TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2024-12-14 09:52:09 +03:00
Code Issues Projects Releases Wiki Activity
d3feda719a
Ghost/core/test/unit/middleware_spec.js

460 lines
17 KiB
JavaScript
Raw Normal View History

Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
/*globals describe, beforeEach, afterEach, it*/
Cleaning up the unit tests
2014-06-05 01:26:03 +04:00
/*jshint expr:true*/
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
var assert = require('assert'),
should = require('should'),
sinon = require('sinon'),
added password protection closes #4993 - brings password protection to the frontend of blogs - adds testing for password protection - upgrades bcrypt-js to 2.1.0
2015-03-26 10:01:39 +03:00
Promise = require('bluebird'),
middleware = require('../../server/middleware').middleware,
api = require('../../server/api'),
errors = require('../../server/errors'),
bcrypt = require('bcryptjs'),
fs = require('fs');
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
describe('Middleware', function () {
added password protection closes #4993 - brings password protection to the frontend of blogs - adds testing for password protection - upgrades bcrypt-js to 2.1.0
2015-03-26 10:01:39 +03:00
var sandbox,
apiSettingsStub;
beforeEach(function () {
sandbox = sinon.sandbox.create();
});
afterEach(function () {
sandbox.restore();
});
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
// TODO: needs new test for ember admin
// describe('redirectToDashboard', function () {
// var req, res;
// beforeEach(function () {
// req = {
// session: {}
// };
// res = {
// redirect: sinon.spy()
// };
// });
// it('should redirect to dashboard', function () {
// req.session.user = {};
// middleware.redirectToDashboard(req, res, null);
// assert(res.redirect.calledWithMatch('/ghost/'));
// });
// it('should call next if no user in session', function (done) {
// middleware.redirectToDashboard(req, res, function (a) {
// should.not.exist(a);
// assert(res.redirect.calledOnce.should.be.false);
// done();
// });
// });
// });
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
describe('cacheControl', function () {
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
var res;
Test file cleanup on accoutn of OCD
2013-11-11 14:37:09 +04:00
beforeEach(function () {
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
res = {
set: sinon.spy()
};
});
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
it('correctly sets the public profile headers', function (done) {
middleware.cacheControl('public')(null, res, function (a) {
should.not.exist(a);
res.set.calledOnce.should.be.true;
res.set.calledWith({'Cache-Control': 'public, max-age=0'});
updated error handling on all mocha tests - switch to using catch - added error handling where missing
2014-05-06 00:58:58 +04:00
done();
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
});
});
it('correctly sets the private profile headers', function (done) {
middleware.cacheControl('private')(null, res, function (a) {
should.not.exist(a);
res.set.calledOnce.should.be.true;
Cleaning up the unit tests
2014-06-05 01:26:03 +04:00
res.set.calledWith({
'Cache-Control':
'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0'
});
updated error handling on all mocha tests - switch to using catch - added error handling where missing
2014-05-06 00:58:58 +04:00
done();
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
});
});
it('will not set headers without a profile', function (done) {
middleware.cacheControl()(null, res, function (a) {
should.not.exist(a);
res.set.called.should.be.false;
updated error handling on all mocha tests - switch to using catch - added error handling where missing
2014-05-06 00:58:58 +04:00
done();
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
});
});
});
Test file cleanup on accoutn of OCD
2013-11-11 14:37:09 +04:00
describe('whenEnabled', function () {
Naming cleanup closes #4069 - Rename everything from camelCase to lowercase + dashes - Remove usage of `server`, `app` and `instance`
2014-09-19 20:17:58 +04:00
var cbFn, blogApp;
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
Test file cleanup on accoutn of OCD
2013-11-11 14:37:09 +04:00
beforeEach(function () {
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
cbFn = sinon.spy();
Naming cleanup closes #4069 - Rename everything from camelCase to lowercase + dashes - Remove usage of `server`, `app` and `instance`
2014-09-19 20:17:58 +04:00
blogApp = {
Test file cleanup on accoutn of OCD
2013-11-11 14:37:09 +04:00
enabled: function (setting) {
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
if (setting === 'enabled') {
return true;
} else {
return false;
}
}
};
Naming cleanup closes #4069 - Rename everything from camelCase to lowercase + dashes - Remove usage of `server`, `app` and `instance`
2014-09-19 20:17:58 +04:00
middleware.cacheBlogApp(blogApp);
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
});
Test file cleanup on accoutn of OCD
2013-11-11 14:37:09 +04:00
it('should call function if setting is enabled', function (done) {
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
var req = 1, res = 2, next = 3;
Test file cleanup on accoutn of OCD
2013-11-11 14:37:09 +04:00
middleware.whenEnabled('enabled', function (a, b, c) {
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
assert.equal(a, 1);
assert.equal(b, 2);
assert.equal(c, 3);
updated error handling on all mocha tests - switch to using catch - added error handling where missing
2014-05-06 00:58:58 +04:00
done();
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
})(req, res, next);
});
Test file cleanup on accoutn of OCD
2013-11-11 14:37:09 +04:00
it('should call next() if setting is disabled', function (done) {
middleware.whenEnabled('rando', cbFn)(null, null, function (a) {
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
should.not.exist(a);
cbFn.calledOnce.should.be.false;
updated error handling on all mocha tests - switch to using catch - added error handling where missing
2014-05-06 00:58:58 +04:00
done();
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
});
});
});
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
describe('staticTheme', function () {
beforeEach(function () {
sinon.stub(middleware, 'forwardToExpressStatic').yields();
});
afterEach(function () {
middleware.forwardToExpressStatic.restore();
});
it('should call next if hbs file type', function (done) {
var req = {
url: 'mytemplate.hbs'
};
middleware.staticTheme(null)(req, null, function (a) {
should.not.exist(a);
middleware.forwardToExpressStatic.calledOnce.should.be.false;
updated error handling on all mocha tests - switch to using catch - added error handling where missing
2014-05-06 00:58:58 +04:00
done();
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
});
});
it('should call next if md file type', function (done) {
var req = {
url: 'README.md'
};
middleware.staticTheme(null)(req, null, function (a) {
should.not.exist(a);
middleware.forwardToExpressStatic.calledOnce.should.be.false;
updated error handling on all mocha tests - switch to using catch - added error handling where missing
2014-05-06 00:58:58 +04:00
done();
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
});
});
it('should call next if json file type', function (done) {
var req = {
url: 'sample.json'
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
};
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
middleware.staticTheme(null)(req, null, function (a) {
should.not.exist(a);
middleware.forwardToExpressStatic.calledOnce.should.be.false;
updated error handling on all mocha tests - switch to using catch - added error handling where missing
2014-05-06 00:58:58 +04:00
done();
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
});
});
it('should call express.static if valid file type', function (done) {
Cleaning up the unit tests
2014-06-05 01:26:03 +04:00
var req = {
Test file cleanup on accoutn of OCD
2013-11-11 14:37:09 +04:00
url: 'myvalidfile.css'
};
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need.
2013-11-20 17:58:52 +04:00
middleware.staticTheme(null)(req, null, function (reqArg, res, next) {
Cleaning up the unit tests
2014-06-05 01:26:03 +04:00
/*jshint unused:false */
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
middleware.forwardToExpressStatic.calledOnce.should.be.true;
Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need.
2013-11-20 17:58:52 +04:00
assert.deepEqual(middleware.forwardToExpressStatic.args[0][0], req);
updated error handling on all mocha tests - switch to using catch - added error handling where missing
2014-05-06 00:58:58 +04:00
done();
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
});
});
});
Refactor: Make checkSSL unit-testable and add unit tests for it. - Code was moved to core/server/middleware/middleware.js, which is the home for unit-testable middleware. - Functional code coverage for this code also exists at: test/functional/routes/admin_test.js
2015-01-18 21:44:50 +03:00
describe('isSSLRequired', function () {
var isSSLrequired = middleware.isSSLrequired;
it('SSL is required if config.url starts with https', function () {
isSSLrequired(undefined, 'https://example.com', undefined).should.be.true;
});
it('SSL is required if isAdmin and config.forceAdminSSL is set', function () {
isSSLrequired(true, 'http://example.com', true).should.be.true;
});
it('SSL is not required if config.url starts with "http:/" and forceAdminSSL is not set', function () {
isSSLrequired(false, 'http://example.com', false).should.be.false;
});
});
describe('sslForbiddenOrRedirect', function () {
var sslForbiddenOrRedirect = middleware.sslForbiddenOrRedirect;
it('Return forbidden if config forces admin SSL for AdminSSL redirect is false.', function () {
var response = sslForbiddenOrRedirect({
forceAdminSSL: {redirect: false},
configUrl: 'http://example.com'
});
response.isForbidden.should.be.true;
});
it('If not forbidden, should produce SSL to redirect to when config.url ends with no slash', function () {
var response = sslForbiddenOrRedirect({
forceAdminSSL: {redirect: true},
configUrl: 'http://example.com/config/path',
reqUrl: '/req/path'
});
response.isForbidden.should.be.false;
response.redirectUrl({}).should.equal('https://example.com/config/path/req/path');
});
it('If config ends is slash, potential double-slash in resulting URL is removed', function () {
var response = sslForbiddenOrRedirect({
forceAdminSSL: {redirect: true},
configUrl: 'http://example.com/config/path/',
reqUrl: '/req/path'
});
response.redirectUrl({}).should.equal('https://example.com/config/path/req/path');
});
it('If config.urlSSL is provided it is preferred over config.url', function () {
var response = sslForbiddenOrRedirect({
forceAdminSSL: {redirect: true},
configUrl: 'http://example.com/config/path/',
configUrlSSL: 'https://example.com/ssl/config/path/',
reqUrl: '/req/path'
});
response.redirectUrl({}).should.equal('https://example.com/ssl/config/path/req/path');
});
it('query string in request is preserved in redirect URL', function () {
var response = sslForbiddenOrRedirect({
forceAdminSSL: {redirect: true},
configUrl: 'http://example.com/config/path/',
configUrlSSL: 'https://example.com/ssl/config/path/',
reqUrl: '/req/path'
});
response.redirectUrl({a: 'b'}).should.equal('https://example.com/ssl/config/path/req/path?a=b');
});
});
added password protection closes #4993 - brings password protection to the frontend of blogs - adds testing for password protection - upgrades bcrypt-js to 2.1.0
2015-03-26 10:01:39 +03:00
describe('passProtect', function () {
var req, res, next;
beforeEach(function () {
req = {}, res = {};
apiSettingsStub = sandbox.stub(api.settings, 'read');
next = sinon.spy();
});
it('checkIsPrivate should call next if not private', function (done) {
apiSettingsStub.withArgs(sinon.match.has('key', 'isPrivate')).returns(Promise.resolve({
settings: [{
key: 'isPrivate',
value: 'false'
}]
}));
middleware.checkIsPrivate(req, res, next).then(function () {
next.called.should.be.true;
res.isPrivateBlog.should.be.false;
done();
});
});
it('checkIsPrivate should load session if private', function (done) {
apiSettingsStub.withArgs(sinon.match.has('key', 'isPrivate')).returns(Promise.resolve({
settings: [{
key: 'isPrivate',
value: 'true'
}]
}));
middleware.checkIsPrivate(req, res, next).then(function () {
res.isPrivateBlog.should.be.true;
done();
});
});
describe('not private', function () {
beforeEach(function () {
res.isPrivateBlog = false;
});
it('filterPrivateRoutes should call next if not private', function () {
middleware.filterPrivateRoutes(req, res, next);
next.called.should.be.true;
});
it('isPrivateSessionAuth should redirect if blog is not private', function () {
res = {
redirect: sinon.spy(),
isPrivateBlog: false
};
middleware.isPrivateSessionAuth(req, res, next);
res.redirect.called.should.be.true;
});
});
describe('private', function () {
var errorSpy;
beforeEach(function () {
res.isPrivateBlog = true;
errorSpy = sandbox.spy(errors, 'error404');
res = {
status: function () {
return this;
},
send: function () {},
set: function () {},
isPrivateBlog: true
};
});
it('filterPrivateRoutes should call next if admin', function () {
res.isAdmin = true;
middleware.filterPrivateRoutes(req, res, next);
next.called.should.be.true;
});
it('filterPrivateRoutes should call next if is the "private" route', function () {
req.url = '/private/';
middleware.filterPrivateRoutes(req, res, next);
next.called.should.be.true;
});
it('filterPrivateRoutes should throw 404 if url is sitemap', function () {
req.url = '/sitemap.xml';
middleware.filterPrivateRoutes(req, res, next);
errorSpy.called.should.be.true;
});
it('filterPrivateRoutes should throw 404 if url is rss', function () {
req.url = '/rss';
middleware.filterPrivateRoutes(req, res, next);
errorSpy.called.should.be.true;
});
it('filterPrivateRoutes should throw 404 if url is rss plus something', function () {
req.url = '/rss/sometag';
middleware.filterPrivateRoutes(req, res, next);
errorSpy.called.should.be.true;
});
it('filterPrivateRoutes should render custom robots.txt', function () {
req.url = '/robots.txt';
res.writeHead = sinon.spy();
res.end = sinon.spy();
sandbox.stub(fs, 'readFile', function (file, cb) {
cb(null, 'User-agent: * Disallow: /');
});
middleware.filterPrivateRoutes(req, res, next);
res.writeHead.called.should.be.true;
res.end.called.should.be.true;
});
it('authenticateProtection should call next if error', function () {
res.error = 'Test Error';
middleware.authenticateProtection(req, res, next);
next.called.should.be.true;
});
describe('with hash verification', function () {
beforeEach(function () {
sandbox.stub(bcrypt, 'compare', function (check, hash, cb) {
var isVerified = (check === hash) ? true : false;
cb(null, isVerified);
});
apiSettingsStub.withArgs(sinon.match.has('key', 'password')).returns(Promise.resolve({
settings: [{
key: 'password',
value: 'rightpassword'
}]
}));
});
it('authenticatePrivateSession should return next if hash is verified', function (done) {
req.session = {
token: 'rightpassword'
};
middleware.authenticatePrivateSession(req, res, next).then(function () {
next.called.should.be.true;
done();
});
});
it('authenticatePrivateSession should redirect if hash is not verified', function (done) {
req.url = '/welcome-to-ghost';
req.session = {
token: 'wrongpassword'
};
res.redirect = sinon.spy();
middleware.authenticatePrivateSession(req, res, next).then(function () {
res.redirect.called.should.be.true;
done();
});
});
it('isPrivateSessionAuth should redirect if hash is verified', function (done) {
req.session = {
token: 'rightpassword'
};
res.redirect = sandbox.spy();
middleware.isPrivateSessionAuth(req, res, next).then(function () {
res.redirect.called.should.be.true;
done();
});
});
it('isPrivateSessionAuth should return next if hash is not verified', function (done) {
req.session = {
token: 'wrongpassword'
};
middleware.isPrivateSessionAuth(req, res, next).then(function () {
next.called.should.be.true;
done();
});
});
it('authenticateProtection should return next if password is incorrect', function (done) {
req.body = {password:'wrongpassword'};
middleware.authenticateProtection(req, res, next).then(function () {
res.error.should.not.be.empty;
next.called.should.be.true;
done();
});
});
it('authenticateProtection should redirect if password is correct', function (done) {
req.body = {password:'rightpassword'};
req.session = {};
res.redirect = sandbox.spy();
sandbox.stub(bcrypt, 'hash', function (pass, salt, cb) {
cb(null, pass + 'hash');
});
middleware.authenticateProtection(req, res, next).then(function () {
req.session.token.should.equal('rightpasswordhash');
res.redirect.called.should.be.true;
done();
});
});
});
});
});
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
});
Reference in New Issue Copy Permalink