colin
/
bookstack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
bookstack/tests/Api/ApiAuthTest.php

147 lines
5.2 KiB
PHP
Raw Normal View History

Updated test files to be PSR-4 compliant Closes #1924
2020-04-04 08:16:05 +08:00
<?php namespace Tests\Api;
Added testing coverage to API token auth
2019-12-31 03:42:46 +08:00
use BookStack\Auth\Permissions\RolePermission;
Fixed test class names + add perm. check to api session auth
2020-01-02 01:01:36 +08:00
use BookStack\Auth\User;
Added expiry checking to API token auth - Added test to cover to ensure its checked going forward
2019-12-31 03:51:41 +08:00
use Carbon\Carbon;
Updated test files to be PSR-4 compliant Closes #1924
2020-04-04 08:16:05 +08:00
use Tests\TestCase;
Added testing coverage to API token auth
2019-12-31 03:42:46 +08:00
class ApiAuthTest extends TestCase
{
use TestsApi;
protected $endpoint = '/api/books';
public function test_requests_succeed_with_default_auth()
{
$viewer = $this->getViewer();
Fixed test class names + add perm. check to api session auth
2020-01-02 01:01:36 +08:00
$this->giveUserPermissions($viewer, ['access-api']);
Added testing coverage to API token auth
2019-12-31 03:42:46 +08:00
$resp = $this->get($this->endpoint);
$resp->assertStatus(401);
Simplified guard names and rolled out guard route checks - Included tests to cover for LDAP and SAML - Updated wording for external auth id option. - Updated 'assertPermissionError' test case to be usable in BrowserKitTests
2020-02-02 21:10:21 +08:00
$this->actingAs($viewer, 'standard');
Added testing coverage to API token auth
2019-12-31 03:42:46 +08:00
$resp = $this->get($this->endpoint);
$resp->assertStatus(200);
}
public function test_no_token_throws_error()
{
$resp = $this->get($this->endpoint);
$resp->assertStatus(401);
$resp->assertJson($this->errorResponse("No authorization token found on the request", 401));
}
public function test_bad_token_format_throws_error()
{
$resp = $this->get($this->endpoint, ['Authorization' => "Token abc123"]);
$resp->assertStatus(401);
$resp->assertJson($this->errorResponse("An authorization token was found on the request but the format appeared incorrect", 401));
}
public function test_token_with_non_existing_id_throws_error()
{
$resp = $this->get($this->endpoint, ['Authorization' => "Token abc:123"]);
$resp->assertStatus(401);
$resp->assertJson($this->errorResponse("No matching API token was found for the provided authorization token", 401));
}
public function test_token_with_bad_secret_value_throws_error()
{
$resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:123"]);
$resp->assertStatus(401);
$resp->assertJson($this->errorResponse("The secret provided for the given used API token is incorrect", 401));
}
public function test_api_access_permission_required_to_access_api()
{
Added expiry checking to API token auth - Added test to cover to ensure its checked going forward
2019-12-31 03:51:41 +08:00
$resp = $this->get($this->endpoint, $this->apiAuthHeader());
Added testing coverage to API token auth
2019-12-31 03:42:46 +08:00
$resp->assertStatus(200);
auth()->logout();
$accessApiPermission = RolePermission::getByName('access-api');
$editorRole = $this->getEditor()->roles()->first();
$editorRole->detachPermission($accessApiPermission);
Added expiry checking to API token auth - Added test to cover to ensure its checked going forward
2019-12-31 03:51:41 +08:00
$resp = $this->get($this->endpoint, $this->apiAuthHeader());
Fixed test class names + add perm. check to api session auth
2020-01-02 01:01:36 +08:00
$resp->assertStatus(403);
$resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));
}
public function test_api_access_permission_required_to_access_api_with_session_auth()
{
$editor = $this->getEditor();
Simplified guard names and rolled out guard route checks - Included tests to cover for LDAP and SAML - Updated wording for external auth id option. - Updated 'assertPermissionError' test case to be usable in BrowserKitTests
2020-02-02 21:10:21 +08:00
$this->actingAs($editor, 'standard');
Fixed test class names + add perm. check to api session auth
2020-01-02 01:01:36 +08:00
$resp = $this->get($this->endpoint);
$resp->assertStatus(200);
Simplified guard names and rolled out guard route checks - Included tests to cover for LDAP and SAML - Updated wording for external auth id option. - Updated 'assertPermissionError' test case to be usable in BrowserKitTests
2020-02-02 21:10:21 +08:00
auth('standard')->logout();
Fixed test class names + add perm. check to api session auth
2020-01-02 01:01:36 +08:00
$accessApiPermission = RolePermission::getByName('access-api');
$editorRole = $this->getEditor()->roles()->first();
$editorRole->detachPermission($accessApiPermission);
$editor = User::query()->where('id', '=', $editor->id)->first();
Simplified guard names and rolled out guard route checks - Included tests to cover for LDAP and SAML - Updated wording for external auth id option. - Updated 'assertPermissionError' test case to be usable in BrowserKitTests
2020-02-02 21:10:21 +08:00
$this->actingAs($editor, 'standard');
Fixed test class names + add perm. check to api session auth
2020-01-02 01:01:36 +08:00
$resp = $this->get($this->endpoint);
$resp->assertStatus(403);
Added testing coverage to API token auth
2019-12-31 03:42:46 +08:00
$resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));
}
Added expiry checking to API token auth - Added test to cover to ensure its checked going forward
2019-12-31 03:51:41 +08:00
public function test_token_expiry_checked()
{
$editor = $this->getEditor();
$token = $editor->apiTokens()->first();
$resp = $this->get($this->endpoint, $this->apiAuthHeader());
$resp->assertStatus(200);
auth()->logout();
$token->expires_at = Carbon::now()->subDay()->format('Y-m-d');
$token->save();
$resp = $this->get($this->endpoint, $this->apiAuthHeader());
$resp->assertJson($this->errorResponse("The authorization token used has expired", 403));
}
Added testing coverage to API token auth
2019-12-31 03:42:46 +08:00
Added expiry checking to API token auth - Added test to cover to ensure its checked going forward
2019-12-31 03:51:41 +08:00
public function test_email_confirmation_checked_using_api_auth()
Added testing coverage to API token auth
2019-12-31 03:42:46 +08:00
{
$editor = $this->getEditor();
$editor->email_confirmed = false;
$editor->save();
// Set settings and get user instance
$this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true']);
Added expiry checking to API token auth - Added test to cover to ensure its checked going forward
2019-12-31 03:51:41 +08:00
$resp = $this->get($this->endpoint, $this->apiAuthHeader());
Added testing coverage to API token auth
2019-12-31 03:42:46 +08:00
$resp->assertStatus(401);
$resp->assertJson($this->errorResponse("The email address for the account in use needs to be confirmed", 401));
}
Added configurable API throttling, Handled API errors standardly
2020-01-18 23:03:28 +08:00
public function test_rate_limit_headers_active_on_requests()
{
$resp = $this->actingAsApiEditor()->get($this->endpoint);
$resp->assertHeader('x-ratelimit-limit', 180);
$resp->assertHeader('x-ratelimit-remaining', 179);
$resp = $this->actingAsApiEditor()->get($this->endpoint);
$resp->assertHeader('x-ratelimit-remaining', 178);
}
public function test_rate_limit_hit_gives_json_error()
{
config()->set(['api.requests_per_minute' => 1]);
$resp = $this->actingAsApiEditor()->get($this->endpoint);
$resp->assertStatus(200);
$resp = $this->actingAsApiEditor()->get($this->endpoint);
$resp->assertStatus(429);
$resp->assertHeader('x-ratelimit-remaining', 0);
$resp->assertHeader('retry-after');
$resp->assertJson([
'error' => [
'code' => 429,
]
]);
}
Added testing coverage to API token auth
2019-12-31 03:42:46 +08:00
}