TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2024-12-19 00:11:49 +03:00
Code Issues Projects Releases Wiki Activity
ef143978e7
Ghost/ghost/core/test/e2e-server/admin.test.js
Kevin Ansfield ef143978e7
🎨 Reduced requests and 403 responses for comments auth check (#19840) 
closes https://linear.app/tryghost/issue/ENG-721
ref https://linear.app/tryghost/issue/ENG-708

Comments-UI loads `/ghost/admin-frame/` in an iframe to check if a Staff User is authenticated in order to  show moderation options. That iframe request loads a HTML page which in turn contains a script that fires off an API request that attempts to fetch the logged-in user details, resulting in a 403 "error" showing up when not authenticated. In the vast majority of cases there will be no staff user authenticated so lots of extra requests and "errors" are seen unnecessarily.

- adjusted the `/ghost/auth-frame/` endpoint to check if the request contains an Admin session cookie
  - if it does, continue as before with rendering the HTML page so the script is loaded
  - if it doesn't, return an empty 204 response avoiding the script request and subsequent 403-generating API request
- eliminates the 403 error being generated for all typical visitor traffic, the error should only be seen when an Admin was previously logged in but their cookie is no longer valid (either from logging out, or going past the 6month validity period)
2024-03-12 12:27:18 +00:00

153 lines
5.4 KiB
JavaScript
Raw Blame History

// # Frontend Route tests
// As it stands, these tests depend on the database, and as such are integration tests.
// Mocking out the models to not touch the DB would turn these into unit tests, and should probably be done in future,
// But then again testing real code, rather than mock code, might be more useful...
const should = require('should');
const path = require('path');
const fs = require('fs');
const supertest = require('supertest');
const testUtils = require('../utils');
const configUtils = require('../utils/configUtils');
const urlUtils = require('../utils/urlUtils');
const adminUtils = require('../utils/admin-utils');
const config = require('../../core/shared/config');
let request;
function assertCorrectHeaders(res) {
should.not.exist(res.headers['x-cache-invalidate']);
should.exist(res.headers.date);
}
describe('Admin Routing', function () {
before(async function () {
adminUtils.stubAdminFiles();
await testUtils.startGhost();
request = supertest.agent(config.get('url'));
});
describe('Assets', function () {
it('should return 404 for unknown assets', async function () {
await request.get('/ghost/assets/not-found.js')
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(404)
.expect(assertCorrectHeaders);
});
it('should retrieve built assets', async function () {
await request.get('/ghost/assets/vendor.js')
.expect('Cache-Control', testUtils.cacheRules.yearImmutable)
.expect(200)
.expect(assertCorrectHeaders);
});
});
describe('Auth Frame', function () {
before(function () {
// ensure the admin-auth folder exists so serveStatic doesn't fall through
adminUtils.stubAuthFrameFiles(configUtils.config.getContentPath('public'));
});
it('Renders 204 with no admin session cookie', async function () {
await request
.get('/ghost/auth-frame/')
.set('Origin', config.get('url'))
.expect(204);
});
it('Renders static file with admin session cookie', async function () {
await request
.get('/ghost/auth-frame/')
.set('Origin', config.get('url'))
.set('Cookie', [
'ghost-admin-api-session=abc; Path=/; HttpOnly; Secure; SameSite=Strict'
])
.expect(200);
});
});
describe('Admin Redirects', function () {
it('should redirect /GHOST/ to /ghost/', async function () {
await request.get('/GHOST/')
.expect('Location', '/ghost/')
.expect(301)
.expect(assertCorrectHeaders);
});
});
// we'll use X-Forwarded-Proto: https to simulate an 'https://' request behind a proxy
describe('Require HTTPS - redirect', function () {
before(async function () {
configUtils.set('url', 'https://localhost:2390');
urlUtils.stubUrlUtilsFromConfig();
await testUtils.startGhost({forceStart: true});
request = supertest.agent(config.get('server:host') + ':' + config.get('server:port'));
});
after(async function () {
urlUtils.restore();
await configUtils.restore();
});
it('should redirect admin access over non-HTTPS', async function () {
await request.get('/ghost/')
.expect('Location', /^https:\/\/localhost:2390\/ghost\//)
.expect(301)
.expect(assertCorrectHeaders);
});
it('should allow admin access over HTTPS', async function () {
await request.get('/ghost/')
.set('X-Forwarded-Proto', 'https')
.expect(200)
.expect(assertCorrectHeaders);
});
});
describe('built template', function () {
beforeEach(function () {
const configPaths = configUtils.config.get('paths');
configPaths.adminAssets = path.resolve('test/utils/fixtures/admin-build');
configUtils.set('paths', configPaths);
});
afterEach(async function () {
await configUtils.restore();
});
it('serves assets in production', async function () {
configUtils.set('env', 'production');
const prodTemplate = fs.readFileSync(path.resolve('test/utils/fixtures/admin-build/index.html')).toString();
const res = await request.get('/ghost/')
.set('X-Forwarded-Proto', 'https')
.expect(200);
res.text.should.equal(prodTemplate);
});
it('serves assets when not in production', async function () {
const devTemplate = fs.readFileSync(path.resolve('test/utils/fixtures/admin-build/index.html')).toString();
const res = await request.get('/ghost/')
.set('X-Forwarded-Proto', 'https')
.expect(200);
res.text.should.equal(devTemplate);
});
it('generates it\'s own ETag header from file contents', async function () {
const res = await request.get('/ghost/')
.set('X-Forwarded-Proto', 'https')
.expect(200);
should.exist(res.headers.etag);
res.headers.etag.should.equal('8793333e8e91cde411b1336c58ec6ef3');
});
});
});
Reference in New Issue View Git Blame Copy Permalink