Blacklist slug 'all' and test it

2026-01-18 19:01:29 +00:00 · 2023-07-26 13:13:56 +02:00 · 2023-07-26 13:13:56 +02:00 · 39fc42e25b
commit 39fc42e25b
parent cce6b50c8b
3 changed files with 301 additions and 163 deletions
--- a/backend/src/graphql/authentications.ts
+++ b/backend/src/graphql/authentications.ts
@ -20,6 +20,7 @@ export const signupVerificationMutation = gql`
      termsAndConditionsAgreedVersion: $termsAndConditionsAgreedVersion
    ) {
      id
+      name
      slug
    }
  }
--- a/backend/src/middleware/validation/validationMiddleware.spec.ts
+++ b/backend/src/middleware/validation/validationMiddleware.spec.ts
@ -3,6 +3,7 @@ import Factory, { cleanDatabase } from '../../db/factories'
 import { getNeode, getDriver } from '../../db/neo4j'
 import { createTestClient } from 'apollo-server-testing'
 import createServer from '../../server'
+import { signupVerificationMutation } from '../../graphql/authentications'

 const neode = getNeode()
 const driver = getDriver()
@ -51,9 +52,10 @@ const reviewMutation = gql`
  }
 `
 const updateUserMutation = gql`
-  mutation ($id: ID!, $name: String) {
-    UpdateUser(id: $id, name: $name) {
+  mutation ($id: ID!, $name: String, $slug: String) {
+    UpdateUser(id: $id, name: $name, slug: $slug) {
      name
+      slug
    }
  }
 `
@ -132,175 +134,130 @@ afterEach(async () => {
  await cleanDatabase()
 })

-describe('validateCreateComment', () => {
-  let createCommentVariables
-  beforeEach(async () => {
-    createCommentVariables = {
-      postId: 'whatever',
-      content: '',
-    }
-    authenticatedUser = await commentingUser.toJson()
-  })
-
-  it('throws an error if content is empty', async () => {
-    createCommentVariables = { ...createCommentVariables, postId: 'post-4-commenting' }
-    await expect(
-      mutate({ mutation: createCommentMutation, variables: createCommentVariables }),
-    ).resolves.toMatchObject({
-      data: { CreateComment: null },
-      errors: [{ message: 'Comment must be at least 1 character long!' }],
-    })
-  })
-
-  it('sanitizes content and throws an error if not longer than 1 character', async () => {
-    createCommentVariables = { postId: 'post-4-commenting', content: '<a></a>' }
-    await expect(
-      mutate({ mutation: createCommentMutation, variables: createCommentVariables }),
-    ).resolves.toMatchObject({
-      data: { CreateComment: null },
-      errors: [{ message: 'Comment must be at least 1 character long!' }],
-    })
-  })
-
-  it('throws an error if there is no post with given id in the database', async () => {
-    createCommentVariables = {
-      ...createCommentVariables,
-      postId: 'non-existent-post',
-      content: 'valid content',
-    }
-    await expect(
-      mutate({ mutation: createCommentMutation, variables: createCommentVariables }),
-    ).resolves.toMatchObject({
-      data: { CreateComment: null },
-      errors: [{ message: 'Comment cannot be created without a post!' }],
-    })
-  })
-
-  describe('validateUpdateComment', () => {
-    let updateCommentVariables
+describe('validationMiddleware', () => {
+  describe('CreateComment', () => {
+    let createCommentVariables
    beforeEach(async () => {
-      await Factory.build(
-        'comment',
-        {
-          id: 'comment-id',
-        },
-        {
-          authorId: 'commenting-user',
-        },
-      )
-      updateCommentVariables = {
-        id: 'whatever',
+      createCommentVariables = {
+        postId: 'whatever',
        content: '',
      }
      authenticatedUser = await commentingUser.toJson()
    })

    it('throws an error if content is empty', async () => {
-      updateCommentVariables = { ...updateCommentVariables, id: 'comment-id' }
+      createCommentVariables = { ...createCommentVariables, postId: 'post-4-commenting' }
      await expect(
-        mutate({ mutation: updateCommentMutation, variables: updateCommentVariables }),
+        mutate({ mutation: createCommentMutation, variables: createCommentVariables }),
      ).resolves.toMatchObject({
-        data: { UpdateComment: null },
+        data: { CreateComment: null },
        errors: [{ message: 'Comment must be at least 1 character long!' }],
      })
    })

    it('sanitizes content and throws an error if not longer than 1 character', async () => {
-      updateCommentVariables = { id: 'comment-id', content: '<a></a>' }
+      createCommentVariables = { postId: 'post-4-commenting', content: '<a></a>' }
      await expect(
-        mutate({ mutation: updateCommentMutation, variables: updateCommentVariables }),
+        mutate({ mutation: createCommentMutation, variables: createCommentVariables }),
      ).resolves.toMatchObject({
-        data: { UpdateComment: null },
+        data: { CreateComment: null },
        errors: [{ message: 'Comment must be at least 1 character long!' }],
      })
    })
-  })
-})

-describe('validateReport', () => {
-  it('throws an error if a user tries to report themself', async () => {
-    authenticatedUser = await reportingUser.toJson()
-    reportVariables = { ...reportVariables, resourceId: 'reporting-user' }
-    await expect(
-      mutate({ mutation: reportMutation, variables: reportVariables }),
-    ).resolves.toMatchObject({
-      data: { fileReport: null },
-      errors: [{ message: 'You cannot report yourself!' }],
-    })
-  })
-})
-
-describe('validateReview', () => {
-  beforeEach(async () => {
-    const reportAgainstModerator = await Factory.build('report')
-    await Promise.all([
-      reportAgainstModerator.relateTo(reportingUser, 'filed', {
-        ...reportVariables,
-        resourceId: 'moderating-user',
-      }),
-      reportAgainstModerator.relateTo(moderatingUser, 'belongsTo'),
-    ])
-    authenticatedUser = await moderatingUser.toJson()
-  })
-
-  it('throws an error if a user tries to review a report against them', async () => {
-    disableVariables = { ...disableVariables, resourceId: 'moderating-user' }
-    await expect(
-      mutate({ mutation: reviewMutation, variables: disableVariables }),
-    ).resolves.toMatchObject({
-      data: { review: null },
-      errors: [{ message: 'You cannot review yourself!' }],
-    })
-  })
-
-  it('throws an error for invaild resource', async () => {
-    disableVariables = { ...disableVariables, resourceId: 'non-existent-resource' }
-    await expect(
-      mutate({ mutation: reviewMutation, variables: disableVariables }),
-    ).resolves.toMatchObject({
-      data: { review: null },
-      errors: [{ message: 'Resource not found or is not a Post|Comment|User!' }],
-    })
-  })
-
-  it('throws an error if no report exists', async () => {
-    disableVariables = { ...disableVariables, resourceId: 'offensive-post' }
-    await expect(
-      mutate({ mutation: reviewMutation, variables: disableVariables }),
-    ).resolves.toMatchObject({
-      data: { review: null },
-      errors: [{ message: 'Before starting the review process, please report the Post!' }],
-    })
-  })
-
-  it('throws an error if a moderator tries to review their own resource(Post|Comment)', async () => {
-    const reportAgainstOffensivePost = await Factory.build('report')
-    await Promise.all([
-      reportAgainstOffensivePost.relateTo(reportingUser, 'filed', {
-        ...reportVariables,
-        resourceId: 'offensive-post',
-      }),
-      reportAgainstOffensivePost.relateTo(offensivePost, 'belongsTo'),
-    ])
-    disableVariables = { ...disableVariables, resourceId: 'offensive-post' }
-    await expect(
-      mutate({ mutation: reviewMutation, variables: disableVariables }),
-    ).resolves.toMatchObject({
-      data: { review: null },
-      errors: [{ message: 'You cannot review your own Post!' }],
-    })
-  })
-
-  describe('moderate a resource that is not a (Comment|Post|User) ', () => {
-    beforeEach(async () => {
-      await Promise.all([Factory.build('tag', { id: 'tag-id' })])
-    })
-
-    it('returns null', async () => {
-      disableVariables = {
-        ...disableVariables,
-        resourceId: 'tag-id',
+    it('throws an error if there is no post with given id in the database', async () => {
+      createCommentVariables = {
+        ...createCommentVariables,
+        postId: 'non-existent-post',
+        content: 'valid content',
      }
+      await expect(
+        mutate({ mutation: createCommentMutation, variables: createCommentVariables }),
+      ).resolves.toMatchObject({
+        data: { CreateComment: null },
+        errors: [{ message: 'Comment cannot be created without a post!' }],
+      })
+    })
+
+    describe('UpdateComment', () => {
+      let updateCommentVariables
+      beforeEach(async () => {
+        await Factory.build(
+          'comment',
+          {
+            id: 'comment-id',
+          },
+          {
+            authorId: 'commenting-user',
+          },
+        )
+        updateCommentVariables = {
+          id: 'whatever',
+          content: '',
+        }
+        authenticatedUser = await commentingUser.toJson()
+      })
+
+      it('throws an error if content is empty', async () => {
+        updateCommentVariables = { ...updateCommentVariables, id: 'comment-id' }
+        await expect(
+          mutate({ mutation: updateCommentMutation, variables: updateCommentVariables }),
+        ).resolves.toMatchObject({
+          data: { UpdateComment: null },
+          errors: [{ message: 'Comment must be at least 1 character long!' }],
+        })
+      })
+
+      it('sanitizes content and throws an error if not longer than 1 character', async () => {
+        updateCommentVariables = { id: 'comment-id', content: '<a></a>' }
+        await expect(
+          mutate({ mutation: updateCommentMutation, variables: updateCommentVariables }),
+        ).resolves.toMatchObject({
+          data: { UpdateComment: null },
+          errors: [{ message: 'Comment must be at least 1 character long!' }],
+        })
+      })
+    })
+  })
+
+  describe('Report', () => {
+    it('throws an error if a user tries to report themself', async () => {
+      authenticatedUser = await reportingUser.toJson()
+      reportVariables = { ...reportVariables, resourceId: 'reporting-user' }
+      await expect(
+        mutate({ mutation: reportMutation, variables: reportVariables }),
+      ).resolves.toMatchObject({
+        data: { fileReport: null },
+        errors: [{ message: 'You cannot report yourself!' }],
+      })
+    })
+  })
+
+  describe('Review', () => {
+    beforeEach(async () => {
+      const reportAgainstModerator = await Factory.build('report')
+      await Promise.all([
+        reportAgainstModerator.relateTo(reportingUser, 'filed', {
+          ...reportVariables,
+          resourceId: 'moderating-user',
+        }),
+        reportAgainstModerator.relateTo(moderatingUser, 'belongsTo'),
+      ])
+      authenticatedUser = await moderatingUser.toJson()
+    })
+
+    it('throws an error if a user tries to review a report against them', async () => {
+      disableVariables = { ...disableVariables, resourceId: 'moderating-user' }
+      await expect(
+        mutate({ mutation: reviewMutation, variables: disableVariables }),
+      ).resolves.toMatchObject({
+        data: { review: null },
+        errors: [{ message: 'You cannot review yourself!' }],
+      })
+    })
+
+    it('throws an error for invaild resource', async () => {
+      disableVariables = { ...disableVariables, resourceId: 'non-existent-resource' }
      await expect(
        mutate({ mutation: reviewMutation, variables: disableVariables }),
      ).resolves.toMatchObject({
@ -308,9 +265,145 @@ describe('validateReview', () => {
        errors: [{ message: 'Resource not found or is not a Post|Comment|User!' }],
      })
    })
+
+    it('throws an error if no report exists', async () => {
+      disableVariables = { ...disableVariables, resourceId: 'offensive-post' }
+      await expect(
+        mutate({ mutation: reviewMutation, variables: disableVariables }),
+      ).resolves.toMatchObject({
+        data: { review: null },
+        errors: [{ message: 'Before starting the review process, please report the Post!' }],
+      })
+    })
+
+    it('throws an error if a moderator tries to review their own resource(Post|Comment)', async () => {
+      const reportAgainstOffensivePost = await Factory.build('report')
+      await Promise.all([
+        reportAgainstOffensivePost.relateTo(reportingUser, 'filed', {
+          ...reportVariables,
+          resourceId: 'offensive-post',
+        }),
+        reportAgainstOffensivePost.relateTo(offensivePost, 'belongsTo'),
+      ])
+      disableVariables = { ...disableVariables, resourceId: 'offensive-post' }
+      await expect(
+        mutate({ mutation: reviewMutation, variables: disableVariables }),
+      ).resolves.toMatchObject({
+        data: { review: null },
+        errors: [{ message: 'You cannot review your own Post!' }],
+      })
+    })
+
+    describe('moderate a resource that is not a (Comment|Post|User) ', () => {
+      beforeEach(async () => {
+        await Promise.all([Factory.build('tag', { id: 'tag-id' })])
+      })
+
+      it('returns null', async () => {
+        disableVariables = {
+          ...disableVariables,
+          resourceId: 'tag-id',
+        }
+        await expect(
+          mutate({ mutation: reviewMutation, variables: disableVariables }),
+        ).resolves.toMatchObject({
+          data: { review: null },
+          errors: [{ message: 'Resource not found or is not a Post|Comment|User!' }],
+        })
+      })
+    })
  })

-  describe('validateUpdateUser', () => {
+  describe('SignupVerification', () => {
+    let userParams, variables, updatingUser
+
+    beforeEach(async () => {
+      userParams = {
+        id: 'updating-user',
+        name: 'John Doe',
+      }
+
+      variables = {
+        id: 'updating-user',
+        name: 'John Doughnut',
+        password: '1234',
+        email: 'updating-user@example.org',
+        nonce: '12345',
+        termsAndConditionsAgreedVersion: '0.0.1',
+      }
+      await Factory.build('emailAddress', {
+        email: 'updating-user@example.org',
+        nonce: '12345',
+        verifiedAt: null,
+      })
+    })
+
+    describe('with name', () => {
+      describe('is allowed', () => {
+        it('has success', async () => {
+          await expect(
+            mutate({ mutation: signupVerificationMutation, variables }),
+          ).resolves.toMatchObject({
+            data: {
+              SignupVerification: {
+                name: 'John Doughnut',
+                id: expect.any(String),
+                slug: 'john-doughnut',
+              },
+            },
+            errors: undefined,
+          })
+        })
+
+        it('throws an error', async () => {
+          variables = {
+            ...variables,
+            name: '  ',
+          }
+          await expect(
+            mutate({ mutation: signupVerificationMutation, variables }),
+          ).resolves.toMatchObject({
+            data: { SignupVerification: null },
+            errors: [{ message: 'User name must be at least 3 character long!' }],
+          })
+        })
+      })
+    })
+
+    describe('with slug', () => {
+      describe('is allowed', () => {
+        it('has success', async () => {
+          variables = {
+            ...variables,
+            slug: 'superman',
+          }
+          await expect(
+            mutate({ mutation: signupVerificationMutation, variables }),
+          ).resolves.toMatchObject({
+            data: { SignupVerification: { slug: 'superman' } },
+            errors: undefined,
+          })
+        })
+      })
+
+      describe('"all" in blacklist', () => {
+        it('throws an error', async () => {
+          variables = {
+            ...variables,
+            slug: 'all',
+          }
+          await expect(
+            mutate({ mutation: signupVerificationMutation, variables }),
+          ).resolves.toMatchObject({
+            data: { SignupVerification: null },
+            errors: [{ message: 'User slug “all” must not be in blacklist!' }],
+          })
+        })
+      })
+    })
+  })
+
+  describe('UpdateUser', () => {
    let userParams, variables, updatingUser

    beforeEach(async () => {
@ -327,14 +420,53 @@ describe('validateReview', () => {
      authenticatedUser = await updatingUser.toJson()
    })

-    it('with name too short', async () => {
-      variables = {
-        ...variables,
-        name: '  ',
-      }
-      await expect(mutate({ mutation: updateUserMutation, variables })).resolves.toMatchObject({
-        data: { UpdateUser: null },
-        errors: [{ message: 'Username must be at least 3 character long!' }],
+    describe('with name', () => {
+      describe('is allowed', () => {
+        it('has success', async () => {
+          await expect(mutate({ mutation: updateUserMutation, variables })).resolves.toMatchObject({
+            data: { UpdateUser: { name: 'John Doughnut' } },
+            errors: undefined,
+          })
+        })
+
+        it('throws an error', async () => {
+          variables = {
+            ...variables,
+            name: '  ',
+          }
+          await expect(mutate({ mutation: updateUserMutation, variables })).resolves.toMatchObject({
+            data: { UpdateUser: null },
+            errors: [{ message: 'User name must be at least 3 character long!' }],
+          })
+        })
+      })
+    })
+
+    describe('with slug', () => {
+      describe('is allowed', () => {
+        it('has success', async () => {
+          variables = {
+            ...variables,
+            slug: 'superman',
+          }
+          await expect(mutate({ mutation: updateUserMutation, variables })).resolves.toMatchObject({
+            data: { UpdateUser: { slug: 'superman' } },
+            errors: undefined,
+          })
+        })
+      })
+
+      describe('"all" in blacklist', () => {
+        it('throws an error', async () => {
+          variables = {
+            ...variables,
+            slug: 'all',
+          }
+          await expect(mutate({ mutation: updateUserMutation, variables })).resolves.toMatchObject({
+            data: { UpdateUser: null },
+            errors: [{ message: 'User slug “all” must not be in blacklist!' }],
+          })
+        })
      })
    })
  })
--- a/backend/src/middleware/validation/validationMiddleware.ts
+++ b/backend/src/middleware/validation/validationMiddleware.ts
@ -3,6 +3,8 @@ import { UserInputError } from 'apollo-server'
 const COMMENT_MIN_LENGTH = 1
 const NO_POST_ERR_MESSAGE = 'Comment cannot be created without a post!'
 const USERNAME_MIN_LENGTH = 3
+const SLUG_BLACKLIST = ['all']
+
 const validateCreateComment = async (resolve, root, args, context, info) => {
  const content = args.content.replace(/<(?:.|\n)*?>/gm, '').trim()
  const { postId } = args
@ -111,10 +113,12 @@ export const validateNotifyUsers = async (label, reason) => {
  }
 }

-const validateUpdateUser = async (resolve, root, params, context, info) => {
-  const { name } = params
+const validateUser = async (resolve, root, params, context, info) => {
+  const { name, slug } = params
  if (typeof name === 'string' && name.trim().length < USERNAME_MIN_LENGTH)
-    throw new UserInputError(`Username must be at least ${USERNAME_MIN_LENGTH} character long!`)
+    throw new UserInputError(`User name must be at least ${USERNAME_MIN_LENGTH} character long!`)
+  if (typeof slug === 'string' && SLUG_BLACKLIST.find((blacklisted) => blacklisted === slug))
+    throw new UserInputError(`User slug “${slug}” must not be in blacklist!`)
  return resolve(root, params, context, info)
 }

@ -122,7 +126,8 @@ export default {
  Mutation: {
    CreateComment: validateCreateComment,
    UpdateComment: validateUpdateComment,
-    UpdateUser: validateUpdateUser,
+    SignupVerification: validateUser,
+    UpdateUser: validateUser,
    fileReport: validateReport,
    review: validateReview,
  },