wabe 0.6.9 → 0.6.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (162) hide show
  1. package/README.md +156 -50
  2. package/bucket/b.txt +1 -0
  3. package/dev/index.ts +215 -0
  4. package/dist/authentication/Session.d.ts +4 -1
  5. package/dist/authentication/interface.d.ts +16 -0
  6. package/dist/cron/index.d.ts +0 -1
  7. package/dist/database/DatabaseController.d.ts +41 -13
  8. package/dist/database/interface.d.ts +1 -0
  9. package/dist/email/DevAdapter.d.ts +0 -1
  10. package/dist/email/interface.d.ts +1 -1
  11. package/dist/graphql/resolvers.d.ts +4 -2
  12. package/dist/hooks/index.d.ts +8 -2
  13. package/dist/index.d.ts +0 -1
  14. package/dist/index.js +32144 -32058
  15. package/dist/schema/Schema.d.ts +2 -1
  16. package/dist/server/index.d.ts +4 -2
  17. package/dist/utils/crypto.d.ts +7 -0
  18. package/dist/utils/helper.d.ts +5 -1
  19. package/generated/schema.graphql +22 -14
  20. package/generated/wabe.ts +4 -4
  21. package/package.json +23 -23
  22. package/src/authentication/OTP.test.ts +69 -0
  23. package/src/authentication/OTP.ts +64 -0
  24. package/src/authentication/Session.test.ts +629 -0
  25. package/src/authentication/Session.ts +493 -0
  26. package/src/authentication/defaultAuthentication.ts +209 -0
  27. package/src/authentication/index.ts +3 -0
  28. package/src/authentication/interface.ts +155 -0
  29. package/src/authentication/oauth/GitHub.test.ts +91 -0
  30. package/src/authentication/oauth/GitHub.ts +121 -0
  31. package/src/authentication/oauth/Google.test.ts +91 -0
  32. package/src/authentication/oauth/Google.ts +101 -0
  33. package/src/authentication/oauth/Oauth2Client.test.ts +219 -0
  34. package/src/authentication/oauth/Oauth2Client.ts +135 -0
  35. package/src/authentication/oauth/index.ts +2 -0
  36. package/src/authentication/oauth/utils.test.ts +33 -0
  37. package/src/authentication/oauth/utils.ts +27 -0
  38. package/src/authentication/providers/EmailOTP.test.ts +127 -0
  39. package/src/authentication/providers/EmailOTP.ts +84 -0
  40. package/src/authentication/providers/EmailPassword.test.ts +176 -0
  41. package/src/authentication/providers/EmailPassword.ts +116 -0
  42. package/src/authentication/providers/EmailPasswordSRP.test.ts +208 -0
  43. package/src/authentication/providers/EmailPasswordSRP.ts +179 -0
  44. package/src/authentication/providers/GitHub.ts +24 -0
  45. package/src/authentication/providers/Google.ts +24 -0
  46. package/src/authentication/providers/OAuth.test.ts +185 -0
  47. package/src/authentication/providers/OAuth.ts +106 -0
  48. package/src/authentication/providers/PhonePassword.test.ts +176 -0
  49. package/src/authentication/providers/PhonePassword.ts +115 -0
  50. package/src/authentication/providers/QRCodeOTP.test.ts +77 -0
  51. package/src/authentication/providers/QRCodeOTP.ts +58 -0
  52. package/src/authentication/providers/index.ts +6 -0
  53. package/src/authentication/resolvers/refreshResolver.test.ts +30 -0
  54. package/src/authentication/resolvers/refreshResolver.ts +19 -0
  55. package/src/authentication/resolvers/signInWithResolver.inte.test.ts +59 -0
  56. package/src/authentication/resolvers/signInWithResolver.test.ts +293 -0
  57. package/src/authentication/resolvers/signInWithResolver.ts +92 -0
  58. package/src/authentication/resolvers/signOutResolver.test.ts +38 -0
  59. package/src/authentication/resolvers/signOutResolver.ts +18 -0
  60. package/src/authentication/resolvers/signUpWithResolver.test.ts +180 -0
  61. package/src/authentication/resolvers/signUpWithResolver.ts +65 -0
  62. package/src/authentication/resolvers/verifyChallenge.test.ts +133 -0
  63. package/src/authentication/resolvers/verifyChallenge.ts +62 -0
  64. package/src/authentication/roles.test.ts +49 -0
  65. package/src/authentication/roles.ts +40 -0
  66. package/src/authentication/utils.test.ts +97 -0
  67. package/src/authentication/utils.ts +39 -0
  68. package/src/cache/InMemoryCache.test.ts +62 -0
  69. package/src/cache/InMemoryCache.ts +45 -0
  70. package/src/cron/index.test.ts +17 -0
  71. package/src/cron/index.ts +43 -0
  72. package/src/database/DatabaseController.test.ts +613 -0
  73. package/src/database/DatabaseController.ts +1007 -0
  74. package/src/database/index.test.ts +1372 -0
  75. package/src/database/index.ts +9 -0
  76. package/src/database/interface.ts +302 -0
  77. package/src/email/DevAdapter.ts +7 -0
  78. package/src/email/EmailController.test.ts +29 -0
  79. package/src/email/EmailController.ts +13 -0
  80. package/src/email/index.ts +2 -0
  81. package/src/email/interface.ts +36 -0
  82. package/src/email/templates/sendOtpCode.ts +120 -0
  83. package/src/file/FileController.ts +28 -0
  84. package/src/file/FileDevAdapter.ts +51 -0
  85. package/src/file/hookDeleteFile.ts +25 -0
  86. package/src/file/hookReadFile.ts +66 -0
  87. package/src/file/hookUploadFile.ts +50 -0
  88. package/src/file/index.test.ts +932 -0
  89. package/src/file/index.ts +2 -0
  90. package/src/file/interface.ts +39 -0
  91. package/src/graphql/GraphQLSchema.test.ts +4408 -0
  92. package/src/graphql/GraphQLSchema.ts +880 -0
  93. package/src/graphql/index.ts +2 -0
  94. package/src/graphql/parseGraphqlSchema.ts +85 -0
  95. package/src/graphql/parser.test.ts +203 -0
  96. package/src/graphql/parser.ts +542 -0
  97. package/src/graphql/pointerAndRelationFunction.ts +191 -0
  98. package/src/graphql/resolvers.ts +442 -0
  99. package/src/graphql/tests/aggregation.test.ts +1115 -0
  100. package/src/graphql/tests/e2e.test.ts +590 -0
  101. package/src/graphql/tests/scalars.test.ts +250 -0
  102. package/src/graphql/types.ts +227 -0
  103. package/src/hooks/HookObject.test.ts +122 -0
  104. package/src/hooks/HookObject.ts +165 -0
  105. package/src/hooks/authentication.ts +67 -0
  106. package/src/hooks/createUser.test.ts +77 -0
  107. package/src/hooks/createUser.ts +10 -0
  108. package/src/hooks/defaultFields.test.ts +176 -0
  109. package/src/hooks/defaultFields.ts +32 -0
  110. package/src/hooks/deleteSession.test.ts +181 -0
  111. package/src/hooks/deleteSession.ts +20 -0
  112. package/src/hooks/hashFieldHook.test.ts +152 -0
  113. package/src/hooks/hashFieldHook.ts +89 -0
  114. package/src/hooks/index.test.ts +258 -0
  115. package/src/hooks/index.ts +414 -0
  116. package/src/hooks/permissions.test.ts +412 -0
  117. package/src/hooks/permissions.ts +93 -0
  118. package/src/hooks/protected.test.ts +551 -0
  119. package/src/hooks/protected.ts +60 -0
  120. package/src/hooks/searchableFields.test.ts +147 -0
  121. package/src/hooks/searchableFields.ts +86 -0
  122. package/src/hooks/session.test.ts +134 -0
  123. package/src/hooks/session.ts +76 -0
  124. package/src/hooks/setEmail.test.ts +216 -0
  125. package/src/hooks/setEmail.ts +33 -0
  126. package/src/hooks/setupAcl.test.ts +618 -0
  127. package/src/hooks/setupAcl.ts +25 -0
  128. package/src/index.ts +9 -0
  129. package/src/schema/Schema.test.ts +482 -0
  130. package/src/schema/Schema.ts +757 -0
  131. package/src/schema/defaultResolvers.ts +93 -0
  132. package/src/schema/index.ts +1 -0
  133. package/src/schema/resolvers/meResolver.test.ts +62 -0
  134. package/src/schema/resolvers/meResolver.ts +10 -0
  135. package/src/schema/resolvers/resetPassword.test.ts +341 -0
  136. package/src/schema/resolvers/resetPassword.ts +63 -0
  137. package/src/schema/resolvers/sendEmail.test.ts +118 -0
  138. package/src/schema/resolvers/sendEmail.ts +21 -0
  139. package/src/schema/resolvers/sendOtpCode.test.ts +141 -0
  140. package/src/schema/resolvers/sendOtpCode.ts +52 -0
  141. package/src/security.test.ts +3434 -0
  142. package/src/server/defaultSessionHandler.test.ts +62 -0
  143. package/src/server/defaultSessionHandler.ts +105 -0
  144. package/src/server/generateCodegen.ts +433 -0
  145. package/src/server/index.test.ts +532 -0
  146. package/src/server/index.ts +334 -0
  147. package/src/server/interface.ts +11 -0
  148. package/src/server/routes/authHandler.ts +169 -0
  149. package/src/server/routes/index.ts +39 -0
  150. package/src/utils/crypto.test.ts +41 -0
  151. package/src/utils/crypto.ts +105 -0
  152. package/src/utils/export.ts +11 -0
  153. package/src/utils/helper.ts +204 -0
  154. package/src/utils/index.test.ts +11 -0
  155. package/src/utils/index.ts +189 -0
  156. package/src/utils/preload.ts +8 -0
  157. package/src/utils/testHelper.ts +116 -0
  158. package/tsconfig.json +32 -0
  159. package/bunfig.toml +0 -4
  160. package/dist/ai/index.d.ts +0 -1
  161. package/dist/ai/interface.d.ts +0 -9
  162. /package/dist/server/{defaultHandlers.d.ts → defaultSessionHandler.d.ts} +0 -0
package/src/security.test.ts ADDED
@@ -0,0 +1,3434 @@
1
+ import { describe, it, expect } from 'bun:test'
2
+ import { decode, sign } from 'jsonwebtoken'
3
+ import { gql } from 'graphql-request'
4
+ import {
5
+ getAdminUserClient,
6
+ getGraphqlClient,
7
+ getAnonymousClient,
8
+ createUserAndUpdateRole,
9
+ getUserClient,
10
+ } from './utils/helper'
11
+ import { setupTests, closeTests } from './utils/testHelper'
12
+ import { RoleEnum } from 'generated/wabe'
13
+ import { Session } from './authentication/Session'
14
+
15
+ describe('Security tests', () => {
16
+ it('should not return private fields (acl) on createObject, getObject and getObjects if not root', async () => {
17
+ const setup = await setupTests([
18
+ {
19
+ name: 'Secret',
20
+ fields: {
21
+ name: { type: 'String' },
22
+ },
23
+ permissions: {
24
+ create: {
25
+ requireAuthentication: true,
26
+ authorizedRoles: ['Client'],
27
+ },
28
+ read: {
29
+ requireAuthentication: true,
30
+ authorizedRoles: ['Client'],
31
+ },
32
+ acl: async (hookObject) => {
33
+ await hookObject.addACL('roles', {
34
+ read: true,
35
+ write: true,
36
+ role: RoleEnum.Client,
37
+ })
38
+ },
39
+ },
40
+ },
41
+ ])
42
+
43
+ const wabe = setup.wabe
44
+ const port = setup.port
45
+ const client = getAnonymousClient(port)
46
+ const rootClient = getGraphqlClient(port)
47
+
48
+ const { userClient } = await createUserAndUpdateRole({
49
+ anonymousClient: client,
50
+ port,
51
+ roleName: 'Client',
52
+ rootClient,
53
+ })
54
+
55
+ const res = await userClient.request<any>(gql`
56
+ mutation createSecret {
57
+ createSecret(input: { fields: { name: "n" } }) {
58
+ secret {
59
+ id
60
+ acl {
61
+ roles {
62
+ roleId
63
+ read
64
+ write
65
+ }
66
+ }
67
+ }
68
+ }
69
+ }
70
+ `)
71
+
72
+ expect(res.createSecret.secret.acl).toBeNull()
73
+
74
+ const res2 = await userClient.request<any>(gql`
75
+ query secret {
76
+ secret(id: "${res.createSecret.secret.id}") {
77
+ id
78
+ acl {
79
+ roles {
80
+ roleId
81
+ read
82
+ write
83
+ }
84
+ }
85
+ }
86
+ }
87
+ `)
88
+
89
+ expect(res2.secret.acl).toBeNull()
90
+
91
+ const res3 = await userClient.request<any>(gql`
92
+ query secrets {
93
+ secrets {
94
+ edges {
95
+ node {
96
+ id
97
+ acl {
98
+ roles {
99
+ roleId
100
+ read
101
+ write
102
+ }
103
+ }
104
+ }
105
+ }
106
+ }
107
+ }
108
+ `)
109
+
110
+ expect(res3.secrets.edges[0].node.acl).toBeNull()
111
+
112
+ const res4 = await rootClient.request<any>(gql`
113
+ query secret {
114
+ secret(id: "${res.createSecret.secret.id}") {
115
+ id
116
+ name
117
+ acl {
118
+ roles {
119
+ roleId
120
+ read
121
+ write
122
+ }
123
+ }
124
+ }
125
+ }
126
+ `)
127
+
128
+ expect(res4.secret.acl.roles).not.toBeNull()
129
+
130
+ await closeTests(wabe)
131
+ })
132
+
133
+ it('should block requests without a valid CSRF token', async () => {
134
+ const setup = await setupTests(
135
+ [
136
+ {
137
+ name: 'TestCSRF',
138
+ fields: {
139
+ name: { type: 'String' },
140
+ },
141
+ permissions: {
142
+ create: {
143
+ authorizedRoles: ['Client'],
144
+ requireAuthentication: true,
145
+ },
146
+ read: {
147
+ authorizedRoles: ['Client'],
148
+ requireAuthentication: true,
149
+ },
150
+ },
151
+ },
152
+ ],
153
+ { disableCSRFProtection: false },
154
+ )
155
+
156
+ const wabe = setup.wabe
157
+ const port = setup.port
158
+ const client = getAnonymousClient(port)
159
+ const rootClient = getGraphqlClient(port)
160
+
161
+ const { userClient, accessToken, userId } = await createUserAndUpdateRole({
162
+ anonymousClient: client,
163
+ port,
164
+ roleName: 'Client',
165
+ rootClient,
166
+ })
167
+
168
+ expect(
169
+ userClient.request(gql`
170
+ mutation createTestCSRF {
171
+ createTestCSRF(input: { fields: { name: "CSRF Test" } }) {
172
+ testCSRF {
173
+ id
174
+ }
175
+ }
176
+ }
177
+ `),
178
+ ).rejects.toThrow('Permission denied to create class TestCSRF')
179
+
180
+ const invalidCsrfClient = getUserClient(port, {
181
+ accessToken,
182
+ })
183
+ expect(
184
+ invalidCsrfClient.request(gql`
185
+ mutation createTestCSRF {
186
+ createTestCSRF(input: { fields: { name: "CSRF Test" } }) {
187
+ testCSRF {
188
+ id
189
+ }
190
+ }
191
+ }
192
+ `),
193
+ ).rejects.toThrow('Permission denied to create class TestCSRF')
194
+
195
+ const session = new Session()
196
+
197
+ const { csrfToken, accessToken: validAccessToken } = await session.create(userId, {
198
+ wabe,
199
+ isRoot: false,
200
+ })
201
+
202
+ const validCsrfClient = getUserClient(port, {
203
+ accessToken: validAccessToken,
204
+ csrfToken,
205
+ })
206
+
207
+ const res = await validCsrfClient.request<any>(gql`
208
+ mutation createTestCSRF {
209
+ createTestCSRF(input: { fields: { name: "CSRF Test" } }) {
210
+ testCSRF {
211
+ id
212
+ }
213
+ }
214
+ }
215
+ `)
216
+
217
+ expect(res.createTestCSRF.testCSRF.id).toBeDefined()
218
+
219
+ await closeTests(wabe)
220
+ })
221
+
222
+ it('should not block requests without a valid CSRF token if security.csrfToken is to false', async () => {
223
+ const setup = await setupTests([
224
+ {
225
+ name: 'TestCSRF',
226
+ fields: {
227
+ name: { type: 'String' },
228
+ },
229
+ permissions: {
230
+ create: {
231
+ authorizedRoles: ['Client'],
232
+ requireAuthentication: true,
233
+ },
234
+ read: {
235
+ authorizedRoles: ['Client'],
236
+ requireAuthentication: true,
237
+ },
238
+ },
239
+ },
240
+ ])
241
+
242
+ const wabe = setup.wabe
243
+ const port = setup.port
244
+ const client = getAnonymousClient(port)
245
+ const rootClient = getGraphqlClient(port)
246
+
247
+ const { accessToken } = await createUserAndUpdateRole({
248
+ anonymousClient: client,
249
+ port,
250
+ roleName: 'Client',
251
+ rootClient,
252
+ })
253
+
254
+ const invalidCsrfClient = getUserClient(port, {
255
+ accessToken,
256
+ })
257
+
258
+ const res = await invalidCsrfClient.request<any>(gql`
259
+ mutation createTestCSRF {
260
+ createTestCSRF(input: { fields: { name: "CSRF Test" } }) {
261
+ testCSRF {
262
+ id
263
+ }
264
+ }
265
+ }
266
+ `)
267
+
268
+ expect(res.createTestCSRF.testCSRF.id).toBeDefined()
269
+
270
+ await closeTests(wabe)
271
+ })
272
+
273
+ it('should not return protected fields in creation response when user is not authorized to read them', async () => {
274
+ const setup = await setupTests([
275
+ {
276
+ name: 'Secret',
277
+ fields: {
278
+ name: { type: 'String' },
279
+ secret: {
280
+ type: 'String',
281
+ protected: {
282
+ protectedOperations: ['read'],
283
+ authorizedRoles: ['Admin'],
284
+ },
285
+ },
286
+ },
287
+ permissions: {
288
+ create: {
289
+ requireAuthentication: true,
290
+ authorizedRoles: ['Client'],
291
+ },
292
+ read: {
293
+ requireAuthentication: true,
294
+ authorizedRoles: ['Client'],
295
+ },
296
+ },
297
+ },
298
+ ])
299
+
300
+ const wabe = setup.wabe
301
+ const port = setup.port
302
+ const client = getAnonymousClient(port)
303
+ const rootClient = getGraphqlClient(port)
304
+
305
+ const { userClient } = await createUserAndUpdateRole({
306
+ anonymousClient: client,
307
+ port,
308
+ roleName: 'Client',
309
+ rootClient,
310
+ })
311
+
312
+ expect(
313
+ userClient.request<any>(gql`
314
+ mutation createSecret {
315
+ createSecret(input: { fields: { name: "n", secret: "s" } }) {
316
+ secret {
317
+ id
318
+ secret
319
+ }
320
+ }
321
+ }
322
+ `),
323
+ ).rejects.toThrow('You are not authorized to read this field')
324
+
325
+ await closeTests(wabe)
326
+ })
327
+
328
+ it('should apply ACL filtering to count queries', async () => {
329
+ const setup = await setupTests([
330
+ {
331
+ name: 'CountAcl',
332
+ fields: {
333
+ name: { type: 'String' },
334
+ },
335
+ permissions: {
336
+ create: {
337
+ requireAuthentication: true,
338
+ authorizedRoles: ['Client'],
339
+ },
340
+ read: {
341
+ requireAuthentication: true,
342
+ authorizedRoles: ['Client'],
343
+ },
344
+ acl: async (hookObject) => {
345
+ await hookObject.addACL('users', null)
346
+ await hookObject.addACL('roles', null)
347
+ },
348
+ },
349
+ },
350
+ ])
351
+
352
+ const wabe = setup.wabe
353
+ const port = setup.port
354
+ const client = getAnonymousClient(port)
355
+ const rootClient = getGraphqlClient(port)
356
+
357
+ const { userClient } = await createUserAndUpdateRole({
358
+ anonymousClient: client,
359
+ port,
360
+ roleName: 'Client',
361
+ rootClient,
362
+ })
363
+
364
+ await rootClient.request<any>(gql`
365
+ mutation createCountAcl {
366
+ createCountAcl(input: { fields: { name: "toto" } }) {
367
+ countAcl {
368
+ id
369
+ }
370
+ }
371
+ }
372
+ `)
373
+
374
+ const res = await userClient.request<any>(gql`
375
+ query countAcls {
376
+ countAcls {
377
+ totalCount
378
+ }
379
+ }
380
+ `)
381
+
382
+ expect(res.countAcls.totalCount).toEqual(0)
383
+
384
+ await closeTests(wabe)
385
+ })
386
+
387
+ it('should block GraphQL introspection queries for anonymous and authenticated users for isProduction server', async () => {
388
+ const setup = await setupTests([], { isProduction: true })
389
+ const wabe = setup.wabe
390
+ const port = setup.port
391
+ const client = getAnonymousClient(port)
392
+ const rootClient = getGraphqlClient(port)
393
+
394
+ // Test pour un utilisateur anonyme
395
+ expect(
396
+ client.request(gql`
397
+ query IntrospectionQuery {
398
+ __schema {
399
+ types {
400
+ name
401
+ }
402
+ }
403
+ }
404
+ `),
405
+ ).rejects.toThrow('GraphQL introspection is not allowed in production')
406
+
407
+ // Test pour un utilisateur authentifié (même un admin)
408
+ const { userClient } = await createUserAndUpdateRole({
409
+ anonymousClient: client,
410
+ port,
411
+ roleName: 'Admin',
412
+ rootClient,
413
+ })
414
+
415
+ expect(
416
+ userClient.request(gql`
417
+ query IntrospectionQuery {
418
+ __schema {
419
+ types {
420
+ name
421
+ }
422
+ }
423
+ }
424
+ `),
425
+ ).rejects.toThrow('GraphQL introspection is not allowed in production')
426
+
427
+ await closeTests(wabe)
428
+ })
429
+
430
+ it('should return null if the accessToken is an invalid accessToken', async () => {
431
+ const setup = await setupTests()
432
+ const wabe = setup.wabe
433
+ const port = setup.port
434
+ const rootClient = getGraphqlClient(port)
435
+
436
+ const { accessToken } = await createUserAndUpdateRole({
437
+ anonymousClient: getAnonymousClient(port),
438
+ port,
439
+ roleName: 'Client',
440
+ rootClient,
441
+ })
442
+
443
+ const decoded = decode(accessToken) as any
444
+
445
+ const invalidToken = sign(
446
+ {
447
+ ...decoded,
448
+ sub: 'fake-user-id',
449
+ },
450
+ 'dev',
451
+ )
452
+
453
+ const userClient = getUserClient(port, { accessToken: invalidToken })
454
+
455
+ const res = await userClient.request<any>(gql`
456
+ query me {
457
+ me {
458
+ user {
459
+ id
460
+ }
461
+ }
462
+ }
463
+ `)
464
+
465
+ expect(res.me.user).toBeNull()
466
+
467
+ await closeTests(wabe)
468
+ })
469
+
470
+ it('should throw an error if try to access to a class with empty authorizedRoles but not requireAuthentication', async () => {
471
+ const setup = await setupTests([
472
+ {
473
+ name: 'Test',
474
+ fields: {
475
+ name: {
476
+ type: 'String',
477
+ },
478
+ },
479
+ permissions: {
480
+ read: {
481
+ authorizedRoles: [],
482
+ },
483
+ },
484
+ },
485
+ ])
486
+ const wabe = setup.wabe
487
+ const port = setup.port
488
+ const client = getAnonymousClient(port)
489
+
490
+ expect(
491
+ client.request(gql`
492
+ query tests {
493
+ tests {
494
+ totalCount
495
+ }
496
+ }
497
+ `),
498
+ ).rejects.toThrow('Permission denied to read class Test')
499
+
500
+ await closeTests(wabe)
501
+ })
502
+
503
+ it('should throw an error if try to count the number of objects in anonymous', async () => {
504
+ const setup = await setupTests([
505
+ {
506
+ name: 'Test',
507
+ fields: {
508
+ name: {
509
+ type: 'String',
510
+ },
511
+ },
512
+ permissions: {
513
+ read: {
514
+ authorizedRoles: [],
515
+ requireAuthentication: true,
516
+ },
517
+ },
518
+ },
519
+ ])
520
+ const wabe = setup.wabe
521
+ const port = setup.port
522
+ const client = getAnonymousClient(port)
523
+
524
+ expect(
525
+ client.request(gql`
526
+ query tests {
527
+ tests {
528
+ totalCount
529
+ }
530
+ }
531
+ `),
532
+ ).rejects.toThrow('Permission denied to read class Test')
533
+
534
+ await closeTests(wabe)
535
+ })
536
+
537
+ it('should throw an error when I try to update and create ACL field without root access', async () => {
538
+ const setup = await setupTests([
539
+ {
540
+ name: 'Test',
541
+ fields: {
542
+ name: {
543
+ type: 'String',
544
+ },
545
+ },
546
+ permissions: {
547
+ create: {
548
+ authorizedRoles: ['Client'],
549
+ requireAuthentication: true,
550
+ },
551
+ read: {
552
+ authorizedRoles: ['Client'],
553
+ requireAuthentication: true,
554
+ },
555
+ update: {
556
+ authorizedRoles: ['Client'],
557
+ requireAuthentication: true,
558
+ },
559
+ },
560
+ },
561
+ ])
562
+ const wabe = setup.wabe
563
+ const port = setup.port
564
+ const rootClient = getGraphqlClient(port)
565
+
566
+ const { userClient } = await createUserAndUpdateRole({
567
+ anonymousClient: getAnonymousClient(port),
568
+ port,
569
+ roleName: 'Client',
570
+ rootClient,
571
+ })
572
+
573
+ const res = await userClient.request<any>(gql`
574
+ mutation createTest {
575
+ createTest(input: { fields: { name: "Test" } }) {
576
+ test {
577
+ id
578
+ }
579
+ }
580
+ }
581
+ `)
582
+
583
+ const testId = res.createTest.test.id
584
+
585
+ expect(
586
+ userClient.request(gql`
587
+ mutation updateTest {
588
+ updateTest(input: {id: "${testId}", fields: {acl: {users: [{userId: "2"}]}}}) {
589
+ test {
590
+ id
591
+ }
592
+ }
593
+ }
594
+ `),
595
+ ).rejects.toThrow('You are not authorized to update this field')
596
+
597
+ expect(
598
+ userClient.request(gql`
599
+ mutation createTest {
600
+ createTest(input: { fields: { acl: { users: [{ userId: "2" }] } } }) {
601
+ test {
602
+ id
603
+ }
604
+ }
605
+ }
606
+ `),
607
+ ).rejects.toThrow('You are not authorized to create this field')
608
+
609
+ await closeTests(wabe)
610
+ })
611
+
612
+ it('should throw an error when I try to create an user with a role without root access', async () => {
613
+ const setup = await setupTests()
614
+ const wabe = setup.wabe
615
+ const port = setup.port
616
+ const client = getAnonymousClient(port)
617
+
618
+ const adminRole = await wabe.controllers.database.getObjects({
619
+ className: 'Role',
620
+ where: {
621
+ name: { equalTo: 'Admin' },
622
+ },
623
+ first: 1,
624
+ select: { id: true },
625
+ context: {
626
+ wabe,
627
+ isRoot: true,
628
+ },
629
+ })
630
+
631
+ expect(
632
+ client.request(gql`
633
+ mutation createUser {
634
+ createUser(input: { fields: {role: {link: "${adminRole[0]?.id}"}} }) {
635
+ user {
636
+ id
637
+ }
638
+ }
639
+ }
640
+ `),
641
+ ).rejects.toThrow('You are not authorized to create this field')
642
+
643
+ await closeTests(wabe)
644
+ })
645
+
646
+ it('should not be able to update role pointer in the User class', async () => {
647
+ const setup = await setupTests()
648
+ const wabe = setup.wabe
649
+ const port = setup.port
650
+ const rootClient = getGraphqlClient(port)
651
+
652
+ const { userId } = await createUserAndUpdateRole({
653
+ anonymousClient: getAnonymousClient(port),
654
+ port,
655
+ roleName: 'Client',
656
+ rootClient,
657
+ })
658
+
659
+ expect(
660
+ wabe.controllers.database.updateObject({
661
+ className: 'User',
662
+ id: userId,
663
+ context: {
664
+ wabe,
665
+ isRoot: false,
666
+ },
667
+ data: {
668
+ role: 'newid',
669
+ },
670
+ }),
671
+ ).rejects.toThrow('You are not authorized to update this field')
672
+
673
+ await closeTests(wabe)
674
+ })
675
+
676
+ it('should not be able to create / update sessions relation in the User class', async () => {
677
+ const setup = await setupTests()
678
+ const wabe = setup.wabe
679
+ const port = setup.port
680
+ const rootClient = getGraphqlClient(port)
681
+
682
+ const { userId } = await createUserAndUpdateRole({
683
+ anonymousClient: getAnonymousClient(port),
684
+ port,
685
+ roleName: 'Client',
686
+ rootClient,
687
+ })
688
+
689
+ expect(
690
+ wabe.controllers.database.updateObject({
691
+ className: 'User',
692
+ id: userId,
693
+ context: {
694
+ wabe,
695
+ isRoot: false,
696
+ },
697
+ data: {
698
+ sessions: ['newid'],
699
+ },
700
+ }),
701
+ ).rejects.toThrow('You are not authorized to update this field')
702
+
703
+ expect(
704
+ wabe.controllers.database.createObject({
705
+ className: 'User',
706
+ context: {
707
+ wabe,
708
+ isRoot: false,
709
+ },
710
+ data: {
711
+ sessions: ['newid'],
712
+ },
713
+ }),
714
+ ).rejects.toThrow('You are not authorized to create this field')
715
+
716
+ await closeTests(wabe)
717
+ })
718
+
719
+ it("should throw an error if the user tries to delete an object and doesn't have access to read the object", async () => {
720
+ const setup = await setupTests([
721
+ {
722
+ name: 'Test1',
723
+ fields: {
724
+ name: {
725
+ type: 'String',
726
+ },
727
+ },
728
+ permissions: {
729
+ read: {
730
+ authorizedRoles: [],
731
+ requireAuthentication: true,
732
+ },
733
+ create: {
734
+ authorizedRoles: ['Client'],
735
+ requireAuthentication: true,
736
+ },
737
+ delete: {
738
+ authorizedRoles: ['Client'],
739
+ requireAuthentication: true,
740
+ },
741
+ },
742
+ },
743
+ ])
744
+ const wabe = setup.wabe
745
+ const port = setup.port
746
+ const rootClient = getGraphqlClient(port)
747
+
748
+ const { userClient } = await createUserAndUpdateRole({
749
+ anonymousClient: getAnonymousClient(port),
750
+ port,
751
+ roleName: 'Client',
752
+ rootClient,
753
+ })
754
+
755
+ const res = await rootClient.request<any>(gql`
756
+ mutation createTest1 {
757
+ createTest1(input: { fields: { name: "test1" } }) {
758
+ test1 {
759
+ id
760
+ }
761
+ }
762
+ }
763
+ `)
764
+
765
+ expect(
766
+ userClient.request(gql`
767
+ mutation deleteTest1{
768
+ deleteTest1(input: {id: "${res.createTest1.test1.id}"}) {
769
+ test1 {
770
+ id
771
+ }
772
+ }
773
+ }
774
+ `),
775
+ ).rejects.toThrow('Permission denied to read class Test1')
776
+
777
+ expect(
778
+ userClient.request(gql`
779
+ mutation deleteTest1s {
780
+ deleteTest1s(input: { where: { name: { equalTo: "test1" } } }) {
781
+ edges {
782
+ node {
783
+ id
784
+ }
785
+ }
786
+ }
787
+ }
788
+ `),
789
+ ).rejects.toThrow('Permission denied to read class Test1')
790
+
791
+ await closeTests(wabe)
792
+ })
793
+
794
+ it("should throw an error if the user try to update an object and doesn't have access to read the object", async () => {
795
+ const setup = await setupTests([
796
+ {
797
+ name: 'Test1',
798
+ fields: {
799
+ name: {
800
+ type: 'String',
801
+ },
802
+ },
803
+ permissions: {
804
+ read: {
805
+ authorizedRoles: [],
806
+ requireAuthentication: true,
807
+ },
808
+ create: {
809
+ authorizedRoles: ['Client'],
810
+ requireAuthentication: true,
811
+ },
812
+ update: {
813
+ authorizedRoles: ['Client'],
814
+ requireAuthentication: true,
815
+ },
816
+ },
817
+ },
818
+ ])
819
+ const wabe = setup.wabe
820
+ const port = setup.port
821
+ const rootClient = getGraphqlClient(port)
822
+
823
+ const { userClient } = await createUserAndUpdateRole({
824
+ anonymousClient: getAnonymousClient(port),
825
+ port,
826
+ roleName: 'Client',
827
+ rootClient,
828
+ })
829
+
830
+ const res = await rootClient.request<any>(gql`
831
+ mutation createTest1 {
832
+ createTest1(input: { fields: { name: "test1" } }) {
833
+ test1 {
834
+ id
835
+ }
836
+ }
837
+ }
838
+ `)
839
+
840
+ expect(
841
+ userClient.request(gql`
842
+ mutation updateTest1{
843
+ updateTest1(input: {id: "${res.createTest1.test1.id}", fields: {name: "test1"}}) {
844
+ test1 {
845
+ id
846
+ }
847
+ }
848
+ }
849
+ `),
850
+ ).rejects.toThrow('Permission denied to read class Test1')
851
+
852
+ expect(
853
+ userClient.request(gql`
854
+ mutation updateTest1s {
855
+ updateTest1s(input: { where: { name: { equalTo: "test1" } }, fields: { name: "test1" } }) {
856
+ edges {
857
+ node {
858
+ id
859
+ }
860
+ }
861
+ }
862
+ }
863
+ `),
864
+ ).rejects.toThrow('Permission denied to read class Test1')
865
+
866
+ await closeTests(wabe)
867
+ })
868
+
869
+ it('should not create object in relation if not have permission to create', async () => {
870
+ const setup = await setupTests([
871
+ {
872
+ name: 'Test1',
873
+ fields: {
874
+ name: {
875
+ type: 'String',
876
+ },
877
+ },
878
+ permissions: {
879
+ read: {
880
+ authorizedRoles: ['Admin'],
881
+ requireAuthentication: true,
882
+ },
883
+ create: {
884
+ authorizedRoles: ['Admin'],
885
+ requireAuthentication: true,
886
+ },
887
+ },
888
+ },
889
+ {
890
+ name: 'Test2',
891
+ fields: {
892
+ field1: {
893
+ type: 'Relation',
894
+ class: 'Test1',
895
+ },
896
+ field2: {
897
+ type: 'Pointer',
898
+ class: 'Test1',
899
+ },
900
+ },
901
+ permissions: {
902
+ read: {
903
+ authorizedRoles: ['Client'],
904
+ requireAuthentication: true,
905
+ },
906
+ create: {
907
+ authorizedRoles: ['Client'],
908
+ requireAuthentication: true,
909
+ },
910
+ },
911
+ },
912
+ ])
913
+ const wabe = setup.wabe
914
+ const port = setup.port
915
+ const client = getAnonymousClient(port)
916
+ const rootClient = getGraphqlClient(port)
917
+
918
+ const { userClient } = await createUserAndUpdateRole({
919
+ anonymousClient: client,
920
+ port,
921
+ roleName: 'Client',
922
+ rootClient,
923
+ })
924
+
925
+ expect(
926
+ userClient.request<any>(gql`
927
+ mutation createTest2 {
928
+ createTest2(input: { fields: { field1: { createAndAdd: [{ name: "toto" }] } } }) {
929
+ test2 {
930
+ id
931
+ }
932
+ }
933
+ }
934
+ `),
935
+ ).rejects.toThrow('Permission denied to create class Test1')
936
+
937
+ await closeTests(wabe)
938
+ })
939
+
940
+ it('should not create object in pointer if not have permission to create', async () => {
941
+ const setup = await setupTests([
942
+ {
943
+ name: 'Test1',
944
+ fields: {
945
+ name: {
946
+ type: 'String',
947
+ },
948
+ },
949
+ permissions: {
950
+ read: {
951
+ authorizedRoles: ['Admin'],
952
+ requireAuthentication: true,
953
+ },
954
+ create: {
955
+ authorizedRoles: ['Admin'],
956
+ requireAuthentication: true,
957
+ },
958
+ },
959
+ },
960
+ {
961
+ name: 'Test2',
962
+ fields: {
963
+ field1: {
964
+ type: 'Relation',
965
+ class: 'Test1',
966
+ },
967
+ field2: {
968
+ type: 'Pointer',
969
+ class: 'Test1',
970
+ },
971
+ },
972
+ permissions: {
973
+ read: {
974
+ authorizedRoles: ['Client'],
975
+ requireAuthentication: true,
976
+ },
977
+ create: {
978
+ authorizedRoles: ['Client'],
979
+ requireAuthentication: true,
980
+ },
981
+ },
982
+ },
983
+ ])
984
+ const wabe = setup.wabe
985
+ const port = setup.port
986
+ const client = getAnonymousClient(port)
987
+ const rootClient = getGraphqlClient(port)
988
+
989
+ const { userClient } = await createUserAndUpdateRole({
990
+ anonymousClient: client,
991
+ port,
992
+ roleName: 'Client',
993
+ rootClient,
994
+ })
995
+
996
+ expect(
997
+ userClient.request<any>(gql`
998
+ mutation createTest2 {
999
+ createTest2(input: { fields: { field2: { createAndLink: { name: "toto" } } } }) {
1000
+ test2 {
1001
+ id
1002
+ }
1003
+ }
1004
+ }
1005
+ `),
1006
+ ).rejects.toThrow('Permission denied to create class Test1')
1007
+
1008
+ await closeTests(wabe)
1009
+ })
1010
+
1011
+ it("should not be able to access to a relation if user doesn't have access on read", async () => {
1012
+ const setup = await setupTests([
1013
+ {
1014
+ name: 'Test1',
1015
+ fields: {
1016
+ name: {
1017
+ type: 'String',
1018
+ },
1019
+ },
1020
+ permissions: {
1021
+ read: {
1022
+ authorizedRoles: ['Admin'],
1023
+ requireAuthentication: true,
1024
+ },
1025
+ create: {
1026
+ authorizedRoles: ['Admin'],
1027
+ requireAuthentication: true,
1028
+ },
1029
+ },
1030
+ },
1031
+ {
1032
+ name: 'Test2',
1033
+ fields: {
1034
+ field1: {
1035
+ type: 'Relation',
1036
+ class: 'Test1',
1037
+ },
1038
+ field2: {
1039
+ type: 'Pointer',
1040
+ class: 'Test1',
1041
+ },
1042
+ },
1043
+ permissions: {
1044
+ read: {
1045
+ authorizedRoles: ['Client'],
1046
+ requireAuthentication: true,
1047
+ },
1048
+ create: {
1049
+ authorizedRoles: ['Client'],
1050
+ requireAuthentication: true,
1051
+ },
1052
+ },
1053
+ },
1054
+ ])
1055
+ const wabe = setup.wabe
1056
+ const port = setup.port
1057
+ const client = getAnonymousClient(port)
1058
+ const rootClient = getGraphqlClient(port)
1059
+
1060
+ await rootClient.request<any>(gql`
1061
+ mutation createTest2 {
1062
+ createTest2(input: { fields: { field1: { createAndAdd: [{ name: "toto" }] } } }) {
1063
+ test2 {
1064
+ id
1065
+ }
1066
+ }
1067
+ }
1068
+ `)
1069
+
1070
+ const { userClient } = await createUserAndUpdateRole({
1071
+ anonymousClient: client,
1072
+ port,
1073
+ roleName: 'Client',
1074
+ rootClient,
1075
+ })
1076
+
1077
+ expect(
1078
+ userClient.request(gql`
1079
+ query test2s {
1080
+ test2s {
1081
+ edges {
1082
+ node {
1083
+ id
1084
+ field1 {
1085
+ edges {
1086
+ node {
1087
+ id
1088
+ }
1089
+ }
1090
+ }
1091
+ }
1092
+ }
1093
+ }
1094
+ }
1095
+ `),
1096
+ ).rejects.toThrow('Permission denied to read class Test1')
1097
+
1098
+ await closeTests(wabe)
1099
+ })
1100
+
1101
+ it("should not be able to access to a pointer if user doesn't have access on read", async () => {
1102
+ const setup = await setupTests([
1103
+ {
1104
+ name: 'Test1',
1105
+ fields: {
1106
+ name: {
1107
+ type: 'String',
1108
+ },
1109
+ },
1110
+ permissions: {
1111
+ read: {
1112
+ authorizedRoles: ['Admin'],
1113
+ requireAuthentication: true,
1114
+ },
1115
+ create: {
1116
+ authorizedRoles: ['Admin'],
1117
+ requireAuthentication: true,
1118
+ },
1119
+ },
1120
+ },
1121
+ {
1122
+ name: 'Test2',
1123
+ fields: {
1124
+ field1: {
1125
+ type: 'Relation',
1126
+ class: 'Test1',
1127
+ },
1128
+ field2: {
1129
+ type: 'Pointer',
1130
+ class: 'Test1',
1131
+ },
1132
+ },
1133
+ permissions: {
1134
+ read: {
1135
+ authorizedRoles: ['Client'],
1136
+ requireAuthentication: true,
1137
+ },
1138
+ create: {
1139
+ authorizedRoles: ['Client'],
1140
+ requireAuthentication: true,
1141
+ },
1142
+ },
1143
+ },
1144
+ ])
1145
+ const wabe = setup.wabe
1146
+ const port = setup.port
1147
+ const client = getAnonymousClient(port)
1148
+ const rootClient = getGraphqlClient(port)
1149
+
1150
+ await rootClient.request<any>(gql`
1151
+ mutation createTest2 {
1152
+ createTest2(input: { fields: { field2: { createAndLink: { name: "toto" } } } }) {
1153
+ test2 {
1154
+ id
1155
+ }
1156
+ }
1157
+ }
1158
+ `)
1159
+
1160
+ const { userClient } = await createUserAndUpdateRole({
1161
+ anonymousClient: client,
1162
+ port,
1163
+ roleName: 'Client',
1164
+ rootClient,
1165
+ })
1166
+
1167
+ expect(
1168
+ userClient.request(gql`
1169
+ query test2s {
1170
+ test2s {
1171
+ edges {
1172
+ node {
1173
+ id
1174
+ field2 {
1175
+ id
1176
+ }
1177
+ }
1178
+ }
1179
+ }
1180
+ }
1181
+ `),
1182
+ ).rejects.toThrow('Permission denied to read class Test1')
1183
+
1184
+ await closeTests(wabe)
1185
+ })
1186
+
1187
+ it('should not be able to create / update / delete a role (except root)', async () => {
1188
+ const setup = await setupTests()
1189
+ const wabe = setup.wabe
1190
+
1191
+ const adminRole = await wabe.controllers.database.getObjects({
1192
+ className: 'Role',
1193
+ where: {
1194
+ name: { equalTo: 'Admin' },
1195
+ },
1196
+ first: 1,
1197
+ select: { id: true },
1198
+ context: {
1199
+ wabe,
1200
+ isRoot: true,
1201
+ },
1202
+ })
1203
+
1204
+ const adminRoleId = adminRole[0]?.id
1205
+
1206
+ const adminClient = await getAdminUserClient(wabe.config.port, wabe, {
1207
+ email: 'admin@wabe.dev',
1208
+ password: 'admin',
1209
+ })
1210
+
1211
+ expect(
1212
+ adminClient.request<any>(gql`
1213
+ mutation deleteRole {
1214
+ deleteRole(input: { id: "${adminRoleId}" }) {
1215
+ role {
1216
+ id
1217
+ }
1218
+ }
1219
+ }
1220
+ `),
1221
+ ).rejects.toThrowError('Permission denied to delete class Role')
1222
+
1223
+ expect(
1224
+ adminClient.request<any>(gql`
1225
+ mutation updateRole {
1226
+ updateRole(input: { id: "${adminRoleId}", fields: {name: "Admin2"} }) {
1227
+ role {
1228
+ id
1229
+ }
1230
+ }
1231
+ }
1232
+ `),
1233
+ ).rejects.toThrowError('Permission denied to update class Role')
1234
+
1235
+ expect(
1236
+ adminClient.request<any>(gql`
1237
+ mutation createRole {
1238
+ createRole(input: { fields: { name: "Admin2" } }) {
1239
+ role {
1240
+ id
1241
+ }
1242
+ }
1243
+ }
1244
+ `),
1245
+ ).rejects.toThrowError('Permission denied to create class Role')
1246
+
1247
+ await closeTests(wabe)
1248
+ })
1249
+
1250
+ it('should not be able to create / update / delete a session (except root)', async () => {
1251
+ const setup = await setupTests()
1252
+ const wabe = setup.wabe
1253
+
1254
+ const adminClient = await getAdminUserClient(wabe.config.port, wabe, {
1255
+ email: 'admin@wabe.dev',
1256
+ password: 'admin',
1257
+ })
1258
+
1259
+ expect(
1260
+ adminClient.request<any>(gql`
1261
+ mutation create_Session {
1262
+ create_Session(
1263
+ input: {
1264
+ fields: {
1265
+ accessTokenEncrypted: "token"
1266
+ accessTokenExpiresAt: "2025-01-01T00:00:00.000Z"
1267
+ refreshTokenEncrypted: "refresh"
1268
+ refreshTokenExpiresAt: "2025-01-02T00:00:00.000Z"
1269
+ }
1270
+ }
1271
+ ) {
1272
+ _session {
1273
+ id
1274
+ }
1275
+ }
1276
+ }
1277
+ `),
1278
+ ).rejects.toThrowError('Permission denied to create class _Session')
1279
+
1280
+ const res = await adminClient.request<any>(gql`
1281
+ query me {
1282
+ me {
1283
+ user {
1284
+ id
1285
+ }
1286
+ }
1287
+ }
1288
+ `)
1289
+
1290
+ const session = await wabe.controllers.database.createObject({
1291
+ className: '_Session',
1292
+ context: {
1293
+ wabe,
1294
+ isRoot: true,
1295
+ },
1296
+ data: {
1297
+ accessTokenEncrypted: 'token',
1298
+ user: res.me.user.id,
1299
+ accessTokenExpiresAt: new Date(),
1300
+ refreshTokenEncrypted: 'refreshToken',
1301
+ refreshTokenExpiresAt: new Date(),
1302
+ },
1303
+ select: { id: true },
1304
+ })
1305
+
1306
+ const sessionId = session?.id
1307
+
1308
+ if (!sessionId) throw new Error('Session not created')
1309
+
1310
+ expect(
1311
+ adminClient.request<any>(gql`
1312
+ mutation update_Session {
1313
+ update_Session(input: { id: "${sessionId}", fields: {accessTokenEncrypted: "token2"} }) {
1314
+ _session {
1315
+ id
1316
+ }
1317
+ }
1318
+ }
1319
+ `),
1320
+ ).rejects.toThrowError('Permission denied to update class _Session')
1321
+
1322
+ expect(
1323
+ adminClient.request<any>(gql`
1324
+ mutation delete_Session {
1325
+ delete_Session(input: { id:"${sessionId}" }) {
1326
+ _session {
1327
+ id
1328
+ }
1329
+ }
1330
+ }
1331
+ `),
1332
+ // Read because we call getObject before delete the object
1333
+ ).rejects.toThrowError('Permission denied to delete class _Session')
1334
+
1335
+ const sessionAfterDelete = await wabe.controllers.database.getObject({
1336
+ className: '_Session',
1337
+ id: sessionId || '',
1338
+ context: {
1339
+ wabe,
1340
+ isRoot: true,
1341
+ },
1342
+ select: { id: true },
1343
+ })
1344
+
1345
+ expect(sessionAfterDelete?.id).toEqual(sessionId)
1346
+
1347
+ await closeTests(wabe)
1348
+ })
1349
+
1350
+ it('should not be able to do some actions with expired session', async () => {
1351
+ const setup = await setupTests([
1352
+ {
1353
+ name: 'Test1',
1354
+ fields: {
1355
+ name: {
1356
+ type: 'String',
1357
+ },
1358
+ },
1359
+ permissions: {
1360
+ read: {
1361
+ authorizedRoles: ['Admin'],
1362
+ requireAuthentication: true,
1363
+ },
1364
+ create: {
1365
+ authorizedRoles: ['Admin'],
1366
+ requireAuthentication: true,
1367
+ },
1368
+ },
1369
+ },
1370
+ ])
1371
+ const wabe = setup.wabe
1372
+
1373
+ const adminClient = await getAdminUserClient(wabe.config.port, wabe, {
1374
+ email: 'admin@wabe.dev',
1375
+ password: 'admin',
1376
+ })
1377
+
1378
+ expect(
1379
+ adminClient.request(gql`
1380
+ mutation createTest1 {
1381
+ createTest1(input: { fields: { name: "test1" } }) {
1382
+ test1 {
1383
+ id
1384
+ }
1385
+ }
1386
+ }
1387
+ `),
1388
+ ).resolves.toEqual(expect.anything())
1389
+
1390
+ await wabe.controllers.database.updateObjects({
1391
+ className: '_Session',
1392
+ context: {
1393
+ wabe,
1394
+ isRoot: true,
1395
+ },
1396
+ select: { id: true, accessTokenExpiresAt: true },
1397
+ data: {
1398
+ accessTokenExpiresAt: new Date(Date.now() - 1000 * 3600), // 1 hour ago
1399
+ refreshTokenExpiresAt: new Date(Date.now() - 1000 * 3600), // 1 hour ago
1400
+ },
1401
+ where: {},
1402
+ })
1403
+
1404
+ expect(
1405
+ adminClient.request(gql`
1406
+ mutation createTest1 {
1407
+ createTest1(input: { fields: { name: "test1" } }) {
1408
+ test1 {
1409
+ id
1410
+ }
1411
+ }
1412
+ }
1413
+ `),
1414
+ ).rejects.toThrow('Permission denied to create class Test1')
1415
+
1416
+ await closeTests(wabe)
1417
+ })
1418
+
1419
+ it('should be able to refresh session if refresh token is not expired but access token expired', async () => {
1420
+ const setup = await setupTests([
1421
+ {
1422
+ name: 'Test1',
1423
+ fields: {
1424
+ name: {
1425
+ type: 'String',
1426
+ },
1427
+ },
1428
+ permissions: {
1429
+ read: {
1430
+ authorizedRoles: ['Admin'],
1431
+ requireAuthentication: true,
1432
+ },
1433
+ create: {
1434
+ authorizedRoles: ['Admin'],
1435
+ requireAuthentication: true,
1436
+ },
1437
+ },
1438
+ },
1439
+ ])
1440
+ const wabe = setup.wabe
1441
+
1442
+ const adminClient = await getAdminUserClient(wabe.config.port, wabe, {
1443
+ email: 'admin@wabe.dev',
1444
+ password: 'admin',
1445
+ })
1446
+
1447
+ expect(
1448
+ adminClient.request(gql`
1449
+ mutation createTest1 {
1450
+ createTest1(input: { fields: { name: "test1" } }) {
1451
+ test1 {
1452
+ id
1453
+ }
1454
+ }
1455
+ }
1456
+ `),
1457
+ ).resolves.toEqual(expect.anything())
1458
+
1459
+ await wabe.controllers.database.updateObjects({
1460
+ className: '_Session',
1461
+ context: {
1462
+ wabe,
1463
+ isRoot: true,
1464
+ },
1465
+ data: {
1466
+ accessTokenExpiresAt: new Date(Date.now() - 1000 * 3600), // 1 hour ago
1467
+ refreshTokenExpiresAt: new Date(Date.now() + 1000 * 3600), // 1 hour in future
1468
+ },
1469
+ where: {},
1470
+ })
1471
+
1472
+ expect(
1473
+ adminClient.request(gql`
1474
+ mutation createTest1 {
1475
+ createTest1(input: { fields: { name: "test1" } }) {
1476
+ test1 {
1477
+ id
1478
+ }
1479
+ }
1480
+ }
1481
+ `),
1482
+ ).resolves.toEqual(expect.anything())
1483
+
1484
+ await closeTests(wabe)
1485
+ })
1486
+
1487
+ it('should access to an object', async () => {
1488
+ const setup = await setupTests([
1489
+ {
1490
+ name: 'Test4',
1491
+ fields: {
1492
+ name: { type: 'String' },
1493
+ },
1494
+ permissions: {
1495
+ create: {
1496
+ requireAuthentication: true,
1497
+ authorizedRoles: ['Client'],
1498
+ },
1499
+ read: {
1500
+ requireAuthentication: true,
1501
+ authorizedRoles: ['Client', 'Client2'],
1502
+ },
1503
+ },
1504
+ },
1505
+ ])
1506
+ const wabe = setup.wabe
1507
+ const port = setup.port
1508
+ const client = getAnonymousClient(port)
1509
+ const rootClient = getGraphqlClient(port)
1510
+
1511
+ const { userClient } = await createUserAndUpdateRole({
1512
+ anonymousClient: client,
1513
+ port,
1514
+ roleName: 'Client',
1515
+ rootClient,
1516
+ })
1517
+
1518
+ const { userClient: userClient2 } = await createUserAndUpdateRole({
1519
+ anonymousClient: client,
1520
+ port,
1521
+ roleName: 'Client2',
1522
+ rootClient,
1523
+ })
1524
+
1525
+ await userClient.request<any>(gql`
1526
+ mutation createTest4 {
1527
+ createTest4(input: { fields: { name: "test" } }) {
1528
+ test4 {
1529
+ id
1530
+ }
1531
+ }
1532
+ }
1533
+ `)
1534
+
1535
+ const res = await userClient2.request<any>(gql`
1536
+ query test4s {
1537
+ test4s {
1538
+ edges {
1539
+ node {
1540
+ id
1541
+ name
1542
+ }
1543
+ }
1544
+ }
1545
+ }
1546
+ `)
1547
+
1548
+ expect(res.test4s.edges.length).toEqual(1)
1549
+ expect(res.test4s.edges[0].node.name).toEqual('test')
1550
+
1551
+ await closeTests(wabe)
1552
+ })
1553
+
1554
+ it('should access to an object created by another user without ACL', async () => {
1555
+ const setup = await setupTests([
1556
+ {
1557
+ name: 'Test4',
1558
+ fields: {
1559
+ name: { type: 'String' },
1560
+ },
1561
+ permissions: {
1562
+ create: {
1563
+ requireAuthentication: true,
1564
+ authorizedRoles: ['Client'],
1565
+ },
1566
+ read: {
1567
+ requireAuthentication: true,
1568
+ authorizedRoles: ['Client', 'Client2'],
1569
+ },
1570
+ },
1571
+ },
1572
+ ])
1573
+ const wabe = setup.wabe
1574
+ const port = setup.port
1575
+ const client = getAnonymousClient(port)
1576
+ const rootClient = getGraphqlClient(port)
1577
+
1578
+ const { userClient } = await createUserAndUpdateRole({
1579
+ anonymousClient: client,
1580
+ port,
1581
+ roleName: 'Client',
1582
+ rootClient,
1583
+ })
1584
+
1585
+ const { userClient: userClient2 } = await createUserAndUpdateRole({
1586
+ anonymousClient: client,
1587
+ port,
1588
+ roleName: 'Client2',
1589
+ rootClient,
1590
+ })
1591
+
1592
+ await userClient.request<any>(gql`
1593
+ mutation createTest4 {
1594
+ createTest4(input: { fields: { name: "test" } }) {
1595
+ test4 {
1596
+ id
1597
+ }
1598
+ }
1599
+ }
1600
+ `)
1601
+
1602
+ const res = await userClient2.request<any>(gql`
1603
+ query test4s {
1604
+ test4s {
1605
+ edges {
1606
+ node {
1607
+ id
1608
+ name
1609
+ }
1610
+ }
1611
+ }
1612
+ }
1613
+ `)
1614
+
1615
+ expect(res.test4s.edges.length).toEqual(1)
1616
+ expect(res.test4s.edges[0].node.name).toEqual('test')
1617
+
1618
+ await closeTests(wabe)
1619
+ })
1620
+
1621
+ it('should authorize user to access to created object with self acl but not an other user', async () => {
1622
+ const setup = await setupTests([
1623
+ {
1624
+ name: 'Test3',
1625
+ fields: {
1626
+ name: { type: 'String' },
1627
+ },
1628
+ permissions: {
1629
+ create: {
1630
+ requireAuthentication: false,
1631
+ },
1632
+ read: {
1633
+ requireAuthentication: false,
1634
+ },
1635
+ acl: async (hookObject) => {
1636
+ await hookObject.addACL('users', {
1637
+ userId: hookObject.context.user?.id || '',
1638
+ read: true,
1639
+ write: true,
1640
+ })
1641
+
1642
+ await hookObject.addACL('roles', null)
1643
+ },
1644
+ },
1645
+ },
1646
+ ])
1647
+ const wabe = setup.wabe
1648
+ const port = setup.port
1649
+ const client = getAnonymousClient(port)
1650
+ const rootClient = getGraphqlClient(port)
1651
+
1652
+ const { userClient } = await createUserAndUpdateRole({
1653
+ anonymousClient: client,
1654
+ port,
1655
+ roleName: 'Client',
1656
+ rootClient,
1657
+ })
1658
+
1659
+ const { userClient: userClient2 } = await createUserAndUpdateRole({
1660
+ anonymousClient: client,
1661
+ port,
1662
+ roleName: 'Client',
1663
+ rootClient,
1664
+ email: 'email2@test.fr',
1665
+ })
1666
+
1667
+ const res = await userClient.request<any>(gql`
1668
+ mutation createTest3 {
1669
+ createTest3(input: { fields: { name: "test" } }) {
1670
+ test3 {
1671
+ id
1672
+ }
1673
+ }
1674
+ }
1675
+ `)
1676
+
1677
+ const res2 = await userClient2.request<any>(gql`
1678
+ query test3s {
1679
+ test3s {
1680
+ edges {
1681
+ node {
1682
+ id
1683
+ }
1684
+ }
1685
+ }
1686
+ }
1687
+ `)
1688
+
1689
+ const res3 = await getAnonymousClient(port).request<any>(gql`
1690
+ query test3s {
1691
+ test3s {
1692
+ edges {
1693
+ node {
1694
+ id
1695
+ }
1696
+ }
1697
+ }
1698
+ }
1699
+ `)
1700
+
1701
+ expect(res.createTest3.test3.id).toBeDefined()
1702
+ expect(res2.test3s.edges.length).toEqual(0)
1703
+ expect(res3.test3s.edges.length).toEqual(0)
1704
+
1705
+ await closeTests(wabe)
1706
+ })
1707
+
1708
+ it('should not authorize create object when authorizedRoles is empty', async () => {
1709
+ const setup = await setupTests([
1710
+ {
1711
+ name: 'Test2',
1712
+ fields: {
1713
+ name: { type: 'String' },
1714
+ age: { type: 'Int' },
1715
+ },
1716
+ permissions: {
1717
+ read: {
1718
+ authorizedRoles: ['Client', 'Client2'],
1719
+ requireAuthentication: true,
1720
+ },
1721
+ create: {
1722
+ authorizedRoles: [],
1723
+ requireAuthentication: true,
1724
+ },
1725
+ },
1726
+ },
1727
+ ])
1728
+ const wabe = setup.wabe
1729
+ const port = setup.port
1730
+ const client = getAnonymousClient(port)
1731
+ const rootClient = getGraphqlClient(port)
1732
+
1733
+ const { userClient } = await createUserAndUpdateRole({
1734
+ anonymousClient: client,
1735
+ port,
1736
+ roleName: 'Client',
1737
+ rootClient,
1738
+ })
1739
+
1740
+ expect(
1741
+ userClient.request<any>(gql`
1742
+ mutation createTest2 {
1743
+ createTest2(input: { fields: { name: "test" } }) {
1744
+ test2 {
1745
+ id
1746
+ }
1747
+ }
1748
+ }
1749
+ `),
1750
+ ).rejects.toThrow('Permission denied to create class Test2')
1751
+
1752
+ expect(() =>
1753
+ rootClient.request<any>(gql`
1754
+ mutation createTest2 {
1755
+ createTest2(input: { fields: { name: "test" } }) {
1756
+ test2 {
1757
+ id
1758
+ }
1759
+ }
1760
+ }
1761
+ `),
1762
+ ).not.toThrow()
1763
+
1764
+ await closeTests(wabe)
1765
+ })
1766
+
1767
+ it('should not authorize an user to read an object when the user has not access on read to the object (ACL)', async () => {
1768
+ const setup = await setupTests([
1769
+ {
1770
+ name: 'Test',
1771
+ fields: {
1772
+ name: { type: 'String' },
1773
+ pointer: {
1774
+ type: 'Pointer',
1775
+ class: 'Test2',
1776
+ },
1777
+ relation: {
1778
+ type: 'Relation',
1779
+ class: 'Test2',
1780
+ },
1781
+ },
1782
+ permissions: {
1783
+ read: {
1784
+ authorizedRoles: ['Client', 'Client2'],
1785
+ requireAuthentication: true,
1786
+ },
1787
+ update: {
1788
+ authorizedRoles: ['Client'],
1789
+ requireAuthentication: true,
1790
+ },
1791
+ delete: {
1792
+ authorizedRoles: ['Client'],
1793
+ requireAuthentication: true,
1794
+ },
1795
+ create: {
1796
+ authorizedRoles: ['Client2'],
1797
+ requireAuthentication: true,
1798
+ },
1799
+ },
1800
+ },
1801
+ {
1802
+ name: 'Test2',
1803
+ fields: {
1804
+ name: { type: 'String' },
1805
+ age: { type: 'Int' },
1806
+ },
1807
+ permissions: {
1808
+ read: {
1809
+ authorizedRoles: ['Client', 'Client2'],
1810
+ requireAuthentication: true,
1811
+ },
1812
+ create: {
1813
+ authorizedRoles: [],
1814
+ requireAuthentication: true,
1815
+ },
1816
+ },
1817
+ },
1818
+ ])
1819
+ const wabe = setup.wabe
1820
+ const port = setup.port
1821
+ const client = getAnonymousClient(port)
1822
+ const rootClient = getGraphqlClient(port)
1823
+
1824
+ const { userClient, userId } = await createUserAndUpdateRole({
1825
+ anonymousClient: client,
1826
+ port,
1827
+ roleName: 'Client',
1828
+ rootClient,
1829
+ })
1830
+
1831
+ const objectCreated = await rootClient.request<any>(gql`
1832
+ mutation createTest {
1833
+ createTest(input: { fields: { name: "test" } }) {
1834
+ test {
1835
+ id
1836
+ }
1837
+ }
1838
+ }
1839
+ `)
1840
+
1841
+ const objectId = objectCreated.createTest.test.id
1842
+
1843
+ await rootClient.request<any>(gql`
1844
+ mutation updateACL{
1845
+ updateTest(input:{id: "${objectId}", fields: {acl:{
1846
+ users: [{
1847
+ userId: "${userId}",
1848
+ read: false,
1849
+ write: true
1850
+ }]
1851
+ }}}){
1852
+ test{
1853
+ id
1854
+ }
1855
+ }
1856
+ }
1857
+ `)
1858
+
1859
+ const res = await userClient.request<any>(gql`
1860
+ query tests {
1861
+ tests {
1862
+ edges {
1863
+ node {
1864
+ id
1865
+ }
1866
+ }
1867
+ }
1868
+ }
1869
+ `)
1870
+
1871
+ expect(res.tests.edges.length).toEqual(0)
1872
+
1873
+ await closeTests(wabe)
1874
+ })
1875
+
1876
+ it('should not authorize an user to write (delete) an object when the user has not access on write to the object (ACL)', async () => {
1877
+ const setup = await setupTests([
1878
+ {
1879
+ name: 'Test',
1880
+ fields: {
1881
+ name: { type: 'String' },
1882
+ pointer: {
1883
+ type: 'Pointer',
1884
+ class: 'Test2',
1885
+ },
1886
+ relation: {
1887
+ type: 'Relation',
1888
+ class: 'Test2',
1889
+ },
1890
+ },
1891
+ permissions: {
1892
+ read: {
1893
+ authorizedRoles: ['Client', 'Client2'],
1894
+ requireAuthentication: true,
1895
+ },
1896
+ update: {
1897
+ authorizedRoles: ['Client'],
1898
+ requireAuthentication: true,
1899
+ },
1900
+ delete: {
1901
+ authorizedRoles: ['Client'],
1902
+ requireAuthentication: true,
1903
+ },
1904
+ create: {
1905
+ authorizedRoles: ['Client2'],
1906
+ requireAuthentication: true,
1907
+ },
1908
+ },
1909
+ },
1910
+ {
1911
+ name: 'Test2',
1912
+ fields: {
1913
+ name: { type: 'String' },
1914
+ age: { type: 'Int' },
1915
+ },
1916
+ permissions: {
1917
+ read: {
1918
+ authorizedRoles: ['Client', 'Client2'],
1919
+ requireAuthentication: true,
1920
+ },
1921
+ create: {
1922
+ authorizedRoles: [],
1923
+ requireAuthentication: true,
1924
+ },
1925
+ },
1926
+ },
1927
+ ])
1928
+ const wabe = setup.wabe
1929
+ const port = setup.port
1930
+ const client = getAnonymousClient(port)
1931
+ const rootClient = getGraphqlClient(port)
1932
+
1933
+ const { userClient, userId } = await createUserAndUpdateRole({
1934
+ anonymousClient: client,
1935
+ port,
1936
+ roleName: 'Client',
1937
+ rootClient,
1938
+ })
1939
+
1940
+ const objectCreated = await rootClient.request<any>(gql`
1941
+ mutation createTest {
1942
+ createTest(input: { fields: { name: "test" } }) {
1943
+ test {
1944
+ id
1945
+ }
1946
+ }
1947
+ }
1948
+ `)
1949
+
1950
+ const objectId = objectCreated.createTest.test.id
1951
+
1952
+ await rootClient.request<any>(gql`
1953
+ mutation updateACL{
1954
+ updateTest(input:{id: "${objectId}", fields: {acl:{
1955
+ users: [{
1956
+ userId: "${userId}",
1957
+ read: true,
1958
+ write: false
1959
+ }]
1960
+ }}}){
1961
+ test{
1962
+ id
1963
+ }
1964
+ }
1965
+ }
1966
+ `)
1967
+
1968
+ expect(
1969
+ userClient.request<any>(gql`
1970
+ mutation deleteTest{
1971
+ deleteTest(input:{id: "${objectId}"}){
1972
+ test{
1973
+ id
1974
+ }
1975
+ }
1976
+ }
1977
+ `),
1978
+ ).rejects.toThrow('Object not found')
1979
+
1980
+ await closeTests(wabe)
1981
+ })
1982
+
1983
+ it('should not authorize an user to get the result of mutation (read) when he has access on write but not on read (ACL)', async () => {
1984
+ const setup = await setupTests([
1985
+ {
1986
+ name: 'Test',
1987
+ fields: {
1988
+ name: { type: 'String' },
1989
+ pointer: {
1990
+ type: 'Pointer',
1991
+ class: 'Test2',
1992
+ },
1993
+ relation: {
1994
+ type: 'Relation',
1995
+ class: 'Test2',
1996
+ },
1997
+ },
1998
+ permissions: {
1999
+ read: {
2000
+ authorizedRoles: ['Client', 'Client2'],
2001
+ requireAuthentication: true,
2002
+ },
2003
+ update: {
2004
+ authorizedRoles: ['Client'],
2005
+ requireAuthentication: true,
2006
+ },
2007
+ delete: {
2008
+ authorizedRoles: ['Client'],
2009
+ requireAuthentication: true,
2010
+ },
2011
+ create: {
2012
+ authorizedRoles: ['Client2'],
2013
+ requireAuthentication: true,
2014
+ },
2015
+ },
2016
+ },
2017
+ {
2018
+ name: 'Test2',
2019
+ fields: {
2020
+ name: { type: 'String' },
2021
+ age: { type: 'Int' },
2022
+ },
2023
+ permissions: {
2024
+ read: {
2025
+ authorizedRoles: ['Client', 'Client2'],
2026
+ requireAuthentication: true,
2027
+ },
2028
+ create: {
2029
+ authorizedRoles: [],
2030
+ requireAuthentication: true,
2031
+ },
2032
+ },
2033
+ },
2034
+ ])
2035
+ const wabe = setup.wabe
2036
+ const port = setup.port
2037
+ const client = getAnonymousClient(port)
2038
+ const rootClient = getGraphqlClient(port)
2039
+
2040
+ const { userClient, userId } = await createUserAndUpdateRole({
2041
+ anonymousClient: client,
2042
+ port,
2043
+ roleName: 'Client',
2044
+ rootClient,
2045
+ })
2046
+
2047
+ const objectCreated = await rootClient.request<any>(gql`
2048
+ mutation createTest {
2049
+ createTest(input: { fields: { name: "test" } }) {
2050
+ test {
2051
+ id
2052
+ }
2053
+ }
2054
+ }
2055
+ `)
2056
+
2057
+ const objectId = objectCreated.createTest.test.id
2058
+
2059
+ await rootClient.request<any>(gql`
2060
+ mutation updateACL{
2061
+ updateTest(input:{id: "${objectId}", fields: {acl:{
2062
+ users: [{
2063
+ userId: "${userId}",
2064
+ read: false,
2065
+ write: true
2066
+ }]
2067
+ }}}){
2068
+ test{
2069
+ id
2070
+ }
2071
+ }
2072
+ }
2073
+ `)
2074
+
2075
+ expect(
2076
+ userClient.request<any>(gql`
2077
+ mutation updateTest{
2078
+ updateTest(input:{id: "${objectId}", fields : {name: "tata"}}){
2079
+ test{
2080
+ id
2081
+ }
2082
+ }
2083
+ }
2084
+ `),
2085
+ ).rejects.toThrow('Object not found')
2086
+
2087
+ await closeTests(wabe)
2088
+ })
2089
+
2090
+ it('should not authorize an user to write (update) an object when the user has not access on write to the object (ACL)', async () => {
2091
+ const setup = await setupTests([
2092
+ {
2093
+ name: 'Test',
2094
+ fields: {
2095
+ name: { type: 'String' },
2096
+ pointer: {
2097
+ type: 'Pointer',
2098
+ class: 'Test2',
2099
+ },
2100
+ relation: {
2101
+ type: 'Relation',
2102
+ class: 'Test2',
2103
+ },
2104
+ },
2105
+ permissions: {
2106
+ read: {
2107
+ authorizedRoles: ['Client', 'Client2'],
2108
+ requireAuthentication: true,
2109
+ },
2110
+ update: {
2111
+ authorizedRoles: ['Client'],
2112
+ requireAuthentication: true,
2113
+ },
2114
+ delete: {
2115
+ authorizedRoles: ['Client'],
2116
+ requireAuthentication: true,
2117
+ },
2118
+ create: {
2119
+ authorizedRoles: ['Client2'],
2120
+ requireAuthentication: true,
2121
+ },
2122
+ },
2123
+ },
2124
+ {
2125
+ name: 'Test2',
2126
+ fields: {
2127
+ name: { type: 'String' },
2128
+ age: { type: 'Int' },
2129
+ },
2130
+ permissions: {
2131
+ read: {
2132
+ authorizedRoles: ['Client', 'Client2'],
2133
+ requireAuthentication: true,
2134
+ },
2135
+ create: {
2136
+ authorizedRoles: [],
2137
+ requireAuthentication: true,
2138
+ },
2139
+ },
2140
+ },
2141
+ ])
2142
+ const wabe = setup.wabe
2143
+ const port = setup.port
2144
+ const client = getAnonymousClient(port)
2145
+ const rootClient = getGraphqlClient(port)
2146
+
2147
+ const { userClient, userId } = await createUserAndUpdateRole({
2148
+ anonymousClient: client,
2149
+ port,
2150
+ roleName: 'Client',
2151
+ rootClient,
2152
+ })
2153
+
2154
+ const objectCreated = await rootClient.request<any>(gql`
2155
+ mutation createTest {
2156
+ createTest(input: { fields: { name: "test" } }) {
2157
+ test {
2158
+ id
2159
+ }
2160
+ }
2161
+ }
2162
+ `)
2163
+
2164
+ const objectId = objectCreated.createTest.test.id
2165
+
2166
+ await rootClient.request<any>(gql`
2167
+ mutation updateACL{
2168
+ updateTest(input:{id: "${objectId}", fields: {acl:{
2169
+ users: [{
2170
+ userId: "${userId}",
2171
+ read: true,
2172
+ write: false
2173
+ }]
2174
+ }}}){
2175
+ test{
2176
+ id
2177
+ }
2178
+ }
2179
+ }
2180
+ `)
2181
+
2182
+ expect(
2183
+ userClient.request<any>(gql`
2184
+ mutation updateTest{
2185
+ updateTest(input:{id: "${objectId}", fields : {name: "tata"}}){
2186
+ test{
2187
+ id
2188
+ }
2189
+ }
2190
+ }
2191
+ `),
2192
+ ).rejects.toThrow('Object not found')
2193
+
2194
+ await closeTests(wabe)
2195
+ })
2196
+
2197
+ it('should authorize an user to read an object when the user has access on read to the object (ACL)', async () => {
2198
+ const setup = await setupTests([
2199
+ {
2200
+ name: 'Test',
2201
+ fields: {
2202
+ name: { type: 'String' },
2203
+ pointer: {
2204
+ type: 'Pointer',
2205
+ class: 'Test2',
2206
+ },
2207
+ relation: {
2208
+ type: 'Relation',
2209
+ class: 'Test2',
2210
+ },
2211
+ },
2212
+ permissions: {
2213
+ read: {
2214
+ authorizedRoles: ['Client', 'Client2'],
2215
+ requireAuthentication: true,
2216
+ },
2217
+ update: {
2218
+ authorizedRoles: ['Client'],
2219
+ requireAuthentication: true,
2220
+ },
2221
+ delete: {
2222
+ authorizedRoles: ['Client'],
2223
+ requireAuthentication: true,
2224
+ },
2225
+ create: {
2226
+ authorizedRoles: ['Client2'],
2227
+ requireAuthentication: true,
2228
+ },
2229
+ },
2230
+ },
2231
+ {
2232
+ name: 'Test2',
2233
+ fields: {
2234
+ name: { type: 'String' },
2235
+ age: { type: 'Int' },
2236
+ },
2237
+ permissions: {
2238
+ read: {
2239
+ authorizedRoles: ['Client', 'Client2'],
2240
+ requireAuthentication: true,
2241
+ },
2242
+ create: {
2243
+ authorizedRoles: [],
2244
+ requireAuthentication: true,
2245
+ },
2246
+ },
2247
+ },
2248
+ ])
2249
+ const wabe = setup.wabe
2250
+ const port = setup.port
2251
+ const client = getAnonymousClient(port)
2252
+ const rootClient = getGraphqlClient(port)
2253
+
2254
+ const { userClient, userId } = await createUserAndUpdateRole({
2255
+ anonymousClient: client,
2256
+ port,
2257
+ roleName: 'Client',
2258
+ rootClient,
2259
+ })
2260
+
2261
+ const objectCreated = await rootClient.request<any>(gql`
2262
+ mutation createTest {
2263
+ createTest(input: { fields: { name: "test" } }) {
2264
+ test {
2265
+ id
2266
+ }
2267
+ }
2268
+ }
2269
+ `)
2270
+
2271
+ const objectId = objectCreated.createTest.test.id
2272
+
2273
+ await rootClient.request<any>(gql`
2274
+ mutation updateACL{
2275
+ updateTest(input:{id: "${objectId}", fields: {acl:{
2276
+ users: [{
2277
+ userId: "${userId}",
2278
+ read: true,
2279
+ write: false
2280
+ }]
2281
+ }}}){
2282
+ test{
2283
+ id
2284
+ }
2285
+ }
2286
+ }
2287
+ `)
2288
+
2289
+ const res = await userClient.request<any>(gql`
2290
+ query tests {
2291
+ tests {
2292
+ edges {
2293
+ node {
2294
+ id
2295
+ }
2296
+ }
2297
+ }
2298
+ }
2299
+ `)
2300
+
2301
+ expect(res.tests.edges.length).toEqual(1)
2302
+
2303
+ await closeTests(wabe)
2304
+ })
2305
+
2306
+ it('should not authorized an user to read an object on another class with pointer when the user do not have ACL to read the other class', async () => {
2307
+ const setup = await setupTests([
2308
+ {
2309
+ name: 'Test',
2310
+ fields: {
2311
+ name: { type: 'String' },
2312
+ pointer: {
2313
+ type: 'Pointer',
2314
+ class: 'Test2',
2315
+ },
2316
+ relation: {
2317
+ type: 'Relation',
2318
+ class: 'Test2',
2319
+ },
2320
+ },
2321
+ permissions: {
2322
+ read: {
2323
+ authorizedRoles: ['Client', 'Client2'],
2324
+ requireAuthentication: true,
2325
+ },
2326
+ update: {
2327
+ authorizedRoles: ['Client'],
2328
+ requireAuthentication: true,
2329
+ },
2330
+ delete: {
2331
+ authorizedRoles: ['Client'],
2332
+ requireAuthentication: true,
2333
+ },
2334
+ create: {
2335
+ authorizedRoles: ['Client2'],
2336
+ requireAuthentication: true,
2337
+ },
2338
+ },
2339
+ },
2340
+ {
2341
+ name: 'Test2',
2342
+ fields: {
2343
+ name: { type: 'String' },
2344
+ age: { type: 'Int' },
2345
+ },
2346
+ permissions: {
2347
+ read: {
2348
+ authorizedRoles: ['Client', 'Client2'],
2349
+ requireAuthentication: true,
2350
+ },
2351
+ create: {
2352
+ authorizedRoles: [],
2353
+ requireAuthentication: true,
2354
+ },
2355
+ },
2356
+ },
2357
+ ])
2358
+ const wabe = setup.wabe
2359
+ const port = setup.port
2360
+ const client = getAnonymousClient(port)
2361
+ const rootClient = getGraphqlClient(port)
2362
+
2363
+ const { userClient, userId } = await createUserAndUpdateRole({
2364
+ anonymousClient: client,
2365
+ port,
2366
+ roleName: 'Client',
2367
+ rootClient,
2368
+ })
2369
+
2370
+ const objectCreated = await rootClient.request<any>(gql`
2371
+ mutation createTest {
2372
+ createTest(input: { fields: { name: "test", pointer: { createAndLink: { name: "tata" } } } }) {
2373
+ test {
2374
+ id
2375
+ pointer {
2376
+ id
2377
+ }
2378
+ }
2379
+ }
2380
+ }
2381
+ `)
2382
+
2383
+ const pointerId = objectCreated.createTest.test.pointer.id
2384
+ const testId = objectCreated.createTest.test.id
2385
+
2386
+ await rootClient.request<any>(gql`
2387
+ mutation updateACL{
2388
+ updateTest(input:{id: "${testId}", fields: {acl:{
2389
+ users: [{
2390
+ userId: "${userId}",
2391
+ read: true,
2392
+ write: false
2393
+ }]
2394
+ }}}){
2395
+ test{
2396
+ id
2397
+ }
2398
+ }
2399
+ }
2400
+ `)
2401
+
2402
+ await rootClient.request<any>(gql`
2403
+ mutation updateACL{
2404
+ updateTest2(input:{id: "${pointerId}", fields: {acl:{
2405
+ users: [{
2406
+ userId: "${userId}",
2407
+ read: false,
2408
+ write: false
2409
+ }]
2410
+ }}}){
2411
+ test2{
2412
+ id
2413
+ }
2414
+ }
2415
+ }
2416
+ `)
2417
+
2418
+ expect(
2419
+ userClient.request<any>(gql`
2420
+ query tests {
2421
+ tests {
2422
+ edges {
2423
+ node {
2424
+ id
2425
+ name
2426
+ }
2427
+ }
2428
+ }
2429
+ }
2430
+ `),
2431
+ ).resolves.toEqual(expect.anything())
2432
+
2433
+ expect(
2434
+ userClient.request<any>(gql`
2435
+ query tests {
2436
+ tests {
2437
+ edges {
2438
+ node {
2439
+ id
2440
+ name
2441
+ pointer {
2442
+ id
2443
+ }
2444
+ }
2445
+ }
2446
+ }
2447
+ }
2448
+ `),
2449
+ ).rejects.toThrow('Object not found')
2450
+
2451
+ await closeTests(wabe)
2452
+ })
2453
+
2454
+ it('should not authorized an user to read an object on another class with relation when the user do not have ACL to read the other class', async () => {
2455
+ const setup = await setupTests([
2456
+ {
2457
+ name: 'Test',
2458
+ fields: {
2459
+ name: { type: 'String' },
2460
+ pointer: {
2461
+ type: 'Pointer',
2462
+ class: 'Test2',
2463
+ },
2464
+ relation: {
2465
+ type: 'Relation',
2466
+ class: 'Test2',
2467
+ },
2468
+ },
2469
+ permissions: {
2470
+ read: {
2471
+ authorizedRoles: ['Client', 'Client2'],
2472
+ requireAuthentication: true,
2473
+ },
2474
+ update: {
2475
+ authorizedRoles: ['Client'],
2476
+ requireAuthentication: true,
2477
+ },
2478
+ delete: {
2479
+ authorizedRoles: ['Client'],
2480
+ requireAuthentication: true,
2481
+ },
2482
+ create: {
2483
+ authorizedRoles: ['Client2'],
2484
+ requireAuthentication: true,
2485
+ },
2486
+ },
2487
+ },
2488
+ {
2489
+ name: 'Test2',
2490
+ fields: {
2491
+ name: { type: 'String' },
2492
+ age: { type: 'Int' },
2493
+ },
2494
+ permissions: {
2495
+ read: {
2496
+ authorizedRoles: ['Client', 'Client2'],
2497
+ requireAuthentication: true,
2498
+ },
2499
+ create: {
2500
+ authorizedRoles: [],
2501
+ requireAuthentication: true,
2502
+ },
2503
+ },
2504
+ },
2505
+ ])
2506
+ const wabe = setup.wabe
2507
+ const port = setup.port
2508
+ const client = getAnonymousClient(port)
2509
+ const rootClient = getGraphqlClient(port)
2510
+
2511
+ const { userClient, userId } = await createUserAndUpdateRole({
2512
+ anonymousClient: client,
2513
+ port,
2514
+ roleName: 'Client',
2515
+ rootClient,
2516
+ })
2517
+
2518
+ const objectCreated = await rootClient.request<any>(gql`
2519
+ mutation createTest {
2520
+ createTest(input: { fields: { name: "test", relation: { createAndAdd: [{ name: "tata" }] } } }) {
2521
+ test {
2522
+ id
2523
+ relation {
2524
+ edges {
2525
+ node {
2526
+ id
2527
+ }
2528
+ }
2529
+ }
2530
+ }
2531
+ }
2532
+ }
2533
+ `)
2534
+
2535
+ const relationId = objectCreated.createTest.test.relation.edges[0].node.id
2536
+ const testId = objectCreated.createTest.test.id
2537
+
2538
+ await rootClient.request<any>(gql`
2539
+ mutation updateACL{
2540
+ updateTest(input:{id: "${testId}", fields: {acl:{
2541
+ users: [{
2542
+ userId: "${userId}",
2543
+ read: true,
2544
+ write: false
2545
+ }]
2546
+ }}}){
2547
+ test{
2548
+ id
2549
+ }
2550
+ }
2551
+ }
2552
+ `)
2553
+
2554
+ await rootClient.request<any>(gql`
2555
+ mutation updateACL{
2556
+ updateTest2(input:{id: "${relationId}", fields: {acl:{
2557
+ users: [{
2558
+ userId: "${userId}",
2559
+ read: false,
2560
+ write: false
2561
+ }]
2562
+ }}}){
2563
+ test2{
2564
+ id
2565
+ }
2566
+ }
2567
+ }
2568
+ `)
2569
+
2570
+ expect(
2571
+ userClient.request<any>(gql`
2572
+ query tests {
2573
+ tests {
2574
+ edges {
2575
+ node {
2576
+ id
2577
+ name
2578
+ }
2579
+ }
2580
+ }
2581
+ }
2582
+ `),
2583
+ ).resolves.toEqual(expect.anything())
2584
+
2585
+ const res = await userClient.request<any>(gql`
2586
+ query tests {
2587
+ tests {
2588
+ edges {
2589
+ node {
2590
+ id
2591
+ name
2592
+ relation {
2593
+ edges {
2594
+ node {
2595
+ id
2596
+ }
2597
+ }
2598
+ }
2599
+ }
2600
+ }
2601
+ }
2602
+ }
2603
+ `)
2604
+
2605
+ expect(res.tests.edges[0].node.relation.edges.length).toEqual(0)
2606
+
2607
+ await closeTests(wabe)
2608
+ })
2609
+
2610
+ it('should not authorize an user to create an object on another class with pointer when the user do not have access to write the other class with (CLP)', async () => {
2611
+ const setup = await setupTests([
2612
+ {
2613
+ name: 'Test',
2614
+ fields: {
2615
+ name: { type: 'String' },
2616
+ pointer: {
2617
+ type: 'Pointer',
2618
+ class: 'Test2',
2619
+ },
2620
+ relation: {
2621
+ type: 'Relation',
2622
+ class: 'Test2',
2623
+ },
2624
+ },
2625
+ permissions: {
2626
+ read: {
2627
+ authorizedRoles: ['Client', 'Client2'],
2628
+ requireAuthentication: true,
2629
+ },
2630
+ update: {
2631
+ authorizedRoles: ['Client'],
2632
+ requireAuthentication: true,
2633
+ },
2634
+ delete: {
2635
+ authorizedRoles: ['Client'],
2636
+ requireAuthentication: true,
2637
+ },
2638
+ create: {
2639
+ authorizedRoles: ['Client2'],
2640
+ requireAuthentication: true,
2641
+ },
2642
+ },
2643
+ },
2644
+ {
2645
+ name: 'Test2',
2646
+ fields: {
2647
+ name: { type: 'String' },
2648
+ age: { type: 'Int' },
2649
+ },
2650
+ permissions: {
2651
+ read: {
2652
+ authorizedRoles: ['Client', 'Client2'],
2653
+ requireAuthentication: true,
2654
+ },
2655
+ create: {
2656
+ authorizedRoles: [],
2657
+ requireAuthentication: true,
2658
+ },
2659
+ },
2660
+ },
2661
+ ])
2662
+ const wabe = setup.wabe
2663
+ const port = setup.port
2664
+ const client = getAnonymousClient(port)
2665
+ const rootClient = getGraphqlClient(port)
2666
+
2667
+ const { userClient } = await createUserAndUpdateRole({
2668
+ anonymousClient: client,
2669
+ port,
2670
+ roleName: 'Client2',
2671
+ rootClient,
2672
+ })
2673
+
2674
+ expect(
2675
+ userClient.request<any>(gql`
2676
+ mutation createTest {
2677
+ createTest(input: { fields: { name: "test", pointer: { createAndLink: { name: "tata" } } } }) {
2678
+ test {
2679
+ id
2680
+ pointer {
2681
+ id
2682
+ }
2683
+ }
2684
+ }
2685
+ }
2686
+ `),
2687
+ ).rejects.toThrow('Permission denied to create class Test2')
2688
+
2689
+ await closeTests(wabe)
2690
+ })
2691
+
2692
+ it('should authorize a connected user to access to a protected resource', async () => {
2693
+ const setup = await setupTests([
2694
+ {
2695
+ name: 'Test',
2696
+ fields: {
2697
+ name: { type: 'String' },
2698
+ pointer: {
2699
+ type: 'Pointer',
2700
+ class: 'Test2',
2701
+ },
2702
+ relation: {
2703
+ type: 'Relation',
2704
+ class: 'Test2',
2705
+ },
2706
+ },
2707
+ permissions: {
2708
+ read: {
2709
+ authorizedRoles: ['Client', 'Client2'],
2710
+ requireAuthentication: true,
2711
+ },
2712
+ update: {
2713
+ authorizedRoles: ['Client'],
2714
+ requireAuthentication: true,
2715
+ },
2716
+ delete: {
2717
+ authorizedRoles: ['Client'],
2718
+ requireAuthentication: true,
2719
+ },
2720
+ create: {
2721
+ authorizedRoles: ['Client2'],
2722
+ requireAuthentication: true,
2723
+ },
2724
+ },
2725
+ },
2726
+ {
2727
+ name: 'Test2',
2728
+ fields: {
2729
+ name: { type: 'String' },
2730
+ age: { type: 'Int' },
2731
+ },
2732
+ permissions: {
2733
+ read: {
2734
+ authorizedRoles: ['Client', 'Client2'],
2735
+ requireAuthentication: true,
2736
+ },
2737
+ create: {
2738
+ authorizedRoles: [],
2739
+ requireAuthentication: true,
2740
+ },
2741
+ },
2742
+ },
2743
+ ])
2744
+ const wabe = setup.wabe
2745
+ const port = setup.port
2746
+ const client = getAnonymousClient(port)
2747
+ const rootClient = getGraphqlClient(port)
2748
+
2749
+ const { userClient } = await createUserAndUpdateRole({
2750
+ anonymousClient: client,
2751
+ port,
2752
+ roleName: 'Client',
2753
+ rootClient,
2754
+ })
2755
+
2756
+ const resOfTest = await userClient.request<any>(gql`
2757
+ query tests {
2758
+ tests {
2759
+ edges {
2760
+ node {
2761
+ id
2762
+ }
2763
+ }
2764
+ }
2765
+ }
2766
+ `)
2767
+
2768
+ expect(resOfTest.tests.edges.length).toEqual(0)
2769
+
2770
+ await closeTests(wabe)
2771
+ })
2772
+
2773
+ it('should authorize a connected user to access to protected resource after the user refresh his token', async () => {
2774
+ const setup = await setupTests([
2775
+ {
2776
+ name: 'Test',
2777
+ fields: {
2778
+ name: { type: 'String' },
2779
+ pointer: {
2780
+ type: 'Pointer',
2781
+ class: 'Test2',
2782
+ },
2783
+ relation: {
2784
+ type: 'Relation',
2785
+ class: 'Test2',
2786
+ },
2787
+ },
2788
+ permissions: {
2789
+ read: {
2790
+ authorizedRoles: ['Client', 'Client2'],
2791
+ requireAuthentication: true,
2792
+ },
2793
+ update: {
2794
+ authorizedRoles: ['Client'],
2795
+ requireAuthentication: true,
2796
+ },
2797
+ delete: {
2798
+ authorizedRoles: ['Client'],
2799
+ requireAuthentication: true,
2800
+ },
2801
+ create: {
2802
+ authorizedRoles: ['Client2'],
2803
+ requireAuthentication: true,
2804
+ },
2805
+ },
2806
+ },
2807
+ {
2808
+ name: 'Test2',
2809
+ fields: {
2810
+ name: { type: 'String' },
2811
+ age: { type: 'Int' },
2812
+ },
2813
+ permissions: {
2814
+ read: {
2815
+ authorizedRoles: ['Client', 'Client2'],
2816
+ requireAuthentication: true,
2817
+ },
2818
+ create: {
2819
+ authorizedRoles: [],
2820
+ requireAuthentication: true,
2821
+ },
2822
+ },
2823
+ },
2824
+ ])
2825
+ const wabe = setup.wabe
2826
+ const port = setup.port
2827
+ const client = getAnonymousClient(port)
2828
+ const rootClient = getGraphqlClient(port)
2829
+
2830
+ const { userClient, refreshToken, accessToken } = await createUserAndUpdateRole({
2831
+ anonymousClient: client,
2832
+ port,
2833
+ roleName: 'Client',
2834
+ rootClient,
2835
+ })
2836
+
2837
+ const resAfterRefresh = await userClient.request<any>(graphql.refresh, {
2838
+ input: {
2839
+ accessToken,
2840
+ refreshToken,
2841
+ },
2842
+ })
2843
+
2844
+ const userClientAfterRefresh = getUserClient(port, {
2845
+ accessToken: resAfterRefresh.refresh.accessToken,
2846
+ })
2847
+
2848
+ const resOfTest = await userClientAfterRefresh.request<any>(gql`
2849
+ query tests {
2850
+ tests {
2851
+ edges {
2852
+ node {
2853
+ id
2854
+ }
2855
+ }
2856
+ }
2857
+ }
2858
+ `)
2859
+
2860
+ expect(resOfTest.tests.edges.length).toEqual(0)
2861
+
2862
+ await closeTests(wabe)
2863
+ })
2864
+
2865
+ it('should not authorize to access to protected resource if the user is not connected', async () => {
2866
+ const setup = await setupTests([
2867
+ {
2868
+ name: 'Test',
2869
+ fields: {
2870
+ name: { type: 'String' },
2871
+ pointer: {
2872
+ type: 'Pointer',
2873
+ class: 'Test2',
2874
+ },
2875
+ relation: {
2876
+ type: 'Relation',
2877
+ class: 'Test2',
2878
+ },
2879
+ },
2880
+ permissions: {
2881
+ read: {
2882
+ authorizedRoles: ['Client', 'Client2'],
2883
+ requireAuthentication: true,
2884
+ },
2885
+ update: {
2886
+ authorizedRoles: ['Client'],
2887
+ requireAuthentication: true,
2888
+ },
2889
+ delete: {
2890
+ authorizedRoles: ['Client'],
2891
+ requireAuthentication: true,
2892
+ },
2893
+ create: {
2894
+ authorizedRoles: ['Client2'],
2895
+ requireAuthentication: true,
2896
+ },
2897
+ },
2898
+ },
2899
+ {
2900
+ name: 'Test2',
2901
+ fields: {
2902
+ name: { type: 'String' },
2903
+ age: { type: 'Int' },
2904
+ },
2905
+ permissions: {
2906
+ read: {
2907
+ authorizedRoles: ['Client', 'Client2'],
2908
+ requireAuthentication: true,
2909
+ },
2910
+ create: {
2911
+ authorizedRoles: [],
2912
+ requireAuthentication: true,
2913
+ },
2914
+ },
2915
+ },
2916
+ ])
2917
+ const wabe = setup.wabe
2918
+ const port = setup.port
2919
+ const client = getAnonymousClient(port)
2920
+ const rootClient = getGraphqlClient(port)
2921
+
2922
+ await createUserAndUpdateRole({
2923
+ anonymousClient: client,
2924
+ port,
2925
+ roleName: 'Client3',
2926
+ rootClient,
2927
+ })
2928
+
2929
+ const userClient = getUserClient(port, { accessToken: 'invalidToken' })
2930
+
2931
+ expect(
2932
+ userClient.request<any>(gql`
2933
+ query tests {
2934
+ tests {
2935
+ edges {
2936
+ node {
2937
+ id
2938
+ }
2939
+ }
2940
+ }
2941
+ }
2942
+ `),
2943
+ ).rejects.toThrow('Permission denied to read class Test')
2944
+
2945
+ await closeTests(wabe)
2946
+ })
2947
+
2948
+ it("should not authorized to read an object if the user doesn't had an authorized role (read one)", async () => {
2949
+ const setup = await setupTests([
2950
+ {
2951
+ name: 'Test',
2952
+ fields: {
2953
+ name: { type: 'String' },
2954
+ pointer: {
2955
+ type: 'Pointer',
2956
+ class: 'Test2',
2957
+ },
2958
+ relation: {
2959
+ type: 'Relation',
2960
+ class: 'Test2',
2961
+ },
2962
+ },
2963
+ permissions: {
2964
+ read: {
2965
+ authorizedRoles: ['Client', 'Client2'],
2966
+ requireAuthentication: true,
2967
+ },
2968
+ update: {
2969
+ authorizedRoles: ['Client'],
2970
+ requireAuthentication: true,
2971
+ },
2972
+ delete: {
2973
+ authorizedRoles: ['Client'],
2974
+ requireAuthentication: true,
2975
+ },
2976
+ create: {
2977
+ authorizedRoles: ['Client2'],
2978
+ requireAuthentication: true,
2979
+ },
2980
+ },
2981
+ },
2982
+ {
2983
+ name: 'Test2',
2984
+ fields: {
2985
+ name: { type: 'String' },
2986
+ age: { type: 'Int' },
2987
+ },
2988
+ permissions: {
2989
+ read: {
2990
+ authorizedRoles: ['Client', 'Client2'],
2991
+ requireAuthentication: true,
2992
+ },
2993
+ create: {
2994
+ authorizedRoles: [],
2995
+ requireAuthentication: true,
2996
+ },
2997
+ },
2998
+ },
2999
+ ])
3000
+ const wabe = setup.wabe
3001
+ const port = setup.port
3002
+ const client = getAnonymousClient(port)
3003
+ const rootClient = getGraphqlClient(port)
3004
+
3005
+ const { userClient } = await createUserAndUpdateRole({
3006
+ anonymousClient: client,
3007
+ port,
3008
+ roleName: 'Client3',
3009
+ rootClient,
3010
+ })
3011
+
3012
+ const res = await rootClient.request<any>(gql`
3013
+ mutation createTest {
3014
+ createTest(input: { fields: { name: "test" } }) {
3015
+ test {
3016
+ id
3017
+ }
3018
+ }
3019
+ }
3020
+ `)
3021
+
3022
+ const testId = res.createTest.test.id
3023
+
3024
+ expect(
3025
+ userClient.request<any>(gql`
3026
+ query test{
3027
+ test(id: "${testId}") {
3028
+ id
3029
+ }
3030
+ }
3031
+ `),
3032
+ ).rejects.toThrow('Permission denied to read class Test')
3033
+
3034
+ await closeTests(wabe)
3035
+ })
3036
+
3037
+ it("should not authorized to read an object if the user doesn't had an authorized role (read many)", async () => {
3038
+ const setup = await setupTests([
3039
+ {
3040
+ name: 'Test',
3041
+ fields: {
3042
+ name: { type: 'String' },
3043
+ pointer: {
3044
+ type: 'Pointer',
3045
+ class: 'Test2',
3046
+ },
3047
+ relation: {
3048
+ type: 'Relation',
3049
+ class: 'Test2',
3050
+ },
3051
+ },
3052
+ permissions: {
3053
+ read: {
3054
+ authorizedRoles: ['Client', 'Client2'],
3055
+ requireAuthentication: true,
3056
+ },
3057
+ update: {
3058
+ authorizedRoles: ['Client'],
3059
+ requireAuthentication: true,
3060
+ },
3061
+ delete: {
3062
+ authorizedRoles: ['Client'],
3063
+ requireAuthentication: true,
3064
+ },
3065
+ create: {
3066
+ authorizedRoles: ['Client2'],
3067
+ requireAuthentication: true,
3068
+ },
3069
+ },
3070
+ },
3071
+ {
3072
+ name: 'Test2',
3073
+ fields: {
3074
+ name: { type: 'String' },
3075
+ age: { type: 'Int' },
3076
+ },
3077
+ permissions: {
3078
+ read: {
3079
+ authorizedRoles: ['Client', 'Client2'],
3080
+ requireAuthentication: true,
3081
+ },
3082
+ create: {
3083
+ authorizedRoles: [],
3084
+ requireAuthentication: true,
3085
+ },
3086
+ },
3087
+ },
3088
+ ])
3089
+ const wabe = setup.wabe
3090
+ const port = setup.port
3091
+ const client = getAnonymousClient(port)
3092
+ const rootClient = getGraphqlClient(port)
3093
+
3094
+ const { userClient } = await createUserAndUpdateRole({
3095
+ anonymousClient: client,
3096
+ port,
3097
+ roleName: 'Client3',
3098
+ rootClient,
3099
+ })
3100
+
3101
+ expect(
3102
+ userClient.request<any>(gql`
3103
+ query tests {
3104
+ tests {
3105
+ edges {
3106
+ node {
3107
+ id
3108
+ }
3109
+ }
3110
+ }
3111
+ }
3112
+ `),
3113
+ ).rejects.toThrow('Permission denied to read class Test')
3114
+
3115
+ await closeTests(wabe)
3116
+ })
3117
+
3118
+ it("should not authorized to delete an object if the user doesn't had an authorized role (delete)", async () => {
3119
+ const setup = await setupTests([
3120
+ {
3121
+ name: 'Test',
3122
+ fields: {
3123
+ name: { type: 'String' },
3124
+ pointer: {
3125
+ type: 'Pointer',
3126
+ class: 'Test2',
3127
+ },
3128
+ relation: {
3129
+ type: 'Relation',
3130
+ class: 'Test2',
3131
+ },
3132
+ },
3133
+ permissions: {
3134
+ read: {
3135
+ authorizedRoles: ['Client', 'Client2'],
3136
+ requireAuthentication: true,
3137
+ },
3138
+ update: {
3139
+ authorizedRoles: ['Client'],
3140
+ requireAuthentication: true,
3141
+ },
3142
+ delete: {
3143
+ authorizedRoles: ['Client'],
3144
+ requireAuthentication: true,
3145
+ },
3146
+ create: {
3147
+ authorizedRoles: ['Client2'],
3148
+ requireAuthentication: true,
3149
+ },
3150
+ },
3151
+ },
3152
+ {
3153
+ name: 'Test2',
3154
+ fields: {
3155
+ name: { type: 'String' },
3156
+ age: { type: 'Int' },
3157
+ },
3158
+ permissions: {
3159
+ read: {
3160
+ authorizedRoles: ['Client', 'Client2'],
3161
+ requireAuthentication: true,
3162
+ },
3163
+ create: {
3164
+ authorizedRoles: [],
3165
+ requireAuthentication: true,
3166
+ },
3167
+ },
3168
+ },
3169
+ ])
3170
+ const wabe = setup.wabe
3171
+ const port = setup.port
3172
+ const client = getAnonymousClient(port)
3173
+ const rootClient = getGraphqlClient(port)
3174
+
3175
+ const { userClient } = await createUserAndUpdateRole({
3176
+ anonymousClient: client,
3177
+ port,
3178
+ roleName: 'Client2',
3179
+ rootClient,
3180
+ })
3181
+
3182
+ await rootClient.request<any>(gql`
3183
+ mutation createTest {
3184
+ createTest(input: { fields: { name: "test" } }) {
3185
+ test {
3186
+ id
3187
+ }
3188
+ }
3189
+ }
3190
+ `)
3191
+
3192
+ expect(
3193
+ userClient.request<any>(gql`
3194
+ mutation deleteTests {
3195
+ deleteTests(input: { where: { name: { equalTo: "test" } } }) {
3196
+ edges {
3197
+ node {
3198
+ id
3199
+ }
3200
+ }
3201
+ }
3202
+ }
3203
+ `),
3204
+ ).rejects.toThrow('Permission denied to delete class Test')
3205
+
3206
+ await closeTests(wabe)
3207
+ })
3208
+
3209
+ it("should not authorized to create an object if the user doesn't had an authorized role (create)", async () => {
3210
+ const setup = await setupTests([
3211
+ {
3212
+ name: 'Test',
3213
+ fields: {
3214
+ name: { type: 'String' },
3215
+ pointer: {
3216
+ type: 'Pointer',
3217
+ class: 'Test2',
3218
+ },
3219
+ relation: {
3220
+ type: 'Relation',
3221
+ class: 'Test2',
3222
+ },
3223
+ },
3224
+ permissions: {
3225
+ read: {
3226
+ authorizedRoles: ['Client', 'Client2'],
3227
+ requireAuthentication: true,
3228
+ },
3229
+ update: {
3230
+ authorizedRoles: ['Client'],
3231
+ requireAuthentication: true,
3232
+ },
3233
+ delete: {
3234
+ authorizedRoles: ['Client'],
3235
+ requireAuthentication: true,
3236
+ },
3237
+ create: {
3238
+ authorizedRoles: ['Client2'],
3239
+ requireAuthentication: true,
3240
+ },
3241
+ },
3242
+ },
3243
+ {
3244
+ name: 'Test2',
3245
+ fields: {
3246
+ name: { type: 'String' },
3247
+ age: { type: 'Int' },
3248
+ },
3249
+ permissions: {
3250
+ read: {
3251
+ authorizedRoles: ['Client', 'Client2'],
3252
+ requireAuthentication: true,
3253
+ },
3254
+ create: {
3255
+ authorizedRoles: [],
3256
+ requireAuthentication: true,
3257
+ },
3258
+ },
3259
+ },
3260
+ ])
3261
+ const wabe = setup.wabe
3262
+ const port = setup.port
3263
+ const client = getAnonymousClient(port)
3264
+ const rootClient = getGraphqlClient(port)
3265
+
3266
+ const { userClient } = await createUserAndUpdateRole({
3267
+ anonymousClient: client,
3268
+ port,
3269
+ roleName: 'Client',
3270
+ rootClient,
3271
+ })
3272
+
3273
+ expect(
3274
+ userClient.request<any>(gql`
3275
+ mutation createTest2 {
3276
+ createTest2(input: { fields: { name: "test" } }) {
3277
+ test2 {
3278
+ id
3279
+ }
3280
+ }
3281
+ }
3282
+ `),
3283
+ ).rejects.toThrow('Permission denied to create class Test')
3284
+
3285
+ await closeTests(wabe)
3286
+ })
3287
+
3288
+ it("should not authorized to udpdate an object if the user doesn't had an authorized role (update)", async () => {
3289
+ const setup = await setupTests([
3290
+ {
3291
+ name: 'Test',
3292
+ fields: {
3293
+ name: { type: 'String' },
3294
+ pointer: {
3295
+ type: 'Pointer',
3296
+ class: 'Test2',
3297
+ },
3298
+ relation: {
3299
+ type: 'Relation',
3300
+ class: 'Test2',
3301
+ },
3302
+ },
3303
+ permissions: {
3304
+ read: {
3305
+ authorizedRoles: ['Client', 'Client2'],
3306
+ requireAuthentication: true,
3307
+ },
3308
+ update: {
3309
+ authorizedRoles: ['Client'],
3310
+ requireAuthentication: true,
3311
+ },
3312
+ delete: {
3313
+ authorizedRoles: ['Client'],
3314
+ requireAuthentication: true,
3315
+ },
3316
+ create: {
3317
+ authorizedRoles: ['Client2'],
3318
+ requireAuthentication: true,
3319
+ },
3320
+ },
3321
+ },
3322
+ {
3323
+ name: 'Test2',
3324
+ fields: {
3325
+ name: { type: 'String' },
3326
+ age: { type: 'Int' },
3327
+ },
3328
+ permissions: {
3329
+ read: {
3330
+ authorizedRoles: ['Client', 'Client2'],
3331
+ requireAuthentication: true,
3332
+ },
3333
+ create: {
3334
+ authorizedRoles: [],
3335
+ requireAuthentication: true,
3336
+ },
3337
+ },
3338
+ },
3339
+ ])
3340
+ const wabe = setup.wabe
3341
+ const port = setup.port
3342
+ const client = getAnonymousClient(port)
3343
+ const rootClient = getGraphqlClient(port)
3344
+
3345
+ const { userClient } = await createUserAndUpdateRole({
3346
+ anonymousClient: client,
3347
+ port,
3348
+ roleName: 'Client2',
3349
+ rootClient,
3350
+ })
3351
+
3352
+ const res = await rootClient.request<any>(gql`
3353
+ mutation createTest {
3354
+ createTest(input: { fields: { name: "test" } }) {
3355
+ test {
3356
+ id
3357
+ }
3358
+ }
3359
+ }
3360
+ `)
3361
+
3362
+ expect(
3363
+ userClient.request<any>(gql`
3364
+ mutation updateTest{
3365
+ updateTest(input: {id: "${res.createTest.test.id}", fields : {name: "tata"}}){
3366
+ test{
3367
+ id
3368
+ }
3369
+ }
3370
+ }
3371
+ `),
3372
+ ).rejects.toThrow('Permission denied to update class Test')
3373
+
3374
+ await closeTests(wabe)
3375
+ })
3376
+ })
3377
+
3378
+ const graphql = {
3379
+ deleteTests: gql`
3380
+ mutation deleteTests {
3381
+ deleteTests(input: { where: { name: { equalTo: "test" } } }) {
3382
+ edges {
3383
+ node {
3384
+ id
3385
+ }
3386
+ }
3387
+ }
3388
+ }
3389
+ `,
3390
+ deleteUsers: gql`
3391
+ mutation deleteUser {
3392
+ deleteUsers(
3393
+ input: { where: { authentication: { emailPassword: { email: { equalTo: "email@test.fr" } } } } }
3394
+ ) {
3395
+ edges {
3396
+ node {
3397
+ id
3398
+ }
3399
+ }
3400
+ }
3401
+ }
3402
+ `,
3403
+ signInWith: gql`
3404
+ mutation signInWith($input: SignInWithInput!) {
3405
+ signInWith(input: $input) {
3406
+ id
3407
+ accessToken
3408
+ refreshToken
3409
+ }
3410
+ }
3411
+ `,
3412
+ signUpWith: gql`
3413
+ mutation signUpWith($input: SignUpWithInput!) {
3414
+ signUpWith(input: $input) {
3415
+ id
3416
+ accessToken
3417
+ refreshToken
3418
+ }
3419
+ }
3420
+ `,
3421
+ signOut: gql`
3422
+ mutation signOut {
3423
+ signOut
3424
+ }
3425
+ `,
3426
+ refresh: gql`
3427
+ mutation refresh($input: RefreshInput!) {
3428
+ refresh(input: $input) {
3429
+ accessToken
3430
+ refreshToken
3431
+ }
3432
+ }
3433
+ `,
3434
+ }