From 8627d5790651f6748cd6e2c398398e5f7b638db7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=A4fer?=
Date: Thu, 4 Apr 2019 18:02:48 +0200
Subject: [PATCH 01/11] Don't expose private RSA key

cc @Tirokk
---
 backend/src/middleware/passwordMiddleware.js | 9 +++++++--
 backend/src/middleware/permissionsMiddleware.js | 3 ++-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/backend/src/middleware/passwordMiddleware.js b/backend/src/middleware/passwordMiddleware.js
index 0aff222c8..0523d08dd 100644
--- a/backend/src/middleware/passwordMiddleware.js
+++ b/backend/src/middleware/passwordMiddleware.js
@@ -11,10 +11,15 @@ export default {
 }
 },
 Query: async (resolve, root, args, context, info) => {
- const result = await resolve(root, args, context, info)
- return walkRecursive(result, ['password'], () => {
+ let result = await resolve(root, args, context, info)
+ result = walkRecursive(result, ['password'], () => {
 // replace password with asterisk
 return '*****'
 })
+ result = walkRecursive(result, ['privateKey'], () => {
+ // replace password with asterisk
+ return '*****'
+ })
+ return result
 }
 }
diff --git a/backend/src/middleware/permissionsMiddleware.js b/backend/src/middleware/permissionsMiddleware.js
index 736ce20a9..f51051b19 100644
--- a/backend/src/middleware/permissionsMiddleware.js
+++ b/backend/src/middleware/permissionsMiddleware.js
@@ -73,7 +73,8 @@ const permissions = shield({
 },
 User: {
 email: isMyOwn,
- password: isMyOwn
+ password: isMyOwn,
+ privateKey: isMyOwn
 }
 })

From 8713f617340663ba9a553cfd251061de3d844160 Mon Sep 17 00:00:00 2001
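Review bot: The comment on the new `privateKey` walker was copied from the password one and still reads `// replace password with asterisk`; it should say what it masks, e.g. `// mask the RSA private key; it must never leave the server`. The two walkRecursive passes also scan the whole result twice, and the function already takes an array of keys, so `result = walkRecursive(result, ['password', 'privateKey'], () => '*****')` does both in one pass. This masking runs only in the Query branch; whether the branch above it (outside the hunk) also masks results returned by mutations cannot be seen here and is worth confirming, since the permission rule is the real control and this middleware is a second line of defense.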
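Review bot: `privateKey: isMyOwn` lets the key's owner read their own private key through the API, while the password middleware in the same commit masks that field unconditionally, so the two controls disagree about who may see it. If no client flow needs the raw key, a `deny` rule on `User.privateKey` (graphql-shield exports one) states the intent directly and does not depend on the masking middleware being reached; if the owner does need it, the masking has to be lifted for that case and a test should cover it. Either way the case these rules should pin down is a test that logs in as the key's owner and queries `privateKey`.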
From: =?UTF-8?q?Wolfgang=20Hu=C3=9F?=
Date: Fri, 5 Apr 2019 17:44:43 +0200
Subject: [PATCH 02/11] Added Tests to "user_management.spec.js"

Implemented suppression of "publicKey", now commented out for testing approach. Use port 4001 for querying, but forgot that I have to generate the user on the same port, before I can query it with generated "publicKey". Do this in next commit.
---
 backend/src/jest/helpers.js | 4 +-
 backend/src/middleware/passwordMiddleware.js | 5 +-
 .../src/middleware/permissionsMiddleware.js | 1 +
 backend/src/resolvers/user_management.spec.js | 91 ++++++++++++++++++-
 4 files changed, 96 insertions(+), 5 deletions(-)

diff --git a/backend/src/jest/helpers.js b/backend/src/jest/helpers.js
index 0d358ed40..4b62a6cc8 100644
--- a/backend/src/jest/helpers.js
+++ b/backend/src/jest/helpers.js
@@ -4,12 +4,12 @@ import { request } from 'graphql-request'
 // not to be confused with the seeder host
 export const host = 'http://127.0.0.1:4123'
-export async function login ({ email, password }) {
+export async function login ({ email, password }, hostParam = host) {
 const mutation = `
 mutation {
 login(email:"${email}", password:"${password}")
 }`
- const response = await request(host, mutation)
+ const response = await request(hostParam, mutation)
 return {
 authorization: `Bearer ${response.login}`
 }
diff --git a/backend/src/middleware/passwordMiddleware.js b/backend/src/middleware/passwordMiddleware.js
index 0aff222c8..18cdfcf6c 100644
--- a/backend/src/middleware/passwordMiddleware.js
+++ b/backend/src/middleware/passwordMiddleware.js
@@ -12,8 +12,9 @@ export default {
 },
 Query: async (resolve, root, args, context, info) => {
 const result = await resolve(root, args, context, info)
- return walkRecursive(result, ['password'], () => {
- // replace password with asterisk
+ // eslint-disable-next-line spaced-comment
+ return walkRecursive(result, ['password'/*, 'privateKey'*/], () => {
+ // replace "password" and "privatKey" with asterisk
 return '*****'
 })
 }
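Review bot: The new line `return walkRecursive(result, ['password'/*, 'privateKey'*/], () => {` switches the privateKey masking off by commenting it out inside the array (and needs an eslint-disable to do so), and the permissionsMiddleware hunk in this same commit does the same with `// privateKey: isMyOwn`, so after this commit the field is protected by neither layer. Commented-out protection should not be committed to make a test fail; keep both controls in place and express the expectation in the spec instead. The new comment also misspells the field as `"privatKey"`; a spelling slip in the key list itself would be silent because walkRecursive simply would not match, which is a reason to have a test that checks the owner's view of `privateKey` rather than rely on reading the string.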
diff --git a/backend/src/middleware/permissionsMiddleware.js b/backend/src/middleware/permissionsMiddleware.js
index 495bc9145..8cf3b2f8e 100644
--- a/backend/src/middleware/permissionsMiddleware.js
+++ b/backend/src/middleware/permissionsMiddleware.js
@@ -75,6 +75,7 @@ const permissions = shield({
 User: {
 email: isMyOwn,
 password: isMyOwn
+ // privateKey: isMyOwn
 }
 })
diff --git a/backend/src/resolvers/user_management.spec.js b/backend/src/resolvers/user_management.spec.js
index 1c21adac1..2098a64de 100644
--- a/backend/src/resolvers/user_management.spec.js
+++ b/backend/src/resolvers/user_management.spec.js
@@ -254,7 +254,7 @@ describe('change password', () => {
 }
 describe('should be authenticated before changing password', () => {
- it('throws not "Not Authorised!', async () => {
+ it('throws not "Not Authorised!"', async () => {
 await expect(
 request(
 host,
@@ -309,3 +309,92 @@ describe('change password', () => {
 })
 })
 })
+
+describe('don\'t expose private RSA key', () => {
+ const queryUser = params => {
+ const { queriedUserSlug } = params
+ return `
+ {
+ User(slug:"${queriedUserSlug}") {
+ id
+ privateKey
+ }
+ }`
+ }
+
+ // describe('unauthenticated query of "privateKey"', () => {
+ // it('throws "Not Authorised!"', async () => {
+ // const host = 'http://127.0.0.1:4001' // To have a "privateKey" generated.
+ // let client
+ // client = new GraphQLClient(host)
+ // await expect(
+ // client.request(queryUser({ queriedUserSlug: 'matilde-hermiston' }))
+ // ).rejects.toThrow('Not Authorised')
+ // })
+ // })
+
+ describe('authenticated query of "privateKey"', () => {
+ it('gives "null" as return', async () => {
+ const hostPrivateKey = 'http://127.0.0.1:4001' // To have a "privateKey" generated.
+ // const hostPrivateKey = 'http://127.0.0.1:4123'
+ let client
+ const headers = await login({ email: 'test@example.org', password: '1234' }, hostPrivateKey)
+ client = new GraphQLClient(hostPrivateKey, { headers })
+
+ let response = await client.request(
+ queryUser({ queriedUserSlug: 'matilde-hermiston' })
+ )
+ await expect(
+ response
+ ).toEqual({
+ User: [{
+ id: 'acb2d923-f3af-479e-9f00-61b12e864666',
+ privateKey: 'XXX'
+ // privateKey: null
+ }]
+ })
+ })
+ })
+
+ // describe('old and new password should not match', () => {
+ // it('responds with "Old password and new password should be different"', async () => {
+ // await expect(
+ // client.request(
+ // mutation({
+ // oldPassword: '1234',
+ // newPassword: '1234'
+ // })
+ // )
+ // ).rejects.toThrow('Old password and new password should be different')
+ // })
+ // })
+
+ // describe('incorrect old password', () => {
+ // it('responds with "Old password isn\'t valid"', async () => {
+ // await expect(
+ // client.request(
+ // mutation({
+ // oldPassword: 'notOldPassword',
+ // newPassword: '12345'
+ // })
+ // )
+ // ).rejects.toThrow('Old password is not correct')
+ // })
+ // })
+
+ // describe('correct password', () => {
+ // it('changes the password if given correct credentials "', async () => {
+ // let response = await client.request(
+ // mutation({
+ // oldPassword: '1234',
+ // newPassword: '12345'
+ // })
+ // )
+ // await expect(
+ // response
+ // ).toEqual(expect.objectContaining({
+ // changePassword: expect.any(String)
+ // }))
+ // })
+ // })
+})

From c4e57fc928219848bd49f27f093cb52f572852f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wolfgang=20Hu=C3=9F?=
Date: Fri, 5 Apr 2019 18:32:11 +0200
Subject: [PATCH 03/11] User to query for "publicKey" is generated on port "4001"

But still no "publicKey" is generated. So wished failing test shows not "publicKey" except other than "null".
---
 backend/src/resolvers/user_management.spec.js | 24 ++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/backend/src/resolvers/user_management.spec.js b/backend/src/resolvers/user_management.spec.js
index 2098a64de..aeb1f880c 100644
--- a/backend/src/resolvers/user_management.spec.js
+++ b/backend/src/resolvers/user_management.spec.js
@@ -1,3 +1,4 @@
+import gql from 'graphql-tag'
 import Factory from '../seed/factories'
 import { GraphQLClient, request } from 'graphql-request'
 import jwt from 'jsonwebtoken'
@@ -313,7 +314,7 @@ describe('change password', () => {
 describe('don\'t expose private RSA key', () => {
 const queryUser = params => {
 const { queriedUserSlug } = params
- return `
+ return gql`
 {
 User(slug:"${queriedUserSlug}") {
 id
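Review bot: The assertion `privateKey: 'XXX'` in the authenticated test pins a literal placeholder, so the test can only pass if the API returns the string 'XXX', which nothing on the server produces; the expectation should be what the protection actually guarantees, either `.rejects.toThrow('Not Authorised')` or a masked/null field. The describe block also carries some sixty lines of commented-out tests copied from the change-password suite, the hard-coded `http://127.0.0.1:4001` bypasses the shared `host` from the test helpers, and `queryUser` interpolates the slug into the document string where a GraphQL variable avoids quoting problems (the `login` helper touched earlier in this commit has the same, pre-existing, interpolation of email and password).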
@@ -338,17 +339,34 @@ describe('don\'t expose private RSA key', () => {
 const hostPrivateKey = 'http://127.0.0.1:4001' // To have a "privateKey" generated.
 // const hostPrivateKey = 'http://127.0.0.1:4123'
 let client
+
+ // logged out
+ client = new GraphQLClient(hostPrivateKey)
+ // Generate user with "privateKey".
+ const id = 'bcb2d923-f3af-479e-9f00-61b12e864667'
+ const name = 'Apfel Strudel'
+ const slug = 'apfel-strudel'
+ const password = 'xYz'
+ await client.request(gql`
+ mutation {
+ CreateUser(id: "${id}", password: "${password}", slug:"${slug}", name: "${name}", email: "${slug}@test.org") {
+ id
+ }
+ }`
+ )
+
+ // logged in
 const headers = await login({ email: 'test@example.org', password: '1234' }, hostPrivateKey)
 client = new GraphQLClient(hostPrivateKey, { headers })
 let response = await client.request(
- queryUser({ queriedUserSlug: 'matilde-hermiston' })
+ queryUser({ queriedUserSlug: 'apfel-strudel' })
 )
 await expect(
 response
 ).toEqual({
 User: [{
- id: 'acb2d923-f3af-479e-9f00-61b12e864666',
+ id: 'bcb2d923-f3af-479e-9f00-61b12e864667',
 privateKey: 'XXX'
 // privateKey: null
 }]

From 95a0567e697ed4bc01f8a95fee833b0fa23478c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wolfgang=20Hu=C3=9F?=
Date: Thu, 11 Apr 2019 20:01:20 +0200
Subject: [PATCH 04/11] Query of users "publicKey" 'throws "Not Authorised!"'

Changes password and permission middleware. Thanks for your big help @roschaefer !
---
 backend/src/jest/helpers.js | 4 +-
 backend/src/middleware/passwordMiddleware.js | 6 +-
 .../src/middleware/permissionsMiddleware.js | 4 +-
 backend/src/resolvers/user_management.spec.js | 129 ++++++------------
 4 files changed, 44 insertions(+), 99 deletions(-)

diff --git a/backend/src/jest/helpers.js b/backend/src/jest/helpers.js
index 4b62a6cc8..0d358ed40 100644
--- a/backend/src/jest/helpers.js
+++ b/backend/src/jest/helpers.js
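Review bot: The expectation still ends in `privateKey: 'XXX'`, so the test cannot pass against any real response, and the new setup builds the `CreateUser` mutation by interpolating `id`, `password`, `slug`, `name` and `email` into a template literal; the file now imports `gql`, so pass them as GraphQL variables (`mutation($id: ID, $password: String!, ...)` with a variables object) rather than quoting them into the document. The mutation is sent through the logged-out `client`, so the test also relies on user creation being open to anonymous callers on port 4001; if that is only true of the test server it deserves a comment here, and if it is true of the real server it is a finding in its own right.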
@@ -4,12 +4,12 @@ import { request } from 'graphql-request'
 // not to be confused with the seeder host
 export const host = 'http://127.0.0.1:4123'
-export async function login ({ email, password }, hostParam = host) {
+export async function login ({ email, password }) {
 const mutation = `
 mutation {
 login(email:"${email}", password:"${password}")
 }`
- const response = await request(hostParam, mutation)
+ const response = await request(host, mutation)
 return {
 authorization: `Bearer ${response.login}`
 }
diff --git a/backend/src/middleware/passwordMiddleware.js b/backend/src/middleware/passwordMiddleware.js
index 8bf0c4501..bd0c786df 100644
--- a/backend/src/middleware/passwordMiddleware.js
+++ b/backend/src/middleware/passwordMiddleware.js
@@ -12,14 +12,10 @@ export default {
 },
 Query: async (resolve, root, args, context, info) => {
 let result = await resolve(root, args, context, info)
- result = walkRecursive(result, ['password'], () => {
+ result = walkRecursive(result, ['password', 'privatKey'], () => {
 // replace password with asterisk
 return '*****'
 })
- // result = walkRecursive(result, ['privateKey'], () => {
- // // replace password with asterisk
- // return '*****'
- // })
 return result
 }
 }
diff --git a/backend/src/middleware/permissionsMiddleware.js b/backend/src/middleware/permissionsMiddleware.js
index 36d77b853..549499dcd 100644
--- a/backend/src/middleware/permissionsMiddleware.js
+++ b/backend/src/middleware/permissionsMiddleware.js
@@ -90,8 +90,8 @@ const permissions = shield({
 },
 User: {
 email: isMyOwn,
- password: isMyOwn
- // privateKey: isMyOwn
+ password: isMyOwn,
+ privateKey: isMyOwn
 }
 })
diff --git a/backend/src/resolvers/user_management.spec.js b/backend/src/resolvers/user_management.spec.js
index aeb1f880c..6e16abd3c 100644
--- a/backend/src/resolvers/user_management.spec.js
+++ b/backend/src/resolvers/user_management.spec.js
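Review bot: The new key list `['password', 'privatKey']` misspells the field, so walkRecursive never matches `privateKey` and the Query middleware masks nothing for it; the line should read `result = walkRecursive(result, ['password', 'privateKey'], () => {`. A misspelled key fails silently, so the spec in this commit needs a query by the key's owner (the one caller `isMyOwn` in permissionsMiddleware lets through) asserting that the returned `privateKey` is the `'*****'` placeholder rather than key material; the tests as written only query as `test@example.org`, which the permission rule rejects before this middleware matters. The comment `// replace password with asterisk` should also name both fields now that the list has two.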
@@ -311,108 +311,57 @@ describe('change password', () => {
 })
 })
-describe('don\'t expose private RSA key', () => {
- const queryUser = params => {
- const { queriedUserSlug } = params
+describe('do not expose private RSA key', () => {
+ let client
+
+ const queryUser = () => {
 return gql`
- {
- User(slug:"${queriedUserSlug}") {
+ query($queriedUserSlug: String) {
+ User(slug: $queriedUserSlug) {
 id
 privateKey
 }
 }`
 }
- // describe('unauthenticated query of "privateKey"', () => {
- // it('throws "Not Authorised!"', async () => {
- // const host = 'http://127.0.0.1:4001' // To have a "privateKey" generated.
- // let client
- // client = new GraphQLClient(host)
- // await expect(
- // client.request(queryUser({ queriedUserSlug: 'matilde-hermiston' }))
- // ).rejects.toThrow('Not Authorised')
- // })
- // })
+ const action = async () => {
+ // Generate user with "privateKey" via 'CreateUser' mutation instead of using the factories "factory.create('User', {...})", see above.
+ const variables = {
+ id: 'bcb2d923-f3af-479e-9f00-61b12e864667',
+ password: 'xYz',
+ slug: 'apfel-strudel',
+ name: 'Apfel Strudel',
+ email: 'apfel-strudel@test.org'
+ }
+ await client.request(gql`
+ mutation($id: ID, $password: String!, $slug: String, $name: String, $email: String) {
+ CreateUser(id: $id, password: $password, slug: $slug, name: $name, email: $email) {
+ id
+ }
+ }`, variables
+ )
+ }
- describe('authenticated query of "privateKey"', () => {
- it('gives "null" as return', async () => {
- const hostPrivateKey = 'http://127.0.0.1:4001' // To have a "privateKey" generated.
- // const hostPrivateKey = 'http://127.0.0.1:4123'
- let client
+ describe('unauthenticated query of "privateKey"', () => {
+ it('throws "Not Authorised!"', async () => {
+ client = new GraphQLClient(host)
- // logged out
- client = new GraphQLClient(hostPrivateKey)
- // Generate user with "privateKey".
- const id = 'bcb2d923-f3af-479e-9f00-61b12e864667'
- const name = 'Apfel Strudel'
- const slug = 'apfel-strudel'
- const password = 'xYz'
- await client.request(gql`
- mutation {
- CreateUser(id: "${id}", password: "${password}", slug:"${slug}", name: "${name}", email: "${slug}@test.org") {
- id
- }
- }`
- )
-
- // logged in
- const headers = await login({ email: 'test@example.org', password: '1234' }, hostPrivateKey)
- client = new GraphQLClient(hostPrivateKey, { headers })
-
- let response = await client.request(
- queryUser({ queriedUserSlug: 'apfel-strudel' })
- )
+ await action()
 await expect(
- response
- ).toEqual({
- User: [{
- id: 'bcb2d923-f3af-479e-9f00-61b12e864667',
- privateKey: 'XXX'
- // privateKey: null
- }]
- })
+ client.request(queryUser(), { queriedUserSlug: 'apfel-strudel' })
+ ).rejects.toThrow('Not Authorised')
 })
 })
- // describe('old and new password should not match', () => {
- // it('responds with "Old password and new password should be different"', async () => {
- // await expect(
- // client.request(
- // mutation({
- // oldPassword: '1234',
- // newPassword: '1234'
- // })
- // )
- // ).rejects.toThrow('Old password and new password should be different')
- // })
- // })
+ describe('authenticated query of "privateKey"', () => {
+ it('throws "Not Authorised!"', async () => {
+ const headers = await login({ email: 'test@example.org', password: '1234' })
+ client = new GraphQLClient(host, { headers })
- // describe('incorrect old password', () => {
- // it('responds with "Old password isn\'t valid"', async () => {
- // await expect(
- // client.request(
- // mutation({
- // oldPassword: 'notOldPassword',
- // newPassword: '12345'
- // })
- // )
- // ).rejects.toThrow('Old password is not correct')
- // })
- // })
-
- // describe('correct password', () => {
- // it('changes the password if given correct credentials "', async () => {
- // let response = await client.request(
- // mutation({
- // oldPassword: '1234',
- // newPassword: '12345'
- // })
- // )
- // await expect(
- // response
- // ).toEqual(expect.objectContaining({
- // changePassword: expect.any(String)
- // }))
- // })
- // })
+ await action()
+ await expect(
+ client.request(queryUser(), { queriedUserSlug: 'apfel-strudel' })
+ ).rejects.toThrow('Not Authorised')
+ })
+ })
 })

From b007015eeba84ecbc81f0d266f5703ae4849e8ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wolfgang=20Hu=C3=9F?=
Date: Fri, 12 Apr 2019 14:30:04 +0200
Subject: [PATCH 05/11] Backend test for query "publicKey" to asure that "privatKey" is generated

Minor approofments.
---
 backend/src/resolvers/user_management.spec.js | 59 +++++++++++++------
 1 file changed, 41 insertions(+), 18 deletions(-)

diff --git a/backend/src/resolvers/user_management.spec.js b/backend/src/resolvers/user_management.spec.js
index 6e16abd3c..612bd0fe8 100644
--- a/backend/src/resolvers/user_management.spec.js
+++ b/backend/src/resolvers/user_management.spec.js
@@ -312,19 +312,17 @@ describe('change password', () => {
 })
 describe('do not expose private RSA key', () => {
+ let headers
 let client
+ const queryUserPrivateKey = gql`
+ query($queriedUserSlug: String) {
+ User(slug: $queriedUserSlug) {
+ id
+ privateKey
+ }
+ }`
- const queryUser = () => {
- return gql`
- query($queriedUserSlug: String) {
- User(slug: $queriedUserSlug) {
- id
- privateKey
- }
- }`
- }
-
- const action = async () => {
+ const actionGenUserWithKeys = async () => {
 // Generate user with "privateKey" via 'CreateUser' mutation instead of using the factories "factory.create('User', {...})", see above.
 const variables = {
 id: 'bcb2d923-f3af-479e-9f00-61b12e864667',
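Review bot: Both new tests query `apfel-strudel` either anonymously or as `test@example.org`, so they only exercise the not-my-own path of `isMyOwn`; the case that actually reaches the masking middleware, the owner reading their own `privateKey`, is untested, and it is the one that would have caught the `'privatKey'` misspelling in the middleware hunk of this same commit. A third test that logs in as the created user and asserts the field is the `'*****'` placeholder (or is rejected, if that is the intended contract) closes the gap, assuming `login` accepts the password given to `CreateUser`. `action()` also creates a user with a fixed id in every test, which only works if an `afterEach` outside this hunk clears the database between tests; that cannot be seen from here.
```javascript
  describe('owner queries their own "privateKey"', () => {
    it('receives the masked placeholder, not key material', async () => {
      client = new GraphQLClient(host)
      await action()
      const headers = await login({ email: 'apfel-strudel@test.org', password: 'xYz' })
      client = new GraphQLClient(host, { headers })
      const response = await client.request(queryUser(), { queriedUserSlug: 'apfel-strudel' })
      expect(response.User[0].privateKey).toBe('*****')
    })
  })
```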
@@ -346,22 +344,47 @@ describe('do not expose private RSA key', () => {
 it('throws "Not Authorised!"', async () => {
 client = new GraphQLClient(host)
- await action()
+ await actionGenUserWithKeys()
 await expect(
- client.request(queryUser(), { queriedUserSlug: 'apfel-strudel' })
+ client.request(queryUserPrivateKey, { queriedUserSlug: 'apfel-strudel' })
 ).rejects.toThrow('Not Authorised')
 })
 })
+ // authenticate
+ beforeEach(async () => {
+ headers = await login({ email: 'test@example.org', password: '1234' })
+ client = new GraphQLClient(host, { headers })
+ })
+
 describe('authenticated query of "privateKey"', () => {
 it('throws "Not Authorised!"', async () => {
- const headers = await login({ email: 'test@example.org', password: '1234' })
- client = new GraphQLClient(host, { headers })
-
- await action()
+ await actionGenUserWithKeys()
 await expect(
- client.request(queryUser(), { queriedUserSlug: 'apfel-strudel' })
+ client.request(queryUserPrivateKey, { queriedUserSlug: 'apfel-strudel' })
 ).rejects.toThrow('Not Authorised')
 })
 })
+
+ describe('authenticated query of "publicKey". To asure generation of "privateKey" is garanteed', () => {
+ it('throws "Not Authorised!"', async () => {
+ const queryUserPuplicKey = gql`
+ query($queriedUserSlug: String) {
+ User(slug: $queriedUserSlug) {
+ id
+ publicKey
+ }
+ }`
+
+ await actionGenUserWithKeys()
+ await expect(
+ await client.request(queryUserPuplicKey, { queriedUserSlug: 'apfel-strudel' })
+ ).toEqual(expect.objectContaining({
+ User: [{
+ id: 'bcb2d923-f3af-479e-9f00-61b12e864667',
+ publicKey: expect.any(String)
+ }]
+ }))
+ })
+ })
 })

From 008d99c6ef378663f6cc22e664a6d434d29e26ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=A4fer?=
Date: Fri, 12 Apr 2019 16:51:10 +0200
Subject: [PATCH 06/11] Update backend/src/resolvers/user_management.spec.js

Co-Authored-By: Tirokk
---
 backend/src/resolvers/user_management.spec.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
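Review bot: The `// authenticate` `beforeEach` is registered on the enclosing describe, so Jest runs it before every test in `do not expose private RSA key` including the unauthenticated one above it; that test only stays anonymous because it overwrites `client` itself, and the hook's position in the file suggests a scoping that does not exist. Putting the login hook inside a nested `describe('authenticated', ...)` that wraps only the two authenticated cases makes the scoping real. In the publicKey test, `await expect(await client.request(...)).toEqual(...)` awaits the value and then the matcher; `expect(await client.request(...)).toEqual(...)` or `await expect(client.request(...)).resolves.toEqual(...)` is the usual form, and that test's title `'throws "Not Authorised!"'` contradicts what it asserts. The describe title and `queryUserPuplicKey` carry typos (`asure`, `garanteed`, `Puplic`).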
diff --git a/backend/src/resolvers/user_management.spec.js b/backend/src/resolvers/user_management.spec.js
index 612bd0fe8..9ac102986 100644
--- a/backend/src/resolvers/user_management.spec.js
+++ b/backend/src/resolvers/user_management.spec.js
@@ -339,7 +339,11 @@ describe('do not expose private RSA key', () => {
 }`, variables
 )
 }
-
+describe('unauthenticated query of "publicKey"', () => {
+ it('returns publicKey', () => {
+ // check that an RSA key pair has been created at all
+ })
+})
 describe('unauthenticated query of "privateKey"', () => {
 it('throws "Not Authorised!"', async () => {
 client = new GraphQLClient(host)

From 828ca50f195e604294dd9b4d68ca03458a1cb257 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=A4fer?=
Date: Fri, 12 Apr 2019 16:51:30 +0200
Subject: [PATCH 07/11] Update backend/src/resolvers/user_management.spec.js

Co-Authored-By: Tirokk
---
 backend/src/resolvers/user_management.spec.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/src/resolvers/user_management.spec.js b/backend/src/resolvers/user_management.spec.js
index 9ac102986..3fe151a45 100644
--- a/backend/src/resolvers/user_management.spec.js
+++ b/backend/src/resolvers/user_management.spec.js
@@ -371,7 +371,7 @@ describe('unauthenticated query of "publicKey"', () => {
 })
 describe('authenticated query of "publicKey". To asure generation of "privateKey" is garanteed', () => {
- it('throws "Not Authorised!"', async () => {
+ it('returns publicKey', async () => {
 const queryUserPuplicKey = gql`
 query($queriedUserSlug: String) {
 User(slug: $queriedUserSlug) {

From e5e1f0a9fc2020035142c7f3e9a994536b17972b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=A4fer?=
Date: Fri, 12 Apr 2019 16:51:41 +0200
Subject: [PATCH 08/11] Update backend/src/resolvers/user_management.spec.js

Co-Authored-By: Tirokk
---
 backend/src/resolvers/user_management.spec.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
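Review bot: The new `it('returns publicKey', () => { ... })` contains only a comment, so it passes vacuously and reports green for a check that does not exist; until the body is written it should be `it.todo('returns publicKey')` (available in Jest 24, if that is the version in use) or at least `it.skip`, so the missing coverage is visible in the run. The block is also placed at column 0 inside `describe('do not expose private RSA key')`, whose closing lines are outside the hunk, which the linter used elsewhere in this file is likely to flag.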
diff --git a/backend/src/resolvers/user_management.spec.js b/backend/src/resolvers/user_management.spec.js
index 3fe151a45..cb461beba 100644
--- a/backend/src/resolvers/user_management.spec.js
+++ b/backend/src/resolvers/user_management.spec.js
@@ -370,7 +370,7 @@ describe('unauthenticated query of "publicKey"', () => {
 })
 })
- describe('authenticated query of "publicKey". To asure generation of "privateKey" is garanteed', () => {
+ describe('unauthenticated query of "publicKey" (does the RSA key pair get generated at all?)', () => {
 it('returns publicKey', async () => {
 const queryUserPuplicKey = gql`
 query($queriedUserSlug: String) {

From 023c63601766770d6716e3070346976418541bff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wolfgang=20Hu=C3=9F?=
Date: Fri, 12 Apr 2019 17:17:01 +0200
Subject: [PATCH 09/11] Query of "publicKey" is now tested unauthenticated and authenticated

---
 backend/src/resolvers/user_management.spec.js | 60 +++++++++++--------
 1 file changed, 36 insertions(+), 24 deletions(-)

diff --git a/backend/src/resolvers/user_management.spec.js b/backend/src/resolvers/user_management.spec.js
index cb461beba..66d3c9aeb 100644
--- a/backend/src/resolvers/user_management.spec.js
+++ b/backend/src/resolvers/user_management.spec.js
@@ -314,6 +314,13 @@ describe('change password', () => {
 describe('do not expose private RSA key', () => {
 let headers
 let client
+ const queryUserPuplicKey = gql`
+ query($queriedUserSlug: String) {
+ User(slug: $queriedUserSlug) {
+ id
+ publicKey
+ }
+ }`
 const queryUserPrivateKey = gql`
 query($queriedUserSlug: String) {
 User(slug: $queriedUserSlug) {
@@ -339,15 +346,28 @@ describe('do not expose private RSA key', () => {
 }`, variables
 )
 }
-describe('unauthenticated query of "publicKey"', () => {
- it('returns publicKey', () => {
- // check that an RSA key pair has been created at all
+
+ // not authenticate
+ beforeEach(async () => {
+ client = new GraphQLClient(host)
 })
-})
+
+ describe('unauthenticated query of "publicKey" (does the RSA key pair get generated at all?)', () => {
+ it('returns publicKey', async () => {
+ await actionGenUserWithKeys()
+ await expect(
+ await client.request(queryUserPuplicKey, { queriedUserSlug: 'apfel-strudel' })
+ ).toEqual(expect.objectContaining({
+ User: [{
+ id: 'bcb2d923-f3af-479e-9f00-61b12e864667',
+ publicKey: expect.any(String)
+ }]
+ }))
+ })
+ })
+
 describe('unauthenticated query of "privateKey"', () => {
 it('throws "Not Authorised!"', async () => {
- client = new GraphQLClient(host)
-
 await actionGenUserWithKeys()
 await expect(
 client.request(queryUserPrivateKey, { queriedUserSlug: 'apfel-strudel' })
@@ -361,25 +381,8 @@ describe('unauthenticated query of "publicKey"', () => {
 client = new GraphQLClient(host, { headers })
 })
- describe('authenticated query of "privateKey"', () => {
- it('throws "Not Authorised!"', async () => {
- await actionGenUserWithKeys()
- await expect(
- client.request(queryUserPrivateKey, { queriedUserSlug: 'apfel-strudel' })
- ).rejects.toThrow('Not Authorised')
- })
- })
-
- describe('unauthenticated query of "publicKey" (does the RSA key pair get generated at all?)', () => {
+ describe('authenticated query of "publicKey"', () => {
 it('returns publicKey', async () => {
- const queryUserPuplicKey = gql`
- query($queriedUserSlug: String) {
- User(slug: $queriedUserSlug) {
- id
- publicKey
- }
- }`
-
 await actionGenUserWithKeys()
 await expect(
 await client.request(queryUserPuplicKey, { queriedUserSlug: 'apfel-strudel' })
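Review bot: The added `// not authenticate` `beforeEach` and the existing `// authenticate` `beforeEach` further down (its `client = new GraphQLClient(host, { headers })` is a context line in the second hunk) are both registered on the same describe, and Jest runs every `beforeEach` of a describe before each of its tests in declaration order, so the login hook always runs last and `client` is authenticated in every test, including the two titled "unauthenticated". The anonymous `privateKey` test then passes only because `test@example.org` is not the owner, not because anonymous access is rejected, and this commit removes the `client = new GraphQLClient(host)` line that used to make it genuinely anonymous. Each hook belongs in its own nested describe wrapping just the tests it is meant for.
```javascript
  describe('unauthenticated', () => {
    beforeEach(() => {
      client = new GraphQLClient(host)
    })
    // … unchanged: the two "unauthenticated query of …" describes …
  })

  describe('authenticated', () => {
    beforeEach(async () => {
      headers = await login({ email: 'test@example.org', password: '1234' })
      client = new GraphQLClient(host, { headers })
    })
    // … unchanged: the two "authenticated query of …" describes …
  })
```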
@@ -391,4 +394,13 @@ describe('unauthenticated query of "publicKey"', () => {
 }))
 })
 })
+
+ describe('authenticated query of "privateKey"', () => {
+ it('throws "Not Authorised!"', async () => {
+ await actionGenUserWithKeys()
+ await expect(
+ client.request(queryUserPrivateKey, { queriedUserSlug: 'apfel-strudel' })
+ ).rejects.toThrow('Not Authorised')
+ })
+ })
 })

From 0c8b478ce2351162eb89748d35d76330e4c26cf0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=A4fer?=
Date: Fri, 12 Apr 2019 17:32:20 +0200
Subject: [PATCH 10/11] Update backend/src/middleware/passwordMiddleware.js

Co-Authored-By: Tirokk
---
 backend/src/middleware/passwordMiddleware.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/src/middleware/passwordMiddleware.js b/backend/src/middleware/passwordMiddleware.js
index bd0c786df..16272421a 100644
--- a/backend/src/middleware/passwordMiddleware.js
+++ b/backend/src/middleware/passwordMiddleware.js
@@ -12,7 +12,7 @@ export default {
 },
 Query: async (resolve, root, args, context, info) => {
 let result = await resolve(root, args, context, info)
- result = walkRecursive(result, ['password', 'privatKey'], () => {
+ result = walkRecursive(result, ['password', 'privateKey'], () => {
 // replace password with asterisk
 return '*****'
 })

From aadfd1637466a6d1377896265cd20559aa117669 Mon Sep 17 00:00:00 2001
From: Matt Rider
Date: Fri, 12 Apr 2019 13:23:10 -0300
Subject: [PATCH 11/11] Remove redundant "not"

---
 backend/src/resolvers/user_management.spec.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/src/resolvers/user_management.spec.js b/backend/src/resolvers/user_management.spec.js
index 66d3c9aeb..94ec04203 100644
--- a/backend/src/resolvers/user_management.spec.js
+++ b/backend/src/resolvers/user_management.spec.js
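Review bot: With the key name corrected, the comment under it still reads `// replace password with asterisk`; the list now masks two fields, so `// mask password and privateKey so neither leaves the API` documents the line. This is the second spelling of this key committed to this line (`'privatKey'` arrived with the previous middleware change), and a misspelled key is silently ignored by walkRecursive, so a test in which the key's owner queries `privateKey` and receives the `'*****'` placeholder would guard the string against regressing; the spec in this series only queries as a non-owner, which the permission rule rejects before this middleware runs.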
@@ -255,7 +255,7 @@ describe('change password', () => {
 }
 describe('should be authenticated before changing password', () => {
- it('throws not "Not Authorised!"', async () => {
+ it('throws "Not Authorised!"', async () => {
 await expect(
 request(
 host,