codecombat/spec/server/functional/auth.spec.coffee

require '../common'
User = require '../../../server/users/User'
utils = require '../utils'
_ = require 'lodash'
Promise = require 'bluebird'
nock = require 'nock'

urlLogin = getURL('/auth/login')
urlReset = getURL('/auth/reset')

describe '/auth/whoami', ->
  it 'returns 200', (done) ->
    request.get(getURL('/auth/whoami'), (err, response) ->
      expect(response).toBeDefined()
      expect(response.statusCode).toBe(200)
      done()
    )

describe '/auth/login', ->

  it 'clears Users', (done) ->
    clearModels [User], (err) ->
      throw err if err
      request.get getURL('/auth/whoami'), ->
        throw err if err
        done()

  it 'allows logging in by iosIdentifierForVendor', (done) ->
    req = request.post(getURL('/db/user'),
    (error, response) ->
      expect(response).toBeDefined()
      expect(response.statusCode).toBe(200)
      req = request.post(urlLogin, (error, response) ->
        expect(response.statusCode).toBe(200)
        done()
      )
      form = req.form()
      form.append('username', '012345678901234567890123456789012345')
      form.append('password', '12345')
    )
    form = req.form()
    form.append('iosIdentifierForVendor', '012345678901234567890123456789012345')
    form.append('password', '12345')
  
  it 'clears Users', (done) ->
    clearModels [User], (err) ->
      throw err if err
      request.get getURL('/auth/whoami'), ->
        throw err if err
        done()

  it 'finds no user', (done) ->
    req = request.post(urlLogin, (error, response) ->
      expect(response).toBeDefined()
      expect(response.statusCode).toBe(401)
      done()
    )
    form = req.form()
    form.append('username', 'scott@gmail.com')
    form.append('password', 'nada')

  it 'creates a user', (done) ->
    req = request.post(getURL('/db/user'),
      (error, response) ->
        expect(response).toBeDefined()
        expect(response.statusCode).toBe(200)
        done()
    )
    form = req.form()
    form.append('email', 'scott@gmail.com')
    form.append('password', 'nada')

  it 'finds that created user', (done) ->
    req = request.post(urlLogin, (error, response) ->
      expect(response).toBeDefined()
      expect(response.statusCode).toBe(200)
      done()
    )
    form = req.form()
    form.append('username', 'scott@gmail.com')
    form.append('password', 'nada')

  it 'rejects wrong passwords', (done) ->
    req = request.post(urlLogin, (error, response) ->
      expect(response.statusCode).toBe(401)
      expect(response.body.indexOf('wrong')).toBeGreaterThan(-1)
      done()
    )
    form = req.form()
    form.append('username', 'scott@gmail.com')
    form.append('password', 'blahblah')

  it 'is completely case insensitive', (done) ->
    req = request.post(urlLogin, (error, response) ->
      expect(response.statusCode).toBe(200)
      done()
    )
    form = req.form()
    form.append('username', 'scoTT@gmaIL.com')
    form.append('password', 'NaDa')

describe '/auth/reset', ->
  passwordReset = ''

  it 'emails require', (done) ->
    req = request.post(urlReset, (error, response) ->
      expect(response).toBeDefined()
      expect(response.statusCode).toBe(422)
      done()
    )
    form = req.form()
    form.append('username', 'scott@gmail.com')

  it 'can\'t reset an unknown user', (done) ->
    req = request.post(urlReset, (error, response) ->
      expect(response).toBeDefined()
      expect(response.statusCode).toBe(404)
      done()
    )
    form = req.form()
    form.append('email', 'unknow')

  it 'resets user password', (done) ->
    req = request.post(urlReset, (error, response) ->
      expect(response).toBeDefined()
      expect(response.statusCode).toBe(200)
      expect(response.body).toBeDefined()
      passwordReset = response.body
      done()
    )
    form = req.form()
    form.append('email', 'scott@gmail.com')

  it 'can login after resetting', (done) ->
    req = request.post(urlLogin, (error, response) ->
      expect(response).toBeDefined()
      expect(response.statusCode).toBe(200)
      done()
    )
    form = req.form()
    form.append('username', 'scott@gmail.com')
    form.append('password', passwordReset)

  it 'resetting password is not permanent', (done) ->
    req = request.post(urlLogin, (error, response) ->
      expect(response).toBeDefined()
      expect(response.statusCode).toBe(401)
      done()
    )
    form = req.form()
    form.append('username', 'scott@gmail.com')
    form.append('password', passwordReset)


  it 'can still login with old password', (done) ->
    req = request.post(urlLogin, (error, response) ->
      expect(response).toBeDefined()
      expect(response.statusCode).toBe(200)
      done()
    )
    form = req.form()
    form.append('username', 'scott@gmail.com')
    form.append('password', 'nada')

describe '/auth/unsubscribe', ->
  it 'clears Users first', (done) ->
    clearModels [User], (err) ->
      throw err if err
      request.get getURL('/auth/whoami'), ->
        throw err if err
        done()

  it 'removes just recruitment emails if you include ?recruitNotes=1', (done) ->
    loginJoe (joe) ->
      url = getURL('/auth/unsubscribe?recruitNotes=1&email='+joe.get('email'))
      request.get url, (error, response) ->
        expect(response.statusCode).toBe(200)
        user = User.findOne(joe.get('_id')).exec (err, user) ->
          expect(user.get('emails').recruitNotes.enabled).toBe(false)
          expect(user.isEmailSubscriptionEnabled('generalNews')).toBeTruthy()
          done()

describe '/auth/name', ->
  url = '/auth/name'

  it 'must provide a name to check with', (done) ->
    request.get {url: getURL(url + '/'), json: {}}, (err, response) ->
      expect(err).toBeNull()
      expect(response.statusCode).toBe 422
      done()

  it 'can GET a non-conflicting name', (done) ->
    request.get {url: getURL(url + '/Gandalf'), json: {}}, (err, response) ->
      expect(err).toBeNull()
      expect(response.statusCode).toBe 200
      expect(response.body.name).toBe 'Gandalf'
      done()

  it 'can GET a new name in case of conflict', (done) ->
    request.get {url: getURL(url + '/joe'), json: {}}, (err, response) ->
      expect(err).toBeNull()
      expect(response.statusCode).toBe 409
      expect(response.body.name).not.toBe 'joe'
      expect(response.body.name.length).toBe 4 # 'joe' and a random number
      done()

      
describe 'POST /auth/login-facebook', ->
  beforeEach utils.wrap (done) ->
    yield utils.clearModels([User])
    done()
    
  afterEach -> 
    nock.cleanAll()
  
  url = getURL('/auth/login-facebook')
  it 'takes facebookID and facebookAccessToken and logs the user in', utils.wrap (done) ->
    nock('https://graph.facebook.com').get('/me').query({access_token: 'abcd'}).reply(200, { id: '1234' })
    yield new User({name: 'someone', facebookID: '1234'}).save()
    [res, body] = yield request.postAsync url, { json: { facebookID: '1234', facebookAccessToken: 'abcd' }}
    expect(res.statusCode).toBe(200)
    done()
    
  it 'returns 422 if no token or id is provided', utils.wrap (done) ->
    [res, body] = yield request.postAsync url
    expect(res.statusCode).toBe(422)
    done()
  
  it 'returns 422 if the token is invalid', utils.wrap (done) ->
    nock('https://graph.facebook.com').get('/me').query({access_token: 'abcd'}).reply(400, {})
    yield new User({name: 'someone', facebookID: '1234'}).save()
    [res, body] = yield request.postAsync url, { json: { facebookID: '1234', facebookAccessToken: 'abcd' }}
    expect(res.statusCode).toBe(422)
    done()
  
  it 'returns 404 if the user does not already exist', utils.wrap (done) ->
    nock('https://graph.facebook.com').get('/me').query({access_token: 'abcd'}).reply(200, { id: '1234' })
    [res, body] = yield request.postAsync url, { json: { facebookID: '1234', facebookAccessToken: 'abcd' }}
    expect(res.statusCode).toBe(404)
    done()


describe 'POST /auth/login-gplus', ->
  beforeEach utils.wrap (done) ->
    yield utils.clearModels([User])
    done()

  afterEach ->
    nock.cleanAll()

  url = getURL('/auth/login-gplus')
  it 'takes gplusID and gplusAccessToken and logs the user in', utils.wrap (done) ->
    nock('https://www.googleapis.com').get('/oauth2/v2/userinfo').query({access_token: 'abcd'}).reply(200, { id: '1234' })
    yield new User({name: 'someone', gplusID: '1234'}).save()
    [res, body] = yield request.postAsync url, { json: { gplusID: '1234', gplusAccessToken: 'abcd' }}
    expect(res.statusCode).toBe(200)
    done()

  it 'returns 422 if no token or id is provided', utils.wrap (done) ->
    [res, body] = yield request.postAsync url
    expect(res.statusCode).toBe(422)
    done()

  it 'returns 422 if the token is invalid', utils.wrap (done) ->
    nock('https://www.googleapis.com').get('/oauth2/v2/userinfo').query({access_token: 'abcd'}).reply(400, {})
    yield new User({name: 'someone', gplusID: '1234'}).save()
    [res, body] = yield request.postAsync url, { json: { gplusID: '1234', gplusAccessToken: 'abcd' }}
    expect(res.statusCode).toBe(422)
    done()

  it 'returns 404 if the user does not already exist', utils.wrap (done) ->
    nock('https://www.googleapis.com').get('/oauth2/v2/userinfo').query({access_token: 'abcd'}).reply(200, { id: '1234' })
    [res, body] = yield request.postAsync url, { json: { gplusID: '1234', gplusAccessToken: 'abcd' }}
    expect(res.statusCode).toBe(404)
    done()
          
      
describe 'POST /auth/spy', ->
  beforeEach utils.wrap (done) ->
    yield utils.clearModels([User])
    @admin = yield utils.initAdmin()
    @user1 = yield utils.initUser({name: 'Test User 1'})
    @user2 = yield utils.initUser({name: 'Test User 2'})
    done()
  
  it 'logs in an admin as an arbitrary user', utils.wrap (done) ->
    yield utils.loginUser(@admin)
    [res, body] = yield request.postAsync {uri: getURL('/auth/spy'), json: {user: @user1.id}}
    expect(res.statusCode).toBe(200)
    expect(body._id).toBe(@user1.id)
    [res, body] = yield request.getAsync {uri: getURL('/auth/whoami'), json: true}
    expect(body._id).toBe(@user1.id)
    done()

  it 'accepts the user\'s email as input', utils.wrap (done) ->
    yield utils.loginUser(@admin)
    [res, body] = yield request.postAsync {uri: getURL('/auth/spy'), json: {user: @user1.get('email')}}
    expect(res.statusCode).toBe(200)
    expect(body._id).toBe(@user1.id)
    done()
    
  it 'accepts the user\'s username as input', utils.wrap (done) ->
    yield utils.loginUser(@admin)
    [res, body] = yield request.postAsync {uri: getURL('/auth/spy'), json: {user: @user1.get('name')}}
    expect(res.statusCode).toBe(200)
    expect(body._id).toBe(@user1.id)
    done()
    
  it 'does not work for anonymous users', utils.wrap (done) ->
    [res, body] = yield request.postAsync {uri: getURL('/auth/spy'), json: {user: @user1.get('name')}}
    expect(res.statusCode).toBe(401)
    done()
    
  it 'does not work for non-admins', utils.wrap (done) ->
    yield utils.loginUser(@user1)
    [res, body] = yield request.postAsync {uri: getURL('/auth/spy'), json: {user: @user1.get('name')}}
    expect(res.statusCode).toBe(403)
    done()

describe 'POST /auth/stop-spying', ->
  beforeEach utils.wrap (done) ->
    yield utils.clearModels([User])
    @admin = yield utils.initAdmin()
    @user = yield utils.initUser()
    yield utils.loginUser(@admin)
    [res, body] = yield request.postAsync {uri: getURL('/auth/spy'), json: {user: @user.id}}
    expect(res.statusCode).toBe(200)
    done()
  
  it 'it reverts the spying user back to the admin', utils.wrap (done) ->
    [res, body] = yield request.getAsync {uri: getURL('/auth/whoami'), json: true}
    expect(body._id).toBe(@user.id)
    [res, body] = yield request.postAsync {uri: getURL('/auth/stop-spying'), json: true}
    expect(res.statusCode).toBe(200)
    expect(body._id).toBe(@admin.id)
    [res, body] = yield request.getAsync {uri: getURL('/auth/whoami'), json: true}
    expect(body._id).toBe(@admin.id)
    done()
refactor server test folder 2014-02-03 15:55:09 -05:00			`require '../common'`
Implement all of teacher-dashboard 2016-03-30 16:57:19 -04:00			`User = require '../../../server/users/User'`
Add return-to-admin (turn off espionage mode) 2016-03-03 17:22:50 -05:00			`utils = require '../utils'`
			`_ = require 'lodash'`
			`Promise = require 'bluebird'`
Refactor CreateAccountModal out of AuthModal, add class code to signup 2016-02-25 18:24:16 -05:00			`nock = require 'nock'`
add server auth test (reset password) 2014-02-02 18:02:47 -05:00
			`urlLogin = getURL('/auth/login')`
			`urlReset = getURL('/auth/reset')`
Ready for action, sir! 2014-01-03 13:32:13 -05:00
			`describe '/auth/whoami', ->`
			`it 'returns 200', (done) ->`
Fixed server tests to exit when they are finished. jasmine-node will never exit unless all connections are closed. This helped: https://github.com/mhevery/jasmine-node/issues/318#issuecomment-43914090 2014-06-11 16:21:11 -04:00			`request.get(getURL('/auth/whoami'), (err, response) ->`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`expect(response).toBeDefined()`
			`expect(response.statusCode).toBe(200)`
			`done()`
			`)`

			`describe '/auth/login', ->`

Added the ability to assign a user an iOS UDID, and login with it. 2014-11-20 18:54:15 -05:00			`it 'clears Users', (done) ->`
			`clearModels [User], (err) ->`
			`throw err if err`
			`request.get getURL('/auth/whoami'), ->`
			`throw err if err`
			`done()`

Changed UDID to identifierForVendor 2014-11-20 20:03:24 -05:00			`it 'allows logging in by iosIdentifierForVendor', (done) ->`
Added the ability to assign a user an iOS UDID, and login with it. 2014-11-20 18:54:15 -05:00			`req = request.post(getURL('/db/user'),`
			`(error, response) ->`
			`expect(response).toBeDefined()`
			`expect(response.statusCode).toBe(200)`
			`req = request.post(urlLogin, (error, response) ->`
			`expect(response.statusCode).toBe(200)`
			`done()`
			`)`
			`form = req.form()`
Changed UDID to identifierForVendor 2014-11-20 20:03:24 -05:00			`form.append('username', '012345678901234567890123456789012345')`
Added the ability to assign a user an iOS UDID, and login with it. 2014-11-20 18:54:15 -05:00			`form.append('password', '12345')`
			`)`
			`form = req.form()`
Changed UDID to identifierForVendor 2014-11-20 20:03:24 -05:00			`form.append('iosIdentifierForVendor', '012345678901234567890123456789012345')`
Added the ability to assign a user an iOS UDID, and login with it. 2014-11-20 18:54:15 -05:00			`form.append('password', '12345')`

			`it 'clears Users', (done) ->`
Fixed a couple bugs and tests. 2014-04-23 12:19:07 -04:00			`clearModels [User], (err) ->`
			`throw err if err`
Made the server resistant to req.user being undefined sometimes. 2014-02-24 23:27:38 -05:00			`request.get getURL('/auth/whoami'), ->`
			`throw err if err`
			`done()`
Ready for action, sir! 2014-01-03 13:32:13 -05:00
			`it 'finds no user', (done) ->`
add server auth test (reset password) 2014-02-02 18:02:47 -05:00			`req = request.post(urlLogin, (error, response) ->`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`expect(response).toBeDefined()`
			`expect(response.statusCode).toBe(401)`
			`done()`
			`)`
			`form = req.form()`
			`form.append('username', 'scott@gmail.com')`
			`form.append('password', 'nada')`

			`it 'creates a user', (done) ->`
			`req = request.post(getURL('/db/user'),`
			`(error, response) ->`
			`expect(response).toBeDefined()`
			`expect(response.statusCode).toBe(200)`
			`done()`
			`)`
			`form = req.form()`
			`form.append('email', 'scott@gmail.com')`
			`form.append('password', 'nada')`

			`it 'finds that created user', (done) ->`
add server auth test (reset password) 2014-02-02 18:02:47 -05:00			`req = request.post(urlLogin, (error, response) ->`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`expect(response).toBeDefined()`
			`expect(response.statusCode).toBe(200)`
			`done()`
			`)`
			`form = req.form()`
			`form.append('username', 'scott@gmail.com')`
			`form.append('password', 'nada')`

			`it 'rejects wrong passwords', (done) ->`
add server auth test (reset password) 2014-02-02 18:02:47 -05:00			`req = request.post(urlLogin, (error, response) ->`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`expect(response.statusCode).toBe(401)`
Clean up mixed quotes 2014-06-30 22:16:26 -04:00			`expect(response.body.indexOf('wrong')).toBeGreaterThan(-1)`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`done()`
			`)`
			`form = req.form()`
			`form.append('username', 'scott@gmail.com')`
			`form.append('password', 'blahblah')`

			`it 'is completely case insensitive', (done) ->`
add server auth test (reset password) 2014-02-02 18:02:47 -05:00			`req = request.post(urlLogin, (error, response) ->`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`expect(response.statusCode).toBe(200)`
			`done()`
			`)`
			`form = req.form()`
			`form.append('username', 'scoTT@gmaIL.com')`
add server auth test (reset password) 2014-02-02 18:02:47 -05:00			`form.append('password', 'NaDa')`

			`describe '/auth/reset', ->`
			`passwordReset = ''`

			`it 'emails require', (done) ->`
			`req = request.post(urlReset, (error, response) ->`
			`expect(response).toBeDefined()`
			`expect(response.statusCode).toBe(422)`
			`done()`
			`)`
			`form = req.form()`
			`form.append('username', 'scott@gmail.com')`

Added the ability to assign a user an iOS UDID, and login with it. 2014-11-20 18:54:15 -05:00			`it 'can\'t reset an unknown user', (done) ->`
add server auth test (reset password) 2014-02-02 18:02:47 -05:00			`req = request.post(urlReset, (error, response) ->`
			`expect(response).toBeDefined()`
			`expect(response.statusCode).toBe(404)`
			`done()`
			`)`
			`form = req.form()`
			`form.append('email', 'unknow')`

Made the server resistant to req.user being undefined sometimes. 2014-02-24 23:27:38 -05:00			`it 'resets user password', (done) ->`
add server auth test (reset password) 2014-02-02 18:02:47 -05:00			`req = request.post(urlReset, (error, response) ->`
			`expect(response).toBeDefined()`
			`expect(response.statusCode).toBe(200)`
			`expect(response.body).toBeDefined()`
			`passwordReset = response.body`
			`done()`
			`)`
			`form = req.form()`
			`form.append('email', 'scott@gmail.com')`

			`it 'can login after resetting', (done) ->`
			`req = request.post(urlLogin, (error, response) ->`
			`expect(response).toBeDefined()`
			`expect(response.statusCode).toBe(200)`
			`done()`
			`)`
			`form = req.form()`
			`form.append('username', 'scott@gmail.com')`
			`form.append('password', passwordReset)`

			`it 'resetting password is not permanent', (done) ->`
			`req = request.post(urlLogin, (error, response) ->`
			`expect(response).toBeDefined()`
			`expect(response.statusCode).toBe(401)`
			`done()`
			`)`
			`form = req.form()`
			`form.append('username', 'scott@gmail.com')`
			`form.append('password', passwordReset)`


			`it 'can still login with old password', (done) ->`
			`req = request.post(urlLogin, (error, response) ->`
			`expect(response).toBeDefined()`
			`expect(response.statusCode).toBe(200)`
			`done()`
			`)`
			`form = req.form()`
			`form.append('username', 'scott@gmail.com')`
			`form.append('password', 'nada')`
Added an unsubscribe url for recruit notifications. 2014-04-22 22:27:39 -04:00
			`describe '/auth/unsubscribe', ->`
Fixed a couple bugs and tests. 2014-04-23 12:19:07 -04:00			`it 'clears Users first', (done) ->`
			`clearModels [User], (err) ->`
			`throw err if err`
			`request.get getURL('/auth/whoami'), ->`
			`throw err if err`
			`done()`
Clean up mixed quotes 2014-06-30 22:16:26 -04:00
Added an unsubscribe url for recruit notifications. 2014-04-22 22:27:39 -04:00			`it 'removes just recruitment emails if you include ?recruitNotes=1', (done) ->`
			`loginJoe (joe) ->`
			`url = getURL('/auth/unsubscribe?recruitNotes=1&email='+joe.get('email'))`
			`request.get url, (error, response) ->`
			`expect(response.statusCode).toBe(200)`
			`user = User.findOne(joe.get('_id')).exec (err, user) ->`
			`expect(user.get('emails').recruitNotes.enabled).toBe(false)`
Added another check to the recruit unsubscribe test, to make sure it doesn't affect other subscriptions. 2014-04-23 12:53:46 -04:00			`expect(user.isEmailSubscriptionEnabled('generalNews')).toBeTruthy()`
Added an unsubscribe url for recruit notifications. 2014-04-22 22:27:39 -04:00			`done()`
GET /auth/name/<name> now serves possible free names anonymous users are now warned if their new name is already chosen User Settings is now without auto-save Upon name conflict, a user will be suggested a new name which is then submitted if the user chooses to save after all. Refactored conflicted name checking so it can be used in more places Signup form now has an optional name field Covered extra case where the debounced check happened too late. Support for submitting on enter. Worked in scott's comments and got tests working again 2014-07-10 14:50:16 -04:00
			`describe '/auth/name', ->`
			`url = '/auth/name'`

			`it 'must provide a name to check with', (done) ->`
			`request.get {url: getURL(url + '/'), json: {}}, (err, response) ->`
			`expect(err).toBeNull()`
			`expect(response.statusCode).toBe 422`
			`done()`

			`it 'can GET a non-conflicting name', (done) ->`
			`request.get {url: getURL(url + '/Gandalf'), json: {}}, (err, response) ->`
			`expect(err).toBeNull()`
			`expect(response.statusCode).toBe 200`
			`expect(response.body.name).toBe 'Gandalf'`
			`done()`

			`it 'can GET a new name in case of conflict', (done) ->`
			`request.get {url: getURL(url + '/joe'), json: {}}, (err, response) ->`
			`expect(err).toBeNull()`
			`expect(response.statusCode).toBe 409`
			`expect(response.body.name).not.toBe 'joe'`
			`expect(response.body.name.length).toBe 4 # 'joe' and a random number`
			`done()`
Refactor CreateAccountModal out of AuthModal, add class code to signup 2016-02-25 18:24:16 -05:00
Add return-to-admin (turn off espionage mode) 2016-03-03 17:22:50 -05:00
Refactor CreateAccountModal out of AuthModal, add class code to signup 2016-02-25 18:24:16 -05:00			`describe 'POST /auth/login-facebook', ->`
			`beforeEach utils.wrap (done) ->`
			`yield utils.clearModels([User])`
			`done()`

			`afterEach ->`
			`nock.cleanAll()`

			`url = getURL('/auth/login-facebook')`
			`it 'takes facebookID and facebookAccessToken and logs the user in', utils.wrap (done) ->`
			`nock('https://graph.facebook.com').get('/me').query({access_token: 'abcd'}).reply(200, { id: '1234' })`
			`yield new User({name: 'someone', facebookID: '1234'}).save()`
			`[res, body] = yield request.postAsync url, { json: { facebookID: '1234', facebookAccessToken: 'abcd' }}`
			`expect(res.statusCode).toBe(200)`
			`done()`

			`it 'returns 422 if no token or id is provided', utils.wrap (done) ->`
			`[res, body] = yield request.postAsync url`
			`expect(res.statusCode).toBe(422)`
			`done()`

			`it 'returns 422 if the token is invalid', utils.wrap (done) ->`
			`nock('https://graph.facebook.com').get('/me').query({access_token: 'abcd'}).reply(400, {})`
			`yield new User({name: 'someone', facebookID: '1234'}).save()`
			`[res, body] = yield request.postAsync url, { json: { facebookID: '1234', facebookAccessToken: 'abcd' }}`
			`expect(res.statusCode).toBe(422)`
			`done()`

			`it 'returns 404 if the user does not already exist', utils.wrap (done) ->`
			`nock('https://graph.facebook.com').get('/me').query({access_token: 'abcd'}).reply(200, { id: '1234' })`
			`[res, body] = yield request.postAsync url, { json: { facebookID: '1234', facebookAccessToken: 'abcd' }}`
			`expect(res.statusCode).toBe(404)`
			`done()`


			`describe 'POST /auth/login-gplus', ->`
			`beforeEach utils.wrap (done) ->`
			`yield utils.clearModels([User])`
			`done()`

			`afterEach ->`
			`nock.cleanAll()`

			`url = getURL('/auth/login-gplus')`
			`it 'takes gplusID and gplusAccessToken and logs the user in', utils.wrap (done) ->`
			`nock('https://www.googleapis.com').get('/oauth2/v2/userinfo').query({access_token: 'abcd'}).reply(200, { id: '1234' })`
			`yield new User({name: 'someone', gplusID: '1234'}).save()`
			`[res, body] = yield request.postAsync url, { json: { gplusID: '1234', gplusAccessToken: 'abcd' }}`
			`expect(res.statusCode).toBe(200)`
			`done()`

			`it 'returns 422 if no token or id is provided', utils.wrap (done) ->`
			`[res, body] = yield request.postAsync url`
			`expect(res.statusCode).toBe(422)`
			`done()`

			`it 'returns 422 if the token is invalid', utils.wrap (done) ->`
			`nock('https://www.googleapis.com').get('/oauth2/v2/userinfo').query({access_token: 'abcd'}).reply(400, {})`
			`yield new User({name: 'someone', gplusID: '1234'}).save()`
			`[res, body] = yield request.postAsync url, { json: { gplusID: '1234', gplusAccessToken: 'abcd' }}`
			`expect(res.statusCode).toBe(422)`
			`done()`

			`it 'returns 404 if the user does not already exist', utils.wrap (done) ->`
			`nock('https://www.googleapis.com').get('/oauth2/v2/userinfo').query({access_token: 'abcd'}).reply(200, { id: '1234' })`
			`[res, body] = yield request.postAsync url, { json: { gplusID: '1234', gplusAccessToken: 'abcd' }}`
			`expect(res.statusCode).toBe(404)`
			`done()`

Add return-to-admin (turn off espionage mode) 2016-03-03 17:22:50 -05:00
			`describe 'POST /auth/spy', ->`
			`beforeEach utils.wrap (done) ->`
			`yield utils.clearModels([User])`
			`@admin = yield utils.initAdmin()`
			`@user1 = yield utils.initUser({name: 'Test User 1'})`
			`@user2 = yield utils.initUser({name: 'Test User 2'})`
			`done()`

			`it 'logs in an admin as an arbitrary user', utils.wrap (done) ->`
			`yield utils.loginUser(@admin)`
			`[res, body] = yield request.postAsync {uri: getURL('/auth/spy'), json: {user: @user1.id}}`
			`expect(res.statusCode).toBe(200)`
			`expect(body._id).toBe(@user1.id)`
			`[res, body] = yield request.getAsync {uri: getURL('/auth/whoami'), json: true}`
			`expect(body._id).toBe(@user1.id)`
			`done()`

			`it 'accepts the user\'s email as input', utils.wrap (done) ->`
			`yield utils.loginUser(@admin)`
			`[res, body] = yield request.postAsync {uri: getURL('/auth/spy'), json: {user: @user1.get('email')}}`
			`expect(res.statusCode).toBe(200)`
			`expect(body._id).toBe(@user1.id)`
			`done()`

			`it 'accepts the user\'s username as input', utils.wrap (done) ->`
			`yield utils.loginUser(@admin)`
			`[res, body] = yield request.postAsync {uri: getURL('/auth/spy'), json: {user: @user1.get('name')}}`
			`expect(res.statusCode).toBe(200)`
			`expect(body._id).toBe(@user1.id)`
			`done()`

			`it 'does not work for anonymous users', utils.wrap (done) ->`
			`[res, body] = yield request.postAsync {uri: getURL('/auth/spy'), json: {user: @user1.get('name')}}`
			`expect(res.statusCode).toBe(401)`
			`done()`

			`it 'does not work for non-admins', utils.wrap (done) ->`
			`yield utils.loginUser(@user1)`
			`[res, body] = yield request.postAsync {uri: getURL('/auth/spy'), json: {user: @user1.get('name')}}`
			`expect(res.statusCode).toBe(403)`
			`done()`

Remove a test focus 2016-03-04 13:50:56 -05:00			`describe 'POST /auth/stop-spying', ->`
Add return-to-admin (turn off espionage mode) 2016-03-03 17:22:50 -05:00			`beforeEach utils.wrap (done) ->`
			`yield utils.clearModels([User])`
			`@admin = yield utils.initAdmin()`
			`@user = yield utils.initUser()`
			`yield utils.loginUser(@admin)`
			`[res, body] = yield request.postAsync {uri: getURL('/auth/spy'), json: {user: @user.id}}`
			`expect(res.statusCode).toBe(200)`
			`done()`

			`it 'it reverts the spying user back to the admin', utils.wrap (done) ->`
			`[res, body] = yield request.getAsync {uri: getURL('/auth/whoami'), json: true}`
			`expect(body._id).toBe(@user.id)`
			`[res, body] = yield request.postAsync {uri: getURL('/auth/stop-spying'), json: true}`
			`expect(res.statusCode).toBe(200)`
			`expect(body._id).toBe(@admin.id)`
			`[res, body] = yield request.getAsync {uri: getURL('/auth/whoami'), json: true}`
			`expect(body._id).toBe(@admin.id)`
Implement all of teacher-dashboard 2016-03-30 16:57:19 -04:00			`done()`