mirror of
https://github.com/TryGhost/Ghost.git
synced 2024-12-18 16:01:40 +03:00
c9f551eb96
refs #8111 - Ghost returns now all (active+none active) users by default - protect login with suspended status - test permissions and add extra protection for suspending myself - if a user is suspended and tries to activate himself, he won't be able to proceed the login to get a new token
415 lines
16 KiB
JavaScript
415 lines
16 KiB
JavaScript
var should = require('should'),
|
|
sinon = require('sinon'),
|
|
Promise = require('bluebird'),
|
|
_ = require('lodash'),
|
|
|
|
authStrategies = require('../../../server/auth/auth-strategies'),
|
|
Models = require('../../../server/models'),
|
|
errors = require('../../../server/errors'),
|
|
globalUtils = require('../../../server/utils'),
|
|
|
|
sandbox = sinon.sandbox.create(),
|
|
|
|
fakeClient = {
|
|
slug: 'ghost-admin',
|
|
secret: 'not_available',
|
|
status: 'enabled'
|
|
},
|
|
|
|
fakeValidToken = {
|
|
user_id: 3,
|
|
token: 'valid-token',
|
|
client_id: 1,
|
|
expires: Date.now() + globalUtils.ONE_DAY_MS
|
|
},
|
|
fakeInvalidToken = {
|
|
user_id: 3,
|
|
token: 'expired-token',
|
|
client_id: 1,
|
|
expires: Date.now() - globalUtils.ONE_DAY_MS
|
|
};
|
|
|
|
describe('Auth Strategies', function () {
|
|
var next;
|
|
|
|
before(function () {
|
|
// Loads all the models
|
|
Models.init();
|
|
});
|
|
|
|
beforeEach(function () {
|
|
next = sandbox.spy();
|
|
});
|
|
|
|
afterEach(function () {
|
|
sandbox.restore();
|
|
});
|
|
|
|
describe('Client Password Strategy', function () {
|
|
var clientStub;
|
|
|
|
beforeEach(function () {
|
|
clientStub = sandbox.stub(Models.Client, 'findOne');
|
|
clientStub.returns(new Promise.resolve());
|
|
clientStub.withArgs({slug: fakeClient.slug}).returns(new Promise.resolve({
|
|
toJSON: function () {
|
|
return fakeClient;
|
|
}
|
|
}));
|
|
});
|
|
|
|
it('should find client', function (done) {
|
|
var clientId = 'ghost-admin',
|
|
clientSecret = 'not_available';
|
|
|
|
authStrategies.clientPasswordStrategy(clientId, clientSecret, next).then(function () {
|
|
clientStub.calledOnce.should.be.true();
|
|
clientStub.calledWith({slug: clientId}).should.be.true();
|
|
next.called.should.be.true();
|
|
next.firstCall.args.length.should.eql(2);
|
|
should.equal(next.firstCall.args[0], null);
|
|
next.firstCall.args[1].slug.should.eql(clientId);
|
|
done();
|
|
}).catch(done);
|
|
});
|
|
|
|
it('shouldn\'t find client with invalid id', function (done) {
|
|
var clientId = 'invalid_id',
|
|
clientSecret = 'not_available';
|
|
authStrategies.clientPasswordStrategy(clientId, clientSecret, next).then(function () {
|
|
clientStub.calledOnce.should.be.true();
|
|
clientStub.calledWith({slug: clientId}).should.be.true();
|
|
next.called.should.be.true();
|
|
next.calledWith(null, false).should.be.true();
|
|
done();
|
|
}).catch(done);
|
|
});
|
|
|
|
it('shouldn\'t find client with invalid secret', function (done) {
|
|
var clientId = 'ghost-admin',
|
|
clientSecret = 'invalid_secret';
|
|
authStrategies.clientPasswordStrategy(clientId, clientSecret, next).then(function () {
|
|
clientStub.calledOnce.should.be.true();
|
|
clientStub.calledWith({slug: clientId}).should.be.true();
|
|
next.called.should.be.true();
|
|
next.calledWith(null, false).should.be.true();
|
|
done();
|
|
}).catch(done);
|
|
});
|
|
|
|
it('shouldn\'t auth client that is disabled', function (done) {
|
|
var clientId = 'ghost-admin',
|
|
clientSecret = 'not_available';
|
|
|
|
fakeClient.status = 'disabled';
|
|
|
|
authStrategies.clientPasswordStrategy(clientId, clientSecret, next).then(function () {
|
|
clientStub.calledOnce.should.be.true();
|
|
clientStub.calledWith({slug: clientId}).should.be.true();
|
|
next.called.should.be.true();
|
|
next.calledWith(null, false).should.be.true();
|
|
done();
|
|
}).catch(done);
|
|
});
|
|
});
|
|
|
|
describe('Bearer Strategy', function () {
|
|
var tokenStub, userStub, userIsActive;
|
|
|
|
beforeEach(function () {
|
|
tokenStub = sandbox.stub(Models.Accesstoken, 'findOne');
|
|
tokenStub.returns(new Promise.resolve());
|
|
tokenStub.withArgs({token: fakeValidToken.token}).returns(new Promise.resolve({
|
|
toJSON: function () {
|
|
return fakeValidToken;
|
|
}
|
|
}));
|
|
|
|
tokenStub.withArgs({token: fakeInvalidToken.token}).returns(new Promise.resolve({
|
|
toJSON: function () {
|
|
return fakeInvalidToken;
|
|
}
|
|
}));
|
|
|
|
userStub = sandbox.stub(Models.User, 'findOne');
|
|
userStub.returns(new Promise.resolve());
|
|
userStub.withArgs({id: 3}).returns(new Promise.resolve({
|
|
toJSON: function () {
|
|
return {id: 3};
|
|
},
|
|
isActive: function () {
|
|
return userIsActive;
|
|
}
|
|
}));
|
|
});
|
|
|
|
it('should find user with valid token', function (done) {
|
|
var accessToken = 'valid-token',
|
|
userId = 3;
|
|
|
|
userIsActive = true;
|
|
|
|
authStrategies.bearerStrategy(accessToken, next).then(function () {
|
|
tokenStub.calledOnce.should.be.true();
|
|
tokenStub.calledWith({token: accessToken}).should.be.true();
|
|
userStub.calledOnce.should.be.true();
|
|
userStub.calledWith({id: userId}).should.be.true();
|
|
next.calledOnce.should.be.true();
|
|
next.firstCall.args.length.should.eql(3);
|
|
next.calledWith(null, {id: userId}, {scope: '*'}).should.be.true();
|
|
done();
|
|
}).catch(done);
|
|
});
|
|
|
|
it('should find user with valid token, but user is suspended', function (done) {
|
|
var accessToken = 'valid-token',
|
|
userId = 3;
|
|
|
|
userIsActive = false;
|
|
|
|
authStrategies.bearerStrategy(accessToken, next).then(function () {
|
|
tokenStub.calledOnce.should.be.true();
|
|
tokenStub.calledWith({token: accessToken}).should.be.true();
|
|
userStub.calledOnce.should.be.true();
|
|
userStub.calledWith({id: userId}).should.be.true();
|
|
next.calledOnce.should.be.true();
|
|
next.firstCall.args.length.should.eql(1);
|
|
(next.firstCall.args[0] instanceof errors.NoPermissionError).should.eql(true);
|
|
next.firstCall.args[0].message.should.eql('Your account was suspended.');
|
|
done();
|
|
}).catch(done);
|
|
});
|
|
|
|
it('shouldn\'t find user with invalid token', function (done) {
|
|
var accessToken = 'invalid_token';
|
|
|
|
authStrategies.bearerStrategy(accessToken, next).then(function () {
|
|
tokenStub.calledOnce.should.be.true();
|
|
tokenStub.calledWith({token: accessToken}).should.be.true();
|
|
userStub.called.should.be.false();
|
|
next.called.should.be.true();
|
|
next.calledWith(null, false).should.be.true();
|
|
done();
|
|
}).catch(done);
|
|
});
|
|
|
|
it('should find user that doesn\'t exist', function (done) {
|
|
var accessToken = 'valid-token',
|
|
userId = 2;
|
|
|
|
// override user
|
|
fakeValidToken.user_id = userId;
|
|
|
|
authStrategies.bearerStrategy(accessToken, next).then(function () {
|
|
tokenStub.calledOnce.should.be.true();
|
|
tokenStub.calledWith({token: accessToken}).should.be.true();
|
|
userStub.calledOnce.should.be.true();
|
|
userStub.calledWith({id: userId}).should.be.true();
|
|
next.called.should.be.true();
|
|
next.calledWith(null, false).should.be.true();
|
|
done();
|
|
}).catch(done);
|
|
});
|
|
|
|
it('should find user with expired token', function (done) {
|
|
var accessToken = 'expired-token';
|
|
|
|
authStrategies.bearerStrategy(accessToken, next).then(function () {
|
|
tokenStub.calledOnce.should.be.true();
|
|
tokenStub.calledWith({token: accessToken}).should.be.true();
|
|
userStub.calledOnce.should.be.false();
|
|
next.called.should.be.true();
|
|
next.calledWith(null, false).should.be.true();
|
|
done();
|
|
}).catch(done);
|
|
});
|
|
});
|
|
|
|
describe('Ghost Strategy', function () {
|
|
var inviteStub, userAddStub, userEditStub, userFindOneStub;
|
|
|
|
beforeEach(function () {
|
|
userFindOneStub = sandbox.stub(Models.User, 'findOne');
|
|
userAddStub = sandbox.stub(Models.User, 'add');
|
|
userEditStub = sandbox.stub(Models.User, 'edit');
|
|
inviteStub = sandbox.stub(Models.Invite, 'findOne');
|
|
});
|
|
|
|
it('with invite, but with wrong invite token', function (done) {
|
|
var ghostAuthAccessToken = '12345',
|
|
req = {body: {inviteToken: 'wrong'}},
|
|
profile = {email: 'test@example.com', id: '1234'};
|
|
|
|
userFindOneStub.returns(Promise.resolve(null));
|
|
inviteStub.returns(Promise.reject(new errors.NotFoundError()));
|
|
|
|
authStrategies.ghostStrategy(req, ghostAuthAccessToken, null, profile, function (err) {
|
|
should.exist(err);
|
|
(err instanceof errors.NotFoundError).should.eql(true);
|
|
userFindOneStub.calledOnce.should.be.false();
|
|
inviteStub.calledOnce.should.be.true();
|
|
done();
|
|
});
|
|
});
|
|
|
|
it('with correct invite token, but expired', function (done) {
|
|
var ghostAuthAccessToken = '12345',
|
|
req = {body: {inviteToken: 'token'}},
|
|
profile = {email: 'test@example.com', id: '1234'};
|
|
|
|
userFindOneStub.returns(Promise.resolve(null));
|
|
inviteStub.returns(Promise.resolve(Models.Invite.forge({
|
|
id: 1,
|
|
token: 'token',
|
|
expires: Date.now() - 1000
|
|
})));
|
|
|
|
authStrategies.ghostStrategy(req, ghostAuthAccessToken, null, profile, function (err) {
|
|
should.exist(err);
|
|
(err instanceof errors.NotFoundError).should.eql(true);
|
|
userFindOneStub.calledOnce.should.be.false();
|
|
inviteStub.calledOnce.should.be.true();
|
|
done();
|
|
});
|
|
});
|
|
|
|
it('with correct invite token', function (done) {
|
|
var ghostAuthAccessToken = '12345',
|
|
req = {body: {inviteToken: 'token'}},
|
|
invitedProfile = {email: 'test@example.com', id: '1234'},
|
|
invitedUser = {id: 2},
|
|
inviteModel = Models.Invite.forge({
|
|
id: 1,
|
|
token: 'token',
|
|
expires: Date.now() + 1000
|
|
});
|
|
|
|
userFindOneStub.returns(Promise.resolve(null));
|
|
userAddStub.returns(Promise.resolve(invitedUser));
|
|
userEditStub.returns(Promise.resolve(invitedUser));
|
|
inviteStub.returns(Promise.resolve(inviteModel));
|
|
sandbox.stub(inviteModel, 'destroy').returns(Promise.resolve());
|
|
|
|
authStrategies.ghostStrategy(req, ghostAuthAccessToken, null, invitedProfile, function (err, user, profile) {
|
|
should.not.exist(err);
|
|
should.exist(user);
|
|
should.exist(profile);
|
|
user.should.eql(invitedUser);
|
|
profile.should.eql(invitedProfile);
|
|
|
|
userFindOneStub.calledOnce.should.be.false();
|
|
inviteStub.calledOnce.should.be.true();
|
|
done();
|
|
});
|
|
});
|
|
|
|
it('setup', function (done) {
|
|
var ghostAuthAccessToken = '12345',
|
|
req = {body: {}},
|
|
ownerProfile = {email: 'test@example.com', id: '1234'},
|
|
owner = {id: 2};
|
|
|
|
userFindOneStub.withArgs({ghost_auth_id: ownerProfile.id})
|
|
.returns(Promise.resolve(null));
|
|
|
|
userFindOneStub.withArgs({slug: 'ghost-owner', status: 'inactive'})
|
|
.returns(Promise.resolve(_.merge({}, {status: 'inactive'}, owner)));
|
|
|
|
userEditStub.withArgs({
|
|
status: 'active',
|
|
email: 'test@example.com',
|
|
ghost_auth_id: ownerProfile.id,
|
|
ghost_auth_access_token: ghostAuthAccessToken
|
|
}, {
|
|
context: {internal: true},
|
|
id: owner.id
|
|
}).returns(Promise.resolve(owner));
|
|
|
|
userEditStub.withArgs({
|
|
ghost_auth_access_token: ghostAuthAccessToken,
|
|
ghost_auth_id: ownerProfile.id,
|
|
email: ownerProfile.email
|
|
}, {
|
|
context: {internal: true},
|
|
id: owner.id
|
|
}).returns(Promise.resolve(owner));
|
|
|
|
authStrategies.ghostStrategy(req, ghostAuthAccessToken, null, ownerProfile, function (err, user, profile) {
|
|
should.not.exist(err);
|
|
userFindOneStub.calledTwice.should.be.true();
|
|
inviteStub.calledOnce.should.be.false();
|
|
|
|
should.exist(user);
|
|
should.exist(profile);
|
|
user.should.eql(owner);
|
|
profile.should.eql(ownerProfile);
|
|
done();
|
|
});
|
|
});
|
|
|
|
it('sign in', function (done) {
|
|
var ghostAuthAccessToken = '12345',
|
|
req = {body: {}},
|
|
ownerProfile = {email: 'test@example.com', id: '12345'},
|
|
owner = {id: 2, isActive: function () {
|
|
return true;
|
|
}};
|
|
|
|
userFindOneStub.returns(Promise.resolve(owner));
|
|
userEditStub.withArgs({
|
|
ghost_auth_access_token: ghostAuthAccessToken,
|
|
ghost_auth_id: ownerProfile.id,
|
|
email: ownerProfile.email
|
|
}, {
|
|
context: {internal: true},
|
|
id: owner.id
|
|
}).returns(Promise.resolve(owner));
|
|
|
|
authStrategies.ghostStrategy(req, ghostAuthAccessToken, null, ownerProfile, function (err, user, profile) {
|
|
should.not.exist(err);
|
|
userFindOneStub.calledOnce.should.be.true();
|
|
userEditStub.calledOnce.should.be.true();
|
|
inviteStub.calledOnce.should.be.false();
|
|
|
|
should.exist(user);
|
|
should.exist(profile);
|
|
user.should.eql(owner);
|
|
profile.should.eql(ownerProfile);
|
|
done();
|
|
});
|
|
});
|
|
|
|
it('sign in, but user is suspended', function (done) {
|
|
var ghostAuthAccessToken = '12345',
|
|
req = {body: {}},
|
|
ownerProfile = {email: 'test@example.com', id: '12345'},
|
|
owner = {id: 2, isActive: function () {
|
|
return false;
|
|
}};
|
|
|
|
userFindOneStub.returns(Promise.resolve(owner));
|
|
userEditStub.withArgs({
|
|
ghost_auth_access_token: ghostAuthAccessToken,
|
|
ghost_auth_id: ownerProfile.id,
|
|
email: ownerProfile.email
|
|
}, {
|
|
context: {internal: true},
|
|
id: owner.id
|
|
}).returns(Promise.resolve(owner));
|
|
|
|
authStrategies.ghostStrategy(req, ghostAuthAccessToken, null, ownerProfile, function (err, user, profile) {
|
|
should.exist(err);
|
|
err.message.should.eql('Your account was suspended.');
|
|
|
|
userFindOneStub.calledOnce.should.be.true();
|
|
userEditStub.calledOnce.should.be.false();
|
|
inviteStub.calledOnce.should.be.false();
|
|
|
|
should.not.exist(user);
|
|
should.not.exist(profile);
|
|
done();
|
|
});
|
|
});
|
|
});
|
|
});
|