyz',
+            UponSubmit: 'abc'
+          }
+        },
+        jar
+      }
+    );
+    const token = result.incompleteToken;
+    assert(token);
+    // Verify it initially exists
+    assert(await apos.login.bearerTokens.findOne({ _id: token }));
+    // Wait until well over 5 seconds have passed to allow the cleanup interval to run
+    await delay(10000);
+    // Verify it is gone from the db
+    assert(!(await apos.login.bearerTokens.findOne({ _id: token })));
+  });
 });
+function delay(ms) {
+  return new Promise((resolve, reject) => {
+    setTimeout(() => resolve(), ms);
+  });
+}