wabe 0.6.12 → 0.6.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (156) hide show
  1. package/dist/database/DatabaseController.d.ts +2 -0
  2. package/dist/file/FileDevAdapter.d.ts +1 -0
  3. package/dist/graphql/pointerAndRelationFunction.d.ts +6 -0
  4. package/dist/index.js +3827 -3541
  5. package/dist/schema/Schema.d.ts +2 -2
  6. package/dist/server/generateCodegen.d.ts +10 -0
  7. package/dist/server/index.d.ts +2 -1
  8. package/dist/utils/objectKeys.d.ts +1 -0
  9. package/package.json +7 -4
  10. package/dev/index.ts +0 -215
  11. package/dist/schema/resolvers/sendEmail.d.ts +0 -1
  12. package/generated/schema.graphql +0 -1945
  13. package/generated/wabe.ts +0 -448
  14. package/src/authentication/OTP.test.ts +0 -69
  15. package/src/authentication/OTP.ts +0 -64
  16. package/src/authentication/Session.test.ts +0 -629
  17. package/src/authentication/Session.ts +0 -517
  18. package/src/authentication/cookies.ts +0 -10
  19. package/src/authentication/defaultAuthentication.ts +0 -209
  20. package/src/authentication/index.ts +0 -4
  21. package/src/authentication/interface.ts +0 -177
  22. package/src/authentication/oauth/GitHub.test.ts +0 -91
  23. package/src/authentication/oauth/GitHub.ts +0 -121
  24. package/src/authentication/oauth/Google.test.ts +0 -91
  25. package/src/authentication/oauth/Google.ts +0 -101
  26. package/src/authentication/oauth/Oauth2Client.test.ts +0 -219
  27. package/src/authentication/oauth/Oauth2Client.ts +0 -135
  28. package/src/authentication/oauth/index.ts +0 -2
  29. package/src/authentication/oauth/utils.test.ts +0 -33
  30. package/src/authentication/oauth/utils.ts +0 -27
  31. package/src/authentication/providers/EmailOTP.test.ts +0 -127
  32. package/src/authentication/providers/EmailOTP.ts +0 -95
  33. package/src/authentication/providers/EmailPassword.test.ts +0 -263
  34. package/src/authentication/providers/EmailPassword.ts +0 -138
  35. package/src/authentication/providers/EmailPasswordSRP.test.ts +0 -208
  36. package/src/authentication/providers/EmailPasswordSRP.ts +0 -191
  37. package/src/authentication/providers/GitHub.ts +0 -24
  38. package/src/authentication/providers/Google.ts +0 -24
  39. package/src/authentication/providers/OAuth.test.ts +0 -185
  40. package/src/authentication/providers/OAuth.ts +0 -106
  41. package/src/authentication/providers/PhonePassword.test.ts +0 -221
  42. package/src/authentication/providers/PhonePassword.ts +0 -136
  43. package/src/authentication/providers/QRCodeOTP.test.ts +0 -77
  44. package/src/authentication/providers/QRCodeOTP.ts +0 -69
  45. package/src/authentication/providers/index.ts +0 -6
  46. package/src/authentication/resolvers/refreshResolver.test.ts +0 -30
  47. package/src/authentication/resolvers/refreshResolver.ts +0 -19
  48. package/src/authentication/resolvers/signInWithResolver.inte.test.ts +0 -59
  49. package/src/authentication/resolvers/signInWithResolver.test.ts +0 -306
  50. package/src/authentication/resolvers/signInWithResolver.ts +0 -106
  51. package/src/authentication/resolvers/signOutResolver.test.ts +0 -38
  52. package/src/authentication/resolvers/signOutResolver.ts +0 -18
  53. package/src/authentication/resolvers/signUpWithResolver.test.ts +0 -180
  54. package/src/authentication/resolvers/signUpWithResolver.ts +0 -68
  55. package/src/authentication/resolvers/verifyChallenge.test.ts +0 -230
  56. package/src/authentication/resolvers/verifyChallenge.ts +0 -78
  57. package/src/authentication/roles.test.ts +0 -49
  58. package/src/authentication/roles.ts +0 -40
  59. package/src/authentication/security.ts +0 -278
  60. package/src/authentication/utils.test.ts +0 -97
  61. package/src/authentication/utils.ts +0 -39
  62. package/src/cache/InMemoryCache.test.ts +0 -62
  63. package/src/cache/InMemoryCache.ts +0 -45
  64. package/src/cron/index.test.ts +0 -17
  65. package/src/cron/index.ts +0 -43
  66. package/src/database/DatabaseController.test.ts +0 -613
  67. package/src/database/DatabaseController.ts +0 -1415
  68. package/src/database/index.test.ts +0 -1551
  69. package/src/database/index.ts +0 -9
  70. package/src/database/interface.ts +0 -308
  71. package/src/email/DevAdapter.ts +0 -7
  72. package/src/email/EmailController.test.ts +0 -29
  73. package/src/email/EmailController.ts +0 -13
  74. package/src/email/index.ts +0 -2
  75. package/src/email/interface.ts +0 -36
  76. package/src/email/templates/sendOtpCode.ts +0 -120
  77. package/src/file/FileController.ts +0 -28
  78. package/src/file/FileDevAdapter.ts +0 -51
  79. package/src/file/hookDeleteFile.ts +0 -25
  80. package/src/file/hookReadFile.ts +0 -66
  81. package/src/file/hookUploadFile.ts +0 -52
  82. package/src/file/index.test.ts +0 -1031
  83. package/src/file/index.ts +0 -2
  84. package/src/file/interface.ts +0 -63
  85. package/src/file/security.ts +0 -156
  86. package/src/graphql/GraphQLSchema.test.ts +0 -5099
  87. package/src/graphql/GraphQLSchema.ts +0 -886
  88. package/src/graphql/index.ts +0 -2
  89. package/src/graphql/parseGraphqlSchema.ts +0 -85
  90. package/src/graphql/parser.test.ts +0 -203
  91. package/src/graphql/parser.ts +0 -707
  92. package/src/graphql/pointerAndRelationFunction.ts +0 -191
  93. package/src/graphql/resolvers.ts +0 -464
  94. package/src/graphql/tests/aggregation.test.ts +0 -1115
  95. package/src/graphql/tests/e2e.test.ts +0 -590
  96. package/src/graphql/tests/scalars.test.ts +0 -250
  97. package/src/graphql/types.ts +0 -227
  98. package/src/hooks/HookObject.test.ts +0 -122
  99. package/src/hooks/HookObject.ts +0 -165
  100. package/src/hooks/authentication.ts +0 -67
  101. package/src/hooks/createUser.test.ts +0 -77
  102. package/src/hooks/createUser.ts +0 -10
  103. package/src/hooks/defaultFields.test.ts +0 -176
  104. package/src/hooks/defaultFields.ts +0 -32
  105. package/src/hooks/deleteSession.test.ts +0 -181
  106. package/src/hooks/deleteSession.ts +0 -20
  107. package/src/hooks/hashFieldHook.test.ts +0 -152
  108. package/src/hooks/hashFieldHook.ts +0 -89
  109. package/src/hooks/index.test.ts +0 -258
  110. package/src/hooks/index.ts +0 -420
  111. package/src/hooks/permissions.test.ts +0 -412
  112. package/src/hooks/permissions.ts +0 -93
  113. package/src/hooks/protected.test.ts +0 -551
  114. package/src/hooks/protected.ts +0 -74
  115. package/src/hooks/searchableFields.test.ts +0 -147
  116. package/src/hooks/searchableFields.ts +0 -86
  117. package/src/hooks/session.test.ts +0 -134
  118. package/src/hooks/session.ts +0 -76
  119. package/src/hooks/setEmail.test.ts +0 -216
  120. package/src/hooks/setEmail.ts +0 -33
  121. package/src/hooks/setupAcl.test.ts +0 -618
  122. package/src/hooks/setupAcl.ts +0 -25
  123. package/src/hooks/virtualFields.test.ts +0 -228
  124. package/src/hooks/virtualFields.ts +0 -48
  125. package/src/index.ts +0 -9
  126. package/src/schema/Schema.test.ts +0 -482
  127. package/src/schema/Schema.ts +0 -839
  128. package/src/schema/defaultResolvers.ts +0 -93
  129. package/src/schema/index.ts +0 -1
  130. package/src/schema/resolvers/meResolver.test.ts +0 -62
  131. package/src/schema/resolvers/meResolver.ts +0 -10
  132. package/src/schema/resolvers/resetPassword.test.ts +0 -341
  133. package/src/schema/resolvers/resetPassword.ts +0 -63
  134. package/src/schema/resolvers/sendEmail.test.ts +0 -118
  135. package/src/schema/resolvers/sendEmail.ts +0 -21
  136. package/src/schema/resolvers/sendOtpCode.test.ts +0 -141
  137. package/src/schema/resolvers/sendOtpCode.ts +0 -52
  138. package/src/security.test.ts +0 -4136
  139. package/src/server/defaultSessionHandler.test.ts +0 -62
  140. package/src/server/defaultSessionHandler.ts +0 -104
  141. package/src/server/generateCodegen.ts +0 -433
  142. package/src/server/index.test.ts +0 -843
  143. package/src/server/index.ts +0 -336
  144. package/src/server/interface.ts +0 -11
  145. package/src/server/routes/authHandler.ts +0 -171
  146. package/src/server/routes/index.ts +0 -48
  147. package/src/utils/crypto.test.ts +0 -41
  148. package/src/utils/crypto.ts +0 -105
  149. package/src/utils/database.ts +0 -8
  150. package/src/utils/export.ts +0 -12
  151. package/src/utils/helper.ts +0 -204
  152. package/src/utils/index.test.ts +0 -11
  153. package/src/utils/index.ts +0 -196
  154. package/src/utils/preload.ts +0 -8
  155. package/src/utils/testHelper.ts +0 -124
  156. package/tsconfig.json +0 -32
package/src/security.test.ts DELETED
@@ -1,4136 +0,0 @@
1
- import { describe, it, expect } from 'bun:test'
2
- import { v4 as uuid } from 'uuid'
3
- import getPort from 'get-port'
4
- import { decode, sign } from 'jsonwebtoken'
5
- import { gql } from 'graphql-request'
6
- import {
7
- getAdminUserClient,
8
- getGraphqlClient,
9
- getAnonymousClient,
10
- createUserAndUpdateRole,
11
- getUserClient,
12
- } from './utils/helper'
13
- import { setupTests, closeTests, getDatabaseAdapter } from './utils/testHelper'
14
- import { RoleEnum } from 'generated/wabe'
15
- import { Session } from './authentication/Session'
16
- import { Wabe } from './server'
17
- import type { DevWabeTypes } from './utils/helper'
18
-
19
- describe('Security tests', () => {
20
- it('should apply rate limit on GraphQL endpoints when rateLimit is configured', async () => {
21
- const setup = await setupTests(
22
- [
23
- {
24
- name: 'RateLimitTest',
25
- fields: { name: { type: 'String' } },
26
- permissions: {
27
- read: { requireAuthentication: false },
28
- create: { requireAuthentication: false },
29
- },
30
- },
31
- ],
32
- {
33
- rateLimit: {
34
- interval: 60 * 1000,
35
- numberOfRequests: 2,
36
- },
37
- },
38
- )
39
-
40
- const wabe = setup.wabe
41
- const port = setup.port
42
- const graphqlUrl = `http://127.0.0.1:${port}/graphql`
43
-
44
- const graphqlRequest = async () =>
45
- fetch(graphqlUrl, {
46
- method: 'POST',
47
- headers: {
48
- 'Content-Type': 'application/json',
49
- 'Wabe-Root-Key': 'dev',
50
- },
51
- body: JSON.stringify({
52
- query: 'query { rateLimitTests { edges { node { id } } } }',
53
- }),
54
- })
55
-
56
- const res1 = await graphqlRequest()
57
- const res2 = await graphqlRequest()
58
- const res3 = await graphqlRequest()
59
-
60
- expect(res1.status).toBe(200)
61
- expect(res2.status).toBe(200)
62
- expect(res3.status).toBe(429)
63
-
64
- await closeTests(wabe)
65
- })
66
-
67
- it('should not apply rate limit on GraphQL endpoints when rateLimit is not configured', async () => {
68
- const setup = await setupTests([
69
- {
70
- name: 'NoRateLimitTest',
71
- fields: { name: { type: 'String' } },
72
- permissions: {
73
- read: { requireAuthentication: false },
74
- create: { requireAuthentication: false },
75
- },
76
- },
77
- ])
78
-
79
- const wabe = setup.wabe
80
- const port = setup.port
81
- const rootClient = getGraphqlClient(port)
82
-
83
- const requests = Array.from({ length: 5 }, () =>
84
- rootClient.request<any>(gql`
85
- query {
86
- noRateLimitTests {
87
- edges {
88
- node {
89
- id
90
- }
91
- }
92
- }
93
- }
94
- `),
95
- )
96
-
97
- const results = await Promise.all(requests)
98
- expect(results).toHaveLength(5)
99
- results.forEach((res) => expect(res.noRateLimitTests).toBeDefined())
100
-
101
- await closeTests(wabe)
102
- })
103
-
104
- it('should throw at server startup when rootKey is empty', async () => {
105
- const databaseId = uuid()
106
- const port = await getPort()
107
-
108
- const wabe = new Wabe<DevWabeTypes>({
109
- isProduction: false,
110
- rootKey: '',
111
- database: {
112
- // @ts-expect-error
113
- adapter: await getDatabaseAdapter(databaseId),
114
- },
115
- port,
116
- schema: {
117
- classes: [
118
- {
119
- name: 'Collection1',
120
- fields: { name: { type: 'String' } },
121
- },
122
- ],
123
- },
124
- })
125
-
126
- await expect(wabe.start()).rejects.toThrow('rootKey cannot be empty')
127
- })
128
-
129
- it('should not return private fields (acl) on createObject, getObject and getObjects if not root', async () => {
130
- const setup = await setupTests([
131
- {
132
- name: 'Secret',
133
- fields: {
134
- name: { type: 'String' },
135
- },
136
- permissions: {
137
- create: {
138
- requireAuthentication: true,
139
- authorizedRoles: ['Client'],
140
- },
141
- read: {
142
- requireAuthentication: true,
143
- authorizedRoles: ['Client'],
144
- },
145
- acl: async (hookObject) => {
146
- await hookObject.addACL('roles', {
147
- read: true,
148
- write: true,
149
- role: RoleEnum.Client,
150
- })
151
- },
152
- },
153
- },
154
- ])
155
-
156
- const wabe = setup.wabe
157
- const port = setup.port
158
- const client = getAnonymousClient(port)
159
- const rootClient = getGraphqlClient(port)
160
-
161
- const { userClient } = await createUserAndUpdateRole({
162
- anonymousClient: client,
163
- port,
164
- roleName: 'Client',
165
- rootClient,
166
- })
167
-
168
- const res = await userClient.request<any>(gql`
169
- mutation createSecret {
170
- createSecret(input: { fields: { name: "n" } }) {
171
- secret {
172
- id
173
- acl {
174
- roles {
175
- roleId
176
- read
177
- write
178
- }
179
- }
180
- }
181
- }
182
- }
183
- `)
184
-
185
- expect(res.createSecret.secret.acl).toBeNull()
186
-
187
- const res2 = await userClient.request<any>(gql`
188
- query secret {
189
- secret(id: "${res.createSecret.secret.id}") {
190
- id
191
- acl {
192
- roles {
193
- roleId
194
- read
195
- write
196
- }
197
- }
198
- }
199
- }
200
- `)
201
-
202
- expect(res2.secret.acl).toBeNull()
203
-
204
- const res3 = await userClient.request<any>(gql`
205
- query secrets {
206
- secrets {
207
- edges {
208
- node {
209
- id
210
- acl {
211
- roles {
212
- roleId
213
- read
214
- write
215
- }
216
- }
217
- }
218
- }
219
- }
220
- }
221
- `)
222
-
223
- expect(res3.secrets.edges[0].node.acl).toBeNull()
224
-
225
- const res4 = await rootClient.request<any>(gql`
226
- query secret {
227
- secret(id: "${res.createSecret.secret.id}") {
228
- id
229
- name
230
- acl {
231
- roles {
232
- roleId
233
- read
234
- write
235
- }
236
- }
237
- }
238
- }
239
- `)
240
-
241
- expect(res4.secret.acl.roles).not.toBeNull()
242
-
243
- await closeTests(wabe)
244
- })
245
-
246
- it('should block requests without a valid CSRF token', async () => {
247
- const setup = await setupTests(
248
- [
249
- {
250
- name: 'TestCSRF',
251
- fields: {
252
- name: { type: 'String' },
253
- },
254
- permissions: {
255
- create: {
256
- authorizedRoles: ['Client'],
257
- requireAuthentication: true,
258
- },
259
- read: {
260
- authorizedRoles: ['Client'],
261
- requireAuthentication: true,
262
- },
263
- },
264
- },
265
- ],
266
- { disableCSRFProtection: false },
267
- )
268
-
269
- const wabe = setup.wabe
270
- const port = setup.port
271
- const client = getAnonymousClient(port)
272
- const rootClient = getGraphqlClient(port)
273
-
274
- const { userClient, accessToken, userId } = await createUserAndUpdateRole({
275
- anonymousClient: client,
276
- port,
277
- roleName: 'Client',
278
- rootClient,
279
- })
280
-
281
- expect(
282
- userClient.request(gql`
283
- mutation createTestCSRF {
284
- createTestCSRF(input: { fields: { name: "CSRF Test" } }) {
285
- testCSRF {
286
- id
287
- }
288
- }
289
- }
290
- `),
291
- ).rejects.toThrow('Permission denied to create class TestCSRF')
292
-
293
- const invalidCsrfClient = getUserClient(port, {
294
- accessToken,
295
- })
296
- expect(
297
- invalidCsrfClient.request(gql`
298
- mutation createTestCSRF {
299
- createTestCSRF(input: { fields: { name: "CSRF Test" } }) {
300
- testCSRF {
301
- id
302
- }
303
- }
304
- }
305
- `),
306
- ).rejects.toThrow('Permission denied to create class TestCSRF')
307
-
308
- const session = new Session<any>()
309
-
310
- const { csrfToken, accessToken: validAccessToken } = await session.create(userId, {
311
- wabe,
312
- isRoot: false,
313
- })
314
-
315
- const validCsrfClient = getUserClient(port, {
316
- accessToken: validAccessToken,
317
- csrfToken,
318
- })
319
-
320
- const res = await validCsrfClient.request<any>(gql`
321
- mutation createTestCSRF {
322
- createTestCSRF(input: { fields: { name: "CSRF Test" } }) {
323
- testCSRF {
324
- id
325
- }
326
- }
327
- }
328
- `)
329
-
330
- expect(res.createTestCSRF.testCSRF.id).toBeDefined()
331
-
332
- await closeTests(wabe)
333
- })
334
-
335
- it('should not block requests without a valid CSRF token if security.csrfToken is to false', async () => {
336
- const setup = await setupTests([
337
- {
338
- name: 'TestCSRF',
339
- fields: {
340
- name: { type: 'String' },
341
- },
342
- permissions: {
343
- create: {
344
- authorizedRoles: ['Client'],
345
- requireAuthentication: true,
346
- },
347
- read: {
348
- authorizedRoles: ['Client'],
349
- requireAuthentication: true,
350
- },
351
- },
352
- },
353
- ])
354
-
355
- const wabe = setup.wabe
356
- const port = setup.port
357
- const client = getAnonymousClient(port)
358
- const rootClient = getGraphqlClient(port)
359
-
360
- const { accessToken } = await createUserAndUpdateRole({
361
- anonymousClient: client,
362
- port,
363
- roleName: 'Client',
364
- rootClient,
365
- })
366
-
367
- const invalidCsrfClient = getUserClient(port, {
368
- accessToken,
369
- })
370
-
371
- const res = await invalidCsrfClient.request<any>(gql`
372
- mutation createTestCSRF {
373
- createTestCSRF(input: { fields: { name: "CSRF Test" } }) {
374
- testCSRF {
375
- id
376
- }
377
- }
378
- }
379
- `)
380
-
381
- expect(res.createTestCSRF.testCSRF.id).toBeDefined()
382
-
383
- await closeTests(wabe)
384
- })
385
-
386
- it('should not return protected fields in creation response when user is not authorized to read them', async () => {
387
- const setup = await setupTests([
388
- {
389
- name: 'Secret',
390
- fields: {
391
- name: { type: 'String' },
392
- secret: {
393
- type: 'String',
394
- protected: {
395
- protectedOperations: ['read'],
396
- authorizedRoles: ['Admin'],
397
- },
398
- },
399
- },
400
- permissions: {
401
- create: {
402
- requireAuthentication: true,
403
- authorizedRoles: ['Client'],
404
- },
405
- read: {
406
- requireAuthentication: true,
407
- authorizedRoles: ['Client'],
408
- },
409
- },
410
- },
411
- ])
412
-
413
- const wabe = setup.wabe
414
- const port = setup.port
415
- const client = getAnonymousClient(port)
416
- const rootClient = getGraphqlClient(port)
417
-
418
- const { userClient } = await createUserAndUpdateRole({
419
- anonymousClient: client,
420
- port,
421
- roleName: 'Client',
422
- rootClient,
423
- })
424
-
425
- expect(
426
- userClient.request<any>(gql`
427
- mutation createSecret {
428
- createSecret(input: { fields: { name: "n", secret: "s" } }) {
429
- secret {
430
- id
431
- secret
432
- }
433
- }
434
- }
435
- `),
436
- ).rejects.toThrow('You are not authorized to read this field')
437
-
438
- await closeTests(wabe)
439
- })
440
-
441
- it('should apply ACL filtering to count queries', async () => {
442
- const setup = await setupTests([
443
- {
444
- name: 'CountAcl',
445
- fields: {
446
- name: { type: 'String' },
447
- },
448
- permissions: {
449
- create: {
450
- requireAuthentication: true,
451
- authorizedRoles: ['Client'],
452
- },
453
- read: {
454
- requireAuthentication: true,
455
- authorizedRoles: ['Client'],
456
- },
457
- acl: async (hookObject) => {
458
- await hookObject.addACL('users', null)
459
- await hookObject.addACL('roles', null)
460
- },
461
- },
462
- },
463
- ])
464
-
465
- const wabe = setup.wabe
466
- const port = setup.port
467
- const client = getAnonymousClient(port)
468
- const rootClient = getGraphqlClient(port)
469
-
470
- const { userClient } = await createUserAndUpdateRole({
471
- anonymousClient: client,
472
- port,
473
- roleName: 'Client',
474
- rootClient,
475
- })
476
-
477
- await rootClient.request<any>(gql`
478
- mutation createCountAcl {
479
- createCountAcl(input: { fields: { name: "toto" } }) {
480
- countAcl {
481
- id
482
- }
483
- }
484
- }
485
- `)
486
-
487
- const res = await userClient.request<any>(gql`
488
- query countAcls {
489
- countAcls {
490
- totalCount
491
- }
492
- }
493
- `)
494
-
495
- expect(res.countAcls.totalCount).toEqual(0)
496
-
497
- await closeTests(wabe)
498
- })
499
-
500
- it('should block GraphQL introspection queries for anonymous and authenticated users when disableIntrospection is true', async () => {
501
- const setup = await setupTests([], {
502
- isProduction: true,
503
- disableIntrospection: true,
504
- })
505
- const wabe = setup.wabe
506
- const port = setup.port
507
- const client = getAnonymousClient(port)
508
- const rootClient = getGraphqlClient(port)
509
-
510
- // Test pour un utilisateur anonyme
511
- expect(
512
- client.request(gql`
513
- query IntrospectionQuery {
514
- __schema {
515
- types {
516
- name
517
- }
518
- }
519
- }
520
- `),
521
- ).rejects.toThrow('GraphQL introspection has been disabled')
522
-
523
- // Test pour un utilisateur authentifié (même un admin)
524
- const { userClient } = await createUserAndUpdateRole({
525
- anonymousClient: client,
526
- port,
527
- roleName: 'Admin',
528
- rootClient,
529
- })
530
-
531
- expect(
532
- userClient.request(gql`
533
- query IntrospectionQuery {
534
- __schema {
535
- types {
536
- name
537
- }
538
- }
539
- }
540
- `),
541
- ).rejects.toThrow('GraphQL introspection has been disabled')
542
-
543
- await closeTests(wabe)
544
- })
545
-
546
- it('should return null if the accessToken is an invalid accessToken', async () => {
547
- const setup = await setupTests()
548
- const wabe = setup.wabe
549
- const port = setup.port
550
- const rootClient = getGraphqlClient(port)
551
-
552
- const { accessToken } = await createUserAndUpdateRole({
553
- anonymousClient: getAnonymousClient(port),
554
- port,
555
- roleName: 'Client',
556
- rootClient,
557
- })
558
-
559
- const decoded = decode(accessToken) as any
560
-
561
- const invalidToken = sign(
562
- {
563
- ...decoded,
564
- sub: 'fake-user-id',
565
- },
566
- 'dev',
567
- )
568
-
569
- const userClient = getUserClient(port, { accessToken: invalidToken })
570
-
571
- const res = await userClient.request<any>(gql`
572
- query me {
573
- me {
574
- user {
575
- id
576
- }
577
- }
578
- }
579
- `)
580
-
581
- expect(res.me.user).toBeNull()
582
-
583
- await closeTests(wabe)
584
- })
585
-
586
- it('should reject token reuse after logout', async () => {
587
- const setup = await setupTests()
588
- const wabe = setup.wabe
589
- const port = setup.port
590
- const rootClient = getGraphqlClient(port)
591
-
592
- const { userClient } = await createUserAndUpdateRole({
593
- anonymousClient: getAnonymousClient(port),
594
- port,
595
- roleName: 'Client',
596
- rootClient,
597
- })
598
-
599
- const meBeforeLogout = await userClient.request<any>(gql`
600
- query me {
601
- me {
602
- user {
603
- id
604
- }
605
- }
606
- }
607
- `)
608
-
609
- expect(meBeforeLogout.me.user).not.toBeNull()
610
-
611
- await userClient.request<any>(graphql.signOut)
612
-
613
- const meAfterLogout = await userClient.request<any>(gql`
614
- query me {
615
- me {
616
- user {
617
- id
618
- }
619
- }
620
- }
621
- `)
622
-
623
- expect(meAfterLogout.me.user).toBeNull()
624
-
625
- await closeTests(wabe)
626
- })
627
-
628
- it('should prevent session fixation by issuing new tokens on sign-in', async () => {
629
- const setup = await setupTests()
630
- const wabe = setup.wabe
631
- const port = setup.port
632
- const anonymousClient = getAnonymousClient(port)
633
-
634
- const userARes = await anonymousClient.request<any>(graphql.signUpWith, {
635
- input: {
636
- authentication: {
637
- emailPassword: {
638
- email: 'attacker@test.fr',
639
- password: 'password',
640
- },
641
- },
642
- },
643
- })
644
-
645
- const userBRes = await anonymousClient.request<any>(graphql.signUpWith, {
646
- input: {
647
- authentication: {
648
- emailPassword: {
649
- email: 'victim@test.fr',
650
- password: 'password',
651
- },
652
- },
653
- },
654
- })
655
-
656
- const tokenA = userARes.signUpWith.accessToken
657
- const userIdA = userARes.signUpWith.id
658
- const userIdB = userBRes.signUpWith.id
659
-
660
- const clientWithTokenA = getUserClient(port, { accessToken: tokenA })
661
-
662
- await clientWithTokenA.request<any>(
663
- gql`
664
- mutation signInWith($input: SignInWithInput!) {
665
- signInWith(input: $input) {
666
- accessToken
667
- refreshToken
668
- }
669
- }
670
- `,
671
- {
672
- input: {
673
- authentication: {
674
- emailPassword: {
675
- email: 'victim@test.fr',
676
- password: 'password',
677
- },
678
- },
679
- },
680
- },
681
- )
682
-
683
- const meWithTokenA = await clientWithTokenA.request<any>(gql`
684
- query me {
685
- me {
686
- user {
687
- id
688
- }
689
- }
690
- }
691
- `)
692
-
693
- expect(meWithTokenA.me.user?.id).toBe(userIdA)
694
- expect(meWithTokenA.me.user?.id).not.toBe(userIdB)
695
-
696
- await closeTests(wabe)
697
- })
698
-
699
- it('should throw an error if try to access to a class with empty authorizedRoles but not requireAuthentication', async () => {
700
- const setup = await setupTests([
701
- {
702
- name: 'Test',
703
- fields: {
704
- name: {
705
- type: 'String',
706
- },
707
- },
708
- permissions: {
709
- read: {
710
- authorizedRoles: [],
711
- },
712
- },
713
- },
714
- ])
715
- const wabe = setup.wabe
716
- const port = setup.port
717
- const client = getAnonymousClient(port)
718
-
719
- expect(
720
- client.request(gql`
721
- query tests {
722
- tests {
723
- totalCount
724
- }
725
- }
726
- `),
727
- ).rejects.toThrow('Permission denied to read class Test')
728
-
729
- await closeTests(wabe)
730
- })
731
-
732
- it('should throw an error if try to count the number of objects in anonymous', async () => {
733
- const setup = await setupTests([
734
- {
735
- name: 'Test',
736
- fields: {
737
- name: {
738
- type: 'String',
739
- },
740
- },
741
- permissions: {
742
- read: {
743
- authorizedRoles: [],
744
- requireAuthentication: true,
745
- },
746
- },
747
- },
748
- ])
749
- const wabe = setup.wabe
750
- const port = setup.port
751
- const client = getAnonymousClient(port)
752
-
753
- expect(
754
- client.request(gql`
755
- query tests {
756
- tests {
757
- totalCount
758
- }
759
- }
760
- `),
761
- ).rejects.toThrow('Permission denied to read class Test')
762
-
763
- await closeTests(wabe)
764
- })
765
-
766
- it('should throw an error when I try to update and create ACL field without root access', async () => {
767
- const setup = await setupTests([
768
- {
769
- name: 'Test',
770
- fields: {
771
- name: {
772
- type: 'String',
773
- },
774
- },
775
- permissions: {
776
- create: {
777
- authorizedRoles: ['Client'],
778
- requireAuthentication: true,
779
- },
780
- read: {
781
- authorizedRoles: ['Client'],
782
- requireAuthentication: true,
783
- },
784
- update: {
785
- authorizedRoles: ['Client'],
786
- requireAuthentication: true,
787
- },
788
- },
789
- },
790
- ])
791
- const wabe = setup.wabe
792
- const port = setup.port
793
- const rootClient = getGraphqlClient(port)
794
-
795
- const { userClient } = await createUserAndUpdateRole({
796
- anonymousClient: getAnonymousClient(port),
797
- port,
798
- roleName: 'Client',
799
- rootClient,
800
- })
801
-
802
- const res = await userClient.request<any>(gql`
803
- mutation createTest {
804
- createTest(input: { fields: { name: "Test" } }) {
805
- test {
806
- id
807
- }
808
- }
809
- }
810
- `)
811
-
812
- const testId = res.createTest.test.id
813
-
814
- expect(
815
- userClient.request(gql`
816
- mutation updateTest {
817
- updateTest(input: {id: "${testId}", fields: {acl: {users: [{userId: "2"}]}}}) {
818
- test {
819
- id
820
- }
821
- }
822
- }
823
- `),
824
- ).rejects.toThrow('You are not authorized to update this field')
825
-
826
- expect(
827
- userClient.request(gql`
828
- mutation createTest {
829
- createTest(input: { fields: { acl: { users: [{ userId: "2" }] } } }) {
830
- test {
831
- id
832
- }
833
- }
834
- }
835
- `),
836
- ).rejects.toThrow('You are not authorized to create this field')
837
-
838
- await closeTests(wabe)
839
- })
840
-
841
- it('should not allow user with ACL write access to modify ACL on existing object (ACL updates restricted to root)', async () => {
842
- const setup = await setupTests([
843
- {
844
- name: 'AclRestrictedTest',
845
- fields: { name: { type: 'String' } },
846
- permissions: {
847
- create: { authorizedRoles: ['Client'], requireAuthentication: true },
848
- read: { authorizedRoles: ['Client'], requireAuthentication: true },
849
- update: { authorizedRoles: ['Client'], requireAuthentication: true },
850
- },
851
- },
852
- ])
853
- const wabe = setup.wabe
854
- const port = setup.port
855
- const rootClient = getGraphqlClient(port)
856
-
857
- const { userClient, userId } = await createUserAndUpdateRole({
858
- anonymousClient: getAnonymousClient(port),
859
- port,
860
- roleName: 'Client',
861
- rootClient,
862
- })
863
-
864
- const created = await rootClient.request<any>(gql`
865
- mutation createAclRestrictedTest {
866
- createAclRestrictedTest(input: { fields: { name: "original" } }) {
867
- aclRestrictedTest {
868
- id
869
- }
870
- }
871
- }
872
- `)
873
-
874
- const objectId = created.createAclRestrictedTest.aclRestrictedTest.id
875
-
876
- await rootClient.request<any>(gql`
877
- mutation updateACL {
878
- updateAclRestrictedTest(input: {
879
- id: "${objectId}",
880
- fields: { acl: { users: [{ userId: "${userId}", read: true, write: true }] } }
881
- }) {
882
- aclRestrictedTest { id }
883
- }
884
- }
885
- `)
886
-
887
- await expect(
888
- userClient.request<any>(gql`
889
- mutation updateName {
890
- updateAclRestrictedTest(input: { id: "${objectId}", fields: { name: "updated" } }) {
891
- aclRestrictedTest { id name }
892
- }
893
- }
894
- `),
895
- ).resolves.toMatchObject({
896
- updateAclRestrictedTest: { aclRestrictedTest: { name: 'updated' } },
897
- })
898
-
899
- await expect(
900
- userClient.request(gql`
901
- mutation updateACL {
902
- updateAclRestrictedTest(input: {
903
- id: "${objectId}",
904
- fields: { acl: { users: [{ userId: "other-user-id", read: true, write: true }] } }
905
- }) {
906
- aclRestrictedTest { id }
907
- }
908
- }
909
- `),
910
- ).rejects.toThrow('You are not authorized to update this field')
911
-
912
- await closeTests(wabe)
913
- })
914
-
915
- it('should throw an error when I try to create an user with a role without root access', async () => {
916
- const setup = await setupTests()
917
- const wabe = setup.wabe
918
- const port = setup.port
919
- const client = getAnonymousClient(port)
920
-
921
- const adminRole = await wabe.controllers.database.getObjects({
922
- className: 'Role',
923
- where: {
924
- name: { equalTo: 'Admin' },
925
- },
926
- first: 1,
927
- select: { id: true },
928
- context: {
929
- wabe,
930
- isRoot: true,
931
- },
932
- })
933
-
934
- expect(
935
- client.request(gql`
936
- mutation createUser {
937
- createUser(input: { fields: {role: {link: "${adminRole[0]?.id}"}} }) {
938
- user {
939
- id
940
- }
941
- }
942
- }
943
- `),
944
- ).rejects.toThrow('You are not authorized to create this field')
945
-
946
- await closeTests(wabe)
947
- })
948
-
949
- it('should not be able to update role pointer in the User class', async () => {
950
- const setup = await setupTests()
951
- const wabe = setup.wabe
952
- const port = setup.port
953
- const rootClient = getGraphqlClient(port)
954
-
955
- const { userId } = await createUserAndUpdateRole({
956
- anonymousClient: getAnonymousClient(port),
957
- port,
958
- roleName: 'Client',
959
- rootClient,
960
- })
961
-
962
- expect(
963
- wabe.controllers.database.updateObject({
964
- className: 'User',
965
- id: userId,
966
- context: {
967
- wabe,
968
- isRoot: false,
969
- },
970
- data: {
971
- role: 'newid',
972
- },
973
- }),
974
- ).rejects.toThrow('You are not authorized to update this field')
975
-
976
- await closeTests(wabe)
977
- })
978
-
979
- it('should not be able to create / update sessions relation in the User class', async () => {
980
- const setup = await setupTests()
981
- const wabe = setup.wabe
982
- const port = setup.port
983
- const rootClient = getGraphqlClient(port)
984
-
985
- const { userId } = await createUserAndUpdateRole({
986
- anonymousClient: getAnonymousClient(port),
987
- port,
988
- roleName: 'Client',
989
- rootClient,
990
- })
991
-
992
- expect(
993
- wabe.controllers.database.updateObject({
994
- className: 'User',
995
- id: userId,
996
- context: {
997
- wabe,
998
- isRoot: false,
999
- },
1000
- data: {
1001
- sessions: ['newid'],
1002
- },
1003
- }),
1004
- ).rejects.toThrow('You are not authorized to update this field')
1005
-
1006
- expect(
1007
- wabe.controllers.database.createObject({
1008
- className: 'User',
1009
- context: {
1010
- wabe,
1011
- isRoot: false,
1012
- },
1013
- data: {
1014
- sessions: ['newid'],
1015
- },
1016
- }),
1017
- ).rejects.toThrow('You are not authorized to create this field')
1018
-
1019
- await closeTests(wabe)
1020
- })
1021
-
1022
- it("should throw an error if the user tries to delete an object and doesn't have access to read the object", async () => {
1023
- const setup = await setupTests([
1024
- {
1025
- name: 'Test1',
1026
- fields: {
1027
- name: {
1028
- type: 'String',
1029
- },
1030
- },
1031
- permissions: {
1032
- read: {
1033
- authorizedRoles: [],
1034
- requireAuthentication: true,
1035
- },
1036
- create: {
1037
- authorizedRoles: ['Client'],
1038
- requireAuthentication: true,
1039
- },
1040
- delete: {
1041
- authorizedRoles: ['Client'],
1042
- requireAuthentication: true,
1043
- },
1044
- },
1045
- },
1046
- ])
1047
- const wabe = setup.wabe
1048
- const port = setup.port
1049
- const rootClient = getGraphqlClient(port)
1050
-
1051
- const { userClient } = await createUserAndUpdateRole({
1052
- anonymousClient: getAnonymousClient(port),
1053
- port,
1054
- roleName: 'Client',
1055
- rootClient,
1056
- })
1057
-
1058
- const res = await rootClient.request<any>(gql`
1059
- mutation createTest1 {
1060
- createTest1(input: { fields: { name: "test1" } }) {
1061
- test1 {
1062
- id
1063
- }
1064
- }
1065
- }
1066
- `)
1067
-
1068
- expect(
1069
- userClient.request(gql`
1070
- mutation deleteTest1{
1071
- deleteTest1(input: {id: "${res.createTest1.test1.id}"}) {
1072
- test1 {
1073
- id
1074
- }
1075
- }
1076
- }
1077
- `),
1078
- ).rejects.toThrow('Permission denied to read class Test1')
1079
-
1080
- expect(
1081
- userClient.request(gql`
1082
- mutation deleteTest1s {
1083
- deleteTest1s(input: { where: { name: { equalTo: "test1" } } }) {
1084
- edges {
1085
- node {
1086
- id
1087
- }
1088
- }
1089
- }
1090
- }
1091
- `),
1092
- ).rejects.toThrow('Permission denied to read class Test1')
1093
-
1094
- await closeTests(wabe)
1095
- })
1096
-
1097
- it("should throw an error if the user try to update an object and doesn't have access to read the object", async () => {
1098
- const setup = await setupTests([
1099
- {
1100
- name: 'Test1',
1101
- fields: {
1102
- name: {
1103
- type: 'String',
1104
- },
1105
- },
1106
- permissions: {
1107
- read: {
1108
- authorizedRoles: [],
1109
- requireAuthentication: true,
1110
- },
1111
- create: {
1112
- authorizedRoles: ['Client'],
1113
- requireAuthentication: true,
1114
- },
1115
- update: {
1116
- authorizedRoles: ['Client'],
1117
- requireAuthentication: true,
1118
- },
1119
- },
1120
- },
1121
- ])
1122
- const wabe = setup.wabe
1123
- const port = setup.port
1124
- const rootClient = getGraphqlClient(port)
1125
-
1126
- const { userClient } = await createUserAndUpdateRole({
1127
- anonymousClient: getAnonymousClient(port),
1128
- port,
1129
- roleName: 'Client',
1130
- rootClient,
1131
- })
1132
-
1133
- const res = await rootClient.request<any>(gql`
1134
- mutation createTest1 {
1135
- createTest1(input: { fields: { name: "test1" } }) {
1136
- test1 {
1137
- id
1138
- }
1139
- }
1140
- }
1141
- `)
1142
-
1143
- expect(
1144
- userClient.request(gql`
1145
- mutation updateTest1{
1146
- updateTest1(input: {id: "${res.createTest1.test1.id}", fields: {name: "test1"}}) {
1147
- test1 {
1148
- id
1149
- }
1150
- }
1151
- }
1152
- `),
1153
- ).rejects.toThrow('Permission denied to read class Test1')
1154
-
1155
- expect(
1156
- userClient.request(gql`
1157
- mutation updateTest1s {
1158
- updateTest1s(input: { where: { name: { equalTo: "test1" } }, fields: { name: "test1" } }) {
1159
- edges {
1160
- node {
1161
- id
1162
- }
1163
- }
1164
- }
1165
- }
1166
- `),
1167
- ).rejects.toThrow('Permission denied to read class Test1')
1168
-
1169
- await closeTests(wabe)
1170
- })
1171
-
1172
- it('should not create object in relation if not have permission to create', async () => {
1173
- const setup = await setupTests([
1174
- {
1175
- name: 'Test1',
1176
- fields: {
1177
- name: {
1178
- type: 'String',
1179
- },
1180
- },
1181
- permissions: {
1182
- read: {
1183
- authorizedRoles: ['Admin'],
1184
- requireAuthentication: true,
1185
- },
1186
- create: {
1187
- authorizedRoles: ['Admin'],
1188
- requireAuthentication: true,
1189
- },
1190
- },
1191
- },
1192
- {
1193
- name: 'Test2',
1194
- fields: {
1195
- field1: {
1196
- type: 'Relation',
1197
- class: 'Test1',
1198
- },
1199
- field2: {
1200
- type: 'Pointer',
1201
- class: 'Test1',
1202
- },
1203
- },
1204
- permissions: {
1205
- read: {
1206
- authorizedRoles: ['Client'],
1207
- requireAuthentication: true,
1208
- },
1209
- create: {
1210
- authorizedRoles: ['Client'],
1211
- requireAuthentication: true,
1212
- },
1213
- },
1214
- },
1215
- ])
1216
- const wabe = setup.wabe
1217
- const port = setup.port
1218
- const client = getAnonymousClient(port)
1219
- const rootClient = getGraphqlClient(port)
1220
-
1221
- const { userClient } = await createUserAndUpdateRole({
1222
- anonymousClient: client,
1223
- port,
1224
- roleName: 'Client',
1225
- rootClient,
1226
- })
1227
-
1228
- expect(
1229
- userClient.request<any>(gql`
1230
- mutation createTest2 {
1231
- createTest2(input: { fields: { field1: { createAndAdd: [{ name: "toto" }] } } }) {
1232
- test2 {
1233
- id
1234
- }
1235
- }
1236
- }
1237
- `),
1238
- ).rejects.toThrow('Permission denied to create class Test1')
1239
-
1240
- await closeTests(wabe)
1241
- })
1242
-
1243
- it('should not create object in pointer if not have permission to create', async () => {
1244
- const setup = await setupTests([
1245
- {
1246
- name: 'Test1',
1247
- fields: {
1248
- name: {
1249
- type: 'String',
1250
- },
1251
- },
1252
- permissions: {
1253
- read: {
1254
- authorizedRoles: ['Admin'],
1255
- requireAuthentication: true,
1256
- },
1257
- create: {
1258
- authorizedRoles: ['Admin'],
1259
- requireAuthentication: true,
1260
- },
1261
- },
1262
- },
1263
- {
1264
- name: 'Test2',
1265
- fields: {
1266
- field1: {
1267
- type: 'Relation',
1268
- class: 'Test1',
1269
- },
1270
- field2: {
1271
- type: 'Pointer',
1272
- class: 'Test1',
1273
- },
1274
- },
1275
- permissions: {
1276
- read: {
1277
- authorizedRoles: ['Client'],
1278
- requireAuthentication: true,
1279
- },
1280
- create: {
1281
- authorizedRoles: ['Client'],
1282
- requireAuthentication: true,
1283
- },
1284
- },
1285
- },
1286
- ])
1287
- const wabe = setup.wabe
1288
- const port = setup.port
1289
- const client = getAnonymousClient(port)
1290
- const rootClient = getGraphqlClient(port)
1291
-
1292
- const { userClient } = await createUserAndUpdateRole({
1293
- anonymousClient: client,
1294
- port,
1295
- roleName: 'Client',
1296
- rootClient,
1297
- })
1298
-
1299
- expect(
1300
- userClient.request<any>(gql`
1301
- mutation createTest2 {
1302
- createTest2(input: { fields: { field2: { createAndLink: { name: "toto" } } } }) {
1303
- test2 {
1304
- id
1305
- }
1306
- }
1307
- }
1308
- `),
1309
- ).rejects.toThrow('Permission denied to create class Test1')
1310
-
1311
- await closeTests(wabe)
1312
- })
1313
-
1314
- it("should not be able to access to a relation if user doesn't have access on read", async () => {
1315
- const setup = await setupTests([
1316
- {
1317
- name: 'Test1',
1318
- fields: {
1319
- name: {
1320
- type: 'String',
1321
- },
1322
- },
1323
- permissions: {
1324
- read: {
1325
- authorizedRoles: ['Admin'],
1326
- requireAuthentication: true,
1327
- },
1328
- create: {
1329
- authorizedRoles: ['Admin'],
1330
- requireAuthentication: true,
1331
- },
1332
- },
1333
- },
1334
- {
1335
- name: 'Test2',
1336
- fields: {
1337
- field1: {
1338
- type: 'Relation',
1339
- class: 'Test1',
1340
- },
1341
- field2: {
1342
- type: 'Pointer',
1343
- class: 'Test1',
1344
- },
1345
- },
1346
- permissions: {
1347
- read: {
1348
- authorizedRoles: ['Client'],
1349
- requireAuthentication: true,
1350
- },
1351
- create: {
1352
- authorizedRoles: ['Client'],
1353
- requireAuthentication: true,
1354
- },
1355
- },
1356
- },
1357
- ])
1358
- const wabe = setup.wabe
1359
- const port = setup.port
1360
- const client = getAnonymousClient(port)
1361
- const rootClient = getGraphqlClient(port)
1362
-
1363
- await rootClient.request<any>(gql`
1364
- mutation createTest2 {
1365
- createTest2(input: { fields: { field1: { createAndAdd: [{ name: "toto" }] } } }) {
1366
- test2 {
1367
- id
1368
- }
1369
- }
1370
- }
1371
- `)
1372
-
1373
- const { userClient } = await createUserAndUpdateRole({
1374
- anonymousClient: client,
1375
- port,
1376
- roleName: 'Client',
1377
- rootClient,
1378
- })
1379
-
1380
- expect(
1381
- userClient.request(gql`
1382
- query test2s {
1383
- test2s {
1384
- edges {
1385
- node {
1386
- id
1387
- field1 {
1388
- edges {
1389
- node {
1390
- id
1391
- }
1392
- }
1393
- }
1394
- }
1395
- }
1396
- }
1397
- }
1398
- `),
1399
- ).rejects.toThrow('Permission denied to read class Test1')
1400
-
1401
- await closeTests(wabe)
1402
- })
1403
-
1404
- it("should not be able to access to a pointer if user doesn't have access on read", async () => {
1405
- const setup = await setupTests([
1406
- {
1407
- name: 'Test1',
1408
- fields: {
1409
- name: {
1410
- type: 'String',
1411
- },
1412
- },
1413
- permissions: {
1414
- read: {
1415
- authorizedRoles: ['Admin'],
1416
- requireAuthentication: true,
1417
- },
1418
- create: {
1419
- authorizedRoles: ['Admin'],
1420
- requireAuthentication: true,
1421
- },
1422
- },
1423
- },
1424
- {
1425
- name: 'Test2',
1426
- fields: {
1427
- field1: {
1428
- type: 'Relation',
1429
- class: 'Test1',
1430
- },
1431
- field2: {
1432
- type: 'Pointer',
1433
- class: 'Test1',
1434
- },
1435
- },
1436
- permissions: {
1437
- read: {
1438
- authorizedRoles: ['Client'],
1439
- requireAuthentication: true,
1440
- },
1441
- create: {
1442
- authorizedRoles: ['Client'],
1443
- requireAuthentication: true,
1444
- },
1445
- },
1446
- },
1447
- ])
1448
- const wabe = setup.wabe
1449
- const port = setup.port
1450
- const client = getAnonymousClient(port)
1451
- const rootClient = getGraphqlClient(port)
1452
-
1453
- await rootClient.request<any>(gql`
1454
- mutation createTest2 {
1455
- createTest2(input: { fields: { field2: { createAndLink: { name: "toto" } } } }) {
1456
- test2 {
1457
- id
1458
- }
1459
- }
1460
- }
1461
- `)
1462
-
1463
- const { userClient } = await createUserAndUpdateRole({
1464
- anonymousClient: client,
1465
- port,
1466
- roleName: 'Client',
1467
- rootClient,
1468
- })
1469
-
1470
- expect(
1471
- userClient.request(gql`
1472
- query test2s {
1473
- test2s {
1474
- edges {
1475
- node {
1476
- id
1477
- field2 {
1478
- id
1479
- }
1480
- }
1481
- }
1482
- }
1483
- }
1484
- `),
1485
- ).rejects.toThrow('Permission denied to read class Test1')
1486
-
1487
- await closeTests(wabe)
1488
- })
1489
-
1490
- it('should not be able to create / update / delete a role (except root)', async () => {
1491
- const setup = await setupTests()
1492
- const wabe = setup.wabe
1493
-
1494
- const adminRole = await wabe.controllers.database.getObjects({
1495
- className: 'Role',
1496
- where: {
1497
- name: { equalTo: 'Admin' },
1498
- },
1499
- first: 1,
1500
- select: { id: true },
1501
- context: {
1502
- wabe,
1503
- isRoot: true,
1504
- },
1505
- })
1506
-
1507
- const adminRoleId = adminRole[0]?.id
1508
-
1509
- const adminClient = await getAdminUserClient(wabe.config.port, wabe, {
1510
- email: 'admin@wabe.dev',
1511
- password: 'admin',
1512
- })
1513
-
1514
- expect(
1515
- adminClient.request<any>(gql`
1516
- mutation deleteRole {
1517
- deleteRole(input: { id: "${adminRoleId}" }) {
1518
- role {
1519
- id
1520
- }
1521
- }
1522
- }
1523
- `),
1524
- ).rejects.toThrowError('Permission denied to delete class Role')
1525
-
1526
- expect(
1527
- adminClient.request<any>(gql`
1528
- mutation updateRole {
1529
- updateRole(input: { id: "${adminRoleId}", fields: {name: "Admin2"} }) {
1530
- role {
1531
- id
1532
- }
1533
- }
1534
- }
1535
- `),
1536
- ).rejects.toThrowError('Permission denied to update class Role')
1537
-
1538
- expect(
1539
- adminClient.request<any>(gql`
1540
- mutation createRole {
1541
- createRole(input: { fields: { name: "Admin2" } }) {
1542
- role {
1543
- id
1544
- }
1545
- }
1546
- }
1547
- `),
1548
- ).rejects.toThrowError('Permission denied to create class Role')
1549
-
1550
- await closeTests(wabe)
1551
- })
1552
-
1553
- it('should not be able to create / update / delete a session (except root)', async () => {
1554
- const setup = await setupTests()
1555
- const wabe = setup.wabe
1556
-
1557
- const adminClient = await getAdminUserClient(wabe.config.port, wabe, {
1558
- email: 'admin@wabe.dev',
1559
- password: 'admin',
1560
- })
1561
-
1562
- expect(
1563
- adminClient.request<any>(gql`
1564
- mutation create_Session {
1565
- create_Session(
1566
- input: {
1567
- fields: {
1568
- accessTokenEncrypted: "token"
1569
- accessTokenExpiresAt: "2025-01-01T00:00:00.000Z"
1570
- refreshTokenEncrypted: "refresh"
1571
- refreshTokenExpiresAt: "2025-01-02T00:00:00.000Z"
1572
- }
1573
- }
1574
- ) {
1575
- _session {
1576
- id
1577
- }
1578
- }
1579
- }
1580
- `),
1581
- ).rejects.toThrowError('Permission denied to create class _Session')
1582
-
1583
- const res = await adminClient.request<any>(gql`
1584
- query me {
1585
- me {
1586
- user {
1587
- id
1588
- }
1589
- }
1590
- }
1591
- `)
1592
-
1593
- const session = await wabe.controllers.database.createObject({
1594
- className: '_Session',
1595
- context: {
1596
- wabe,
1597
- isRoot: true,
1598
- },
1599
- data: {
1600
- accessTokenEncrypted: 'token',
1601
- user: res.me.user.id,
1602
- accessTokenExpiresAt: new Date(),
1603
- refreshTokenEncrypted: 'refreshToken',
1604
- refreshTokenExpiresAt: new Date(),
1605
- },
1606
- select: { id: true },
1607
- })
1608
-
1609
- const sessionId = session?.id
1610
-
1611
- if (!sessionId) throw new Error('Session not created')
1612
-
1613
- expect(
1614
- adminClient.request<any>(gql`
1615
- mutation update_Session {
1616
- update_Session(input: { id: "${sessionId}", fields: {accessTokenEncrypted: "token2"} }) {
1617
- _session {
1618
- id
1619
- }
1620
- }
1621
- }
1622
- `),
1623
- ).rejects.toThrowError('Permission denied to update class _Session')
1624
-
1625
- expect(
1626
- adminClient.request<any>(gql`
1627
- mutation delete_Session {
1628
- delete_Session(input: { id:"${sessionId}" }) {
1629
- _session {
1630
- id
1631
- }
1632
- }
1633
- }
1634
- `),
1635
- // Read because we call getObject before delete the object
1636
- ).rejects.toThrowError('Permission denied to delete class _Session')
1637
-
1638
- const sessionAfterDelete = await wabe.controllers.database.getObject({
1639
- className: '_Session',
1640
- id: sessionId || '',
1641
- context: {
1642
- wabe,
1643
- isRoot: true,
1644
- },
1645
- select: { id: true },
1646
- })
1647
-
1648
- expect(sessionAfterDelete?.id).toEqual(sessionId)
1649
-
1650
- await closeTests(wabe)
1651
- })
1652
-
1653
- it('should not be able to do some actions with expired session', async () => {
1654
- const setup = await setupTests([
1655
- {
1656
- name: 'Test1',
1657
- fields: {
1658
- name: {
1659
- type: 'String',
1660
- },
1661
- },
1662
- permissions: {
1663
- read: {
1664
- authorizedRoles: ['Admin'],
1665
- requireAuthentication: true,
1666
- },
1667
- create: {
1668
- authorizedRoles: ['Admin'],
1669
- requireAuthentication: true,
1670
- },
1671
- },
1672
- },
1673
- ])
1674
- const wabe = setup.wabe
1675
-
1676
- const adminClient = await getAdminUserClient(wabe.config.port, wabe, {
1677
- email: 'admin@wabe.dev',
1678
- password: 'admin',
1679
- })
1680
-
1681
- expect(
1682
- adminClient.request(gql`
1683
- mutation createTest1 {
1684
- createTest1(input: { fields: { name: "test1" } }) {
1685
- test1 {
1686
- id
1687
- }
1688
- }
1689
- }
1690
- `),
1691
- ).resolves.toEqual(expect.anything())
1692
-
1693
- await wabe.controllers.database.updateObjects({
1694
- className: '_Session',
1695
- context: {
1696
- wabe,
1697
- isRoot: true,
1698
- },
1699
- select: { id: true, accessTokenExpiresAt: true },
1700
- data: {
1701
- accessTokenExpiresAt: new Date(Date.now() - 1000 * 3600), // 1 hour ago
1702
- refreshTokenExpiresAt: new Date(Date.now() - 1000 * 3600), // 1 hour ago
1703
- },
1704
- where: {},
1705
- })
1706
-
1707
- expect(
1708
- adminClient.request(gql`
1709
- mutation createTest1 {
1710
- createTest1(input: { fields: { name: "test1" } }) {
1711
- test1 {
1712
- id
1713
- }
1714
- }
1715
- }
1716
- `),
1717
- ).rejects.toThrow('Permission denied to create class Test1')
1718
-
1719
- await closeTests(wabe)
1720
- })
1721
-
1722
- it('should be able to refresh session if refresh token is not expired but access token expired', async () => {
1723
- const setup = await setupTests([
1724
- {
1725
- name: 'Test1',
1726
- fields: {
1727
- name: {
1728
- type: 'String',
1729
- },
1730
- },
1731
- permissions: {
1732
- read: {
1733
- authorizedRoles: ['Admin'],
1734
- requireAuthentication: true,
1735
- },
1736
- create: {
1737
- authorizedRoles: ['Admin'],
1738
- requireAuthentication: true,
1739
- },
1740
- },
1741
- },
1742
- ])
1743
- const wabe = setup.wabe
1744
-
1745
- const adminClient = await getAdminUserClient(wabe.config.port, wabe, {
1746
- email: 'admin@wabe.dev',
1747
- password: 'admin',
1748
- })
1749
-
1750
- expect(
1751
- adminClient.request(gql`
1752
- mutation createTest1 {
1753
- createTest1(input: { fields: { name: "test1" } }) {
1754
- test1 {
1755
- id
1756
- }
1757
- }
1758
- }
1759
- `),
1760
- ).resolves.toEqual(expect.anything())
1761
-
1762
- await wabe.controllers.database.updateObjects({
1763
- className: '_Session',
1764
- context: {
1765
- wabe,
1766
- isRoot: true,
1767
- },
1768
- data: {
1769
- accessTokenExpiresAt: new Date(Date.now() - 1000 * 3600), // 1 hour ago
1770
- refreshTokenExpiresAt: new Date(Date.now() + 1000 * 3600), // 1 hour in future
1771
- },
1772
- where: {},
1773
- })
1774
-
1775
- expect(
1776
- adminClient.request(gql`
1777
- mutation createTest1 {
1778
- createTest1(input: { fields: { name: "test1" } }) {
1779
- test1 {
1780
- id
1781
- }
1782
- }
1783
- }
1784
- `),
1785
- ).resolves.toEqual(expect.anything())
1786
-
1787
- await closeTests(wabe)
1788
- })
1789
-
1790
- it('should access to an object', async () => {
1791
- const setup = await setupTests([
1792
- {
1793
- name: 'Test4',
1794
- fields: {
1795
- name: { type: 'String' },
1796
- },
1797
- permissions: {
1798
- create: {
1799
- requireAuthentication: true,
1800
- authorizedRoles: ['Client'],
1801
- },
1802
- read: {
1803
- requireAuthentication: true,
1804
- authorizedRoles: ['Client', 'Client2'],
1805
- },
1806
- },
1807
- },
1808
- ])
1809
- const wabe = setup.wabe
1810
- const port = setup.port
1811
- const client = getAnonymousClient(port)
1812
- const rootClient = getGraphqlClient(port)
1813
-
1814
- const { userClient } = await createUserAndUpdateRole({
1815
- anonymousClient: client,
1816
- port,
1817
- roleName: 'Client',
1818
- rootClient,
1819
- })
1820
-
1821
- const { userClient: userClient2 } = await createUserAndUpdateRole({
1822
- anonymousClient: client,
1823
- port,
1824
- roleName: 'Client2',
1825
- rootClient,
1826
- })
1827
-
1828
- await userClient.request<any>(gql`
1829
- mutation createTest4 {
1830
- createTest4(input: { fields: { name: "test" } }) {
1831
- test4 {
1832
- id
1833
- }
1834
- }
1835
- }
1836
- `)
1837
-
1838
- const res = await userClient2.request<any>(gql`
1839
- query test4s {
1840
- test4s {
1841
- edges {
1842
- node {
1843
- id
1844
- name
1845
- }
1846
- }
1847
- }
1848
- }
1849
- `)
1850
-
1851
- expect(res.test4s.edges.length).toEqual(1)
1852
- expect(res.test4s.edges[0].node.name).toEqual('test')
1853
-
1854
- await closeTests(wabe)
1855
- })
1856
-
1857
- it('should access to an object created by another user without ACL', async () => {
1858
- const setup = await setupTests([
1859
- {
1860
- name: 'Test4',
1861
- fields: {
1862
- name: { type: 'String' },
1863
- },
1864
- permissions: {
1865
- create: {
1866
- requireAuthentication: true,
1867
- authorizedRoles: ['Client'],
1868
- },
1869
- read: {
1870
- requireAuthentication: true,
1871
- authorizedRoles: ['Client', 'Client2'],
1872
- },
1873
- },
1874
- },
1875
- ])
1876
- const wabe = setup.wabe
1877
- const port = setup.port
1878
- const client = getAnonymousClient(port)
1879
- const rootClient = getGraphqlClient(port)
1880
-
1881
- const { userClient } = await createUserAndUpdateRole({
1882
- anonymousClient: client,
1883
- port,
1884
- roleName: 'Client',
1885
- rootClient,
1886
- })
1887
-
1888
- const { userClient: userClient2 } = await createUserAndUpdateRole({
1889
- anonymousClient: client,
1890
- port,
1891
- roleName: 'Client2',
1892
- rootClient,
1893
- })
1894
-
1895
- await userClient.request<any>(gql`
1896
- mutation createTest4 {
1897
- createTest4(input: { fields: { name: "test" } }) {
1898
- test4 {
1899
- id
1900
- }
1901
- }
1902
- }
1903
- `)
1904
-
1905
- const res = await userClient2.request<any>(gql`
1906
- query test4s {
1907
- test4s {
1908
- edges {
1909
- node {
1910
- id
1911
- name
1912
- }
1913
- }
1914
- }
1915
- }
1916
- `)
1917
-
1918
- expect(res.test4s.edges.length).toEqual(1)
1919
- expect(res.test4s.edges[0].node.name).toEqual('test')
1920
-
1921
- await closeTests(wabe)
1922
- })
1923
-
1924
- it('should authorize user to access to created object with self acl but not an other user', async () => {
1925
- const setup = await setupTests([
1926
- {
1927
- name: 'Test3',
1928
- fields: {
1929
- name: { type: 'String' },
1930
- },
1931
- permissions: {
1932
- create: {
1933
- requireAuthentication: false,
1934
- },
1935
- read: {
1936
- requireAuthentication: false,
1937
- },
1938
- acl: async (hookObject) => {
1939
- await hookObject.addACL('users', {
1940
- userId: hookObject.context.user?.id || '',
1941
- read: true,
1942
- write: true,
1943
- })
1944
-
1945
- await hookObject.addACL('roles', null)
1946
- },
1947
- },
1948
- },
1949
- ])
1950
- const wabe = setup.wabe
1951
- const port = setup.port
1952
- const client = getAnonymousClient(port)
1953
- const rootClient = getGraphqlClient(port)
1954
-
1955
- const { userClient } = await createUserAndUpdateRole({
1956
- anonymousClient: client,
1957
- port,
1958
- roleName: 'Client',
1959
- rootClient,
1960
- })
1961
-
1962
- const { userClient: userClient2 } = await createUserAndUpdateRole({
1963
- anonymousClient: client,
1964
- port,
1965
- roleName: 'Client',
1966
- rootClient,
1967
- email: 'email2@test.fr',
1968
- })
1969
-
1970
- const res = await userClient.request<any>(gql`
1971
- mutation createTest3 {
1972
- createTest3(input: { fields: { name: "test" } }) {
1973
- test3 {
1974
- id
1975
- }
1976
- }
1977
- }
1978
- `)
1979
-
1980
- const res2 = await userClient2.request<any>(gql`
1981
- query test3s {
1982
- test3s {
1983
- edges {
1984
- node {
1985
- id
1986
- }
1987
- }
1988
- }
1989
- }
1990
- `)
1991
-
1992
- const res3 = await getAnonymousClient(port).request<any>(gql`
1993
- query test3s {
1994
- test3s {
1995
- edges {
1996
- node {
1997
- id
1998
- }
1999
- }
2000
- }
2001
- }
2002
- `)
2003
-
2004
- expect(res.createTest3.test3.id).toBeDefined()
2005
- expect(res2.test3s.edges.length).toEqual(0)
2006
- expect(res3.test3s.edges.length).toEqual(0)
2007
-
2008
- await closeTests(wabe)
2009
- })
2010
-
2011
- it('should not authorize create object when authorizedRoles is empty', async () => {
2012
- const setup = await setupTests([
2013
- {
2014
- name: 'Test2',
2015
- fields: {
2016
- name: { type: 'String' },
2017
- age: { type: 'Int' },
2018
- },
2019
- permissions: {
2020
- read: {
2021
- authorizedRoles: ['Client', 'Client2'],
2022
- requireAuthentication: true,
2023
- },
2024
- create: {
2025
- authorizedRoles: [],
2026
- requireAuthentication: true,
2027
- },
2028
- },
2029
- },
2030
- ])
2031
- const wabe = setup.wabe
2032
- const port = setup.port
2033
- const client = getAnonymousClient(port)
2034
- const rootClient = getGraphqlClient(port)
2035
-
2036
- const { userClient } = await createUserAndUpdateRole({
2037
- anonymousClient: client,
2038
- port,
2039
- roleName: 'Client',
2040
- rootClient,
2041
- })
2042
-
2043
- expect(
2044
- userClient.request<any>(gql`
2045
- mutation createTest2 {
2046
- createTest2(input: { fields: { name: "test" } }) {
2047
- test2 {
2048
- id
2049
- }
2050
- }
2051
- }
2052
- `),
2053
- ).rejects.toThrow('Permission denied to create class Test2')
2054
-
2055
- expect(() =>
2056
- rootClient.request<any>(gql`
2057
- mutation createTest2 {
2058
- createTest2(input: { fields: { name: "test" } }) {
2059
- test2 {
2060
- id
2061
- }
2062
- }
2063
- }
2064
- `),
2065
- ).not.toThrow()
2066
-
2067
- await closeTests(wabe)
2068
- })
2069
-
2070
- it('should not authorize an user to read an object when the user has not access on read to the object (ACL)', async () => {
2071
- const setup = await setupTests([
2072
- {
2073
- name: 'Test',
2074
- fields: {
2075
- name: { type: 'String' },
2076
- pointer: {
2077
- type: 'Pointer',
2078
- class: 'Test2',
2079
- },
2080
- relation: {
2081
- type: 'Relation',
2082
- class: 'Test2',
2083
- },
2084
- },
2085
- permissions: {
2086
- read: {
2087
- authorizedRoles: ['Client', 'Client2'],
2088
- requireAuthentication: true,
2089
- },
2090
- update: {
2091
- authorizedRoles: ['Client'],
2092
- requireAuthentication: true,
2093
- },
2094
- delete: {
2095
- authorizedRoles: ['Client'],
2096
- requireAuthentication: true,
2097
- },
2098
- create: {
2099
- authorizedRoles: ['Client2'],
2100
- requireAuthentication: true,
2101
- },
2102
- },
2103
- },
2104
- {
2105
- name: 'Test2',
2106
- fields: {
2107
- name: { type: 'String' },
2108
- age: { type: 'Int' },
2109
- },
2110
- permissions: {
2111
- read: {
2112
- authorizedRoles: ['Client', 'Client2'],
2113
- requireAuthentication: true,
2114
- },
2115
- create: {
2116
- authorizedRoles: [],
2117
- requireAuthentication: true,
2118
- },
2119
- },
2120
- },
2121
- ])
2122
- const wabe = setup.wabe
2123
- const port = setup.port
2124
- const client = getAnonymousClient(port)
2125
- const rootClient = getGraphqlClient(port)
2126
-
2127
- const { userClient, userId } = await createUserAndUpdateRole({
2128
- anonymousClient: client,
2129
- port,
2130
- roleName: 'Client',
2131
- rootClient,
2132
- })
2133
-
2134
- const objectCreated = await rootClient.request<any>(gql`
2135
- mutation createTest {
2136
- createTest(input: { fields: { name: "test" } }) {
2137
- test {
2138
- id
2139
- }
2140
- }
2141
- }
2142
- `)
2143
-
2144
- const objectId = objectCreated.createTest.test.id
2145
-
2146
- await rootClient.request<any>(gql`
2147
- mutation updateACL{
2148
- updateTest(input:{id: "${objectId}", fields: {acl:{
2149
- users: [{
2150
- userId: "${userId}",
2151
- read: false,
2152
- write: true
2153
- }]
2154
- }}}){
2155
- test{
2156
- id
2157
- }
2158
- }
2159
- }
2160
- `)
2161
-
2162
- const res = await userClient.request<any>(gql`
2163
- query tests {
2164
- tests {
2165
- edges {
2166
- node {
2167
- id
2168
- }
2169
- }
2170
- }
2171
- }
2172
- `)
2173
-
2174
- expect(res.tests.edges.length).toEqual(0)
2175
-
2176
- await closeTests(wabe)
2177
- })
2178
-
2179
- it('should return undefined for virtual field (object type) when user has read:false and write:true in ACL', async () => {
2180
- const setup = await setupTests([
2181
- {
2182
- name: 'VirtualFieldAclTest',
2183
- fields: {
2184
- name: { type: 'String' },
2185
- secret: {
2186
- type: 'String',
2187
- },
2188
- secretInfo: {
2189
- type: 'Virtual',
2190
- returnType: 'Object',
2191
- object: {
2192
- name: 'SecretInfo',
2193
- fields: {
2194
- summary: { type: 'String' },
2195
- },
2196
- },
2197
- dependsOn: ['secret'],
2198
- callback: (object: any) =>
2199
- object.secret != null ? { summary: `${object.secret.slice(0, 3)}...` } : null,
2200
- },
2201
- },
2202
- permissions: {
2203
- read: {
2204
- authorizedRoles: ['Client'],
2205
- requireAuthentication: true,
2206
- },
2207
- create: {
2208
- authorizedRoles: ['Client'],
2209
- requireAuthentication: true,
2210
- },
2211
- acl: async (hookObject) => {
2212
- await hookObject.addACL('roles', {
2213
- role: RoleEnum.Client,
2214
- read: true,
2215
- write: true,
2216
- })
2217
- },
2218
- },
2219
- },
2220
- ])
2221
-
2222
- const wabe = setup.wabe
2223
- const port = setup.port
2224
- const client = getAnonymousClient(port)
2225
- const rootClient = getGraphqlClient(port)
2226
-
2227
- const { userClient, userId } = await createUserAndUpdateRole({
2228
- anonymousClient: client,
2229
- port,
2230
- roleName: 'Client',
2231
- rootClient,
2232
- })
2233
-
2234
- const objectCreated = await rootClient.request<any>(gql`
2235
- mutation createVirtualFieldAclTest {
2236
- createVirtualFieldAclTest(input: { fields: { name: "test", secret: "sensitive" } }) {
2237
- virtualFieldAclTest {
2238
- id
2239
- }
2240
- }
2241
- }
2242
- `)
2243
-
2244
- const objectId = objectCreated.createVirtualFieldAclTest.virtualFieldAclTest.id
2245
-
2246
- await rootClient.request<any>(gql`
2247
- mutation updateACL {
2248
- updateVirtualFieldAclTest(input: {
2249
- id: "${objectId}",
2250
- fields: {
2251
- acl: {
2252
- users: [{
2253
- userId: "${userId}",
2254
- read: false,
2255
- write: true
2256
- }]
2257
- }
2258
- }
2259
- }) {
2260
- virtualFieldAclTest {
2261
- id
2262
- }
2263
- }
2264
- }
2265
- `)
2266
-
2267
- const resList = await userClient.request<any>(gql`
2268
- query virtualFieldAclTests {
2269
- virtualFieldAclTests {
2270
- edges {
2271
- node {
2272
- id
2273
- name
2274
- secretInfo {
2275
- summary
2276
- }
2277
- }
2278
- }
2279
- }
2280
- }
2281
- `)
2282
-
2283
- expect(resList.virtualFieldAclTests.edges.length).toEqual(0)
2284
-
2285
- await expect(
2286
- userClient.request<any>(gql`
2287
- query virtualFieldAclTest {
2288
- virtualFieldAclTest(id: "${objectId}") {
2289
- id
2290
- name
2291
- secretInfo {
2292
- summary
2293
- }
2294
- }
2295
- }
2296
- `),
2297
- ).rejects.toThrow('Object not found')
2298
-
2299
- await closeTests(wabe)
2300
- })
2301
-
2302
- it('should return undefined for virtual field (object type) when user cannot read a protected dependency field', async () => {
2303
- const setup = await setupTests([
2304
- {
2305
- name: 'VirtualFieldProtectedTest',
2306
- fields: {
2307
- name: { type: 'String' },
2308
- secret: {
2309
- type: 'String',
2310
- protected: {
2311
- authorizedRoles: ['rootOnly'],
2312
- protectedOperations: ['read'],
2313
- },
2314
- },
2315
- secretInfo: {
2316
- type: 'Virtual',
2317
- returnType: 'Object',
2318
- object: {
2319
- name: 'SecretInfo',
2320
- fields: {
2321
- summary: { type: 'String' },
2322
- },
2323
- },
2324
- dependsOn: ['secret'],
2325
- callback: (object: any) =>
2326
- object.secret != null ? { summary: `${object.secret.slice(0, 3)}...` } : null,
2327
- },
2328
- },
2329
- permissions: {
2330
- read: {
2331
- authorizedRoles: ['Client'],
2332
- requireAuthentication: true,
2333
- },
2334
- create: {
2335
- authorizedRoles: ['Client'],
2336
- requireAuthentication: true,
2337
- },
2338
- acl: async (hookObject) => {
2339
- await hookObject.addACL('roles', {
2340
- role: RoleEnum.Client,
2341
- read: true,
2342
- write: true,
2343
- })
2344
- },
2345
- },
2346
- },
2347
- ])
2348
-
2349
- const wabe = setup.wabe
2350
- const port = setup.port
2351
- const client = getAnonymousClient(port)
2352
- const rootClient = getGraphqlClient(port)
2353
-
2354
- const { userClient } = await createUserAndUpdateRole({
2355
- anonymousClient: client,
2356
- port,
2357
- roleName: 'Client',
2358
- rootClient,
2359
- })
2360
-
2361
- const objectCreated = await rootClient.request<any>(gql`
2362
- mutation createVirtualFieldProtectedTest {
2363
- createVirtualFieldProtectedTest(input: { fields: { name: "test", secret: "sensitive" } }) {
2364
- virtualFieldProtectedTest {
2365
- id
2366
- }
2367
- }
2368
- }
2369
- `)
2370
-
2371
- const objectId = objectCreated.createVirtualFieldProtectedTest.virtualFieldProtectedTest.id
2372
-
2373
- const res = await userClient.request<any>(gql`
2374
- query virtualFieldProtectedTest {
2375
- virtualFieldProtectedTest(id: "${objectId}") {
2376
- id
2377
- name
2378
- secretInfo {
2379
- summary
2380
- }
2381
- }
2382
- }
2383
- `)
2384
-
2385
- expect(res.virtualFieldProtectedTest).toBeDefined()
2386
- expect(res.virtualFieldProtectedTest.name).toBe('test')
2387
- expect(res.virtualFieldProtectedTest.secretInfo).toBeNull()
2388
-
2389
- await closeTests(wabe)
2390
- })
2391
-
2392
- it('should not authorize an user to read an object when explicitly denied in acl.users even if role has access (MongoDB notContains)', async () => {
2393
- const setup = await setupTests([
2394
- {
2395
- name: 'TestNotContains',
2396
- fields: {
2397
- name: { type: 'String' },
2398
- },
2399
- permissions: {
2400
- read: {
2401
- authorizedRoles: ['Client'],
2402
- requireAuthentication: true,
2403
- },
2404
- create: {
2405
- authorizedRoles: ['Client'],
2406
- requireAuthentication: true,
2407
- },
2408
- },
2409
- },
2410
- ])
2411
- const wabe = setup.wabe
2412
- const port = setup.port
2413
- const client = getAnonymousClient(port)
2414
- const rootClient = getGraphqlClient(port)
2415
-
2416
- const { userClient, userId } = await createUserAndUpdateRole({
2417
- anonymousClient: client,
2418
- port,
2419
- roleName: 'Client',
2420
- rootClient,
2421
- })
2422
-
2423
- const clientRole = await rootClient.request<any>(gql`
2424
- query getClientRole {
2425
- roles(where: { name: { equalTo: "Client" } }) {
2426
- edges {
2427
- node {
2428
- id
2429
- }
2430
- }
2431
- }
2432
- }
2433
- `)
2434
-
2435
- const clientRoleId = clientRole.roles.edges[0].node.id
2436
-
2437
- const objectCreated = await rootClient.request<any>(gql`
2438
- mutation createTestNotContains {
2439
- createTestNotContains(input: { fields: { name: "secret" } }) {
2440
- testNotContains {
2441
- id
2442
- }
2443
- }
2444
- }
2445
- `)
2446
-
2447
- const objectId = objectCreated.createTestNotContains.testNotContains.id
2448
-
2449
- await rootClient.request<any>(gql`
2450
- mutation updateACL {
2451
- updateTestNotContains(input: {
2452
- id: "${objectId}",
2453
- fields: {
2454
- acl: {
2455
- users: [{
2456
- userId: "${userId}",
2457
- read: false,
2458
- write: false
2459
- }],
2460
- roles: [{
2461
- roleId: "${clientRoleId}",
2462
- read: true,
2463
- write: true
2464
- }]
2465
- }
2466
- }
2467
- }) {
2468
- testNotContains {
2469
- id
2470
- }
2471
- }
2472
- }
2473
- `)
2474
-
2475
- await expect(
2476
- userClient.request<any>(gql`
2477
- query testNotContains {
2478
- testNotContains(id: "${objectId}") {
2479
- id
2480
- name
2481
- }
2482
- }
2483
- `),
2484
- ).rejects.toThrow('Object not found')
2485
-
2486
- const resList = await userClient.request<any>(gql`
2487
- query testNotContainses {
2488
- testNotContainses {
2489
- edges {
2490
- node {
2491
- id
2492
- name
2493
- }
2494
- }
2495
- }
2496
- }
2497
- `)
2498
-
2499
- expect(resList.testNotContainses.edges.length).toEqual(0)
2500
-
2501
- await closeTests(wabe)
2502
- })
2503
-
2504
- it('should correctly filter with nested notContains without recursion overwrite (MongoDB buildMongoWhereQuery)', async () => {
2505
- const setup = await setupTests([
2506
- {
2507
- name: 'TestRecursion',
2508
- fields: {
2509
- data: {
2510
- type: 'Object',
2511
- object: {
2512
- name: 'TestRecursionData',
2513
- fields: {
2514
- array: {
2515
- type: 'Array',
2516
- typeValue: 'Object',
2517
- object: {
2518
- name: 'TestRecursionArrayItem',
2519
- fields: {
2520
- string: { type: 'String' },
2521
- },
2522
- },
2523
- },
2524
- },
2525
- },
2526
- },
2527
- },
2528
- permissions: {
2529
- read: { requireAuthentication: false },
2530
- create: { requireAuthentication: false },
2531
- },
2532
- },
2533
- ])
2534
-
2535
- const wabe = setup.wabe
2536
- const port = setup.port
2537
- const rootClient = getGraphqlClient(port)
2538
-
2539
- await rootClient.request<any>(gql`
2540
- mutation create1 {
2541
- createTestRecursion(input: { fields: { data: { array: [{ string: "user1" }] } } }) {
2542
- testRecursion {
2543
- id
2544
- }
2545
- }
2546
- }
2547
- `)
2548
-
2549
- await rootClient.request<any>(gql`
2550
- mutation create2 {
2551
- createTestRecursion(input: { fields: { data: { array: [{ string: "user2" }] } } }) {
2552
- testRecursion {
2553
- id
2554
- }
2555
- }
2556
- }
2557
- `)
2558
-
2559
- const res = await wabe.controllers.database.getObjects({
2560
- className: 'TestRecursion' as any,
2561
- context: { isRoot: true, wabe } as any,
2562
- where: {
2563
- data: {
2564
- array: {
2565
- notContains: { string: { equalTo: 'user1' } },
2566
- },
2567
- },
2568
- } as any,
2569
- select: { data: true } as any,
2570
- })
2571
-
2572
- expect(res.length).toBe(1)
2573
- expect((res[0] as any)?.data?.array).toEqual([{ string: 'user2' }])
2574
-
2575
- await closeTests(wabe)
2576
- })
2577
-
2578
- it('should not authorize an user to write (delete) an object when the user has not access on write to the object (ACL)', async () => {
2579
- const setup = await setupTests([
2580
- {
2581
- name: 'Test',
2582
- fields: {
2583
- name: { type: 'String' },
2584
- pointer: {
2585
- type: 'Pointer',
2586
- class: 'Test2',
2587
- },
2588
- relation: {
2589
- type: 'Relation',
2590
- class: 'Test2',
2591
- },
2592
- },
2593
- permissions: {
2594
- read: {
2595
- authorizedRoles: ['Client', 'Client2'],
2596
- requireAuthentication: true,
2597
- },
2598
- update: {
2599
- authorizedRoles: ['Client'],
2600
- requireAuthentication: true,
2601
- },
2602
- delete: {
2603
- authorizedRoles: ['Client'],
2604
- requireAuthentication: true,
2605
- },
2606
- create: {
2607
- authorizedRoles: ['Client2'],
2608
- requireAuthentication: true,
2609
- },
2610
- },
2611
- },
2612
- {
2613
- name: 'Test2',
2614
- fields: {
2615
- name: { type: 'String' },
2616
- age: { type: 'Int' },
2617
- },
2618
- permissions: {
2619
- read: {
2620
- authorizedRoles: ['Client', 'Client2'],
2621
- requireAuthentication: true,
2622
- },
2623
- create: {
2624
- authorizedRoles: [],
2625
- requireAuthentication: true,
2626
- },
2627
- },
2628
- },
2629
- ])
2630
- const wabe = setup.wabe
2631
- const port = setup.port
2632
- const client = getAnonymousClient(port)
2633
- const rootClient = getGraphqlClient(port)
2634
-
2635
- const { userClient, userId } = await createUserAndUpdateRole({
2636
- anonymousClient: client,
2637
- port,
2638
- roleName: 'Client',
2639
- rootClient,
2640
- })
2641
-
2642
- const objectCreated = await rootClient.request<any>(gql`
2643
- mutation createTest {
2644
- createTest(input: { fields: { name: "test" } }) {
2645
- test {
2646
- id
2647
- }
2648
- }
2649
- }
2650
- `)
2651
-
2652
- const objectId = objectCreated.createTest.test.id
2653
-
2654
- await rootClient.request<any>(gql`
2655
- mutation updateACL{
2656
- updateTest(input:{id: "${objectId}", fields: {acl:{
2657
- users: [{
2658
- userId: "${userId}",
2659
- read: true,
2660
- write: false
2661
- }]
2662
- }}}){
2663
- test{
2664
- id
2665
- }
2666
- }
2667
- }
2668
- `)
2669
-
2670
- expect(
2671
- userClient.request<any>(gql`
2672
- mutation deleteTest{
2673
- deleteTest(input:{id: "${objectId}"}){
2674
- test{
2675
- id
2676
- }
2677
- }
2678
- }
2679
- `),
2680
- ).rejects.toThrow('Object not found')
2681
-
2682
- await closeTests(wabe)
2683
- })
2684
-
2685
- it('should not authorize an user to get the result of mutation (read) when he has access on write but not on read (ACL)', async () => {
2686
- const setup = await setupTests([
2687
- {
2688
- name: 'Test',
2689
- fields: {
2690
- name: { type: 'String' },
2691
- pointer: {
2692
- type: 'Pointer',
2693
- class: 'Test2',
2694
- },
2695
- relation: {
2696
- type: 'Relation',
2697
- class: 'Test2',
2698
- },
2699
- },
2700
- permissions: {
2701
- read: {
2702
- authorizedRoles: ['Client', 'Client2'],
2703
- requireAuthentication: true,
2704
- },
2705
- update: {
2706
- authorizedRoles: ['Client'],
2707
- requireAuthentication: true,
2708
- },
2709
- delete: {
2710
- authorizedRoles: ['Client'],
2711
- requireAuthentication: true,
2712
- },
2713
- create: {
2714
- authorizedRoles: ['Client2'],
2715
- requireAuthentication: true,
2716
- },
2717
- },
2718
- },
2719
- {
2720
- name: 'Test2',
2721
- fields: {
2722
- name: { type: 'String' },
2723
- age: { type: 'Int' },
2724
- },
2725
- permissions: {
2726
- read: {
2727
- authorizedRoles: ['Client', 'Client2'],
2728
- requireAuthentication: true,
2729
- },
2730
- create: {
2731
- authorizedRoles: [],
2732
- requireAuthentication: true,
2733
- },
2734
- },
2735
- },
2736
- ])
2737
- const wabe = setup.wabe
2738
- const port = setup.port
2739
- const client = getAnonymousClient(port)
2740
- const rootClient = getGraphqlClient(port)
2741
-
2742
- const { userClient, userId } = await createUserAndUpdateRole({
2743
- anonymousClient: client,
2744
- port,
2745
- roleName: 'Client',
2746
- rootClient,
2747
- })
2748
-
2749
- const objectCreated = await rootClient.request<any>(gql`
2750
- mutation createTest {
2751
- createTest(input: { fields: { name: "test" } }) {
2752
- test {
2753
- id
2754
- }
2755
- }
2756
- }
2757
- `)
2758
-
2759
- const objectId = objectCreated.createTest.test.id
2760
-
2761
- await rootClient.request<any>(gql`
2762
- mutation updateACL{
2763
- updateTest(input:{id: "${objectId}", fields: {acl:{
2764
- users: [{
2765
- userId: "${userId}",
2766
- read: false,
2767
- write: true
2768
- }]
2769
- }}}){
2770
- test{
2771
- id
2772
- }
2773
- }
2774
- }
2775
- `)
2776
-
2777
- expect(
2778
- userClient.request<any>(gql`
2779
- mutation updateTest{
2780
- updateTest(input:{id: "${objectId}", fields : {name: "tata"}}){
2781
- test{
2782
- id
2783
- }
2784
- }
2785
- }
2786
- `),
2787
- ).rejects.toThrow('Object not found')
2788
-
2789
- await closeTests(wabe)
2790
- })
2791
-
2792
- it('should not authorize an user to write (update) an object when the user has not access on write to the object (ACL)', async () => {
2793
- const setup = await setupTests([
2794
- {
2795
- name: 'Test',
2796
- fields: {
2797
- name: { type: 'String' },
2798
- pointer: {
2799
- type: 'Pointer',
2800
- class: 'Test2',
2801
- },
2802
- relation: {
2803
- type: 'Relation',
2804
- class: 'Test2',
2805
- },
2806
- },
2807
- permissions: {
2808
- read: {
2809
- authorizedRoles: ['Client', 'Client2'],
2810
- requireAuthentication: true,
2811
- },
2812
- update: {
2813
- authorizedRoles: ['Client'],
2814
- requireAuthentication: true,
2815
- },
2816
- delete: {
2817
- authorizedRoles: ['Client'],
2818
- requireAuthentication: true,
2819
- },
2820
- create: {
2821
- authorizedRoles: ['Client2'],
2822
- requireAuthentication: true,
2823
- },
2824
- },
2825
- },
2826
- {
2827
- name: 'Test2',
2828
- fields: {
2829
- name: { type: 'String' },
2830
- age: { type: 'Int' },
2831
- },
2832
- permissions: {
2833
- read: {
2834
- authorizedRoles: ['Client', 'Client2'],
2835
- requireAuthentication: true,
2836
- },
2837
- create: {
2838
- authorizedRoles: [],
2839
- requireAuthentication: true,
2840
- },
2841
- },
2842
- },
2843
- ])
2844
- const wabe = setup.wabe
2845
- const port = setup.port
2846
- const client = getAnonymousClient(port)
2847
- const rootClient = getGraphqlClient(port)
2848
-
2849
- const { userClient, userId } = await createUserAndUpdateRole({
2850
- anonymousClient: client,
2851
- port,
2852
- roleName: 'Client',
2853
- rootClient,
2854
- })
2855
-
2856
- const objectCreated = await rootClient.request<any>(gql`
2857
- mutation createTest {
2858
- createTest(input: { fields: { name: "test" } }) {
2859
- test {
2860
- id
2861
- }
2862
- }
2863
- }
2864
- `)
2865
-
2866
- const objectId = objectCreated.createTest.test.id
2867
-
2868
- await rootClient.request<any>(gql`
2869
- mutation updateACL{
2870
- updateTest(input:{id: "${objectId}", fields: {acl:{
2871
- users: [{
2872
- userId: "${userId}",
2873
- read: true,
2874
- write: false
2875
- }]
2876
- }}}){
2877
- test{
2878
- id
2879
- }
2880
- }
2881
- }
2882
- `)
2883
-
2884
- expect(
2885
- userClient.request<any>(gql`
2886
- mutation updateTest{
2887
- updateTest(input:{id: "${objectId}", fields : {name: "tata"}}){
2888
- test{
2889
- id
2890
- }
2891
- }
2892
- }
2893
- `),
2894
- ).rejects.toThrow('Object not found')
2895
-
2896
- await closeTests(wabe)
2897
- })
2898
-
2899
- it('should authorize an user to read an object when the user has access on read to the object (ACL)', async () => {
2900
- const setup = await setupTests([
2901
- {
2902
- name: 'Test',
2903
- fields: {
2904
- name: { type: 'String' },
2905
- pointer: {
2906
- type: 'Pointer',
2907
- class: 'Test2',
2908
- },
2909
- relation: {
2910
- type: 'Relation',
2911
- class: 'Test2',
2912
- },
2913
- },
2914
- permissions: {
2915
- read: {
2916
- authorizedRoles: ['Client', 'Client2'],
2917
- requireAuthentication: true,
2918
- },
2919
- update: {
2920
- authorizedRoles: ['Client'],
2921
- requireAuthentication: true,
2922
- },
2923
- delete: {
2924
- authorizedRoles: ['Client'],
2925
- requireAuthentication: true,
2926
- },
2927
- create: {
2928
- authorizedRoles: ['Client2'],
2929
- requireAuthentication: true,
2930
- },
2931
- },
2932
- },
2933
- {
2934
- name: 'Test2',
2935
- fields: {
2936
- name: { type: 'String' },
2937
- age: { type: 'Int' },
2938
- },
2939
- permissions: {
2940
- read: {
2941
- authorizedRoles: ['Client', 'Client2'],
2942
- requireAuthentication: true,
2943
- },
2944
- create: {
2945
- authorizedRoles: [],
2946
- requireAuthentication: true,
2947
- },
2948
- },
2949
- },
2950
- ])
2951
- const wabe = setup.wabe
2952
- const port = setup.port
2953
- const client = getAnonymousClient(port)
2954
- const rootClient = getGraphqlClient(port)
2955
-
2956
- const { userClient, userId } = await createUserAndUpdateRole({
2957
- anonymousClient: client,
2958
- port,
2959
- roleName: 'Client',
2960
- rootClient,
2961
- })
2962
-
2963
- const objectCreated = await rootClient.request<any>(gql`
2964
- mutation createTest {
2965
- createTest(input: { fields: { name: "test" } }) {
2966
- test {
2967
- id
2968
- }
2969
- }
2970
- }
2971
- `)
2972
-
2973
- const objectId = objectCreated.createTest.test.id
2974
-
2975
- await rootClient.request<any>(gql`
2976
- mutation updateACL{
2977
- updateTest(input:{id: "${objectId}", fields: {acl:{
2978
- users: [{
2979
- userId: "${userId}",
2980
- read: true,
2981
- write: false
2982
- }]
2983
- }}}){
2984
- test{
2985
- id
2986
- }
2987
- }
2988
- }
2989
- `)
2990
-
2991
- const res = await userClient.request<any>(gql`
2992
- query tests {
2993
- tests {
2994
- edges {
2995
- node {
2996
- id
2997
- }
2998
- }
2999
- }
3000
- }
3001
- `)
3002
-
3003
- expect(res.tests.edges.length).toEqual(1)
3004
-
3005
- await closeTests(wabe)
3006
- })
3007
-
3008
- it('should not authorized an user to read an object on another class with pointer when the user do not have ACL to read the other class', async () => {
3009
- const setup = await setupTests([
3010
- {
3011
- name: 'Test',
3012
- fields: {
3013
- name: { type: 'String' },
3014
- pointer: {
3015
- type: 'Pointer',
3016
- class: 'Test2',
3017
- },
3018
- relation: {
3019
- type: 'Relation',
3020
- class: 'Test2',
3021
- },
3022
- },
3023
- permissions: {
3024
- read: {
3025
- authorizedRoles: ['Client', 'Client2'],
3026
- requireAuthentication: true,
3027
- },
3028
- update: {
3029
- authorizedRoles: ['Client'],
3030
- requireAuthentication: true,
3031
- },
3032
- delete: {
3033
- authorizedRoles: ['Client'],
3034
- requireAuthentication: true,
3035
- },
3036
- create: {
3037
- authorizedRoles: ['Client2'],
3038
- requireAuthentication: true,
3039
- },
3040
- },
3041
- },
3042
- {
3043
- name: 'Test2',
3044
- fields: {
3045
- name: { type: 'String' },
3046
- age: { type: 'Int' },
3047
- },
3048
- permissions: {
3049
- read: {
3050
- authorizedRoles: ['Client', 'Client2'],
3051
- requireAuthentication: true,
3052
- },
3053
- create: {
3054
- authorizedRoles: [],
3055
- requireAuthentication: true,
3056
- },
3057
- },
3058
- },
3059
- ])
3060
- const wabe = setup.wabe
3061
- const port = setup.port
3062
- const client = getAnonymousClient(port)
3063
- const rootClient = getGraphqlClient(port)
3064
-
3065
- const { userClient, userId } = await createUserAndUpdateRole({
3066
- anonymousClient: client,
3067
- port,
3068
- roleName: 'Client',
3069
- rootClient,
3070
- })
3071
-
3072
- const objectCreated = await rootClient.request<any>(gql`
3073
- mutation createTest {
3074
- createTest(input: { fields: { name: "test", pointer: { createAndLink: { name: "tata" } } } }) {
3075
- test {
3076
- id
3077
- pointer {
3078
- id
3079
- }
3080
- }
3081
- }
3082
- }
3083
- `)
3084
-
3085
- const pointerId = objectCreated.createTest.test.pointer.id
3086
- const testId = objectCreated.createTest.test.id
3087
-
3088
- await rootClient.request<any>(gql`
3089
- mutation updateACL{
3090
- updateTest(input:{id: "${testId}", fields: {acl:{
3091
- users: [{
3092
- userId: "${userId}",
3093
- read: true,
3094
- write: false
3095
- }]
3096
- }}}){
3097
- test{
3098
- id
3099
- }
3100
- }
3101
- }
3102
- `)
3103
-
3104
- await rootClient.request<any>(gql`
3105
- mutation updateACL{
3106
- updateTest2(input:{id: "${pointerId}", fields: {acl:{
3107
- users: [{
3108
- userId: "${userId}",
3109
- read: false,
3110
- write: false
3111
- }]
3112
- }}}){
3113
- test2{
3114
- id
3115
- }
3116
- }
3117
- }
3118
- `)
3119
-
3120
- expect(
3121
- userClient.request<any>(gql`
3122
- query tests {
3123
- tests {
3124
- edges {
3125
- node {
3126
- id
3127
- name
3128
- }
3129
- }
3130
- }
3131
- }
3132
- `),
3133
- ).resolves.toEqual(expect.anything())
3134
-
3135
- expect(
3136
- userClient.request<any>(gql`
3137
- query tests {
3138
- tests {
3139
- edges {
3140
- node {
3141
- id
3142
- name
3143
- pointer {
3144
- id
3145
- }
3146
- }
3147
- }
3148
- }
3149
- }
3150
- `),
3151
- ).rejects.toThrow('Object not found')
3152
-
3153
- await closeTests(wabe)
3154
- })
3155
-
3156
- it('should not authorized an user to read an object on another class with relation when the user do not have ACL to read the other class', async () => {
3157
- const setup = await setupTests([
3158
- {
3159
- name: 'Test',
3160
- fields: {
3161
- name: { type: 'String' },
3162
- pointer: {
3163
- type: 'Pointer',
3164
- class: 'Test2',
3165
- },
3166
- relation: {
3167
- type: 'Relation',
3168
- class: 'Test2',
3169
- },
3170
- },
3171
- permissions: {
3172
- read: {
3173
- authorizedRoles: ['Client', 'Client2'],
3174
- requireAuthentication: true,
3175
- },
3176
- update: {
3177
- authorizedRoles: ['Client'],
3178
- requireAuthentication: true,
3179
- },
3180
- delete: {
3181
- authorizedRoles: ['Client'],
3182
- requireAuthentication: true,
3183
- },
3184
- create: {
3185
- authorizedRoles: ['Client2'],
3186
- requireAuthentication: true,
3187
- },
3188
- },
3189
- },
3190
- {
3191
- name: 'Test2',
3192
- fields: {
3193
- name: { type: 'String' },
3194
- age: { type: 'Int' },
3195
- },
3196
- permissions: {
3197
- read: {
3198
- authorizedRoles: ['Client', 'Client2'],
3199
- requireAuthentication: true,
3200
- },
3201
- create: {
3202
- authorizedRoles: [],
3203
- requireAuthentication: true,
3204
- },
3205
- },
3206
- },
3207
- ])
3208
- const wabe = setup.wabe
3209
- const port = setup.port
3210
- const client = getAnonymousClient(port)
3211
- const rootClient = getGraphqlClient(port)
3212
-
3213
- const { userClient, userId } = await createUserAndUpdateRole({
3214
- anonymousClient: client,
3215
- port,
3216
- roleName: 'Client',
3217
- rootClient,
3218
- })
3219
-
3220
- const objectCreated = await rootClient.request<any>(gql`
3221
- mutation createTest {
3222
- createTest(input: { fields: { name: "test", relation: { createAndAdd: [{ name: "tata" }] } } }) {
3223
- test {
3224
- id
3225
- relation {
3226
- edges {
3227
- node {
3228
- id
3229
- }
3230
- }
3231
- }
3232
- }
3233
- }
3234
- }
3235
- `)
3236
-
3237
- const relationId = objectCreated.createTest.test.relation.edges[0].node.id
3238
- const testId = objectCreated.createTest.test.id
3239
-
3240
- await rootClient.request<any>(gql`
3241
- mutation updateACL{
3242
- updateTest(input:{id: "${testId}", fields: {acl:{
3243
- users: [{
3244
- userId: "${userId}",
3245
- read: true,
3246
- write: false
3247
- }]
3248
- }}}){
3249
- test{
3250
- id
3251
- }
3252
- }
3253
- }
3254
- `)
3255
-
3256
- await rootClient.request<any>(gql`
3257
- mutation updateACL{
3258
- updateTest2(input:{id: "${relationId}", fields: {acl:{
3259
- users: [{
3260
- userId: "${userId}",
3261
- read: false,
3262
- write: false
3263
- }]
3264
- }}}){
3265
- test2{
3266
- id
3267
- }
3268
- }
3269
- }
3270
- `)
3271
-
3272
- expect(
3273
- userClient.request<any>(gql`
3274
- query tests {
3275
- tests {
3276
- edges {
3277
- node {
3278
- id
3279
- name
3280
- }
3281
- }
3282
- }
3283
- }
3284
- `),
3285
- ).resolves.toEqual(expect.anything())
3286
-
3287
- const res = await userClient.request<any>(gql`
3288
- query tests {
3289
- tests {
3290
- edges {
3291
- node {
3292
- id
3293
- name
3294
- relation {
3295
- edges {
3296
- node {
3297
- id
3298
- }
3299
- }
3300
- }
3301
- }
3302
- }
3303
- }
3304
- }
3305
- `)
3306
-
3307
- expect(res.tests.edges[0].node.relation.edges.length).toEqual(0)
3308
-
3309
- await closeTests(wabe)
3310
- })
3311
-
3312
- it('should not authorize an user to create an object on another class with pointer when the user do not have access to write the other class with (CLP)', async () => {
3313
- const setup = await setupTests([
3314
- {
3315
- name: 'Test',
3316
- fields: {
3317
- name: { type: 'String' },
3318
- pointer: {
3319
- type: 'Pointer',
3320
- class: 'Test2',
3321
- },
3322
- relation: {
3323
- type: 'Relation',
3324
- class: 'Test2',
3325
- },
3326
- },
3327
- permissions: {
3328
- read: {
3329
- authorizedRoles: ['Client', 'Client2'],
3330
- requireAuthentication: true,
3331
- },
3332
- update: {
3333
- authorizedRoles: ['Client'],
3334
- requireAuthentication: true,
3335
- },
3336
- delete: {
3337
- authorizedRoles: ['Client'],
3338
- requireAuthentication: true,
3339
- },
3340
- create: {
3341
- authorizedRoles: ['Client2'],
3342
- requireAuthentication: true,
3343
- },
3344
- },
3345
- },
3346
- {
3347
- name: 'Test2',
3348
- fields: {
3349
- name: { type: 'String' },
3350
- age: { type: 'Int' },
3351
- },
3352
- permissions: {
3353
- read: {
3354
- authorizedRoles: ['Client', 'Client2'],
3355
- requireAuthentication: true,
3356
- },
3357
- create: {
3358
- authorizedRoles: [],
3359
- requireAuthentication: true,
3360
- },
3361
- },
3362
- },
3363
- ])
3364
- const wabe = setup.wabe
3365
- const port = setup.port
3366
- const client = getAnonymousClient(port)
3367
- const rootClient = getGraphqlClient(port)
3368
-
3369
- const { userClient } = await createUserAndUpdateRole({
3370
- anonymousClient: client,
3371
- port,
3372
- roleName: 'Client2',
3373
- rootClient,
3374
- })
3375
-
3376
- expect(
3377
- userClient.request<any>(gql`
3378
- mutation createTest {
3379
- createTest(input: { fields: { name: "test", pointer: { createAndLink: { name: "tata" } } } }) {
3380
- test {
3381
- id
3382
- pointer {
3383
- id
3384
- }
3385
- }
3386
- }
3387
- }
3388
- `),
3389
- ).rejects.toThrow('Permission denied to create class Test2')
3390
-
3391
- await closeTests(wabe)
3392
- })
3393
-
3394
- it('should authorize a connected user to access to a protected resource', async () => {
3395
- const setup = await setupTests([
3396
- {
3397
- name: 'Test',
3398
- fields: {
3399
- name: { type: 'String' },
3400
- pointer: {
3401
- type: 'Pointer',
3402
- class: 'Test2',
3403
- },
3404
- relation: {
3405
- type: 'Relation',
3406
- class: 'Test2',
3407
- },
3408
- },
3409
- permissions: {
3410
- read: {
3411
- authorizedRoles: ['Client', 'Client2'],
3412
- requireAuthentication: true,
3413
- },
3414
- update: {
3415
- authorizedRoles: ['Client'],
3416
- requireAuthentication: true,
3417
- },
3418
- delete: {
3419
- authorizedRoles: ['Client'],
3420
- requireAuthentication: true,
3421
- },
3422
- create: {
3423
- authorizedRoles: ['Client2'],
3424
- requireAuthentication: true,
3425
- },
3426
- },
3427
- },
3428
- {
3429
- name: 'Test2',
3430
- fields: {
3431
- name: { type: 'String' },
3432
- age: { type: 'Int' },
3433
- },
3434
- permissions: {
3435
- read: {
3436
- authorizedRoles: ['Client', 'Client2'],
3437
- requireAuthentication: true,
3438
- },
3439
- create: {
3440
- authorizedRoles: [],
3441
- requireAuthentication: true,
3442
- },
3443
- },
3444
- },
3445
- ])
3446
- const wabe = setup.wabe
3447
- const port = setup.port
3448
- const client = getAnonymousClient(port)
3449
- const rootClient = getGraphqlClient(port)
3450
-
3451
- const { userClient } = await createUserAndUpdateRole({
3452
- anonymousClient: client,
3453
- port,
3454
- roleName: 'Client',
3455
- rootClient,
3456
- })
3457
-
3458
- const resOfTest = await userClient.request<any>(gql`
3459
- query tests {
3460
- tests {
3461
- edges {
3462
- node {
3463
- id
3464
- }
3465
- }
3466
- }
3467
- }
3468
- `)
3469
-
3470
- expect(resOfTest.tests.edges.length).toEqual(0)
3471
-
3472
- await closeTests(wabe)
3473
- })
3474
-
3475
- it('should authorize a connected user to access to protected resource after the user refresh his token', async () => {
3476
- const setup = await setupTests([
3477
- {
3478
- name: 'Test',
3479
- fields: {
3480
- name: { type: 'String' },
3481
- pointer: {
3482
- type: 'Pointer',
3483
- class: 'Test2',
3484
- },
3485
- relation: {
3486
- type: 'Relation',
3487
- class: 'Test2',
3488
- },
3489
- },
3490
- permissions: {
3491
- read: {
3492
- authorizedRoles: ['Client', 'Client2'],
3493
- requireAuthentication: true,
3494
- },
3495
- update: {
3496
- authorizedRoles: ['Client'],
3497
- requireAuthentication: true,
3498
- },
3499
- delete: {
3500
- authorizedRoles: ['Client'],
3501
- requireAuthentication: true,
3502
- },
3503
- create: {
3504
- authorizedRoles: ['Client2'],
3505
- requireAuthentication: true,
3506
- },
3507
- },
3508
- },
3509
- {
3510
- name: 'Test2',
3511
- fields: {
3512
- name: { type: 'String' },
3513
- age: { type: 'Int' },
3514
- },
3515
- permissions: {
3516
- read: {
3517
- authorizedRoles: ['Client', 'Client2'],
3518
- requireAuthentication: true,
3519
- },
3520
- create: {
3521
- authorizedRoles: [],
3522
- requireAuthentication: true,
3523
- },
3524
- },
3525
- },
3526
- ])
3527
- const wabe = setup.wabe
3528
- const port = setup.port
3529
- const client = getAnonymousClient(port)
3530
- const rootClient = getGraphqlClient(port)
3531
-
3532
- const { userClient, refreshToken, accessToken } = await createUserAndUpdateRole({
3533
- anonymousClient: client,
3534
- port,
3535
- roleName: 'Client',
3536
- rootClient,
3537
- })
3538
-
3539
- const resAfterRefresh = await userClient.request<any>(graphql.refresh, {
3540
- input: {
3541
- accessToken,
3542
- refreshToken,
3543
- },
3544
- })
3545
-
3546
- const userClientAfterRefresh = getUserClient(port, {
3547
- accessToken: resAfterRefresh.refresh.accessToken,
3548
- })
3549
-
3550
- const resOfTest = await userClientAfterRefresh.request<any>(gql`
3551
- query tests {
3552
- tests {
3553
- edges {
3554
- node {
3555
- id
3556
- }
3557
- }
3558
- }
3559
- }
3560
- `)
3561
-
3562
- expect(resOfTest.tests.edges.length).toEqual(0)
3563
-
3564
- await closeTests(wabe)
3565
- })
3566
-
3567
- it('should not authorize to access to protected resource if the user is not connected', async () => {
3568
- const setup = await setupTests([
3569
- {
3570
- name: 'Test',
3571
- fields: {
3572
- name: { type: 'String' },
3573
- pointer: {
3574
- type: 'Pointer',
3575
- class: 'Test2',
3576
- },
3577
- relation: {
3578
- type: 'Relation',
3579
- class: 'Test2',
3580
- },
3581
- },
3582
- permissions: {
3583
- read: {
3584
- authorizedRoles: ['Client', 'Client2'],
3585
- requireAuthentication: true,
3586
- },
3587
- update: {
3588
- authorizedRoles: ['Client'],
3589
- requireAuthentication: true,
3590
- },
3591
- delete: {
3592
- authorizedRoles: ['Client'],
3593
- requireAuthentication: true,
3594
- },
3595
- create: {
3596
- authorizedRoles: ['Client2'],
3597
- requireAuthentication: true,
3598
- },
3599
- },
3600
- },
3601
- {
3602
- name: 'Test2',
3603
- fields: {
3604
- name: { type: 'String' },
3605
- age: { type: 'Int' },
3606
- },
3607
- permissions: {
3608
- read: {
3609
- authorizedRoles: ['Client', 'Client2'],
3610
- requireAuthentication: true,
3611
- },
3612
- create: {
3613
- authorizedRoles: [],
3614
- requireAuthentication: true,
3615
- },
3616
- },
3617
- },
3618
- ])
3619
- const wabe = setup.wabe
3620
- const port = setup.port
3621
- const client = getAnonymousClient(port)
3622
- const rootClient = getGraphqlClient(port)
3623
-
3624
- await createUserAndUpdateRole({
3625
- anonymousClient: client,
3626
- port,
3627
- roleName: 'Client3',
3628
- rootClient,
3629
- })
3630
-
3631
- const userClient = getUserClient(port, { accessToken: 'invalidToken' })
3632
-
3633
- expect(
3634
- userClient.request<any>(gql`
3635
- query tests {
3636
- tests {
3637
- edges {
3638
- node {
3639
- id
3640
- }
3641
- }
3642
- }
3643
- }
3644
- `),
3645
- ).rejects.toThrow('Permission denied to read class Test')
3646
-
3647
- await closeTests(wabe)
3648
- })
3649
-
3650
- it("should not authorized to read an object if the user doesn't had an authorized role (read one)", async () => {
3651
- const setup = await setupTests([
3652
- {
3653
- name: 'Test',
3654
- fields: {
3655
- name: { type: 'String' },
3656
- pointer: {
3657
- type: 'Pointer',
3658
- class: 'Test2',
3659
- },
3660
- relation: {
3661
- type: 'Relation',
3662
- class: 'Test2',
3663
- },
3664
- },
3665
- permissions: {
3666
- read: {
3667
- authorizedRoles: ['Client', 'Client2'],
3668
- requireAuthentication: true,
3669
- },
3670
- update: {
3671
- authorizedRoles: ['Client'],
3672
- requireAuthentication: true,
3673
- },
3674
- delete: {
3675
- authorizedRoles: ['Client'],
3676
- requireAuthentication: true,
3677
- },
3678
- create: {
3679
- authorizedRoles: ['Client2'],
3680
- requireAuthentication: true,
3681
- },
3682
- },
3683
- },
3684
- {
3685
- name: 'Test2',
3686
- fields: {
3687
- name: { type: 'String' },
3688
- age: { type: 'Int' },
3689
- },
3690
- permissions: {
3691
- read: {
3692
- authorizedRoles: ['Client', 'Client2'],
3693
- requireAuthentication: true,
3694
- },
3695
- create: {
3696
- authorizedRoles: [],
3697
- requireAuthentication: true,
3698
- },
3699
- },
3700
- },
3701
- ])
3702
- const wabe = setup.wabe
3703
- const port = setup.port
3704
- const client = getAnonymousClient(port)
3705
- const rootClient = getGraphqlClient(port)
3706
-
3707
- const { userClient } = await createUserAndUpdateRole({
3708
- anonymousClient: client,
3709
- port,
3710
- roleName: 'Client3',
3711
- rootClient,
3712
- })
3713
-
3714
- const res = await rootClient.request<any>(gql`
3715
- mutation createTest {
3716
- createTest(input: { fields: { name: "test" } }) {
3717
- test {
3718
- id
3719
- }
3720
- }
3721
- }
3722
- `)
3723
-
3724
- const testId = res.createTest.test.id
3725
-
3726
- expect(
3727
- userClient.request<any>(gql`
3728
- query test{
3729
- test(id: "${testId}") {
3730
- id
3731
- }
3732
- }
3733
- `),
3734
- ).rejects.toThrow('Permission denied to read class Test')
3735
-
3736
- await closeTests(wabe)
3737
- })
3738
-
3739
- it("should not authorized to read an object if the user doesn't had an authorized role (read many)", async () => {
3740
- const setup = await setupTests([
3741
- {
3742
- name: 'Test',
3743
- fields: {
3744
- name: { type: 'String' },
3745
- pointer: {
3746
- type: 'Pointer',
3747
- class: 'Test2',
3748
- },
3749
- relation: {
3750
- type: 'Relation',
3751
- class: 'Test2',
3752
- },
3753
- },
3754
- permissions: {
3755
- read: {
3756
- authorizedRoles: ['Client', 'Client2'],
3757
- requireAuthentication: true,
3758
- },
3759
- update: {
3760
- authorizedRoles: ['Client'],
3761
- requireAuthentication: true,
3762
- },
3763
- delete: {
3764
- authorizedRoles: ['Client'],
3765
- requireAuthentication: true,
3766
- },
3767
- create: {
3768
- authorizedRoles: ['Client2'],
3769
- requireAuthentication: true,
3770
- },
3771
- },
3772
- },
3773
- {
3774
- name: 'Test2',
3775
- fields: {
3776
- name: { type: 'String' },
3777
- age: { type: 'Int' },
3778
- },
3779
- permissions: {
3780
- read: {
3781
- authorizedRoles: ['Client', 'Client2'],
3782
- requireAuthentication: true,
3783
- },
3784
- create: {
3785
- authorizedRoles: [],
3786
- requireAuthentication: true,
3787
- },
3788
- },
3789
- },
3790
- ])
3791
- const wabe = setup.wabe
3792
- const port = setup.port
3793
- const client = getAnonymousClient(port)
3794
- const rootClient = getGraphqlClient(port)
3795
-
3796
- const { userClient } = await createUserAndUpdateRole({
3797
- anonymousClient: client,
3798
- port,
3799
- roleName: 'Client3',
3800
- rootClient,
3801
- })
3802
-
3803
- expect(
3804
- userClient.request<any>(gql`
3805
- query tests {
3806
- tests {
3807
- edges {
3808
- node {
3809
- id
3810
- }
3811
- }
3812
- }
3813
- }
3814
- `),
3815
- ).rejects.toThrow('Permission denied to read class Test')
3816
-
3817
- await closeTests(wabe)
3818
- })
3819
-
3820
- it("should not authorized to delete an object if the user doesn't had an authorized role (delete)", async () => {
3821
- const setup = await setupTests([
3822
- {
3823
- name: 'Test',
3824
- fields: {
3825
- name: { type: 'String' },
3826
- pointer: {
3827
- type: 'Pointer',
3828
- class: 'Test2',
3829
- },
3830
- relation: {
3831
- type: 'Relation',
3832
- class: 'Test2',
3833
- },
3834
- },
3835
- permissions: {
3836
- read: {
3837
- authorizedRoles: ['Client', 'Client2'],
3838
- requireAuthentication: true,
3839
- },
3840
- update: {
3841
- authorizedRoles: ['Client'],
3842
- requireAuthentication: true,
3843
- },
3844
- delete: {
3845
- authorizedRoles: ['Client'],
3846
- requireAuthentication: true,
3847
- },
3848
- create: {
3849
- authorizedRoles: ['Client2'],
3850
- requireAuthentication: true,
3851
- },
3852
- },
3853
- },
3854
- {
3855
- name: 'Test2',
3856
- fields: {
3857
- name: { type: 'String' },
3858
- age: { type: 'Int' },
3859
- },
3860
- permissions: {
3861
- read: {
3862
- authorizedRoles: ['Client', 'Client2'],
3863
- requireAuthentication: true,
3864
- },
3865
- create: {
3866
- authorizedRoles: [],
3867
- requireAuthentication: true,
3868
- },
3869
- },
3870
- },
3871
- ])
3872
- const wabe = setup.wabe
3873
- const port = setup.port
3874
- const client = getAnonymousClient(port)
3875
- const rootClient = getGraphqlClient(port)
3876
-
3877
- const { userClient } = await createUserAndUpdateRole({
3878
- anonymousClient: client,
3879
- port,
3880
- roleName: 'Client2',
3881
- rootClient,
3882
- })
3883
-
3884
- await rootClient.request<any>(gql`
3885
- mutation createTest {
3886
- createTest(input: { fields: { name: "test" } }) {
3887
- test {
3888
- id
3889
- }
3890
- }
3891
- }
3892
- `)
3893
-
3894
- expect(
3895
- userClient.request<any>(gql`
3896
- mutation deleteTests {
3897
- deleteTests(input: { where: { name: { equalTo: "test" } } }) {
3898
- edges {
3899
- node {
3900
- id
3901
- }
3902
- }
3903
- }
3904
- }
3905
- `),
3906
- ).rejects.toThrow('Permission denied to delete class Test')
3907
-
3908
- await closeTests(wabe)
3909
- })
3910
-
3911
- it("should not authorized to create an object if the user doesn't had an authorized role (create)", async () => {
3912
- const setup = await setupTests([
3913
- {
3914
- name: 'Test',
3915
- fields: {
3916
- name: { type: 'String' },
3917
- pointer: {
3918
- type: 'Pointer',
3919
- class: 'Test2',
3920
- },
3921
- relation: {
3922
- type: 'Relation',
3923
- class: 'Test2',
3924
- },
3925
- },
3926
- permissions: {
3927
- read: {
3928
- authorizedRoles: ['Client', 'Client2'],
3929
- requireAuthentication: true,
3930
- },
3931
- update: {
3932
- authorizedRoles: ['Client'],
3933
- requireAuthentication: true,
3934
- },
3935
- delete: {
3936
- authorizedRoles: ['Client'],
3937
- requireAuthentication: true,
3938
- },
3939
- create: {
3940
- authorizedRoles: ['Client2'],
3941
- requireAuthentication: true,
3942
- },
3943
- },
3944
- },
3945
- {
3946
- name: 'Test2',
3947
- fields: {
3948
- name: { type: 'String' },
3949
- age: { type: 'Int' },
3950
- },
3951
- permissions: {
3952
- read: {
3953
- authorizedRoles: ['Client', 'Client2'],
3954
- requireAuthentication: true,
3955
- },
3956
- create: {
3957
- authorizedRoles: [],
3958
- requireAuthentication: true,
3959
- },
3960
- },
3961
- },
3962
- ])
3963
- const wabe = setup.wabe
3964
- const port = setup.port
3965
- const client = getAnonymousClient(port)
3966
- const rootClient = getGraphqlClient(port)
3967
-
3968
- const { userClient } = await createUserAndUpdateRole({
3969
- anonymousClient: client,
3970
- port,
3971
- roleName: 'Client',
3972
- rootClient,
3973
- })
3974
-
3975
- expect(
3976
- userClient.request<any>(gql`
3977
- mutation createTest2 {
3978
- createTest2(input: { fields: { name: "test" } }) {
3979
- test2 {
3980
- id
3981
- }
3982
- }
3983
- }
3984
- `),
3985
- ).rejects.toThrow('Permission denied to create class Test')
3986
-
3987
- await closeTests(wabe)
3988
- })
3989
-
3990
- it("should not authorized to udpdate an object if the user doesn't had an authorized role (update)", async () => {
3991
- const setup = await setupTests([
3992
- {
3993
- name: 'Test',
3994
- fields: {
3995
- name: { type: 'String' },
3996
- pointer: {
3997
- type: 'Pointer',
3998
- class: 'Test2',
3999
- },
4000
- relation: {
4001
- type: 'Relation',
4002
- class: 'Test2',
4003
- },
4004
- },
4005
- permissions: {
4006
- read: {
4007
- authorizedRoles: ['Client', 'Client2'],
4008
- requireAuthentication: true,
4009
- },
4010
- update: {
4011
- authorizedRoles: ['Client'],
4012
- requireAuthentication: true,
4013
- },
4014
- delete: {
4015
- authorizedRoles: ['Client'],
4016
- requireAuthentication: true,
4017
- },
4018
- create: {
4019
- authorizedRoles: ['Client2'],
4020
- requireAuthentication: true,
4021
- },
4022
- },
4023
- },
4024
- {
4025
- name: 'Test2',
4026
- fields: {
4027
- name: { type: 'String' },
4028
- age: { type: 'Int' },
4029
- },
4030
- permissions: {
4031
- read: {
4032
- authorizedRoles: ['Client', 'Client2'],
4033
- requireAuthentication: true,
4034
- },
4035
- create: {
4036
- authorizedRoles: [],
4037
- requireAuthentication: true,
4038
- },
4039
- },
4040
- },
4041
- ])
4042
- const wabe = setup.wabe
4043
- const port = setup.port
4044
- const client = getAnonymousClient(port)
4045
- const rootClient = getGraphqlClient(port)
4046
-
4047
- const { userClient } = await createUserAndUpdateRole({
4048
- anonymousClient: client,
4049
- port,
4050
- roleName: 'Client2',
4051
- rootClient,
4052
- })
4053
-
4054
- const res = await rootClient.request<any>(gql`
4055
- mutation createTest {
4056
- createTest(input: { fields: { name: "test" } }) {
4057
- test {
4058
- id
4059
- }
4060
- }
4061
- }
4062
- `)
4063
-
4064
- expect(
4065
- userClient.request<any>(gql`
4066
- mutation updateTest{
4067
- updateTest(input: {id: "${res.createTest.test.id}", fields : {name: "tata"}}){
4068
- test{
4069
- id
4070
- }
4071
- }
4072
- }
4073
- `),
4074
- ).rejects.toThrow('Permission denied to update class Test')
4075
-
4076
- await closeTests(wabe)
4077
- })
4078
- })
4079
-
4080
- const graphql = {
4081
- deleteTests: gql`
4082
- mutation deleteTests {
4083
- deleteTests(input: { where: { name: { equalTo: "test" } } }) {
4084
- edges {
4085
- node {
4086
- id
4087
- }
4088
- }
4089
- }
4090
- }
4091
- `,
4092
- deleteUsers: gql`
4093
- mutation deleteUser {
4094
- deleteUsers(
4095
- input: { where: { authentication: { emailPassword: { email: { equalTo: "email@test.fr" } } } } }
4096
- ) {
4097
- edges {
4098
- node {
4099
- id
4100
- }
4101
- }
4102
- }
4103
- }
4104
- `,
4105
- signInWith: gql`
4106
- mutation signInWith($input: SignInWithInput!) {
4107
- signInWith(input: $input) {
4108
- id
4109
- accessToken
4110
- refreshToken
4111
- }
4112
- }
4113
- `,
4114
- signUpWith: gql`
4115
- mutation signUpWith($input: SignUpWithInput!) {
4116
- signUpWith(input: $input) {
4117
- id
4118
- accessToken
4119
- refreshToken
4120
- }
4121
- }
4122
- `,
4123
- signOut: gql`
4124
- mutation signOut {
4125
- signOut
4126
- }
4127
- `,
4128
- refresh: gql`
4129
- mutation refresh($input: RefreshInput!) {
4130
- refresh(input: $input) {
4131
- accessToken
4132
- refreshToken
4133
- }
4134
- }
4135
- `,
4136
- }