// # Default Frontend Routing Test // These tests check the default out-of-the-box behaviour of Ghost is working as expected. // Test Structure // As it stands, these tests depend on the database, and as such are integration tests. // Mocking out the models to not touch the DB would turn these into unit tests, and should probably be done in future, // But then again testing real code, rather than mock code, might be more useful... const should = require('should'); const sinon = require('sinon'); const supertest = require('supertest'); const moment = require('moment'); const cheerio = require('cheerio'); const _ = require('lodash'); const testUtils = require('../utils'); const configUtils = require('../utils/configUtils'); const settingsCache = require('../../core/shared/settings-cache'); const origCache = _.cloneDeep(settingsCache); function assertCorrectFrontendHeaders(res) { should.not.exist(res.headers['x-cache-invalidate']); should.not.exist(res.headers['X-CSRF-Token']); should.not.exist(res.headers['set-cookie']); should.exist(res.headers.date); } describe('Default Frontend routing', function () { let request; afterEach(function () { sinon.restore(); }); before(async function () { await testUtils.startGhost(); request = supertest.agent(configUtils.config.get('url')); }); describe('Error', function () { it('should 404 for unknown post', async function () { await request.get('/spectacular/') .expect('Cache-Control', testUtils.cacheRules.private) .expect(404) .expect(/Page not found/) .expect(assertCorrectFrontendHeaders); }); it('should 404 for unknown file', async function () { await request.get('/content/images/some/file/that/doesnt-exist.jpg') .expect('Cache-Control', testUtils.cacheRules.private) .expect(404) .expect(/404 Image not found/) .expect(assertCorrectFrontendHeaders); }); }); describe('Main Routes', function () { it('/ should respond with valid HTML', async function () { await request.get('/') .expect('Content-Type', /html/) .expect('Cache-Control', testUtils.cacheRules.public) .expect(200) .expect(assertCorrectFrontendHeaders) .expect((res) => { const $ = cheerio.load(res.text); // NOTE: "Ghost" is the title from the settings. $('title').text().should.equal('Ghost'); $('body.home-template').length.should.equal(1); $('article.post').length.should.equal(7); $('article.tag-getting-started').length.should.equal(7); res.text.should.not.containEql('__GHOST_URL__'); }); }); it('/author/ghost/ should respond with valid HTML', async function () { await request.get('/author/ghost/') .expect('Content-Type', /html/) .expect('Cache-Control', testUtils.cacheRules.public) .expect(200) .expect(assertCorrectFrontendHeaders) .expect((res) => { const $ = cheerio.load(res.text); // NOTE: "Ghost" is the title from the settings. $('title').text().should.equal('Ghost - Ghost'); $('body.author-template').length.should.equal(1); $('article.post').length.should.equal(7); $('article.tag-getting-started').length.should.equal(7); res.text.should.not.containEql('__GHOST_URL__'); }); }); it('/tag/getting-started/ should respond with valid HTML', async function () { await request.get('/tag/getting-started/') .expect('Content-Type', /html/) .expect('Cache-Control', testUtils.cacheRules.public) .expect(200) .expect(assertCorrectFrontendHeaders) .expect((res) => { const $ = cheerio.load(res.text); // NOTE: "Ghost" is the title from the settings. $('title').text().should.equal('Getting Started - Ghost'); $('body.tag-template').length.should.equal(1); $('article.post').length.should.equal(7); $('article.tag-getting-started').length.should.equal(7); res.text.should.not.containEql('__GHOST_URL__'); }); }); }); describe('Single post', function () { it('/welcome/ should respond with valid HTML', async function () { await request.get('/welcome/') .expect('Content-Type', /html/) .expect('Cache-Control', testUtils.cacheRules.public) .expect(assertCorrectFrontendHeaders) .expect((res) => { const $ = cheerio.load(res.text); // NOTE: This is the title from the settings. $('title').text().should.equal('Start here for a quick overview of everything you need to know'); $('body.post-template').length.should.equal(1); $('body.tag-getting-started').length.should.equal(1); $('article.post').length.should.equal(2); $('article.tag-getting-started').length.should.equal(2); res.text.should.not.containEql('__GHOST_URL__'); }); }); it('should not work with date permalinks', async function () { // get today's date const date = moment().format('YYYY/MM/DD'); await request.get('/' + date + '/welcome/') .expect('Cache-Control', testUtils.cacheRules.private) .expect(404) .expect(/Page not found/) .expect(assertCorrectFrontendHeaders); }); }); describe('Post edit', function () { it('should redirect to editor', async function () { await request.get('/welcome/edit/') .expect('Location', /ghost\/#\/editor\/\w+/) .expect('Cache-Control', testUtils.cacheRules.public) .expect(302) .expect(assertCorrectFrontendHeaders); }); it('should 404 for non-edit parameter', async function () { await request.get('/welcome/notedit/') .expect('Cache-Control', testUtils.cacheRules.private) .expect(404) .expect(/Page not found/) .expect(assertCorrectFrontendHeaders); }); describe('Admin Redirects Disabled', function () { before(async function () { configUtils.set('admin:redirects', false); await testUtils.startGhost({forceStart: true}); request = supertest.agent(configUtils.config.get('url')); }); after(async function () { configUtils.restore(); await testUtils.startGhost({forceStart: true}); request = supertest.agent(configUtils.config.get('url')); }); it('/edit/ should NOT redirect to the editor', async function () { await request.get('/welcome/edit/') .expect('Cache-Control', testUtils.cacheRules.private) .expect(404) .expect(assertCorrectFrontendHeaders); }); }); }); describe('AMP post', function () { it('should respond with html for valid url', async function () { await request.get('/welcome/amp/') .expect('Content-Type', /html/) .expect('Cache-Control', testUtils.cacheRules.public) .expect(200) .expect(assertCorrectFrontendHeaders) .expect((res) => { const $ = cheerio.load(res.text); $('.post-title').text().should.equal('Start here for a quick overview of everything you need to know'); $('.content .post').length.should.equal(1); $('.powered').text().should.equal(' Published with Ghost'); $('body.amp-template').length.should.equal(1); $('article.post').length.should.equal(1); $('style[amp-custom]').length.should.equal(1); res.text.should.containEql(':root {--ghost-accent-color: #FF1A75;}'); res.text.should.not.containEql('__GHOST_URL__'); }); }); it('should not work with date permalinks', async function () { // get today's date const date = moment().format('YYYY/MM/DD'); await request.get('/' + date + '/welcome/amp/') .expect('Cache-Control', testUtils.cacheRules.private) .expect(404) .expect(/Page not found/) .expect(assertCorrectFrontendHeaders); }); describe('AMP Disabled', function () { it('/amp/ should redirect to regular post, including any query params', async function () { sinon.stub(settingsCache, 'get').callsFake(function (key, options) { if (key === 'amp' && !options) { return false; } return origCache.get(key, options); }); await request.get('/welcome/amp/?q=a') .expect('Location', '/welcome/?q=a') .expect(301) .expect(assertCorrectFrontendHeaders); }); }); }); describe('RSS', function () { it('/rss/ should serve an RSS feed', async function () { await request.get('/rss/') .expect(200) .expect('Cache-Control', testUtils.cacheRules.public) .expect('Content-Type', 'text/xml; charset=utf-8') .expect(assertCorrectFrontendHeaders) .expect((res) => { res.text.should.match(//); res.text.should.not.containEql('__GHOST_URL__'); }); }); it('/author/ghost/rss/ should serve an RSS feed', async function () { await request.get('/author/ghost/rss/') .expect(200) .expect('Cache-Control', testUtils.cacheRules.public) .expect('Content-Type', 'text/xml; charset=utf-8') .expect(assertCorrectFrontendHeaders) .expect((res) => { res.text.should.match(//); res.text.should.not.containEql('__GHOST_URL__'); }); }); it('/tag/getting-started/rss/ should serve an RSS feed', async function () { await request.get('/tag/getting-started/rss/') .expect(200) .expect('Cache-Control', testUtils.cacheRules.public) .expect('Content-Type', 'text/xml; charset=utf-8') .expect(assertCorrectFrontendHeaders) .expect((res) => { res.text.should.match(//); res.text.should.not.containEql('__GHOST_URL__'); }); }); }); describe('Static assets', function () { it('should retrieve theme assets', async function () { await request.get('/assets/css/screen.css') .expect('Cache-Control', testUtils.cacheRules.year) .expect(200) .expect(assertCorrectFrontendHeaders); }); it('should retrieve default robots.txt', async function () { const res = await request.get('/robots.txt') .expect('Cache-Control', testUtils.cacheRules.hour) .expect('ETag', /[0-9a-f]{32}/i) .expect(200) .expect(assertCorrectFrontendHeaders); // The response here is a publicly documented format users rely on // In case it's changed remember to update the docs at https://ghost.org/help/modifying-robots-txt/ res.text.should.equal( 'User-agent: *\n' + 'Sitemap: http://127.0.0.1:2369/sitemap.xml\nDisallow: /ghost/\n' + 'Disallow: /p/\n' + 'Disallow: /email/\n' ); }); it('should retrieve default favicon.ico', async function () { await request.get('/favicon.ico') .expect('Cache-Control', testUtils.cacheRules.day) .expect('ETag', /[0-9a-f]{32}/i) .expect(200) .expect(assertCorrectFrontendHeaders); }); }); describe('Site Map', function () { before(async function () { await testUtils.clearData(); await testUtils.initData(); await testUtils.initFixtures('posts'); }); it('should serve sitemap.xml', async function () { await request.get('/sitemap.xml') .expect(200) .expect('Cache-Control', testUtils.cacheRules.hour) .expect('Content-Type', 'text/xml; charset=utf-8') .expect(assertCorrectFrontendHeaders) .expect((res) => { res.text.should.match(/sitemapindex/); res.text.should.not.containEql('__GHOST_URL__'); }); }); it('should serve sitemap-posts.xml', async function () { await request.get('/sitemap-posts.xml') .expect(200) .expect('Cache-Control', testUtils.cacheRules.hour) .expect('Content-Type', 'text/xml; charset=utf-8') .expect(assertCorrectFrontendHeaders) .expect((res) => { res.text.should.match(/urlset/); res.text.should.not.containEql('__GHOST_URL__'); }); }); it('should serve sitemap-pages.xml', async function () { await request.get('/sitemap-pages.xml') .expect(200) .expect('Cache-Control', testUtils.cacheRules.hour) .expect('Content-Type', 'text/xml; charset=utf-8') .expect(assertCorrectFrontendHeaders) .expect((res) => { res.text.should.match(/urlset/); res.text.should.not.containEql('__GHOST_URL__'); }); }); it('should serve sitemap-tags.xml', async function () { await request.get('/sitemap-tags.xml') .expect(200) .expect('Cache-Control', testUtils.cacheRules.hour) .expect('Content-Type', 'text/xml; charset=utf-8') .expect(assertCorrectFrontendHeaders) .expect((res) => { res.text.should.match(/urlset/); res.text.should.not.containEql('__GHOST_URL__'); }); }); it('should serve sitemap-users.xml', async function () { await request.get('/sitemap-users.xml') .expect(200) .expect('Cache-Control', testUtils.cacheRules.hour) .expect('Content-Type', 'text/xml; charset=utf-8') .expect(assertCorrectFrontendHeaders) .expect((res) => { res.text.should.match(/urlset/); res.text.should.not.containEql('__GHOST_URL__'); }); }); it('should serve sitemap.xsl', async function () { await request.get('/sitemap.xsl') .expect(200) .expect('Cache-Control', testUtils.cacheRules.day) .expect('Content-Type', 'text/xsl') .expect(assertCorrectFrontendHeaders) .expect((res) => { res.text.should.match(/urlset/); res.text.should.not.containEql('__GHOST_URL__'); }); }); }); describe('Private Blogging', function () { beforeEach(function () { sinon.stub(settingsCache, 'get').callsFake(function (key, options) { if (key === 'is_private') { return true; } return origCache.get(key, options); }); }); it('/ should redirect to /private/', async function () { await request.get('/') .expect('Location', '/private/?r=%2F') .expect(302) .expect(assertCorrectFrontendHeaders); }); it('/welcome/ should redirect to /private/', async function () { await request.get('/welcome/') .expect('Location', '/private/?r=%2Fwelcome%2F') .expect(302) .expect(assertCorrectFrontendHeaders); }); it('/private/?r=%2Fwelcome%2F should not redirect', async function () { await request.get('/private/?r=%2Fwelcome%2F') .expect(200) .expect(assertCorrectFrontendHeaders); }); it('should redirect, NOT 404 for private route with extra path', async function () { await request.get('/private/welcome/') .expect('Location', '/private/?r=%2Fprivate%2Fwelcome%2F') .expect(302) .expect(assertCorrectFrontendHeaders); }); it('should still serve private RSS feed', async function () { await request.get(`/${settingsCache.get('public_hash')}/rss/`) .expect(200) .expect('Cache-Control', testUtils.cacheRules.private) .expect('Content-Type', 'text/xml; charset=utf-8') .expect(assertCorrectFrontendHeaders) .expect((res) => { res.text.should.match(//); }); }); it('should still serve private tag RSS feed', async function () { await request.get(`/tag/getting-started/${settingsCache.get('public_hash')}/rss/`) .expect(200) .expect('Cache-Control', testUtils.cacheRules.private) .expect('Content-Type', 'text/xml; charset=utf-8') .expect(assertCorrectFrontendHeaders) .expect((res) => { res.text.should.match(//); }); }); it('should redirect, NOT 404 for private tag RSS feed with extra path', async function () { await request.get(`/tag/getting-started/${settingsCache.get('public_hash')}/rss/hack/`) .expect('Location', `/private/?r=%2Ftag%2Fgetting-started%2F${settingsCache.get('public_hash')}%2Frss%2Fhack%2F`) .expect(302) .expect(assertCorrectFrontendHeaders); }); // NOTE: this case is covered by extra error handling, and cannot be unit tested it('should redirect, NOT 404 for unknown private RSS feed', async function () { // NOTE: the redirect will be to /hack/rss because we strip the hash from the URL before trying to serve RSS // This isn't ideal, but it's better to expose this internal logic than it is a 404 page await request.get(`/hack/${settingsCache.get('public_hash')}/rss/`) .expect('Location', '/private/?r=%2Fhack%2Frss%2F') .expect(302) .expect(assertCorrectFrontendHeaders); }); // NOTE: this test extends the unit test, checking that there is no other robots.txt middleware overriding private blogging it('should serve private robots.txt', async function () { await request.get('/robots.txt') .expect('Cache-Control', 'public, max-age=3600000') .expect(200) .expect(assertCorrectFrontendHeaders) .expect((res) => { res.text.should.match('User-agent: *\nDisallow: /'); }); }); }); });