bookstack/tests/User/UserApiTokenTest.php

<?php

namespace Tests\User;

use BookStack\Actions\ActivityType;
use BookStack\Api\ApiToken;
use Carbon\Carbon;
use Tests\TestCase;

class UserApiTokenTest extends TestCase
{
    protected $testTokenData = [
        'name'       => 'My test API token',
        'expires_at' => '2050-04-01',
    ];

    public function test_tokens_section_not_visible_without_access_api_permission()
    {
        $user = $this->users->viewer();

        $resp = $this->actingAs($user)->get($user->getEditUrl());
        $resp->assertDontSeeText('API Tokens');

        $this->permissions->grantUserRolePermissions($user, ['access-api']);

        $resp = $this->actingAs($user)->get($user->getEditUrl());
        $resp->assertSeeText('API Tokens');
        $resp->assertSeeText('Create Token');
    }

    public function test_those_with_manage_users_can_view_other_user_tokens_but_not_create()
    {
        $viewer = $this->users->viewer();
        $editor = $this->users->editor();
        $this->permissions->grantUserRolePermissions($viewer, ['users-manage']);

        $resp = $this->actingAs($viewer)->get($editor->getEditUrl());
        $resp->assertSeeText('API Tokens');
        $resp->assertDontSeeText('Create Token');
    }

    public function test_create_api_token()
    {
        $editor = $this->users->editor();

        $resp = $this->asAdmin()->get($editor->getEditUrl('/create-api-token'));
        $resp->assertStatus(200);
        $resp->assertSee('Create API Token');
        $resp->assertSee('Token Secret');

        $resp = $this->post($editor->getEditUrl('/create-api-token'), $this->testTokenData);
        $token = ApiToken::query()->latest()->first();
        $resp->assertRedirect($editor->getEditUrl('/api-tokens/' . $token->id));
        $this->assertDatabaseHas('api_tokens', [
            'user_id'    => $editor->id,
            'name'       => $this->testTokenData['name'],
            'expires_at' => $this->testTokenData['expires_at'],
        ]);

        // Check secret token
        $this->assertSessionHas('api-token-secret:' . $token->id);
        $secret = session('api-token-secret:' . $token->id);
        $this->assertDatabaseMissing('api_tokens', [
            'secret' => $secret,
        ]);
        $this->assertTrue(\Hash::check($secret, $token->secret));

        $this->assertTrue(strlen($token->token_id) === 32);
        $this->assertTrue(strlen($secret) === 32);

        $this->assertSessionHas('success');
        $this->assertActivityExists(ActivityType::API_TOKEN_CREATE);
    }

    public function test_create_with_no_expiry_sets_expiry_hundred_years_away()
    {
        $editor = $this->users->editor();
        $this->asAdmin()->post($editor->getEditUrl('/create-api-token'), ['name' => 'No expiry token', 'expires_at' => '']);
        $token = ApiToken::query()->latest()->first();

        $over = Carbon::now()->addYears(101);
        $under = Carbon::now()->addYears(99);
        $this->assertTrue(
            ($token->expires_at < $over && $token->expires_at > $under),
            'Token expiry set at 100 years in future'
        );
    }

    public function test_created_token_displays_on_profile_page()
    {
        $editor = $this->users->editor();
        $this->asAdmin()->post($editor->getEditUrl('/create-api-token'), $this->testTokenData);
        $token = ApiToken::query()->latest()->first();

        $resp = $this->get($editor->getEditUrl());
        $this->withHtml($resp)->assertElementExists('#api_tokens');
        $this->withHtml($resp)->assertElementContains('#api_tokens', $token->name);
        $this->withHtml($resp)->assertElementContains('#api_tokens', $token->token_id);
        $this->withHtml($resp)->assertElementContains('#api_tokens', $token->expires_at->format('Y-m-d'));
    }

    public function test_secret_shown_once_after_creation()
    {
        $editor = $this->users->editor();
        $resp = $this->asAdmin()->followingRedirects()->post($editor->getEditUrl('/create-api-token'), $this->testTokenData);
        $resp->assertSeeText('Token Secret');

        $token = ApiToken::query()->latest()->first();
        $this->assertNull(session('api-token-secret:' . $token->id));

        $resp = $this->get($editor->getEditUrl('/api-tokens/' . $token->id));
        $resp->assertDontSeeText('Client Secret');
    }

    public function test_token_update()
    {
        $editor = $this->users->editor();
        $this->asAdmin()->post($editor->getEditUrl('/create-api-token'), $this->testTokenData);
        $token = ApiToken::query()->latest()->first();
        $updateData = [
            'name'       => 'My updated token',
            'expires_at' => '2011-01-01',
        ];

        $resp = $this->put($editor->getEditUrl('/api-tokens/' . $token->id), $updateData);
        $resp->assertRedirect($editor->getEditUrl('/api-tokens/' . $token->id));

        $this->assertDatabaseHas('api_tokens', array_merge($updateData, ['id' => $token->id]));
        $this->assertSessionHas('success');
        $this->assertActivityExists(ActivityType::API_TOKEN_UPDATE);
    }

    public function test_token_update_with_blank_expiry_sets_to_hundred_years_away()
    {
        $editor = $this->users->editor();
        $this->asAdmin()->post($editor->getEditUrl('/create-api-token'), $this->testTokenData);
        $token = ApiToken::query()->latest()->first();

        $resp = $this->put($editor->getEditUrl('/api-tokens/' . $token->id), [
            'name'       => 'My updated token',
            'expires_at' => '',
        ]);
        $token->refresh();

        $over = Carbon::now()->addYears(101);
        $under = Carbon::now()->addYears(99);
        $this->assertTrue(
            ($token->expires_at < $over && $token->expires_at > $under),
            'Token expiry set at 100 years in future'
        );
    }

    public function test_token_delete()
    {
        $editor = $this->users->editor();
        $this->asAdmin()->post($editor->getEditUrl('/create-api-token'), $this->testTokenData);
        $token = ApiToken::query()->latest()->first();

        $tokenUrl = $editor->getEditUrl('/api-tokens/' . $token->id);

        $resp = $this->get($tokenUrl . '/delete');
        $resp->assertSeeText('Delete Token');
        $resp->assertSeeText($token->name);
        $this->withHtml($resp)->assertElementExists('form[action="' . $tokenUrl . '"]');

        $resp = $this->delete($tokenUrl);
        $resp->assertRedirect($editor->getEditUrl('#api_tokens'));
        $this->assertDatabaseMissing('api_tokens', ['id' => $token->id]);
        $this->assertActivityExists(ActivityType::API_TOKEN_DELETE);
    }

    public function test_user_manage_can_delete_token_without_api_permission_themselves()
    {
        $viewer = $this->users->viewer();
        $editor = $this->users->editor();
        $this->permissions->grantUserRolePermissions($editor, ['users-manage']);

        $this->asAdmin()->post($viewer->getEditUrl('/create-api-token'), $this->testTokenData);
        $token = ApiToken::query()->latest()->first();

        $resp = $this->actingAs($editor)->get($viewer->getEditUrl('/api-tokens/' . $token->id));
        $resp->assertStatus(200);
        $resp->assertSeeText('Delete Token');

        $resp = $this->actingAs($editor)->delete($viewer->getEditUrl('/api-tokens/' . $token->id));
        $resp->assertRedirect($viewer->getEditUrl('#api_tokens'));
        $this->assertDatabaseMissing('api_tokens', ['id' => $token->id]);
    }
}
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`<?php`

			`namespace Tests\User;`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00
Implemented user, api_tokem & role activity logging Also refactored some role content, primarily updating the permission controller to be RoleController since it only dealt with roles. 2020-11-21 02:53:01 +08:00			`use BookStack\Actions\ActivityType;`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`use BookStack\Api\ApiToken;`
			`use Carbon\Carbon;`
			`use Tests\TestCase;`

			`class UserApiTokenTest extends TestCase`
			`{`
			`protected $testTokenData = [`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`'name' => 'My test API token',`
Fixed some empty-expiry conditions of token ui flows 2019-12-30 04:18:37 +08:00			`'expires_at' => '2050-04-01',`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`];`

			`public function test_tokens_section_not_visible_without_access_api_permission()`
			`{`
Copied over work from user_permissions branch Only that relevant to the additional testing work. 2023-01-21 19:08:34 +08:00			`$user = $this->users->viewer();`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00
			`$resp = $this->actingAs($user)->get($user->getEditUrl());`
			`$resp->assertDontSeeText('API Tokens');`

Copied over work from user_permissions branch Only that relevant to the additional testing work. 2023-01-21 19:08:34 +08:00			`$this->permissions->grantUserRolePermissions($user, ['access-api']);`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00
			`$resp = $this->actingAs($user)->get($user->getEditUrl());`
			`$resp->assertSeeText('API Tokens');`
			`$resp->assertSeeText('Create Token');`
			`}`

			`public function test_those_with_manage_users_can_view_other_user_tokens_but_not_create()`
			`{`
Copied over work from user_permissions branch Only that relevant to the additional testing work. 2023-01-21 19:08:34 +08:00			`$viewer = $this->users->viewer();`
			`$editor = $this->users->editor();`
			`$this->permissions->grantUserRolePermissions($viewer, ['users-manage']);`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00
Added testing coverage to API token auth 2019-12-31 03:42:46 +08:00			`$resp = $this->actingAs($viewer)->get($editor->getEditUrl());`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`$resp->assertSeeText('API Tokens');`
			`$resp->assertDontSeeText('Create Token');`
			`}`

			`public function test_create_api_token()`
			`{`
Copied over work from user_permissions branch Only that relevant to the additional testing work. 2023-01-21 19:08:34 +08:00			`$editor = $this->users->editor();`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00
			`$resp = $this->asAdmin()->get($editor->getEditUrl('/create-api-token'));`
			`$resp->assertStatus(200);`
			`$resp->assertSee('Create API Token');`
Removed token 'client' text, avoid confusion w/ oAuth - Instead have a token_id and a secret. - Displayed a 'Token ID' and 'Token Secret'. 2019-12-30 04:07:28 +08:00			`$resp->assertSee('Token Secret');`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00
			`$resp = $this->post($editor->getEditUrl('/create-api-token'), $this->testTokenData);`
			`$token = ApiToken::query()->latest()->first();`
			`$resp->assertRedirect($editor->getEditUrl('/api-tokens/' . $token->id));`
			`$this->assertDatabaseHas('api_tokens', [`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`'user_id' => $editor->id,`
			`'name' => $this->testTokenData['name'],`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`'expires_at' => $this->testTokenData['expires_at'],`
			`]);`

			`// Check secret token`
			`$this->assertSessionHas('api-token-secret:' . $token->id);`
			`$secret = session('api-token-secret:' . $token->id);`
			`$this->assertDatabaseMissing('api_tokens', [`
Removed token 'client' text, avoid confusion w/ oAuth - Instead have a token_id and a secret. - Displayed a 'Token ID' and 'Token Secret'. 2019-12-30 04:07:28 +08:00			`'secret' => $secret,`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`]);`
Removed token 'client' text, avoid confusion w/ oAuth - Instead have a token_id and a secret. - Displayed a 'Token ID' and 'Token Secret'. 2019-12-30 04:07:28 +08:00			`$this->assertTrue(\Hash::check($secret, $token->secret));`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00
Removed token 'client' text, avoid confusion w/ oAuth - Instead have a token_id and a secret. - Displayed a 'Token ID' and 'Token Secret'. 2019-12-30 04:07:28 +08:00			`$this->assertTrue(strlen($token->token_id) === 32);`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`$this->assertTrue(strlen($secret) === 32);`

			`$this->assertSessionHas('success');`
Implemented user, api_tokem & role activity logging Also refactored some role content, primarily updating the permission controller to be RoleController since it only dealt with roles. 2020-11-21 02:53:01 +08:00			`$this->assertActivityExists(ActivityType::API_TOKEN_CREATE);`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`}`

			`public function test_create_with_no_expiry_sets_expiry_hundred_years_away()`
			`{`
Copied over work from user_permissions branch Only that relevant to the additional testing work. 2023-01-21 19:08:34 +08:00			`$editor = $this->users->editor();`
Fixed some empty-expiry conditions of token ui flows 2019-12-30 04:18:37 +08:00			`$this->asAdmin()->post($editor->getEditUrl('/create-api-token'), ['name' => 'No expiry token', 'expires_at' => '']);`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`$token = ApiToken::query()->latest()->first();`

			`$over = Carbon::now()->addYears(101);`
			`$under = Carbon::now()->addYears(99);`
			`$this->assertTrue(`
			`($token->expires_at < $over && $token->expires_at > $under),`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`'Token expiry set at 100 years in future'`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`);`
			`}`

			`public function test_created_token_displays_on_profile_page()`
			`{`
Copied over work from user_permissions branch Only that relevant to the additional testing work. 2023-01-21 19:08:34 +08:00			`$editor = $this->users->editor();`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`$this->asAdmin()->post($editor->getEditUrl('/create-api-token'), $this->testTokenData);`
			`$token = ApiToken::query()->latest()->first();`

			`$resp = $this->get($editor->getEditUrl());`
Updated tests to use ssddanbrown/asserthtml package Closes #3519 2022-07-23 22:10:18 +08:00			`$this->withHtml($resp)->assertElementExists('#api_tokens');`
			`$this->withHtml($resp)->assertElementContains('#api_tokens', $token->name);`
			`$this->withHtml($resp)->assertElementContains('#api_tokens', $token->token_id);`
			`$this->withHtml($resp)->assertElementContains('#api_tokens', $token->expires_at->format('Y-m-d'));`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`}`

Removed token 'client' text, avoid confusion w/ oAuth - Instead have a token_id and a secret. - Displayed a 'Token ID' and 'Token Secret'. 2019-12-30 04:07:28 +08:00			`public function test_secret_shown_once_after_creation()`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`{`
Copied over work from user_permissions branch Only that relevant to the additional testing work. 2023-01-21 19:08:34 +08:00			`$editor = $this->users->editor();`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`$resp = $this->asAdmin()->followingRedirects()->post($editor->getEditUrl('/create-api-token'), $this->testTokenData);`
Removed token 'client' text, avoid confusion w/ oAuth - Instead have a token_id and a secret. - Displayed a 'Token ID' and 'Token Secret'. 2019-12-30 04:07:28 +08:00			`$resp->assertSeeText('Token Secret');`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00
			`$token = ApiToken::query()->latest()->first();`
			`$this->assertNull(session('api-token-secret:' . $token->id));`

			`$resp = $this->get($editor->getEditUrl('/api-tokens/' . $token->id));`
			`$resp->assertDontSeeText('Client Secret');`
			`}`

			`public function test_token_update()`
			`{`
Copied over work from user_permissions branch Only that relevant to the additional testing work. 2023-01-21 19:08:34 +08:00			`$editor = $this->users->editor();`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`$this->asAdmin()->post($editor->getEditUrl('/create-api-token'), $this->testTokenData);`
			`$token = ApiToken::query()->latest()->first();`
			`$updateData = [`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`'name' => 'My updated token',`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`'expires_at' => '2011-01-01',`
			`];`

			`$resp = $this->put($editor->getEditUrl('/api-tokens/' . $token->id), $updateData);`
			`$resp->assertRedirect($editor->getEditUrl('/api-tokens/' . $token->id));`

			`$this->assertDatabaseHas('api_tokens', array_merge($updateData, ['id' => $token->id]));`
			`$this->assertSessionHas('success');`
Implemented user, api_tokem & role activity logging Also refactored some role content, primarily updating the permission controller to be RoleController since it only dealt with roles. 2020-11-21 02:53:01 +08:00			`$this->assertActivityExists(ActivityType::API_TOKEN_UPDATE);`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`}`

Fixed some empty-expiry conditions of token ui flows 2019-12-30 04:18:37 +08:00			`public function test_token_update_with_blank_expiry_sets_to_hundred_years_away()`
			`{`
Copied over work from user_permissions branch Only that relevant to the additional testing work. 2023-01-21 19:08:34 +08:00			`$editor = $this->users->editor();`
Fixed some empty-expiry conditions of token ui flows 2019-12-30 04:18:37 +08:00			`$this->asAdmin()->post($editor->getEditUrl('/create-api-token'), $this->testTokenData);`
			`$token = ApiToken::query()->latest()->first();`

			`$resp = $this->put($editor->getEditUrl('/api-tokens/' . $token->id), [`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`'name' => 'My updated token',`
Fixed some empty-expiry conditions of token ui flows 2019-12-30 04:18:37 +08:00			`'expires_at' => '',`
			`]);`
			`$token->refresh();`

			`$over = Carbon::now()->addYears(101);`
			`$under = Carbon::now()->addYears(99);`
			`$this->assertTrue(`
			`($token->expires_at < $over && $token->expires_at > $under),`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`'Token expiry set at 100 years in future'`
Fixed some empty-expiry conditions of token ui flows 2019-12-30 04:18:37 +08:00			`);`
			`}`

Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`public function test_token_delete()`
			`{`
Copied over work from user_permissions branch Only that relevant to the additional testing work. 2023-01-21 19:08:34 +08:00			`$editor = $this->users->editor();`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`$this->asAdmin()->post($editor->getEditUrl('/create-api-token'), $this->testTokenData);`
			`$token = ApiToken::query()->latest()->first();`

			`$tokenUrl = $editor->getEditUrl('/api-tokens/' . $token->id);`

			`$resp = $this->get($tokenUrl . '/delete');`
			`$resp->assertSeeText('Delete Token');`
			`$resp->assertSeeText($token->name);`
Updated tests to use ssddanbrown/asserthtml package Closes #3519 2022-07-23 22:10:18 +08:00			`$this->withHtml($resp)->assertElementExists('form[action="' . $tokenUrl . '"]');`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00
			`$resp = $this->delete($tokenUrl);`
			`$resp->assertRedirect($editor->getEditUrl('#api_tokens'));`
			`$this->assertDatabaseMissing('api_tokens', ['id' => $token->id]);`
Implemented user, api_tokem & role activity logging Also refactored some role content, primarily updating the permission controller to be RoleController since it only dealt with roles. 2020-11-21 02:53:01 +08:00			`$this->assertActivityExists(ActivityType::API_TOKEN_DELETE);`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`}`

			`public function test_user_manage_can_delete_token_without_api_permission_themselves()`
			`{`
Copied over work from user_permissions branch Only that relevant to the additional testing work. 2023-01-21 19:08:34 +08:00			`$viewer = $this->users->viewer();`
			`$editor = $this->users->editor();`
			`$this->permissions->grantUserRolePermissions($editor, ['users-manage']);`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00
			`$this->asAdmin()->post($viewer->getEditUrl('/create-api-token'), $this->testTokenData);`
			`$token = ApiToken::query()->latest()->first();`

			`$resp = $this->actingAs($editor)->get($viewer->getEditUrl('/api-tokens/' . $token->id));`
			`$resp->assertStatus(200);`
			`$resp->assertSeeText('Delete Token');`

			`$resp = $this->actingAs($editor)->delete($viewer->getEditUrl('/api-tokens/' . $token->id));`
			`$resp->assertRedirect($viewer->getEditUrl('#api_tokens'));`
			`$this->assertDatabaseMissing('api_tokens', ['id' => $token->id]);`
			`}`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`}`