IT4Change/Ocelot-Social
3
0
Fork 0
mirror of https://github.com/IT4Change/Ocelot-Social.git synced 2025-12-13 07:45:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

Query of users "publicKey" 'throws "Not Authorised!"'

Browse Source 
Changes password and permission middleware.

Thanks for your big help @roschaefer !
This commit is contained in:
Wolfgang Huß 2019-04-11 20:01:20 +02:00
parent 6794156c86
commit 95a0567e69
4 changed files with 44 additions and 99 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
backend/src/jest/helpers.js
View File

@ -4,12 +4,12 @@ import { request } from 'graphql-request'
// not to be confused with the seeder host
export const host = 'http://127.0.0.1:4123'
export async function login ({ email, password }, hostParam = host) {
export async function login ({ email, password }) {
const mutation = `
mutation {
login(email:"${email}", password:"${password}")
}`
const response = await request(hostParam, mutation)
const response = await request(host, mutation)
return {
authorization: `Bearer ${response.login}`
}

6
backend/src/middleware/passwordMiddleware.js
View File

@ -12,14 +12,10 @@ export default {
},
Query: async (resolve, root, args, context, info) => {
let result = await resolve(root, args, context, info)
result = walkRecursive(result, ['password'], () => {
result = walkRecursive(result, ['password', 'privatKey'], () => {
// replace password with asterisk
return '*****'
})
// result = walkRecursive(result, ['privateKey'], () => {
// // replace password with asterisk
// return '*****'
// })
return result
}
}

4
backend/src/middleware/permissionsMiddleware.js
View File

@ -90,8 +90,8 @@ const permissions = shield({
},
User: {
email: isMyOwn,
password: isMyOwn
// privateKey: isMyOwn
password: isMyOwn,
privateKey: isMyOwn
}
})

129
backend/src/resolvers/user_management.spec.js
View File

@ -311,108 +311,57 @@ describe('change password', () => {
})
})
describe('don\'t expose private RSA key', () => {
const queryUser = params => {
const { queriedUserSlug } = params
describe('do not expose private RSA key', () => {
let client
const queryUser = () => {
return gql`
{
User(slug:"${queriedUserSlug}") {
query($queriedUserSlug: String) {
User(slug: $queriedUserSlug) {
id
privateKey
}
}`
}
// describe('unauthenticated query of "privateKey"', () => {
// it('throws "Not Authorised!"', async () => {
// const host = 'http://127.0.0.1:4001' // To have a "privateKey" generated.
// let client
// client = new GraphQLClient(host)
// await expect(
// client.request(queryUser({ queriedUserSlug: 'matilde-hermiston' }))
// ).rejects.toThrow('Not Authorised')
// })
// })
const action = async () => {
// Generate user with "privateKey" via 'CreateUser' mutation instead of using the factories "factory.create('User', {...})", see above.
const variables = {
id: 'bcb2d923-f3af-479e-9f00-61b12e864667',
password: 'xYz',
slug: 'apfel-strudel',
name: 'Apfel Strudel',
email: 'apfel-strudel@test.org'
}
await client.request(gql`
mutation($id: ID, $password: String!, $slug: String, $name: String, $email: String) {
CreateUser(id: $id, password: $password, slug: $slug, name: $name, email: $email) {
id
}
}`, variables
)
}
describe('authenticated query of "privateKey"', () => {
it('gives "null" as return', async () => {
const hostPrivateKey = 'http://127.0.0.1:4001' // To have a "privateKey" generated.
// const hostPrivateKey = 'http://127.0.0.1:4123'
let client
describe('unauthenticated query of "privateKey"', () => {
it('throws "Not Authorised!"', async () => {
client = new GraphQLClient(host)
// logged out
client = new GraphQLClient(hostPrivateKey)
// Generate user with "privateKey".
const id = 'bcb2d923-f3af-479e-9f00-61b12e864667'
const name = 'Apfel Strudel'
const slug = 'apfel-strudel'
const password = 'xYz'
await client.request(gql`
mutation {
CreateUser(id: "${id}", password: "${password}", slug:"${slug}", name: "${name}", email: "${slug}@test.org") {
id
}
}`
)
// logged in
const headers = await login({ email: 'test@example.org', password: '1234' }, hostPrivateKey)
client = new GraphQLClient(hostPrivateKey, { headers })
let response = await client.request(
queryUser({ queriedUserSlug: 'apfel-strudel' })
)
await action()
await expect(
response
).toEqual({
User: [{
id: 'bcb2d923-f3af-479e-9f00-61b12e864667',
privateKey: 'XXX'
// privateKey: null
}]
})
client.request(queryUser(), { queriedUserSlug: 'apfel-strudel' })
).rejects.toThrow('Not Authorised')
})
})
// describe('old and new password should not match', () => {
// it('responds with "Old password and new password should be different"', async () => {
// await expect(
// client.request(
// mutation({
// oldPassword: '1234',
// newPassword: '1234'
// })
// )
// ).rejects.toThrow('Old password and new password should be different')
// })
// })
describe('authenticated query of "privateKey"', () => {
it('throws "Not Authorised!"', async () => {
const headers = await login({ email: 'test@example.org', password: '1234' })
client = new GraphQLClient(host, { headers })
// describe('incorrect old password', () => {
// it('responds with "Old password isn\'t valid"', async () => {
// await expect(
// client.request(
// mutation({
// oldPassword: 'notOldPassword',
// newPassword: '12345'
// })
// )
// ).rejects.toThrow('Old password is not correct')
// })
// })
// describe('correct password', () => {
// it('changes the password if given correct credentials "', async () => {
// let response = await client.request(
// mutation({
// oldPassword: '1234',
// newPassword: '12345'
// })
// )
// await expect(
// response
// ).toEqual(expect.objectContaining({
// changePassword: expect.any(String)
// }))
// })
// })
await action()
await expect(
client.request(queryUser(), { queriedUserSlug: 'apfel-strudel' })
).rejects.toThrow('Not Authorised')
})
})
})