mirror of
https://github.com/TryGhost/Ghost.git
synced 2024-12-28 21:33:24 +03:00
f08a55c21f
refs: https://github.com/TryGhost/Team/issues/856 refs: https://github.com/TryGhost/Team/issues/756 - The .test.js extension is better than _spec.js as it's more obvious that it's an extension - It also meaans we can use the --extension parameter in mocha, which should result in a better default behaviour for `yarn test` - It also highlights that some of our tests were named incorrectly and were not (and still will not be) run (see https://github.com/TryGhost/Team/issues/856) - Note: even with this change, `yarn test` is throwing errors, I believe because of this issue https://github.com/TryGhost/Team/issues/756
102 lines
3.3 KiB
JavaScript
102 lines
3.3 KiB
JavaScript
const should = require('should');
|
|
const supertest = require('supertest');
|
|
const jwt = require('jsonwebtoken');
|
|
const jwksClient = require('jwks-rsa');
|
|
const testUtils = require('../../../../utils');
|
|
const localUtils = require('./utils');
|
|
const config = require('../../../../../core/shared/config');
|
|
|
|
const ghost = testUtils.startGhost;
|
|
|
|
let request;
|
|
|
|
const verifyJWKS = (endpoint, token) => {
|
|
return new Promise((resolve, reject) => {
|
|
const client = jwksClient({
|
|
jwksUri: endpoint
|
|
});
|
|
|
|
async function getKey(header, callback) {
|
|
const key = await client.getSigningKey(header.kid);
|
|
let signingKey = key.publicKey || key.rsaPublicKey;
|
|
callback(null, signingKey);
|
|
}
|
|
|
|
jwt.verify(token, getKey, {}, (err, decoded) => {
|
|
if (err) {
|
|
reject(err);
|
|
}
|
|
|
|
resolve(decoded);
|
|
});
|
|
});
|
|
};
|
|
|
|
describe('Identities API', function () {
|
|
describe('As Owner', function () {
|
|
before(function () {
|
|
return ghost()
|
|
.then(function () {
|
|
request = supertest.agent(config.get('url'));
|
|
})
|
|
.then(function () {
|
|
return localUtils.doAuth(request);
|
|
});
|
|
});
|
|
|
|
it('Can create JWT token and verify it afterwards with public jwks', function () {
|
|
let identity;
|
|
|
|
return request
|
|
.get(localUtils.API.getApiQuery(`identities/`))
|
|
.set('Origin', config.get('url'))
|
|
.expect('Content-Type', /json/)
|
|
.expect('Cache-Control', testUtils.cacheRules.private)
|
|
.expect(200)
|
|
.then((res) => {
|
|
should.not.exist(res.headers['x-cache-invalidate']);
|
|
const jsonResponse = res.body;
|
|
should.exist(jsonResponse);
|
|
should.exist(jsonResponse.identities);
|
|
|
|
identity = jsonResponse.identities[0];
|
|
})
|
|
.then(() => {
|
|
return verifyJWKS(`${request.app}/ghost/.well-known/jwks.json`, identity.token);
|
|
})
|
|
.then((decoded) => {
|
|
decoded.sub.should.equal('jbloggs@example.com');
|
|
});
|
|
});
|
|
});
|
|
|
|
describe('As non-Owner', function () {
|
|
before(function () {
|
|
return ghost()
|
|
.then(function (_ghostServer) {
|
|
request = supertest.agent(config.get('url'));
|
|
})
|
|
.then(function () {
|
|
return testUtils.createUser({
|
|
user: testUtils.DataGenerator.forKnex.createUser({email: 'admin+1@ghost.org'}),
|
|
role: testUtils.DataGenerator.Content.roles[0].name
|
|
});
|
|
})
|
|
.then(function (admin) {
|
|
request.user = admin;
|
|
|
|
return localUtils.doAuth(request);
|
|
});
|
|
});
|
|
|
|
it('Cannot read', function () {
|
|
return request
|
|
.get(localUtils.API.getApiQuery(`identities/`))
|
|
.set('Origin', config.get('url'))
|
|
.expect('Content-Type', /json/)
|
|
.expect('Cache-Control', testUtils.cacheRules.private)
|
|
.expect(403);
|
|
});
|
|
});
|
|
});
|