const should = require('should');
const supertest = require('supertest');
const testUtils = require('../../utils');
const config = require('../../../core/shared/config');
const localUtils = require('./utils');
const configUtils = require('../../utils/configUtils');
const sinon = require('sinon');
const logging = require('@tryghost/logging');
describe('Admin API key authentication', function () {
    let request;

    // Builds the `Authorization` header value the admin API expects: the
    // `Ghost` scheme followed by a token minted by the local test helper.
    // Arguments are forwarded untouched, so a caller that passes a key index
    // reaches the helper with exactly that argument list.
    const adminAuthHeader = (...tokenArgs) => `Ghost ${localUtils.getValidAdminToken(...tokenArgs)}`;

    // Every admin API response checked in this suite must be JSON and must
    // carry the private cache rules; `status` is the HTTP status the
    // scenario expects. Returns the supertest Test so callers can await it.
    const expectPrivateJson = (pendingRequest, status) => pendingRequest
        .expect('Content-Type', /json/)
        .expect('Cache-Control', testUtils.cacheRules.private)
        .expect(status);

    before(async function () {
        // Boot a fresh Ghost instance, point the supertest agent at it, then
        // load the API key fixtures the tokens below are signed with.
        await localUtils.startGhost();
        request = supertest.agent(config.get('url'));
        await testUtils.initFixtures('api_keys');
    });

    afterEach(function () {
        // Remove any stub a test installed (e.g. the logging.error stub).
        sinon.restore();
    });

    it('Can not access endpoint without a token header', async function () {
        // Stub logging.error so the expected auth failure is counted rather
        // than emitted; the test asserts it was logged exactly once.
        const errorLog = sinon.stub(logging, 'error');

        // The header carries only the `Ghost` scheme and no token.
        const attempt = request
            .get(localUtils.API.getApiQuery('posts/'))
            .set('Authorization', 'Ghost');
        await expectPrivateJson(attempt, 401);

        sinon.assert.calledOnce(errorLog);
    });

    it('Can not access endpoint with a wrong endpoint token', async function () {
        const errorLog = sinon.stub(logging, 'error');

        // Token minted for a foreign origin. The helper's first argument is
        // presumably the audience embedded in the token (see localUtils), so a
        // token for the wrong audience must be refused even though it is
        // otherwise validly signed.
        const attempt = request
            .get(localUtils.API.getApiQuery('posts/'))
            .set('Authorization', adminAuthHeader('https://wrong.com'));
        await expectPrivateJson(attempt, 401);

        sinon.assert.calledOnce(errorLog);
    });

    it('Can access browse endpoint with correct token', async function () {
        const attempt = request
            .get(localUtils.API.getApiQuery('posts/'))
            .set('Authorization', adminAuthHeader('/admin/'));
        await expectPrivateJson(attempt, 200);
    });

    it('Can create post', async function () {
        const newPost = {
            title: 'Post created with api_key'
        };

        const pending = request
            .post(localUtils.API.getApiQuery('posts/?include=authors'))
            .set('Origin', config.get('url'))
            .set('Authorization', adminAuthHeader('/admin/'))
            .send({
                posts: [newPost]
            });
        const response = await expectPrivateJson(pending, 201);

        // A request authenticated by an API key has no user of its own; the
        // created post is attributed to exactly one fallback author (the
        // owner user, per the original note in this test).
        should(response.body.posts[0].authors.length).eql(1);
    });

    it('Can read users', async function () {
        const pending = request
            .get(localUtils.API.getApiQuery('users/'))
            .set('Origin', config.get('url'))
            .set('Authorization', adminAuthHeader('/admin/'));
        const response = await expectPrivateJson(pending, 200);

        // Shape check of the first user against the shared 'user' schema.
        localUtils.API.checkResponse(response.body.users[0], 'user');
    });

    describe('Host Settings: custom integration limits', function () {
        afterEach(function () {
            // Clear the in-process override. The test below notes that
            // hostSettings are only re-read on a full reboot, so the running
            // instance presumably keeps the limit until the next startGhost().
            configUtils.set('hostSettings:limits', undefined);
        });

        it('Blocks the request when host limit is in place for custom integrations', async function () {
            configUtils.set('hostSettings:limits', {
                customIntegrations: {
                    disabled: true,
                    error: 'Custom limit error message'
                }
            });

            // NOTE: need to do a full reboot to reinitialize hostSettings
            await localUtils.startGhost();
            await testUtils.initFixtures('integrations');
            await testUtils.initFixtures('api_keys');

            const errorLog = sinon.stub(logging, 'error');

            // CASE: the default API key (presumably a custom integration's)
            // is refused with the configured limit error.
            const blocked = request
                .get(localUtils.API.getApiQuery('posts/'))
                .set('Authorization', adminAuthHeader('/admin/'));
            const blockedResponse = await expectPrivateJson(blocked, 403);

            const [limitError] = blockedResponse.body.errors;
            should(limitError.type).equal('HostLimitError');
            should(limitError.message).equal('Custom limit error message');
            sinon.assert.calledOnce(errorLog);

            // CASE: Test with a different API key, related to a core integration
            const allowed = request
                .get(localUtils.API.getApiQuery('explore/'))
                .set('Authorization', adminAuthHeader('/admin/', 4));
            const coreResponse = await expectPrivateJson(allowed, 200);

            should.exist(coreResponse.body.explore);
        });
    });
});