* Additional unit test for the authorization API

sulkaharo · sulkaharo · commit 46e4d172bb69 · 2021-01-04T23:43:16.000+02:00
* Stop logging the API SECRET
diff --git a/lib/api/index.js b/lib/api/index.js
@@ -16,8 +16,10 @@ function create (env, ctx) {
   // Only allow access to the API if API_SECRET is set on the server.
   app.disable('api');
   if (env.api_secret) {
-    console.log('API_SECRET', env.api_secret);
+    console.log('API_SECRET present, enabling API');
     app.enable('api');
+  } else {
+    console.log('API_SECRET not found, API disabled');
   }
 
   if (env.settings.enable) {
diff --git a/tests/api.security.test.js b/tests/api.security.test.js
@@ -0,0 +1,135 @@
+/* eslint require-atomic-updates: 0 */
+'use strict';
+
+const request = require('supertest');
+var language = require('../lib/language')();
+require('should');
+const jwt = require('jsonwebtoken');
+
+describe('Security of REST API V1', function() {
+  const self = this
+    , instance = require('./fixtures/api3/instance')
+    , authSubject = require('./fixtures/api3/authSubject');
+
+  this.timeout(30000);
+
+  before(function(done) {
+    var api = require('../lib/api/');
+    self.env = require('../env')();
+    self.env.api_secret = 'this is my long pass phrase';
+    self.env.settings.authDefaultRoles = 'denied';
+    this.wares = require('../lib/middleware/')(self.env);
+    self.app = require('express')();
+    self.app.enable('api');
+    require('../lib/server/bootevent')(self.env, language).boot(async function booted (ctx) {
+      self.app.use('/api/v1', api(self.env, ctx));
+      self.app.use('/api/v2/authorization', ctx.authorization.endpoints);
+      let authResult = await authSubject(ctx.authorization.storage);
+      self.subject = authResult.subject;
+      self.token = authResult.token;
+
+      done();
+    });
+  });
+
+  it('Should fail on false token', function(done) {
+    request(self.app)
+      .get('/api/v2/authorization/request/12345')
+      .expect(401)
+      .end(function(err, res) {
+        console.log(res.error);
+        res.error.status.should.equal(401);
+        done();
+      });
+  });
+
+  it('Data load should fail unauthenticated', function(done) {
+    request(self.app)
+      .get('/api/v1/entries.json')
+      .expect(401)
+      .end(function(err, res) {
+        console.log(res.error);
+        res.error.status.should.equal(401);
+        done();
+      });
+  });
+
+  it('Should return a JWT on token', function(done) {
+    const now = Math.round(Date.now() / 1000) - 1;
+    request(self.app)
+      .get('/api/v2/authorization/request/' + self.token.read)
+      .expect(200)
+      .end(function(err, res) {
+        const decodedToken = jwt.decode(res.body.token);
+        decodedToken.accessToken.should.equal(self.token.read);
+        decodedToken.iat.should.be.aboveOrEqual(now);
+        decodedToken.exp.should.be.above(decodedToken.iat);
+        done();
+      });
+  });
+
+  it('Data load should succeed with API SECRET', function(done) {
+    request(self.app)
+      .get('/api/v1/entries.json')
+      .set('api-secret', self.env.api_secret)
+      .expect(200)
+      .end(function(err, res) {
+        done();
+      });
+  });
+
+  it('Data load should succeed with token in place of a secret', function(done) {
+    request(self.app)
+      .get('/api/v1/entries.json')
+      .set('api-secret', self.token.read)
+      .expect(200)
+      .end(function(err, res) {
+        done();
+      });
+  });
+
+  it('Data load should succeed with a bearer token', function(done) {
+    request(self.app)
+      .get('/api/v2/authorization/request/' + self.token.read)
+      .expect(200)
+      .end(function(err, res) {
+        const token = res.body.token;
+        request(self.app)
+          .get('/api/v1/entries.json')
+          .set('Authorization', 'Bearer ' + token)
+          .expect(200)
+          .end(function(err, res) {
+            done();
+          });
+      });
+  });
+
+  it('Data load fail succeed with a false bearer token', function(done) {
+    request(self.app)
+      .get('/api/v1/entries.json')
+      .set('Authorization', 'Bearer 1234567890')
+      .expect(401)
+      .end(function(err, res) {
+        done();
+      });
+  });
+
+  it('/verifyauth should return OK for Bearer tokens', function (done) {
+    request(self.app)
+    .get('/api/v2/authorization/request/' + self.token.adminAll)
+    .expect(200)
+    .end(function(err, res) {
+      const token = res.body.token;
+      request(self.app)
+      .get('/api/v1/verifyauth')
+      .set('Authorization', 'Bearer ' + token)
+      .expect(200)
+      .end(function(err, res) {
+        res.body.message.message.should.equal('OK');
+        res.body.message.isAdmin.should.equal(true);        
+        done();
+      });
+    });
+  });
+
+});
diff --git a/tests/fixtures/api3/authSubject.js b/tests/fixtures/api3/authSubject.js
@@ -59,6 +59,8 @@ function createTestSubject (authStorage, subjectName, roles) {
 
 async function authSubject (authStorage) {
 
+  await createRole(authStorage, 'admin', '*');
+  await createRole(authStorage, 'readable', '*:*:read');
   await createRole(authStorage, 'apiAll', 'api:*:*');
   await createRole(authStorage, 'apiAdmin', 'api:*:admin');
   await createRole(authStorage, 'apiCreate', 'api:*:create');
@@ -85,7 +87,9 @@ async function authSubject (authStorage) {
     read: subject.apiRead.accessToken,
     update: subject.apiUpdate.accessToken,
     delete: subject.apiDelete.accessToken,
-    denied: subject.denied.accessToken
+    denied: subject.denied.accessToken,
+    adminAll: subject.admin.accessToken,
+    readable: subject.readable.accessToken
   };
 
   return {subject, token};
