TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2024-12-18 16:01:40 +03:00
Code Issues Projects Releases Wiki Activity
f52e3e779b
Ghost/core/test/unit/auth/authenticate_spec.js

363 lines
12 KiB
JavaScript
Raw Normal View History

Unify usage of config in unit tests no issue - provide a single point for accessing config in unit tests - create a single way to set and restore config - ensure that restore deletes top level optional keys that are now undefined - use this._config in check deprecations, otherwise the config gets cached - solves issues with interdependent tests
2015-12-14 23:05:11 +03:00
var sinon = require('sinon'),
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
should = require('should'),
passport = require('passport'),
rewire = require('rewire'),
Improvements to client auth error logging no issue - If client credentials are missing, or not valid, output a clear message in the server console - Still defaults to sending the 'access denied to url' error to the frontend
2015-12-14 18:35:19 +03:00
errors = require('../../../server/errors'),
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 14:45:59 +03:00
auth = rewire('../../../server/auth'),
🎨 configurable logging with bunyan (#7431) - 🛠 add bunyan and prettyjson, remove morgan - ✨ add logging module - GhostLogger class that handles setup of bunyan - PrettyStream for stdout - ✨ config for logging - @TODO: testing level fatal? - ✨ log each request via GhostLogger (express middleware) - @TODO: add errors to output - 🔥 remove errors.updateActiveTheme - we can read the value from config - 🔥 remove 15 helper functions in core/server/errors/index.js - all these functions get replaced by modules: 1. logging 2. error middleware handling for html/json 3. error creation (which will be part of PR #7477) - ✨ add express error handler for html/json - one true error handler for express responses - contains still some TODO's, but they are not high priority for first implementation/integration - this middleware only takes responsibility of either rendering html responses or return json error responses - 🎨 use new express error handler in middleware/index - 404 and 500 handling - 🎨 return error instead of error message in permissions/index.js - the rule for error handling should be: if you call a unit, this unit should return a custom Ghost error - 🎨 wrap serve static module - rule: if you call a module/unit, you should always wrap this error - it's always the same rule - so the caller never has to worry about what comes back - it's always a clear error instance - in this case: we return our notfounderror if serve static does not find the resource - this avoid having checks everywhere - 🎨 replace usages of errors/index.js functions and adapt tests - use logging.error, logging.warn - make tests green - remove some usages of logging and throwing api errors -> because when a request is involved, logging happens automatically - 🐛 return errorDetails to Ghost-Admin - errorDetails is used for Theme error handling - 🎨 use 500er error for theme is missing error in theme-handler - 🎨 extend file rotation to 1w
2016-10-04 18:33:43 +03:00
logging = require('../../../server/logging'),
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
BearerStrategy = require('passport-http-bearer').Strategy,
ClientPasswordStrategy = require('passport-oauth2-client-password').Strategy,
user = {id: 1},
info = {scope: '*'},
token = 'test_token',
testClient = 'test_client',
testSecret = 'not_available',
client = {
id: 2,
type: 'ua'
Improvements to client auth error logging no issue - If client credentials are missing, or not valid, output a clear message in the server console - Still defaults to sending the 'access denied to url' error to the frontend
2015-12-14 18:35:19 +03:00
},
sandbox = sinon.sandbox.create();
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
should.equal(true, true);
Auth tests - added tests for authentication middleware - changed use of auth strategies
2015-08-09 13:50:05 +03:00
function registerSuccessfulBearerStrategy() {
// register fake BearerStrategy which always authenticates
passport.use(new BearerStrategy(
function strategy(accessToken, done) {
accessToken.should.eql(token);
return done(null, user, info);
}
));
}
function registerUnsuccessfulBearerStrategy() {
// register fake BearerStrategy which always authenticates
passport.use(new BearerStrategy(
function strategy(accessToken, done) {
accessToken.should.eql(token);
return done(null, false);
}
));
}
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
function registerFaultyBearerStrategy() {
// register fake BearerStrategy which always authenticates
passport.use(new BearerStrategy(
function strategy(accessToken, done) {
accessToken.should.eql(token);
return done('error');
}
));
}
function registerSuccessfulClientPasswordStrategy() {
// register fake BearerStrategy which always authenticates
passport.use(new ClientPasswordStrategy(
function strategy(clientId, clientSecret, done) {
clientId.should.eql(testClient);
clientSecret.should.eql('not_available');
return done(null, client);
}
));
}
function registerUnsuccessfulClientPasswordStrategy() {
// register fake BearerStrategy which always authenticates
passport.use(new ClientPasswordStrategy(
function strategy(clientId, clientSecret, done) {
clientId.should.eql(testClient);
clientSecret.should.eql('not_available');
return done(null, false);
}
));
}
function registerFaultyClientPasswordStrategy() {
// register fake BearerStrategy which always authenticates
passport.use(new ClientPasswordStrategy(
function strategy(clientId, clientSecret, done) {
clientId.should.eql(testClient);
clientSecret.should.eql('not_available');
return done('error');
}
));
}
describe('Auth', function () {
🎨 configurable logging with bunyan (#7431) - 🛠 add bunyan and prettyjson, remove morgan - ✨ add logging module - GhostLogger class that handles setup of bunyan - PrettyStream for stdout - ✨ config for logging - @TODO: testing level fatal? - ✨ log each request via GhostLogger (express middleware) - @TODO: add errors to output - 🔥 remove errors.updateActiveTheme - we can read the value from config - 🔥 remove 15 helper functions in core/server/errors/index.js - all these functions get replaced by modules: 1. logging 2. error middleware handling for html/json 3. error creation (which will be part of PR #7477) - ✨ add express error handler for html/json - one true error handler for express responses - contains still some TODO's, but they are not high priority for first implementation/integration - this middleware only takes responsibility of either rendering html responses or return json error responses - 🎨 use new express error handler in middleware/index - 404 and 500 handling - 🎨 return error instead of error message in permissions/index.js - the rule for error handling should be: if you call a unit, this unit should return a custom Ghost error - 🎨 wrap serve static module - rule: if you call a module/unit, you should always wrap this error - it's always the same rule - so the caller never has to worry about what comes back - it's always a clear error instance - in this case: we return our notfounderror if serve static does not find the resource - this avoid having checks everywhere - 🎨 replace usages of errors/index.js functions and adapt tests - use logging.error, logging.warn - make tests green - remove some usages of logging and throwing api errors -> because when a request is involved, logging happens automatically - 🐛 return errorDetails to Ghost-Admin - errorDetails is used for Theme error handling - 🎨 use 500er error for theme is missing error in theme-handler - 🎨 extend file rotation to 1w
2016-10-04 18:33:43 +03:00
var res, req, next, loggingStub;
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
beforeEach(function () {
Auth tests - added tests for authentication middleware - changed use of auth strategies
2015-08-09 13:50:05 +03:00
req = {};
res = {};
next = sandbox.spy();
🎨 configurable logging with bunyan (#7431) - 🛠 add bunyan and prettyjson, remove morgan - ✨ add logging module - GhostLogger class that handles setup of bunyan - PrettyStream for stdout - ✨ config for logging - @TODO: testing level fatal? - ✨ log each request via GhostLogger (express middleware) - @TODO: add errors to output - 🔥 remove errors.updateActiveTheme - we can read the value from config - 🔥 remove 15 helper functions in core/server/errors/index.js - all these functions get replaced by modules: 1. logging 2. error middleware handling for html/json 3. error creation (which will be part of PR #7477) - ✨ add express error handler for html/json - one true error handler for express responses - contains still some TODO's, but they are not high priority for first implementation/integration - this middleware only takes responsibility of either rendering html responses or return json error responses - 🎨 use new express error handler in middleware/index - 404 and 500 handling - 🎨 return error instead of error message in permissions/index.js - the rule for error handling should be: if you call a unit, this unit should return a custom Ghost error - 🎨 wrap serve static module - rule: if you call a module/unit, you should always wrap this error - it's always the same rule - so the caller never has to worry about what comes back - it's always a clear error instance - in this case: we return our notfounderror if serve static does not find the resource - this avoid having checks everywhere - 🎨 replace usages of errors/index.js functions and adapt tests - use logging.error, logging.warn - make tests green - remove some usages of logging and throwing api errors -> because when a request is involved, logging happens automatically - 🐛 return errorDetails to Ghost-Admin - errorDetails is used for Theme error handling - 🎨 use 500er error for theme is missing error in theme-handler - 🎨 extend file rotation to 1w
2016-10-04 18:33:43 +03:00
loggingStub = sandbox.stub(logging, 'error');
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
});
afterEach(function () {
sandbox.restore();
});
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
it('should require authorized user (user exists)', function (done) {
req.user = {id: 1};
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 14:45:59 +03:00
auth.authorize.requiresAuthorizedUser(req, res, next);
deps: should@8.2.1 closes #6448 -upgraded should.js to the latest version (8.2.1) -Changed the tests so that they comply with the breaking changes introduced in the new version of should.js -Installs the package should-http so should.be.json() can be used -Installs the package should-sinon so that should.be.calledOnce() can be used
2016-02-08 00:27:01 +03:00
next.called.should.be.true();
next.calledWith().should.be.true();
Auth tests - added tests for authentication middleware - changed use of auth strategies
2015-08-09 13:50:05 +03:00
done();
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
});
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
it('should require authorized user (user is missing)', function (done) {
req.user = false;
res.status = {};
Auth tests - added tests for authentication middleware - changed use of auth strategies
2015-08-09 13:50:05 +03:00
🎨 configurable logging with bunyan (#7431) - 🛠 add bunyan and prettyjson, remove morgan - ✨ add logging module - GhostLogger class that handles setup of bunyan - PrettyStream for stdout - ✨ config for logging - @TODO: testing level fatal? - ✨ log each request via GhostLogger (express middleware) - @TODO: add errors to output - 🔥 remove errors.updateActiveTheme - we can read the value from config - 🔥 remove 15 helper functions in core/server/errors/index.js - all these functions get replaced by modules: 1. logging 2. error middleware handling for html/json 3. error creation (which will be part of PR #7477) - ✨ add express error handler for html/json - one true error handler for express responses - contains still some TODO's, but they are not high priority for first implementation/integration - this middleware only takes responsibility of either rendering html responses or return json error responses - 🎨 use new express error handler in middleware/index - 404 and 500 handling - 🎨 return error instead of error message in permissions/index.js - the rule for error handling should be: if you call a unit, this unit should return a custom Ghost error - 🎨 wrap serve static module - rule: if you call a module/unit, you should always wrap this error - it's always the same rule - so the caller never has to worry about what comes back - it's always a clear error instance - in this case: we return our notfounderror if serve static does not find the resource - this avoid having checks everywhere - 🎨 replace usages of errors/index.js functions and adapt tests - use logging.error, logging.warn - make tests green - remove some usages of logging and throwing api errors -> because when a request is involved, logging happens automatically - 🐛 return errorDetails to Ghost-Admin - errorDetails is used for Theme error handling - 🎨 use 500er error for theme is missing error in theme-handler - 🎨 extend file rotation to 1w
2016-10-04 18:33:43 +03:00
var next = function next(err) {
err.statusCode.should.eql(403);
(err instanceof errors.NoPermissionError).should.eql(true);
done();
};
Auth tests - added tests for authentication middleware - changed use of auth strategies
2015-08-09 13:50:05 +03:00
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 14:45:59 +03:00
auth.authorize.requiresAuthorizedUser(req, res, next);
Auth tests - added tests for authentication middleware - changed use of auth strategies
2015-08-09 13:50:05 +03:00
});
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
describe('User Authentication', function () {
it('should authenticate user', function (done) {
req.headers = {};
req.headers.authorization = 'Bearer ' + token;
Auth tests - added tests for authentication middleware - changed use of auth strategies
2015-08-09 13:50:05 +03:00
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
registerSuccessfulBearerStrategy();
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 14:45:59 +03:00
auth.authenticate.authenticateUser(req, res, next);
Auth tests - added tests for authentication middleware - changed use of auth strategies
2015-08-09 13:50:05 +03:00
deps: should@8.2.1 closes #6448 -upgraded should.js to the latest version (8.2.1) -Changed the tests so that they comply with the breaking changes introduced in the new version of should.js -Installs the package should-http so should.be.json() can be used -Installs the package should-sinon so that should.be.calledOnce() can be used
2016-02-08 00:27:01 +03:00
next.called.should.be.true();
next.calledWith(null, user, info).should.be.true();
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
done();
});
Auth tests - added tests for authentication middleware - changed use of auth strategies
2015-08-09 13:50:05 +03:00
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
it('shouldn\'t pass with client, no bearer token', function (done) {
req.headers = {};
req.client = {id: 1};
res.status = {};
Auth tests - added tests for authentication middleware - changed use of auth strategies
2015-08-09 13:50:05 +03:00
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 14:45:59 +03:00
auth.authenticate.authenticateUser(req, res, next);
Auth tests - added tests for authentication middleware - changed use of auth strategies
2015-08-09 13:50:05 +03:00
deps: should@8.2.1 closes #6448 -upgraded should.js to the latest version (8.2.1) -Changed the tests so that they comply with the breaking changes introduced in the new version of should.js -Installs the package should-http so should.be.json() can be used -Installs the package should-sinon so that should.be.calledOnce() can be used
2016-02-08 00:27:01 +03:00
next.called.should.be.true();
next.calledWith().should.be.true();
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
done();
});
Auth tests - added tests for authentication middleware - changed use of auth strategies
2015-08-09 13:50:05 +03:00
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
it('shouldn\'t authenticate user', function (done) {
req.headers = {};
req.headers.authorization = 'Bearer ' + token;
res.status = {};
🎨 configurable logging with bunyan (#7431) - 🛠 add bunyan and prettyjson, remove morgan - ✨ add logging module - GhostLogger class that handles setup of bunyan - PrettyStream for stdout - ✨ config for logging - @TODO: testing level fatal? - ✨ log each request via GhostLogger (express middleware) - @TODO: add errors to output - 🔥 remove errors.updateActiveTheme - we can read the value from config - 🔥 remove 15 helper functions in core/server/errors/index.js - all these functions get replaced by modules: 1. logging 2. error middleware handling for html/json 3. error creation (which will be part of PR #7477) - ✨ add express error handler for html/json - one true error handler for express responses - contains still some TODO's, but they are not high priority for first implementation/integration - this middleware only takes responsibility of either rendering html responses or return json error responses - 🎨 use new express error handler in middleware/index - 404 and 500 handling - 🎨 return error instead of error message in permissions/index.js - the rule for error handling should be: if you call a unit, this unit should return a custom Ghost error - 🎨 wrap serve static module - rule: if you call a module/unit, you should always wrap this error - it's always the same rule - so the caller never has to worry about what comes back - it's always a clear error instance - in this case: we return our notfounderror if serve static does not find the resource - this avoid having checks everywhere - 🎨 replace usages of errors/index.js functions and adapt tests - use logging.error, logging.warn - make tests green - remove some usages of logging and throwing api errors -> because when a request is involved, logging happens automatically - 🐛 return errorDetails to Ghost-Admin - errorDetails is used for Theme error handling - 🎨 use 500er error for theme is missing error in theme-handler - 🎨 extend file rotation to 1w
2016-10-04 18:33:43 +03:00
var next = function next(err) {
err.statusCode.should.eql(401);
(err instanceof errors.UnauthorizedError).should.eql(true);
done();
};
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
registerUnsuccessfulBearerStrategy();
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 14:45:59 +03:00
auth.authenticate.authenticateUser(req, res, next);
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
});
it('shouldn\'t authenticate without bearer token', function (done) {
req.headers = {};
res.status = {};
🎨 configurable logging with bunyan (#7431) - 🛠 add bunyan and prettyjson, remove morgan - ✨ add logging module - GhostLogger class that handles setup of bunyan - PrettyStream for stdout - ✨ config for logging - @TODO: testing level fatal? - ✨ log each request via GhostLogger (express middleware) - @TODO: add errors to output - 🔥 remove errors.updateActiveTheme - we can read the value from config - 🔥 remove 15 helper functions in core/server/errors/index.js - all these functions get replaced by modules: 1. logging 2. error middleware handling for html/json 3. error creation (which will be part of PR #7477) - ✨ add express error handler for html/json - one true error handler for express responses - contains still some TODO's, but they are not high priority for first implementation/integration - this middleware only takes responsibility of either rendering html responses or return json error responses - 🎨 use new express error handler in middleware/index - 404 and 500 handling - 🎨 return error instead of error message in permissions/index.js - the rule for error handling should be: if you call a unit, this unit should return a custom Ghost error - 🎨 wrap serve static module - rule: if you call a module/unit, you should always wrap this error - it's always the same rule - so the caller never has to worry about what comes back - it's always a clear error instance - in this case: we return our notfounderror if serve static does not find the resource - this avoid having checks everywhere - 🎨 replace usages of errors/index.js functions and adapt tests - use logging.error, logging.warn - make tests green - remove some usages of logging and throwing api errors -> because when a request is involved, logging happens automatically - 🐛 return errorDetails to Ghost-Admin - errorDetails is used for Theme error handling - 🎨 use 500er error for theme is missing error in theme-handler - 🎨 extend file rotation to 1w
2016-10-04 18:33:43 +03:00
var next = function next(err) {
err.statusCode.should.eql(401);
(err instanceof errors.UnauthorizedError).should.eql(true);
done();
};
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
registerUnsuccessfulBearerStrategy();
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 14:45:59 +03:00
auth.authenticate.authenticateUser(req, res, next);
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
});
it('shouldn\'t authenticate with bearer token and client', function (done) {
req.headers = {};
req.headers.authorization = 'Bearer ' + token;
req.client = {id: 1};
res.status = {};
🎨 configurable logging with bunyan (#7431) - 🛠 add bunyan and prettyjson, remove morgan - ✨ add logging module - GhostLogger class that handles setup of bunyan - PrettyStream for stdout - ✨ config for logging - @TODO: testing level fatal? - ✨ log each request via GhostLogger (express middleware) - @TODO: add errors to output - 🔥 remove errors.updateActiveTheme - we can read the value from config - 🔥 remove 15 helper functions in core/server/errors/index.js - all these functions get replaced by modules: 1. logging 2. error middleware handling for html/json 3. error creation (which will be part of PR #7477) - ✨ add express error handler for html/json - one true error handler for express responses - contains still some TODO's, but they are not high priority for first implementation/integration - this middleware only takes responsibility of either rendering html responses or return json error responses - 🎨 use new express error handler in middleware/index - 404 and 500 handling - 🎨 return error instead of error message in permissions/index.js - the rule for error handling should be: if you call a unit, this unit should return a custom Ghost error - 🎨 wrap serve static module - rule: if you call a module/unit, you should always wrap this error - it's always the same rule - so the caller never has to worry about what comes back - it's always a clear error instance - in this case: we return our notfounderror if serve static does not find the resource - this avoid having checks everywhere - 🎨 replace usages of errors/index.js functions and adapt tests - use logging.error, logging.warn - make tests green - remove some usages of logging and throwing api errors -> because when a request is involved, logging happens automatically - 🐛 return errorDetails to Ghost-Admin - errorDetails is used for Theme error handling - 🎨 use 500er error for theme is missing error in theme-handler - 🎨 extend file rotation to 1w
2016-10-04 18:33:43 +03:00
var next = function next(err) {
err.statusCode.should.eql(401);
(err instanceof errors.UnauthorizedError).should.eql(true);
done();
};
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
registerUnsuccessfulBearerStrategy();
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 14:45:59 +03:00
auth.authenticate.authenticateUser(req, res, next);
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
});
it('shouldn\'t authenticate when error', function (done) {
req.headers = {};
req.headers.authorization = 'Bearer ' + token;
registerFaultyBearerStrategy();
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 14:45:59 +03:00
auth.authenticate.authenticateUser(req, res, next);
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
deps: should@8.2.1 closes #6448 -upgraded should.js to the latest version (8.2.1) -Changed the tests so that they comply with the breaking changes introduced in the new version of should.js -Installs the package should-http so should.be.json() can be used -Installs the package should-sinon so that should.be.calledOnce() can be used
2016-02-08 00:27:01 +03:00
next.called.should.be.true();
next.calledWith('error').should.be.true();
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
done();
});
Auth tests - added tests for authentication middleware - changed use of auth strategies
2015-08-09 13:50:05 +03:00
});
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
describe('Client Authentication', function () {
it('shouldn\'t require authorized client with bearer token', function (done) {
req.headers = {};
req.headers.authorization = 'Bearer ' + token;
Auth tests - added tests for authentication middleware - changed use of auth strategies
2015-08-09 13:50:05 +03:00
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 14:45:59 +03:00
auth.authenticate.authenticateClient(req, res, next);
deps: should@8.2.1 closes #6448 -upgraded should.js to the latest version (8.2.1) -Changed the tests so that they comply with the breaking changes introduced in the new version of should.js -Installs the package should-http so should.be.json() can be used -Installs the package should-sinon so that should.be.calledOnce() can be used
2016-02-08 00:27:01 +03:00
next.called.should.be.true();
next.calledWith().should.be.true();
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
done();
});
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
it('shouldn\'t authenticate client with broken bearer token', function (done) {
req.body = {};
req.headers = {};
req.headers.authorization = 'Bearer';
res.status = {};
🎨 configurable logging with bunyan (#7431) - 🛠 add bunyan and prettyjson, remove morgan - ✨ add logging module - GhostLogger class that handles setup of bunyan - PrettyStream for stdout - ✨ config for logging - @TODO: testing level fatal? - ✨ log each request via GhostLogger (express middleware) - @TODO: add errors to output - 🔥 remove errors.updateActiveTheme - we can read the value from config - 🔥 remove 15 helper functions in core/server/errors/index.js - all these functions get replaced by modules: 1. logging 2. error middleware handling for html/json 3. error creation (which will be part of PR #7477) - ✨ add express error handler for html/json - one true error handler for express responses - contains still some TODO's, but they are not high priority for first implementation/integration - this middleware only takes responsibility of either rendering html responses or return json error responses - 🎨 use new express error handler in middleware/index - 404 and 500 handling - 🎨 return error instead of error message in permissions/index.js - the rule for error handling should be: if you call a unit, this unit should return a custom Ghost error - 🎨 wrap serve static module - rule: if you call a module/unit, you should always wrap this error - it's always the same rule - so the caller never has to worry about what comes back - it's always a clear error instance - in this case: we return our notfounderror if serve static does not find the resource - this avoid having checks everywhere - 🎨 replace usages of errors/index.js functions and adapt tests - use logging.error, logging.warn - make tests green - remove some usages of logging and throwing api errors -> because when a request is involved, logging happens automatically - 🐛 return errorDetails to Ghost-Admin - errorDetails is used for Theme error handling - 🎨 use 500er error for theme is missing error in theme-handler - 🎨 extend file rotation to 1w
2016-10-04 18:33:43 +03:00
var next = function next(err) {
err.statusCode.should.eql(401);
(err instanceof errors.UnauthorizedError).should.eql(true);
done();
};
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 14:45:59 +03:00
auth.authenticate.authenticateClient(req, res, next);
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
});
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
it('shouldn\'t authenticate client without client_id/client_secret', function (done) {
req.body = {};
res.status = {};
🎨 configurable logging with bunyan (#7431) - 🛠 add bunyan and prettyjson, remove morgan - ✨ add logging module - GhostLogger class that handles setup of bunyan - PrettyStream for stdout - ✨ config for logging - @TODO: testing level fatal? - ✨ log each request via GhostLogger (express middleware) - @TODO: add errors to output - 🔥 remove errors.updateActiveTheme - we can read the value from config - 🔥 remove 15 helper functions in core/server/errors/index.js - all these functions get replaced by modules: 1. logging 2. error middleware handling for html/json 3. error creation (which will be part of PR #7477) - ✨ add express error handler for html/json - one true error handler for express responses - contains still some TODO's, but they are not high priority for first implementation/integration - this middleware only takes responsibility of either rendering html responses or return json error responses - 🎨 use new express error handler in middleware/index - 404 and 500 handling - 🎨 return error instead of error message in permissions/index.js - the rule for error handling should be: if you call a unit, this unit should return a custom Ghost error - 🎨 wrap serve static module - rule: if you call a module/unit, you should always wrap this error - it's always the same rule - so the caller never has to worry about what comes back - it's always a clear error instance - in this case: we return our notfounderror if serve static does not find the resource - this avoid having checks everywhere - 🎨 replace usages of errors/index.js functions and adapt tests - use logging.error, logging.warn - make tests green - remove some usages of logging and throwing api errors -> because when a request is involved, logging happens automatically - 🐛 return errorDetails to Ghost-Admin - errorDetails is used for Theme error handling - 🎨 use 500er error for theme is missing error in theme-handler - 🎨 extend file rotation to 1w
2016-10-04 18:33:43 +03:00
var next = function next(err) {
err.statusCode.should.eql(401);
(err instanceof errors.UnauthorizedError).should.eql(true);
done();
};
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 14:45:59 +03:00
auth.authenticate.authenticateClient(req, res, next);
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
});
it('shouldn\'t authenticate client without client_id', function (done) {
req.body = {};
req.body.client_secret = testSecret;
res.status = {};
🎨 configurable logging with bunyan (#7431) - 🛠 add bunyan and prettyjson, remove morgan - ✨ add logging module - GhostLogger class that handles setup of bunyan - PrettyStream for stdout - ✨ config for logging - @TODO: testing level fatal? - ✨ log each request via GhostLogger (express middleware) - @TODO: add errors to output - 🔥 remove errors.updateActiveTheme - we can read the value from config - 🔥 remove 15 helper functions in core/server/errors/index.js - all these functions get replaced by modules: 1. logging 2. error middleware handling for html/json 3. error creation (which will be part of PR #7477) - ✨ add express error handler for html/json - one true error handler for express responses - contains still some TODO's, but they are not high priority for first implementation/integration - this middleware only takes responsibility of either rendering html responses or return json error responses - 🎨 use new express error handler in middleware/index - 404 and 500 handling - 🎨 return error instead of error message in permissions/index.js - the rule for error handling should be: if you call a unit, this unit should return a custom Ghost error - 🎨 wrap serve static module - rule: if you call a module/unit, you should always wrap this error - it's always the same rule - so the caller never has to worry about what comes back - it's always a clear error instance - in this case: we return our notfounderror if serve static does not find the resource - this avoid having checks everywhere - 🎨 replace usages of errors/index.js functions and adapt tests - use logging.error, logging.warn - make tests green - remove some usages of logging and throwing api errors -> because when a request is involved, logging happens automatically - 🐛 return errorDetails to Ghost-Admin - errorDetails is used for Theme error handling - 🎨 use 500er error for theme is missing error in theme-handler - 🎨 extend file rotation to 1w
2016-10-04 18:33:43 +03:00
var next = function next(err) {
err.statusCode.should.eql(401);
(err instanceof errors.UnauthorizedError).should.eql(true);
done();
};
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 14:45:59 +03:00
auth.authenticate.authenticateClient(req, res, next);
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
});
it('shouldn\'t authenticate client without client_secret', function (done) {
req.body = {};
req.body.client_id = testClient;
res.status = {};
🎨 configurable logging with bunyan (#7431) - 🛠 add bunyan and prettyjson, remove morgan - ✨ add logging module - GhostLogger class that handles setup of bunyan - PrettyStream for stdout - ✨ config for logging - @TODO: testing level fatal? - ✨ log each request via GhostLogger (express middleware) - @TODO: add errors to output - 🔥 remove errors.updateActiveTheme - we can read the value from config - 🔥 remove 15 helper functions in core/server/errors/index.js - all these functions get replaced by modules: 1. logging 2. error middleware handling for html/json 3. error creation (which will be part of PR #7477) - ✨ add express error handler for html/json - one true error handler for express responses - contains still some TODO's, but they are not high priority for first implementation/integration - this middleware only takes responsibility of either rendering html responses or return json error responses - 🎨 use new express error handler in middleware/index - 404 and 500 handling - 🎨 return error instead of error message in permissions/index.js - the rule for error handling should be: if you call a unit, this unit should return a custom Ghost error - 🎨 wrap serve static module - rule: if you call a module/unit, you should always wrap this error - it's always the same rule - so the caller never has to worry about what comes back - it's always a clear error instance - in this case: we return our notfounderror if serve static does not find the resource - this avoid having checks everywhere - 🎨 replace usages of errors/index.js functions and adapt tests - use logging.error, logging.warn - make tests green - remove some usages of logging and throwing api errors -> because when a request is involved, logging happens automatically - 🐛 return errorDetails to Ghost-Admin - errorDetails is used for Theme error handling - 🎨 use 500er error for theme is missing error in theme-handler - 🎨 extend file rotation to 1w
2016-10-04 18:33:43 +03:00
var next = function next(err) {
err.statusCode.should.eql(401);
(err instanceof errors.UnauthorizedError).should.eql(true);
done();
};
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 14:45:59 +03:00
auth.authenticate.authenticateClient(req, res, next);
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
});
Improvements to client auth error logging no issue - If client credentials are missing, or not valid, output a clear message in the server console - Still defaults to sending the 'access denied to url' error to the frontend
2015-12-14 18:35:19 +03:00
it('shouldn\'t authenticate without full client credentials', function (done) {
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
req.body = {};
req.body.client_id = testClient;
res.status = {};
🎨 configurable logging with bunyan (#7431) - 🛠 add bunyan and prettyjson, remove morgan - ✨ add logging module - GhostLogger class that handles setup of bunyan - PrettyStream for stdout - ✨ config for logging - @TODO: testing level fatal? - ✨ log each request via GhostLogger (express middleware) - @TODO: add errors to output - 🔥 remove errors.updateActiveTheme - we can read the value from config - 🔥 remove 15 helper functions in core/server/errors/index.js - all these functions get replaced by modules: 1. logging 2. error middleware handling for html/json 3. error creation (which will be part of PR #7477) - ✨ add express error handler for html/json - one true error handler for express responses - contains still some TODO's, but they are not high priority for first implementation/integration - this middleware only takes responsibility of either rendering html responses or return json error responses - 🎨 use new express error handler in middleware/index - 404 and 500 handling - 🎨 return error instead of error message in permissions/index.js - the rule for error handling should be: if you call a unit, this unit should return a custom Ghost error - 🎨 wrap serve static module - rule: if you call a module/unit, you should always wrap this error - it's always the same rule - so the caller never has to worry about what comes back - it's always a clear error instance - in this case: we return our notfounderror if serve static does not find the resource - this avoid having checks everywhere - 🎨 replace usages of errors/index.js functions and adapt tests - use logging.error, logging.warn - make tests green - remove some usages of logging and throwing api errors -> because when a request is involved, logging happens automatically - 🐛 return errorDetails to Ghost-Admin - errorDetails is used for Theme error handling - 🎨 use 500er error for theme is missing error in theme-handler - 🎨 extend file rotation to 1w
2016-10-04 18:33:43 +03:00
var next = function next(err) {
err.statusCode.should.eql(401);
(err instanceof errors.UnauthorizedError).should.eql(true);
done();
};
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
registerUnsuccessfulClientPasswordStrategy();
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 14:45:59 +03:00
auth.authenticate.authenticateClient(req, res, next);
Improvements to client auth error logging no issue - If client credentials are missing, or not valid, output a clear message in the server console - Still defaults to sending the 'access denied to url' error to the frontend
2015-12-14 18:35:19 +03:00
});
it('shouldn\'t authenticate invalid/unknown client', function (done) {
req.body = {};
req.body.client_id = testClient;
req.body.client_secret = testSecret;
res.status = {};
🎨 configurable logging with bunyan (#7431) - 🛠 add bunyan and prettyjson, remove morgan - ✨ add logging module - GhostLogger class that handles setup of bunyan - PrettyStream for stdout - ✨ config for logging - @TODO: testing level fatal? - ✨ log each request via GhostLogger (express middleware) - @TODO: add errors to output - 🔥 remove errors.updateActiveTheme - we can read the value from config - 🔥 remove 15 helper functions in core/server/errors/index.js - all these functions get replaced by modules: 1. logging 2. error middleware handling for html/json 3. error creation (which will be part of PR #7477) - ✨ add express error handler for html/json - one true error handler for express responses - contains still some TODO's, but they are not high priority for first implementation/integration - this middleware only takes responsibility of either rendering html responses or return json error responses - 🎨 use new express error handler in middleware/index - 404 and 500 handling - 🎨 return error instead of error message in permissions/index.js - the rule for error handling should be: if you call a unit, this unit should return a custom Ghost error - 🎨 wrap serve static module - rule: if you call a module/unit, you should always wrap this error - it's always the same rule - so the caller never has to worry about what comes back - it's always a clear error instance - in this case: we return our notfounderror if serve static does not find the resource - this avoid having checks everywhere - 🎨 replace usages of errors/index.js functions and adapt tests - use logging.error, logging.warn - make tests green - remove some usages of logging and throwing api errors -> because when a request is involved, logging happens automatically - 🐛 return errorDetails to Ghost-Admin - errorDetails is used for Theme error handling - 🎨 use 500er error for theme is missing error in theme-handler - 🎨 extend file rotation to 1w
2016-10-04 18:33:43 +03:00
var next = function next(err) {
err.statusCode.should.eql(401);
(err instanceof errors.UnauthorizedError).should.eql(true);
done();
};
Improvements to client auth error logging no issue - If client credentials are missing, or not valid, output a clear message in the server console - Still defaults to sending the 'access denied to url' error to the frontend
2015-12-14 18:35:19 +03:00
registerUnsuccessfulClientPasswordStrategy();
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 14:45:59 +03:00
auth.authenticate.authenticateClient(req, res, next);
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
});
Improvements to client auth error logging no issue - If client credentials are missing, or not valid, output a clear message in the server console - Still defaults to sending the 'access denied to url' error to the frontend
2015-12-14 18:35:19 +03:00
it('should authenticate valid/known client', function (done) {
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
req.body = {};
req.body.client_id = testClient;
req.body.client_secret = testSecret;
req.headers = {};
Handling Origin Header closes #6106 - added better error message for client and console - added exclusion of localhost/127.0.0.1 for dev mode
2015-11-23 20:21:19 +03:00
registerSuccessfulClientPasswordStrategy();
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 14:45:59 +03:00
auth.authenticate.authenticateClient(req, res, next);
Origin Header revisited closes #6106 - added override for my-ghost-blog.com - added local IP addresses to be allowed - changed localhost/127.0.0.1 to be allowed in production
2015-11-26 15:11:31 +03:00
deps: should@8.2.1 closes #6448 -upgraded should.js to the latest version (8.2.1) -Changed the tests so that they comply with the breaking changes introduced in the new version of should.js -Installs the package should-http so should.be.json() can be used -Installs the package should-sinon so that should.be.calledOnce() can be used
2016-02-08 00:27:01 +03:00
next.called.should.be.true();
next.calledWith(null, client).should.be.true();
Handling Origin Header closes #6106 - added better error message for client and console - added exclusion of localhost/127.0.0.1 for dev mode
2015-11-23 20:21:19 +03:00
done();
});
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
it('should authenticate client with id in query', function (done) {
req.body = {};
req.query = {};
req.query.client_id = testClient;
req.query.client_secret = testSecret;
req.headers = {};
registerSuccessfulClientPasswordStrategy();
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 14:45:59 +03:00
auth.authenticate.authenticateClient(req, res, next);
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
deps: should@8.2.1 closes #6448 -upgraded should.js to the latest version (8.2.1) -Changed the tests so that they comply with the breaking changes introduced in the new version of should.js -Installs the package should-http so should.be.json() can be used -Installs the package should-sinon so that should.be.calledOnce() can be used
2016-02-08 00:27:01 +03:00
next.called.should.be.true();
next.calledWith(null, client).should.be.true();
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
done();
});
it('should authenticate client with id + secret in query', function (done) {
req.body = {};
req.query = {};
req.query.client_id = testClient;
req.query.client_secret = testSecret;
req.headers = {};
registerSuccessfulClientPasswordStrategy();
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 14:45:59 +03:00
auth.authenticate.authenticateClient(req, res, next);
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
deps: should@8.2.1 closes #6448 -upgraded should.js to the latest version (8.2.1) -Changed the tests so that they comply with the breaking changes introduced in the new version of should.js -Installs the package should-http so should.be.json() can be used -Installs the package should-sinon so that should.be.calledOnce() can be used
2016-02-08 00:27:01 +03:00
next.called.should.be.true();
next.calledWith(null, client).should.be.true();
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
done();
});
it('shouldn\'t authenticate when error', function (done) {
req.body = {};
req.body.client_id = testClient;
req.body.client_secret = testSecret;
res.status = {};
registerFaultyClientPasswordStrategy();
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 14:45:59 +03:00
auth.authenticate.authenticateClient(req, res, next);
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
deps: should@8.2.1 closes #6448 -upgraded should.js to the latest version (8.2.1) -Changed the tests so that they comply with the breaking changes introduced in the new version of should.js -Installs the package should-http so should.be.json() can be used -Installs the package should-sinon so that should.be.calledOnce() can be used
2016-02-08 00:27:01 +03:00
next.called.should.be.true();
next.calledWith('error').should.be.true();
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
done();
});
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
});
});
Reference in New Issue Copy Permalink