bookstack/tests/Api/ApiAuthTest.php

<?php

namespace Tests\Api;

use BookStack\Auth\Permissions\RolePermission;
use BookStack\Auth\Role;
use BookStack\Auth\User;
use Carbon\Carbon;
use Tests\TestCase;

class ApiAuthTest extends TestCase
{
    use TestsApi;

    protected $endpoint = '/api/books';

    public function test_requests_succeed_with_default_auth()
    {
        $viewer = $this->users->viewer();
        $this->permissions->grantUserRolePermissions($viewer, ['access-api']);

        $resp = $this->get($this->endpoint);
        $resp->assertStatus(401);

        $this->actingAs($viewer, 'standard');

        $resp = $this->get($this->endpoint);
        $resp->assertStatus(200);
    }

    public function test_no_token_throws_error()
    {
        $resp = $this->get($this->endpoint);
        $resp->assertStatus(401);
        $resp->assertJson($this->errorResponse('No authorization token found on the request', 401));
    }

    public function test_bad_token_format_throws_error()
    {
        $resp = $this->get($this->endpoint, ['Authorization' => 'Token abc123']);
        $resp->assertStatus(401);
        $resp->assertJson($this->errorResponse('An authorization token was found on the request but the format appeared incorrect', 401));
    }

    public function test_token_with_non_existing_id_throws_error()
    {
        $resp = $this->get($this->endpoint, ['Authorization' => 'Token abc:123']);
        $resp->assertStatus(401);
        $resp->assertJson($this->errorResponse('No matching API token was found for the provided authorization token', 401));
    }

    public function test_token_with_bad_secret_value_throws_error()
    {
        $resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:123"]);
        $resp->assertStatus(401);
        $resp->assertJson($this->errorResponse('The secret provided for the given used API token is incorrect', 401));
    }

    public function test_api_access_permission_required_to_access_api()
    {
        $resp = $this->get($this->endpoint, $this->apiAuthHeader());
        $resp->assertStatus(200);
        auth()->logout();

        $accessApiPermission = RolePermission::getByName('access-api');
        $editorRole = $this->users->editor()->roles()->first();
        $editorRole->detachPermission($accessApiPermission);

        $resp = $this->get($this->endpoint, $this->apiAuthHeader());
        $resp->assertStatus(403);
        $resp->assertJson($this->errorResponse('The owner of the used API token does not have permission to make API calls', 403));
    }

    public function test_api_access_permission_required_to_access_api_with_session_auth()
    {
        $editor = $this->users->editor();
        $this->actingAs($editor, 'standard');

        $resp = $this->get($this->endpoint);
        $resp->assertStatus(200);
        auth('standard')->logout();

        $accessApiPermission = RolePermission::getByName('access-api');
        $editorRole = $this->users->editor()->roles()->first();
        $editorRole->detachPermission($accessApiPermission);

        $editor = User::query()->where('id', '=', $editor->id)->first();

        $this->actingAs($editor, 'standard');
        $resp = $this->get($this->endpoint);
        $resp->assertStatus(403);
        $resp->assertJson($this->errorResponse('The owner of the used API token does not have permission to make API calls', 403));
    }

    public function test_access_prevented_for_guest_users_with_api_permission_while_public_access_disabled()
    {
        $this->disableCookieEncryption();
        $publicRole = Role::getSystemRole('public');
        $accessApiPermission = RolePermission::getByName('access-api');
        $publicRole->attachPermission($accessApiPermission);

        $this->withCookie('bookstack_session', 'abc123');

        // Test API access when not public
        setting()->put('app-public', false);
        $resp = $this->get($this->endpoint);
        $resp->assertStatus(403);

        // Test API access when public
        setting()->put('app-public', true);
        $resp = $this->get($this->endpoint);
        $resp->assertStatus(200);
    }

    public function test_token_expiry_checked()
    {
        $editor = $this->users->editor();
        $token = $editor->apiTokens()->first();

        $resp = $this->get($this->endpoint, $this->apiAuthHeader());
        $resp->assertStatus(200);
        auth()->logout();

        $token->expires_at = Carbon::now()->subDay()->format('Y-m-d');
        $token->save();

        $resp = $this->get($this->endpoint, $this->apiAuthHeader());
        $resp->assertJson($this->errorResponse('The authorization token used has expired', 403));
    }

    public function test_email_confirmation_checked_using_api_auth()
    {
        $editor = $this->users->editor();
        $editor->email_confirmed = false;
        $editor->save();

        // Set settings and get user instance
        $this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true']);

        $resp = $this->get($this->endpoint, $this->apiAuthHeader());
        $resp->assertStatus(401);
        $resp->assertJson($this->errorResponse('The email address for the account in use needs to be confirmed', 401));
    }

    public function test_rate_limit_headers_active_on_requests()
    {
        $resp = $this->actingAsApiEditor()->get($this->endpoint);
        $resp->assertHeader('x-ratelimit-limit', 180);
        $resp->assertHeader('x-ratelimit-remaining', 179);
        $resp = $this->actingAsApiEditor()->get($this->endpoint);
        $resp->assertHeader('x-ratelimit-remaining', 178);
    }

    public function test_rate_limit_hit_gives_json_error()
    {
        config()->set(['api.requests_per_minute' => 1]);
        $resp = $this->actingAsApiEditor()->get($this->endpoint);
        $resp->assertStatus(200);

        $resp = $this->actingAsApiEditor()->get($this->endpoint);
        $resp->assertStatus(429);
        $resp->assertHeader('x-ratelimit-remaining', 0);
        $resp->assertHeader('retry-after');
        $resp->assertJson([
            'error' => [
                'code' => 429,
            ],
        ]);
    }
}
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`<?php`

			`namespace Tests\Api;`
Added testing coverage to API token auth 2019-12-31 03:42:46 +08:00
			`use BookStack\Auth\Permissions\RolePermission;`
Updated API session auth to consider public access setting For #3091 2021-11-30 21:55:56 +08:00			`use BookStack\Auth\Role;`
Fixed test class names + add perm. check to api session auth 2020-01-02 01:01:36 +08:00			`use BookStack\Auth\User;`
Added expiry checking to API token auth - Added test to cover to ensure its checked going forward 2019-12-31 03:51:41 +08:00			`use Carbon\Carbon;`
Updated test files to be PSR-4 compliant Closes #1924 2020-04-04 08:16:05 +08:00			`use Tests\TestCase;`
Added testing coverage to API token auth 2019-12-31 03:42:46 +08:00
			`class ApiAuthTest extends TestCase`
			`{`
			`use TestsApi;`

			`protected $endpoint = '/api/books';`

			`public function test_requests_succeed_with_default_auth()`
			`{`
Copied over work from user_permissions branch Only that relevant to the additional testing work. 2023-01-21 19:08:34 +08:00			`$viewer = $this->users->viewer();`
			`$this->permissions->grantUserRolePermissions($viewer, ['access-api']);`
Fixed test class names + add perm. check to api session auth 2020-01-02 01:01:36 +08:00
Added testing coverage to API token auth 2019-12-31 03:42:46 +08:00			`$resp = $this->get($this->endpoint);`
			`$resp->assertStatus(401);`

Simplified guard names and rolled out guard route checks - Included tests to cover for LDAP and SAML - Updated wording for external auth id option. - Updated 'assertPermissionError' test case to be usable in BrowserKitTests 2020-02-02 21:10:21 +08:00			`$this->actingAs($viewer, 'standard');`
Added testing coverage to API token auth 2019-12-31 03:42:46 +08:00
			`$resp = $this->get($this->endpoint);`
			`$resp->assertStatus(200);`
			`}`

			`public function test_no_token_throws_error()`
			`{`
			`$resp = $this->get($this->endpoint);`
			`$resp->assertStatus(401);`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`$resp->assertJson($this->errorResponse('No authorization token found on the request', 401));`
Added testing coverage to API token auth 2019-12-31 03:42:46 +08:00			`}`

			`public function test_bad_token_format_throws_error()`
			`{`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`$resp = $this->get($this->endpoint, ['Authorization' => 'Token abc123']);`
Added testing coverage to API token auth 2019-12-31 03:42:46 +08:00			`$resp->assertStatus(401);`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`$resp->assertJson($this->errorResponse('An authorization token was found on the request but the format appeared incorrect', 401));`
Added testing coverage to API token auth 2019-12-31 03:42:46 +08:00			`}`

			`public function test_token_with_non_existing_id_throws_error()`
			`{`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`$resp = $this->get($this->endpoint, ['Authorization' => 'Token abc:123']);`
Added testing coverage to API token auth 2019-12-31 03:42:46 +08:00			`$resp->assertStatus(401);`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`$resp->assertJson($this->errorResponse('No matching API token was found for the provided authorization token', 401));`
Added testing coverage to API token auth 2019-12-31 03:42:46 +08:00			`}`

			`public function test_token_with_bad_secret_value_throws_error()`
			`{`
			`$resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:123"]);`
			`$resp->assertStatus(401);`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`$resp->assertJson($this->errorResponse('The secret provided for the given used API token is incorrect', 401));`
Added testing coverage to API token auth 2019-12-31 03:42:46 +08:00			`}`

			`public function test_api_access_permission_required_to_access_api()`
			`{`
Added expiry checking to API token auth - Added test to cover to ensure its checked going forward 2019-12-31 03:51:41 +08:00			`$resp = $this->get($this->endpoint, $this->apiAuthHeader());`
Added testing coverage to API token auth 2019-12-31 03:42:46 +08:00			`$resp->assertStatus(200);`
			`auth()->logout();`

			`$accessApiPermission = RolePermission::getByName('access-api');`
Copied over work from user_permissions branch Only that relevant to the additional testing work. 2023-01-21 19:08:34 +08:00			`$editorRole = $this->users->editor()->roles()->first();`
Added testing coverage to API token auth 2019-12-31 03:42:46 +08:00			`$editorRole->detachPermission($accessApiPermission);`

Added expiry checking to API token auth - Added test to cover to ensure its checked going forward 2019-12-31 03:51:41 +08:00			`$resp = $this->get($this->endpoint, $this->apiAuthHeader());`
Fixed test class names + add perm. check to api session auth 2020-01-02 01:01:36 +08:00			`$resp->assertStatus(403);`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`$resp->assertJson($this->errorResponse('The owner of the used API token does not have permission to make API calls', 403));`
Fixed test class names + add perm. check to api session auth 2020-01-02 01:01:36 +08:00			`}`

			`public function test_api_access_permission_required_to_access_api_with_session_auth()`
			`{`
Copied over work from user_permissions branch Only that relevant to the additional testing work. 2023-01-21 19:08:34 +08:00			`$editor = $this->users->editor();`
Simplified guard names and rolled out guard route checks - Included tests to cover for LDAP and SAML - Updated wording for external auth id option. - Updated 'assertPermissionError' test case to be usable in BrowserKitTests 2020-02-02 21:10:21 +08:00			`$this->actingAs($editor, 'standard');`
Fixed test class names + add perm. check to api session auth 2020-01-02 01:01:36 +08:00
			`$resp = $this->get($this->endpoint);`
			`$resp->assertStatus(200);`
Simplified guard names and rolled out guard route checks - Included tests to cover for LDAP and SAML - Updated wording for external auth id option. - Updated 'assertPermissionError' test case to be usable in BrowserKitTests 2020-02-02 21:10:21 +08:00			`auth('standard')->logout();`
Fixed test class names + add perm. check to api session auth 2020-01-02 01:01:36 +08:00
			`$accessApiPermission = RolePermission::getByName('access-api');`
Copied over work from user_permissions branch Only that relevant to the additional testing work. 2023-01-21 19:08:34 +08:00			`$editorRole = $this->users->editor()->roles()->first();`
Fixed test class names + add perm. check to api session auth 2020-01-02 01:01:36 +08:00			`$editorRole->detachPermission($accessApiPermission);`

			`$editor = User::query()->where('id', '=', $editor->id)->first();`

Simplified guard names and rolled out guard route checks - Included tests to cover for LDAP and SAML - Updated wording for external auth id option. - Updated 'assertPermissionError' test case to be usable in BrowserKitTests 2020-02-02 21:10:21 +08:00			`$this->actingAs($editor, 'standard');`
Fixed test class names + add perm. check to api session auth 2020-01-02 01:01:36 +08:00			`$resp = $this->get($this->endpoint);`
			`$resp->assertStatus(403);`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`$resp->assertJson($this->errorResponse('The owner of the used API token does not have permission to make API calls', 403));`
Added testing coverage to API token auth 2019-12-31 03:42:46 +08:00			`}`

Updated API session auth to consider public access setting For #3091 2021-11-30 21:55:56 +08:00			`public function test_access_prevented_for_guest_users_with_api_permission_while_public_access_disabled()`
			`{`
			`$this->disableCookieEncryption();`
			`$publicRole = Role::getSystemRole('public');`
			`$accessApiPermission = RolePermission::getByName('access-api');`
			`$publicRole->attachPermission($accessApiPermission);`

			`$this->withCookie('bookstack_session', 'abc123');`

			`// Test API access when not public`
			`setting()->put('app-public', false);`
			`$resp = $this->get($this->endpoint);`
			`$resp->assertStatus(403);`

			`// Test API access when public`
			`setting()->put('app-public', true);`
			`$resp = $this->get($this->endpoint);`
			`$resp->assertStatus(200);`
			`}`

Added expiry checking to API token auth - Added test to cover to ensure its checked going forward 2019-12-31 03:51:41 +08:00			`public function test_token_expiry_checked()`
			`{`
Copied over work from user_permissions branch Only that relevant to the additional testing work. 2023-01-21 19:08:34 +08:00			`$editor = $this->users->editor();`
Added expiry checking to API token auth - Added test to cover to ensure its checked going forward 2019-12-31 03:51:41 +08:00			`$token = $editor->apiTokens()->first();`

			`$resp = $this->get($this->endpoint, $this->apiAuthHeader());`
			`$resp->assertStatus(200);`
			`auth()->logout();`

			`$token->expires_at = Carbon::now()->subDay()->format('Y-m-d');`
			`$token->save();`

			`$resp = $this->get($this->endpoint, $this->apiAuthHeader());`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`$resp->assertJson($this->errorResponse('The authorization token used has expired', 403));`
Added expiry checking to API token auth - Added test to cover to ensure its checked going forward 2019-12-31 03:51:41 +08:00			`}`
Added testing coverage to API token auth 2019-12-31 03:42:46 +08:00
Added expiry checking to API token auth - Added test to cover to ensure its checked going forward 2019-12-31 03:51:41 +08:00			`public function test_email_confirmation_checked_using_api_auth()`
Added testing coverage to API token auth 2019-12-31 03:42:46 +08:00			`{`
Copied over work from user_permissions branch Only that relevant to the additional testing work. 2023-01-21 19:08:34 +08:00			`$editor = $this->users->editor();`
Added testing coverage to API token auth 2019-12-31 03:42:46 +08:00			`$editor->email_confirmed = false;`
			`$editor->save();`

			`// Set settings and get user instance`
			`$this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true']);`

Added expiry checking to API token auth - Added test to cover to ensure its checked going forward 2019-12-31 03:51:41 +08:00			`$resp = $this->get($this->endpoint, $this->apiAuthHeader());`
Added testing coverage to API token auth 2019-12-31 03:42:46 +08:00			`$resp->assertStatus(401);`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`$resp->assertJson($this->errorResponse('The email address for the account in use needs to be confirmed', 401));`
Added testing coverage to API token auth 2019-12-31 03:42:46 +08:00			`}`

Added configurable API throttling, Handled API errors standardly 2020-01-18 23:03:28 +08:00			`public function test_rate_limit_headers_active_on_requests()`
			`{`
			`$resp = $this->actingAsApiEditor()->get($this->endpoint);`
			`$resp->assertHeader('x-ratelimit-limit', 180);`
			`$resp->assertHeader('x-ratelimit-remaining', 179);`
			`$resp = $this->actingAsApiEditor()->get($this->endpoint);`
			`$resp->assertHeader('x-ratelimit-remaining', 178);`
			`}`

			`public function test_rate_limit_hit_gives_json_error()`
			`{`
			`config()->set(['api.requests_per_minute' => 1]);`
			`$resp = $this->actingAsApiEditor()->get($this->endpoint);`
			`$resp->assertStatus(200);`

			`$resp = $this->actingAsApiEditor()->get($this->endpoint);`
			`$resp->assertStatus(429);`
			`$resp->assertHeader('x-ratelimit-remaining', 0);`
			`$resp->assertHeader('retry-after');`
			`$resp->assertJson([`
			`'error' => [`
			`'code' => 429,`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`],`
Added configurable API throttling, Handled API errors standardly 2020-01-18 23:03:28 +08:00			`]);`
			`}`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`}`