Ghost/test/unit/server/services/auth/api-key/admin.test.js
Hannah Wolfe 9e96b04542
Moved server unit tests into the server folder
- this is a small part of a bit of cleanup of our test files
- the goal is to make the existing tests clearer with a view to making it easier to write more tests
- this makes the test structure follow the codebase structure more closely
- eventually we will colocate the tests as we break the codebase down further
2021-10-06 12:01:09 +01:00

259 lines
7.6 KiB
JavaScript

const errors = require('@tryghost/errors');
const jwt = require('jsonwebtoken');
const should = require('should');
const sinon = require('sinon');
const apiKeyAuth = require('../../../../../../core/server/services/auth/api-key');
const models = require('../../../../../../core/server/models');
describe('Admin API Key Auth', function () {
before(models.init);
beforeEach(function () {
const fakeApiKey = {
id: '1234',
type: 'admin',
secret: Buffer.from('testing').toString('hex'),
get(prop) {
return this[prop];
}
};
this.fakeApiKey = fakeApiKey;
this.secret = Buffer.from(fakeApiKey.secret, 'hex');
this.apiKeyStub = sinon.stub(models.ApiKey, 'findOne');
this.apiKeyStub.resolves();
this.apiKeyStub.withArgs({id: fakeApiKey.id}).resolves(fakeApiKey);
});
afterEach(function () {
sinon.restore();
});
it('should authenticate known+valid v2 API key', function (done) {
const token = jwt.sign({
}, this.secret, {
keyid: this.fakeApiKey.id,
algorithm: 'HS256',
expiresIn: '5m',
audience: '/v2/admin/',
issuer: this.fakeApiKey.id
});
const req = {
originalUrl: '/ghost/api/v2/admin/',
headers: {
authorization: `Ghost ${token}`
}
};
const res = {};
apiKeyAuth.admin.authenticate(req, res, (err) => {
should.not.exist(err);
req.api_key.should.eql(this.fakeApiKey);
done();
});
});
it('should authenticate known+valid canary API key', function (done) {
const token = jwt.sign({
}, this.secret, {
keyid: this.fakeApiKey.id,
algorithm: 'HS256',
expiresIn: '5m',
audience: '/canary/admin/',
issuer: this.fakeApiKey.id
});
const req = {
originalUrl: '/ghost/api/canary/admin/',
headers: {
authorization: `Ghost ${token}`
}
};
const res = {};
apiKeyAuth.admin.authenticate(req, res, (err) => {
should.not.exist(err);
req.api_key.should.eql(this.fakeApiKey);
done();
});
});
it('should authenticate known+valid v3 API key', function (done) {
const token = jwt.sign({
}, this.secret, {
keyid: this.fakeApiKey.id,
algorithm: 'HS256',
expiresIn: '5m',
audience: '/v3/admin/',
issuer: this.fakeApiKey.id
});
const req = {
originalUrl: '/ghost/api/v3/admin/',
headers: {
authorization: `Ghost ${token}`
}
};
const res = {};
apiKeyAuth.admin.authenticate(req, res, (err) => {
should.not.exist(err);
req.api_key.should.eql(this.fakeApiKey);
done();
});
});
it('shouldn\'t authenticate with missing Ghost token', function (done) {
const token = '';
const req = {
headers: {
authorization: `Ghost ${token}`
}
};
const res = {};
apiKeyAuth.admin.authenticate(req, res, function next(err) {
should.exist(err);
should.equal(err instanceof errors.UnauthorizedError, true);
err.code.should.eql('INVALID_AUTH_HEADER');
should.not.exist(req.api_key);
done();
});
});
it('shouldn\'t authenticate with broken Ghost token', function (done) {
const token = 'invalid';
const req = {
headers: {
authorization: `Ghost ${token}`
}
};
const res = {};
apiKeyAuth.admin.authenticate(req, res, function next(err) {
should.exist(err);
should.equal(err instanceof errors.BadRequestError, true);
err.code.should.eql('INVALID_JWT');
should.not.exist(req.api_key);
done();
});
});
it('shouldn\'t authenticate with invalid/unknown key', function (done) {
const token = jwt.sign({
}, this.secret, {
keyid: 'unknown',
algorithm: 'HS256',
expiresIn: '5m',
audience: 'wrong audience',
issuer: 'unknown'
});
const req = {
originalUrl: '/ghost/api/v2/admin/',
headers: {
authorization: `Ghost ${token}`
}
};
const res = {};
apiKeyAuth.admin.authenticate(req, res, function next(err) {
should.exist(err);
should.equal(err instanceof errors.UnauthorizedError, true);
err.code.should.eql('UNKNOWN_ADMIN_API_KEY');
should.not.exist(req.api_key);
done();
});
});
it('shouldn\'t authenticate with JWT signed > 5min ago', function (done) {
const payload = {
iat: Math.floor(Date.now() / 1000) - 6 * 60
};
const token = jwt.sign(payload, this.secret, {
keyid: this.fakeApiKey.id,
algorithm: 'HS256',
expiresIn: '5m',
audience: '/v2/admin/',
issuer: this.fakeApiKey.id
});
const req = {
originalUrl: '/ghost/api/v2/admin/',
headers: {
authorization: `Ghost ${token}`
}
};
const res = {};
apiKeyAuth.admin.authenticate(req, res, function next(err) {
should.exist(err);
should.equal(err instanceof errors.UnauthorizedError, true);
err.code.should.eql('INVALID_JWT');
err.message.should.match(/jwt expired/);
should.not.exist(req.api_key);
done();
});
});
it('shouldn\'t authenticate with JWT with maxAge > 5min', function (done) {
const payload = {
iat: Math.floor(Date.now() / 1000) - 6 * 60
};
const token = jwt.sign(payload, this.secret, {
keyid: this.fakeApiKey.id,
algorithm: 'HS256',
expiresIn: '10m',
audience: '/v2/admin/',
issuer: this.fakeApiKey.id
});
const req = {
originalUrl: '/ghost/api/v2/admin/',
headers: {
authorization: `Ghost ${token}`
}
};
const res = {};
apiKeyAuth.admin.authenticate(req, res, function next(err) {
should.exist(err);
should.equal(err instanceof errors.UnauthorizedError, true);
err.code.should.eql('INVALID_JWT');
err.message.should.match(/maxAge exceeded/);
should.not.exist(req.api_key);
done();
});
});
it('shouldn\'t authenticate with a Content API Key', function (done) {
const token = jwt.sign({
}, this.secret, {
keyid: this.fakeApiKey.id,
algorithm: 'HS256',
expiresIn: '5m',
audience: '/v2/admin/',
issuer: this.fakeApiKey.id
});
const req = {
originalUrl: '/ghost/api/v2/admin/',
headers: {
authorization: `Ghost ${token}`
}
};
const res = {};
this.fakeApiKey.type = 'content';
apiKeyAuth.admin.authenticate(req, res, function next(err) {
should.exist(err);
should.equal(err instanceof errors.UnauthorizedError, true);
err.code.should.eql('INVALID_API_KEY_TYPE');
should.not.exist(req.api_key);
done();
});
});
});