diff --git a/backend/src/jest/helpers.js b/backend/src/jest/helpers.js
index 4b62a6cc8..0d358ed40 100644
--- a/backend/src/jest/helpers.js
+++ b/backend/src/jest/helpers.js
@@ -4,12 +4,12 @@ import { request } from 'graphql-request'
 // not to be confused with the seeder host
 export const host = 'http://127.0.0.1:4123'
-export async function login ({ email, password }, hostParam = host) {
+export async function login ({ email, password }) {
 const mutation = `
 mutation {
 login(email:"${email}", password:"${password}")
 }`
- const response = await request(hostParam, mutation)
+ const response = await request(host, mutation)
 return {
 authorization: `Bearer ${response.login}`
 }
diff --git a/backend/src/middleware/passwordMiddleware.js b/backend/src/middleware/passwordMiddleware.js
index 8bf0c4501..bd0c786df 100644
--- a/backend/src/middleware/passwordMiddleware.js
+++ b/backend/src/middleware/passwordMiddleware.js
@@ -12,14 +12,10 @@ export default {
 },
 Query: async (resolve, root, args, context, info) => {
 let result = await resolve(root, args, context, info)
- result = walkRecursive(result, ['password'], () => {
+ result = walkRecursive(result, ['password', 'privatKey'], () => {
 // replace password with asterisk
 return '*****'
 })
- // result = walkRecursive(result, ['privateKey'], () => {
- // // replace password with asterisk
- // return '*****'
- // })
 return result
 }
 }
diff --git a/backend/src/middleware/permissionsMiddleware.js b/backend/src/middleware/permissionsMiddleware.js
index 36d77b853..549499dcd 100644
--- a/backend/src/middleware/permissionsMiddleware.js
+++ b/backend/src/middleware/permissionsMiddleware.js
@@ -90,8 +90,8 @@ const permissions = shield({
 },
 User: {
 email: isMyOwn,
- password: isMyOwn
- // privateKey: isMyOwn
+ password: isMyOwn,
+ privateKey: isMyOwn
 }
 })
diff --git a/backend/src/resolvers/user_management.spec.js b/backend/src/resolvers/user_management.spec.js
index aeb1f880c..6e16abd3c 100644
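Review bot: `login` still interpolates `email` and `password` straight into the mutation text on the new side (`login(email:"${email}", password:"${password}")`), so a credential containing a double quote or backslash yields a malformed or differently-shaped query; the spec in this same commit moves its operations to GraphQL variables, and this helper should follow. Declare `$email` and `$password` in the operation and pass them as the variables argument: `const response = await request(host, mutation, { email, password })`. Dropping the `hostParam` parameter is fine as long as no spec still passes a second argument; the one call site updated here is in user_management.spec.js, and any others are outside this diff.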
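Review bot: The added field name is misspelled: `['password', 'privatKey']` never matches the `privateKey` field that permissionsMiddleware.js and user_management.spec.js use in this same commit, so the masking does not fire for private keys at all. Change the line to `result = walkRecursive(result, ['password', 'privateKey'], () => {`. The comment beneath it, `// replace password with asterisk`, now also covers the key; `// mask password and privateKey with asterisks` keeps it accurate. The removed commented-out block carried the correct spelling, which suggests the typo crept in while merging the two calls.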
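Review bot: `privateKey: isMyOwn` lets the owner fetch their own RSA private key over the API; if the key is only used server-side (which the rest of the diff suggests but does not show), no client ever needs it and a deny rule (graphql-shield ships one as `deny`, if that is the library behind `shield`) is the safer default, leaving `isMyOwn` for `email` and `password`. The spec added in this commit checks only an anonymous client and a different authenticated user, so the owner path relies entirely on the passwordMiddleware masking, whose field list in this same commit spells the name `privatKey`. Whichever rule is kept, the two middlewares must agree on the field name.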
--- a/backend/src/resolvers/user_management.spec.js
+++ b/backend/src/resolvers/user_management.spec.js
@@ -311,108 +311,57 @@ describe('change password', () => { }) }) -describe('don\'t expose private RSA key', () => { - const queryUser = params => { - const { queriedUserSlug } = params +describe('do not expose private RSA key', () => { + let client + + const queryUser = () => { return gql` - { - User(slug:"${queriedUserSlug}") { + query($queriedUserSlug: String) { + User(slug: $queriedUserSlug) { id privateKey } }` } - // describe('unauthenticated query of "privateKey"', () => { - // it('throws "Not Authorised!"', async () => { - // const host = 'http://127.0.0.1:4001' // To have a "privateKey" generated. - // let client - // client = new GraphQLClient(host) - // await expect( - // client.request(queryUser({ queriedUserSlug: 'matilde-hermiston' })) - // ).rejects.toThrow('Not Authorised') - // }) - // }) + const action = async () => { + // Generate user with "privateKey" via 'CreateUser' mutation instead of using the factories "factory.create('User', {...})", see above. + const variables = { + id: 'bcb2d923-f3af-479e-9f00-61b12e864667', + password: 'xYz', + slug: 'apfel-strudel', + name: 'Apfel Strudel', + email: 'apfel-strudel@test.org' + } + await client.request(gql` + mutation($id: ID, $password: String!, $slug: String, $name: String, $email: String) { + CreateUser(id: $id, password: $password, slug: $slug, name: $name, email: $email) { + id + } + }`, variables + ) + } - describe('authenticated query of "privateKey"', () => { - it('gives "null" as return', async () => { - const hostPrivateKey = 'http://127.0.0.1:4001' // To have a "privateKey" generated. - // const hostPrivateKey = 'http://127.0.0.1:4123' - let client + describe('unauthenticated query of "privateKey"', () => { + it('throws "Not Authorised!"', async () => { + client = new GraphQLClient(host) - // logged out - client = new GraphQLClient(hostPrivateKey) - // Generate user with "privateKey". 
- const id = 'bcb2d923-f3af-479e-9f00-61b12e864667' - const name = 'Apfel Strudel' - const slug = 'apfel-strudel' - const password = 'xYz' - await client.request(gql` - mutation { - CreateUser(id: "${id}", password: "${password}", slug:"${slug}", name: "${name}", email: "${slug}@test.org") { - id - } - }` - ) - - // logged in - const headers = await login({ email: 'test@example.org', password: '1234' }, hostPrivateKey) - client = new GraphQLClient(hostPrivateKey, { headers }) - - let response = await client.request( - queryUser({ queriedUserSlug: 'apfel-strudel' }) - ) + await action() await expect( - response - ).toEqual({ - User: [{ - id: 'bcb2d923-f3af-479e-9f00-61b12e864667', - privateKey: 'XXX' - // privateKey: null - }] - }) + client.request(queryUser(), { queriedUserSlug: 'apfel-strudel' }) + ).rejects.toThrow('Not Authorised') }) }) - // describe('old and new password should not match', () => { - // it('responds with "Old password and new password should be different"', async () => { - // await expect( - // client.request( - // mutation({ - // oldPassword: '1234', - // newPassword: '1234' - // }) - // ) - // ).rejects.toThrow('Old password and new password should be different') - // }) - // }) + describe('authenticated query of "privateKey"', () => { + it('throws "Not Authorised!"', async () => { + const headers = await login({ email: 'test@example.org', password: '1234' }) + client = new GraphQLClient(host, { headers }) - // describe('incorrect old password', () => { - // it('responds with "Old password isn\'t valid"', async () => { - // await expect( - // client.request( - // mutation({ - // oldPassword: 'notOldPassword', - // newPassword: '12345' - // }) - // ) - // ).rejects.toThrow('Old password is not correct') - // }) - // }) - - // describe('correct password', () => { - // it('changes the password if given correct credentials "', async () => { - // let response = await client.request( - // mutation({ - // oldPassword: '1234', - // newPassword: 
'12345' - // }) - // ) - // await expect( - // response - // ).toEqual(expect.objectContaining({ - // changePassword: expect.any(String) - // })) - // }) - // }) + await action() + await expect( + client.request(queryUser(), { queriedUserSlug: 'apfel-strudel' }) + ).rejects.toThrow('Not Authorised') + }) + }) })
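Review bot: Neither test covers the path the passwordMiddleware change in this commit targets — the owner reading their own `privateKey` — because the authenticated case logs in as test@example.org and queries apfel-strudel, so it only exercises the `isMyOwn` rejection for a different user. A third case that logs in as the created user and asserts the field comes back as the mask `'*****'` would catch a regression in the masking list (including the `privatKey` spelling used there). This assumes a key is generated for users created on `host`; the removed test pointed at port 4001 for that reason, and it also assumes cleanup of the fixed id between tests outside this hunk, since `action()` creates the same user in every `it`. `queryUser` no longer takes parameters, so it could be a plain `const` rather than a function.
```javascript
  describe('owner queries own "privateKey"', () => {
    it('returns the masked value, not the key', async () => {
      await action()
      const headers = await login({ email: 'apfel-strudel@test.org', password: 'xYz' })
      client = new GraphQLClient(host, { headers })
      const { User } = await client.request(queryUser(), { queriedUserSlug: 'apfel-strudel' })
      expect(User[0].privateKey).toBe('*****')
    })
  })
```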