Infra-Mirrors/BookStack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2024-10-01 01:36:00 -04:00
Code Issues Packages Projects Releases Wiki Activity

Added testing coverage to API token auth

Browse Source
This commit is contained in:
Dan Brown 2019-12-30 19:42:46 +00:00
parent 6f1b88a6a6
commit 3d11cba223
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
8 changed files with 126 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
app/Api/ApiTokenGuard.php
View File

@ -150,4 +150,11 @@ class ApiTokenGuard implements Guard
return Hash::check($credentials['secret'], $token->secret); return Hash::check($credentials['secret'], $token->secret);
} }
/**
* "Log out" the currently authenticated user.
*/
public function logout()
{
$this->user = null;
}
} }

2
app/Auth/Role.php
View File

@ -72,7 +72,7 @@ class Role extends Model
*/ */
public function detachPermission(RolePermission $permission) public function detachPermission(RolePermission $permission)
{ {
$this->permissions()->detach($permission->id); $this->permissions()->detach([$permission->id]);
} }
/** /**

2
app/Http/Middleware/ApiAuthenticate.php
View File

@ -35,7 +35,7 @@ class ApiAuthenticate
} }
if ($this->awaitingEmailConfirmation()) { if ($this->awaitingEmailConfirmation()) {
return $this->emailConfirmationErrorResponse($request); return $this->emailConfirmationErrorResponse($request, true);
} }
return $next($request); return $next($request);

4
app/Http/Middleware/ChecksForEmailConfirmation.php
View File

@ -26,9 +26,9 @@ trait ChecksForEmailConfirmation
* Provide an error response for when the current user's email is not confirmed * Provide an error response for when the current user's email is not confirmed
* in a system which requires it. * in a system which requires it.
*/ */
protected function emailConfirmationErrorResponse(Request $request) protected function emailConfirmationErrorResponse(Request $request, bool $forceJson = false)
{ {
if ($request->wantsJson()) { if ($request->wantsJson() || $forceJson) {
return response()->json([ return response()->json([
'error' => [ 'error' => [
'code' => 401, 'code' => 401,

14
database/seeds/DummyContentSeeder.php
View File

@ -1,6 +1,8 @@
<?php <?php
use BookStack\Api\ApiToken;
use BookStack\Auth\Permissions\PermissionService; use BookStack\Auth\Permissions\PermissionService;
use BookStack\Auth\Permissions\RolePermission;
use BookStack\Auth\Role; use BookStack\Auth\Role;
use BookStack\Auth\User; use BookStack\Auth\User;
use BookStack\Entities\Bookshelf; use BookStack\Entities\Bookshelf;
@ -52,6 +54,18 @@ class DummyContentSeeder extends Seeder
$shelves = factory(Bookshelf::class, 10)->create($byData); $shelves = factory(Bookshelf::class, 10)->create($byData);
$largeBook->shelves()->attach($shelves->pluck('id')); $largeBook->shelves()->attach($shelves->pluck('id'));
// Assign API permission to editor role and create an API key
$apiPermission = RolePermission::getByName('access-api');
$editorRole->attachPermission($apiPermission);
$token = (new ApiToken())->forceFill([
'user_id' => $editorUser->id,
'name' => 'Testing API key',
'expires_at' => ApiToken::defaultExpiry(),
'secret' => Hash::make('password'),
'token_id' => 'apitoken',
]);
$token->save();
app(PermissionService::class)->buildJointPermissions(); app(PermissionService::class)->buildJointPermissions();
app(SearchService::class)->indexAllEntities(); app(SearchService::class)->indexAllEntities();
} }

82
tests/Api/ApiAuthTest.php Normal file
View File

@ -0,0 +1,82 @@
<?php
namespace Tests;
use BookStack\Auth\Permissions\RolePermission;
class ApiAuthTest extends TestCase
{
use TestsApi;
protected $endpoint = '/api/books';
public function test_requests_succeed_with_default_auth()
{
$viewer = $this->getViewer();
$resp = $this->get($this->endpoint);
$resp->assertStatus(401);
$this->actingAs($viewer, 'web');
$resp = $this->get($this->endpoint);
$resp->assertStatus(200);
}
public function test_no_token_throws_error()
{
$resp = $this->get($this->endpoint);
$resp->assertStatus(401);
$resp->assertJson($this->errorResponse("No authorization token found on the request", 401));
}
public function test_bad_token_format_throws_error()
{
$resp = $this->get($this->endpoint, ['Authorization' => "Token abc123"]);
$resp->assertStatus(401);
$resp->assertJson($this->errorResponse("An authorization token was found on the request but the format appeared incorrect", 401));
}
public function test_token_with_non_existing_id_throws_error()
{
$resp = $this->get($this->endpoint, ['Authorization' => "Token abc:123"]);
$resp->assertStatus(401);
$resp->assertJson($this->errorResponse("No matching API token was found for the provided authorization token", 401));
}
public function test_token_with_bad_secret_value_throws_error()
{
$resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:123"]);
$resp->assertStatus(401);
$resp->assertJson($this->errorResponse("The secret provided for the given used API token is incorrect", 401));
}
public function test_api_access_permission_required_to_access_api()
{
$resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:{$this->apiTokenSecret}"]);
$resp->assertStatus(200);
auth()->logout();
$accessApiPermission = RolePermission::getByName('access-api');
$editorRole = $this->getEditor()->roles()->first();
$editorRole->detachPermission($accessApiPermission);
$resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:{$this->apiTokenSecret}"]);
$resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));
}
public function test_email_confirmation_checked_on_auth_requets()
{
$editor = $this->getEditor();
$editor->email_confirmed = false;
$editor->save();
// Set settings and get user instance
$this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true']);
$resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:{$this->apiTokenSecret}"]);
$resp->assertStatus(401);
$resp->assertJson($this->errorResponse("The email address for the account in use needs to be confirmed", 401));
}
}

16
tests/TestsApi.php Normal file
View File

@ -0,0 +1,16 @@
<?php
namespace Tests;
trait TestsApi
{
protected $apiTokenId = 'apitoken';
protected $apiTokenSecret = 'password';
protected function errorResponse(string $messge, int $code)
{
return ["error" => ["code" => $code, "message" => $messge]];
}
}

6
tests/User/UserApiTokenTest.php
View File

@ -14,7 +14,7 @@ class UserApiTokenTest extends TestCase
public function test_tokens_section_not_visible_without_access_api_permission() public function test_tokens_section_not_visible_without_access_api_permission()
{ {
$user = $this->getEditor(); $user = $this->getViewer();
$resp = $this->actingAs($user)->get($user->getEditUrl()); $resp = $this->actingAs($user)->get($user->getEditUrl());
$resp->assertDontSeeText('API Tokens'); $resp->assertDontSeeText('API Tokens');
@ -30,9 +30,9 @@ class UserApiTokenTest extends TestCase
{ {
$viewer = $this->getViewer(); $viewer = $this->getViewer();
$editor = $this->getEditor(); $editor = $this->getEditor();
$this->giveUserPermissions($editor, ['users-manage']); $this->giveUserPermissions($viewer, ['users-manage']);
$resp = $this->actingAs($editor)->get($viewer->getEditUrl()); $resp = $this->actingAs($viewer)->get($editor->getEditUrl());
$resp->assertSeeText('API Tokens'); $resp->assertSeeText('API Tokens');
$resp->assertDontSeeText('Create Token'); $resp->assertDontSeeText('Create Token');
} }