2014-02-03 15:55:09 -05:00
|
|
|
require '../common'
|
2016-03-03 17:22:50 -05:00
|
|
|
utils = require '../utils'
|
|
|
|
_ = require 'lodash'
|
|
|
|
Promise = require 'bluebird'
|
2016-02-25 18:24:16 -05:00
|
|
|
nock = require 'nock'
|
2014-02-02 18:02:47 -05:00
|
|
|
|
|
|
|
urlLogin = getURL('/auth/login')
|
|
|
|
urlReset = getURL('/auth/reset')
|
2014-01-03 13:32:13 -05:00
|
|
|
|
|
|
|
describe '/auth/whoami', ->
|
|
|
|
it 'returns 200', (done) ->
|
2014-06-11 16:21:11 -04:00
|
|
|
request.get(getURL('/auth/whoami'), (err, response) ->
|
2014-01-03 13:32:13 -05:00
|
|
|
expect(response).toBeDefined()
|
|
|
|
expect(response.statusCode).toBe(200)
|
|
|
|
done()
|
|
|
|
)
|
|
|
|
|
|
|
|
describe '/auth/login', ->
|
|
|
|
|
2014-11-20 18:54:15 -05:00
|
|
|
it 'clears Users', (done) ->
|
|
|
|
clearModels [User], (err) ->
|
|
|
|
throw err if err
|
|
|
|
request.get getURL('/auth/whoami'), ->
|
|
|
|
throw err if err
|
|
|
|
done()
|
|
|
|
|
2014-11-20 20:03:24 -05:00
|
|
|
it 'allows logging in by iosIdentifierForVendor', (done) ->
|
2014-11-20 18:54:15 -05:00
|
|
|
req = request.post(getURL('/db/user'),
|
|
|
|
(error, response) ->
|
|
|
|
expect(response).toBeDefined()
|
|
|
|
expect(response.statusCode).toBe(200)
|
|
|
|
req = request.post(urlLogin, (error, response) ->
|
|
|
|
expect(response.statusCode).toBe(200)
|
|
|
|
done()
|
|
|
|
)
|
|
|
|
form = req.form()
|
2014-11-20 20:03:24 -05:00
|
|
|
form.append('username', '012345678901234567890123456789012345')
|
2014-11-20 18:54:15 -05:00
|
|
|
form.append('password', '12345')
|
|
|
|
)
|
|
|
|
form = req.form()
|
2014-11-20 20:03:24 -05:00
|
|
|
form.append('iosIdentifierForVendor', '012345678901234567890123456789012345')
|
2014-11-20 18:54:15 -05:00
|
|
|
form.append('password', '12345')
|
|
|
|
|
|
|
|
it 'clears Users', (done) ->
|
2014-04-23 12:19:07 -04:00
|
|
|
clearModels [User], (err) ->
|
|
|
|
throw err if err
|
2014-02-24 23:27:38 -05:00
|
|
|
request.get getURL('/auth/whoami'), ->
|
|
|
|
throw err if err
|
|
|
|
done()
|
2014-01-03 13:32:13 -05:00
|
|
|
|
|
|
|
it 'finds no user', (done) ->
|
2014-02-02 18:02:47 -05:00
|
|
|
req = request.post(urlLogin, (error, response) ->
|
2014-01-03 13:32:13 -05:00
|
|
|
expect(response).toBeDefined()
|
|
|
|
expect(response.statusCode).toBe(401)
|
|
|
|
done()
|
|
|
|
)
|
|
|
|
form = req.form()
|
|
|
|
form.append('username', 'scott@gmail.com')
|
|
|
|
form.append('password', 'nada')
|
|
|
|
|
|
|
|
it 'creates a user', (done) ->
|
|
|
|
req = request.post(getURL('/db/user'),
|
|
|
|
(error, response) ->
|
|
|
|
expect(response).toBeDefined()
|
|
|
|
expect(response.statusCode).toBe(200)
|
|
|
|
done()
|
|
|
|
)
|
|
|
|
form = req.form()
|
|
|
|
form.append('email', 'scott@gmail.com')
|
|
|
|
form.append('password', 'nada')
|
|
|
|
|
|
|
|
it 'finds that created user', (done) ->
|
2014-02-02 18:02:47 -05:00
|
|
|
req = request.post(urlLogin, (error, response) ->
|
2014-01-03 13:32:13 -05:00
|
|
|
expect(response).toBeDefined()
|
|
|
|
expect(response.statusCode).toBe(200)
|
|
|
|
done()
|
|
|
|
)
|
|
|
|
form = req.form()
|
|
|
|
form.append('username', 'scott@gmail.com')
|
|
|
|
form.append('password', 'nada')
|
|
|
|
|
|
|
|
it 'rejects wrong passwords', (done) ->
|
2014-02-02 18:02:47 -05:00
|
|
|
req = request.post(urlLogin, (error, response) ->
|
2014-01-03 13:32:13 -05:00
|
|
|
expect(response.statusCode).toBe(401)
|
2014-06-30 22:16:26 -04:00
|
|
|
expect(response.body.indexOf('wrong')).toBeGreaterThan(-1)
|
2014-01-03 13:32:13 -05:00
|
|
|
done()
|
|
|
|
)
|
|
|
|
form = req.form()
|
|
|
|
form.append('username', 'scott@gmail.com')
|
|
|
|
form.append('password', 'blahblah')
|
|
|
|
|
|
|
|
it 'is completely case insensitive', (done) ->
|
2014-02-02 18:02:47 -05:00
|
|
|
req = request.post(urlLogin, (error, response) ->
|
2014-01-03 13:32:13 -05:00
|
|
|
expect(response.statusCode).toBe(200)
|
|
|
|
done()
|
|
|
|
)
|
|
|
|
form = req.form()
|
|
|
|
form.append('username', 'scoTT@gmaIL.com')
|
2014-02-02 18:02:47 -05:00
|
|
|
form.append('password', 'NaDa')
|
|
|
|
|
|
|
|
describe '/auth/reset', ->
|
|
|
|
passwordReset = ''
|
|
|
|
|
|
|
|
it 'emails require', (done) ->
|
|
|
|
req = request.post(urlReset, (error, response) ->
|
|
|
|
expect(response).toBeDefined()
|
|
|
|
expect(response.statusCode).toBe(422)
|
|
|
|
done()
|
|
|
|
)
|
|
|
|
form = req.form()
|
|
|
|
form.append('username', 'scott@gmail.com')
|
|
|
|
|
2014-11-20 18:54:15 -05:00
|
|
|
it 'can\'t reset an unknown user', (done) ->
|
2014-02-02 18:02:47 -05:00
|
|
|
req = request.post(urlReset, (error, response) ->
|
|
|
|
expect(response).toBeDefined()
|
|
|
|
expect(response.statusCode).toBe(404)
|
|
|
|
done()
|
|
|
|
)
|
|
|
|
form = req.form()
|
|
|
|
form.append('email', 'unknow')
|
|
|
|
|
2014-02-24 23:27:38 -05:00
|
|
|
it 'resets user password', (done) ->
|
2014-02-02 18:02:47 -05:00
|
|
|
req = request.post(urlReset, (error, response) ->
|
|
|
|
expect(response).toBeDefined()
|
|
|
|
expect(response.statusCode).toBe(200)
|
|
|
|
expect(response.body).toBeDefined()
|
|
|
|
passwordReset = response.body
|
|
|
|
done()
|
|
|
|
)
|
|
|
|
form = req.form()
|
|
|
|
form.append('email', 'scott@gmail.com')
|
|
|
|
|
|
|
|
it 'can login after resetting', (done) ->
|
|
|
|
req = request.post(urlLogin, (error, response) ->
|
|
|
|
expect(response).toBeDefined()
|
|
|
|
expect(response.statusCode).toBe(200)
|
|
|
|
done()
|
|
|
|
)
|
|
|
|
form = req.form()
|
|
|
|
form.append('username', 'scott@gmail.com')
|
|
|
|
form.append('password', passwordReset)
|
|
|
|
|
|
|
|
it 'resetting password is not permanent', (done) ->
|
|
|
|
req = request.post(urlLogin, (error, response) ->
|
|
|
|
expect(response).toBeDefined()
|
|
|
|
expect(response.statusCode).toBe(401)
|
|
|
|
done()
|
|
|
|
)
|
|
|
|
form = req.form()
|
|
|
|
form.append('username', 'scott@gmail.com')
|
|
|
|
form.append('password', passwordReset)
|
|
|
|
|
|
|
|
|
|
|
|
it 'can still login with old password', (done) ->
|
|
|
|
req = request.post(urlLogin, (error, response) ->
|
|
|
|
expect(response).toBeDefined()
|
|
|
|
expect(response.statusCode).toBe(200)
|
|
|
|
done()
|
|
|
|
)
|
|
|
|
form = req.form()
|
|
|
|
form.append('username', 'scott@gmail.com')
|
|
|
|
form.append('password', 'nada')
|
2014-04-22 22:27:39 -04:00
|
|
|
|
|
|
|
describe '/auth/unsubscribe', ->
|
2014-04-23 12:19:07 -04:00
|
|
|
it 'clears Users first', (done) ->
|
|
|
|
clearModels [User], (err) ->
|
|
|
|
throw err if err
|
|
|
|
request.get getURL('/auth/whoami'), ->
|
|
|
|
throw err if err
|
|
|
|
done()
|
2014-06-30 22:16:26 -04:00
|
|
|
|
2014-04-22 22:27:39 -04:00
|
|
|
it 'removes just recruitment emails if you include ?recruitNotes=1', (done) ->
|
|
|
|
loginJoe (joe) ->
|
|
|
|
url = getURL('/auth/unsubscribe?recruitNotes=1&email='+joe.get('email'))
|
|
|
|
request.get url, (error, response) ->
|
|
|
|
expect(response.statusCode).toBe(200)
|
|
|
|
user = User.findOne(joe.get('_id')).exec (err, user) ->
|
|
|
|
expect(user.get('emails').recruitNotes.enabled).toBe(false)
|
2014-04-23 12:53:46 -04:00
|
|
|
expect(user.isEmailSubscriptionEnabled('generalNews')).toBeTruthy()
|
2014-04-22 22:27:39 -04:00
|
|
|
done()
|
2014-07-10 14:50:16 -04:00
|
|
|
|
|
|
|
describe '/auth/name', ->
|
|
|
|
url = '/auth/name'
|
|
|
|
|
|
|
|
it 'must provide a name to check with', (done) ->
|
|
|
|
request.get {url: getURL(url + '/'), json: {}}, (err, response) ->
|
|
|
|
expect(err).toBeNull()
|
|
|
|
expect(response.statusCode).toBe 422
|
|
|
|
done()
|
|
|
|
|
|
|
|
it 'can GET a non-conflicting name', (done) ->
|
|
|
|
request.get {url: getURL(url + '/Gandalf'), json: {}}, (err, response) ->
|
|
|
|
expect(err).toBeNull()
|
|
|
|
expect(response.statusCode).toBe 200
|
|
|
|
expect(response.body.name).toBe 'Gandalf'
|
|
|
|
done()
|
|
|
|
|
|
|
|
it 'can GET a new name in case of conflict', (done) ->
|
|
|
|
request.get {url: getURL(url + '/joe'), json: {}}, (err, response) ->
|
|
|
|
expect(err).toBeNull()
|
|
|
|
expect(response.statusCode).toBe 409
|
|
|
|
expect(response.body.name).not.toBe 'joe'
|
|
|
|
expect(response.body.name.length).toBe 4 # 'joe' and a random number
|
|
|
|
done()
|
2016-02-25 18:24:16 -05:00
|
|
|
|
2016-03-03 17:22:50 -05:00
|
|
|
|
2016-02-25 18:24:16 -05:00
|
|
|
describe 'POST /auth/login-facebook', ->
|
|
|
|
beforeEach utils.wrap (done) ->
|
|
|
|
yield utils.clearModels([User])
|
|
|
|
done()
|
|
|
|
|
|
|
|
afterEach ->
|
|
|
|
nock.cleanAll()
|
|
|
|
|
|
|
|
url = getURL('/auth/login-facebook')
|
|
|
|
it 'takes facebookID and facebookAccessToken and logs the user in', utils.wrap (done) ->
|
|
|
|
nock('https://graph.facebook.com').get('/me').query({access_token: 'abcd'}).reply(200, { id: '1234' })
|
|
|
|
yield new User({name: 'someone', facebookID: '1234'}).save()
|
|
|
|
[res, body] = yield request.postAsync url, { json: { facebookID: '1234', facebookAccessToken: 'abcd' }}
|
|
|
|
expect(res.statusCode).toBe(200)
|
|
|
|
done()
|
|
|
|
|
|
|
|
it 'returns 422 if no token or id is provided', utils.wrap (done) ->
|
|
|
|
[res, body] = yield request.postAsync url
|
|
|
|
expect(res.statusCode).toBe(422)
|
|
|
|
done()
|
|
|
|
|
|
|
|
it 'returns 422 if the token is invalid', utils.wrap (done) ->
|
|
|
|
nock('https://graph.facebook.com').get('/me').query({access_token: 'abcd'}).reply(400, {})
|
|
|
|
yield new User({name: 'someone', facebookID: '1234'}).save()
|
|
|
|
[res, body] = yield request.postAsync url, { json: { facebookID: '1234', facebookAccessToken: 'abcd' }}
|
|
|
|
expect(res.statusCode).toBe(422)
|
|
|
|
done()
|
|
|
|
|
|
|
|
it 'returns 404 if the user does not already exist', utils.wrap (done) ->
|
|
|
|
nock('https://graph.facebook.com').get('/me').query({access_token: 'abcd'}).reply(200, { id: '1234' })
|
|
|
|
[res, body] = yield request.postAsync url, { json: { facebookID: '1234', facebookAccessToken: 'abcd' }}
|
|
|
|
expect(res.statusCode).toBe(404)
|
|
|
|
done()
|
|
|
|
|
|
|
|
|
|
|
|
describe 'POST /auth/login-gplus', ->
|
|
|
|
beforeEach utils.wrap (done) ->
|
|
|
|
yield utils.clearModels([User])
|
|
|
|
done()
|
|
|
|
|
|
|
|
afterEach ->
|
|
|
|
nock.cleanAll()
|
|
|
|
|
|
|
|
url = getURL('/auth/login-gplus')
|
|
|
|
it 'takes gplusID and gplusAccessToken and logs the user in', utils.wrap (done) ->
|
|
|
|
nock('https://www.googleapis.com').get('/oauth2/v2/userinfo').query({access_token: 'abcd'}).reply(200, { id: '1234' })
|
|
|
|
yield new User({name: 'someone', gplusID: '1234'}).save()
|
|
|
|
[res, body] = yield request.postAsync url, { json: { gplusID: '1234', gplusAccessToken: 'abcd' }}
|
|
|
|
expect(res.statusCode).toBe(200)
|
|
|
|
done()
|
|
|
|
|
|
|
|
it 'returns 422 if no token or id is provided', utils.wrap (done) ->
|
|
|
|
[res, body] = yield request.postAsync url
|
|
|
|
expect(res.statusCode).toBe(422)
|
|
|
|
done()
|
|
|
|
|
|
|
|
it 'returns 422 if the token is invalid', utils.wrap (done) ->
|
|
|
|
nock('https://www.googleapis.com').get('/oauth2/v2/userinfo').query({access_token: 'abcd'}).reply(400, {})
|
|
|
|
yield new User({name: 'someone', gplusID: '1234'}).save()
|
|
|
|
[res, body] = yield request.postAsync url, { json: { gplusID: '1234', gplusAccessToken: 'abcd' }}
|
|
|
|
expect(res.statusCode).toBe(422)
|
|
|
|
done()
|
|
|
|
|
|
|
|
it 'returns 404 if the user does not already exist', utils.wrap (done) ->
|
|
|
|
nock('https://www.googleapis.com').get('/oauth2/v2/userinfo').query({access_token: 'abcd'}).reply(200, { id: '1234' })
|
|
|
|
[res, body] = yield request.postAsync url, { json: { gplusID: '1234', gplusAccessToken: 'abcd' }}
|
|
|
|
expect(res.statusCode).toBe(404)
|
|
|
|
done()
|
|
|
|
|
2016-03-03 17:22:50 -05:00
|
|
|
|
|
|
|
describe 'POST /auth/spy', ->
|
|
|
|
beforeEach utils.wrap (done) ->
|
|
|
|
yield utils.clearModels([User])
|
|
|
|
@admin = yield utils.initAdmin()
|
|
|
|
@user1 = yield utils.initUser({name: 'Test User 1'})
|
|
|
|
@user2 = yield utils.initUser({name: 'Test User 2'})
|
|
|
|
done()
|
|
|
|
|
|
|
|
it 'logs in an admin as an arbitrary user', utils.wrap (done) ->
|
|
|
|
yield utils.loginUser(@admin)
|
|
|
|
[res, body] = yield request.postAsync {uri: getURL('/auth/spy'), json: {user: @user1.id}}
|
|
|
|
expect(res.statusCode).toBe(200)
|
|
|
|
expect(body._id).toBe(@user1.id)
|
|
|
|
[res, body] = yield request.getAsync {uri: getURL('/auth/whoami'), json: true}
|
|
|
|
expect(body._id).toBe(@user1.id)
|
|
|
|
done()
|
|
|
|
|
|
|
|
it 'accepts the user\'s email as input', utils.wrap (done) ->
|
|
|
|
yield utils.loginUser(@admin)
|
|
|
|
[res, body] = yield request.postAsync {uri: getURL('/auth/spy'), json: {user: @user1.get('email')}}
|
|
|
|
expect(res.statusCode).toBe(200)
|
|
|
|
expect(body._id).toBe(@user1.id)
|
|
|
|
done()
|
|
|
|
|
|
|
|
it 'accepts the user\'s username as input', utils.wrap (done) ->
|
|
|
|
yield utils.loginUser(@admin)
|
|
|
|
[res, body] = yield request.postAsync {uri: getURL('/auth/spy'), json: {user: @user1.get('name')}}
|
|
|
|
expect(res.statusCode).toBe(200)
|
|
|
|
expect(body._id).toBe(@user1.id)
|
|
|
|
done()
|
|
|
|
|
|
|
|
it 'does not work for anonymous users', utils.wrap (done) ->
|
|
|
|
[res, body] = yield request.postAsync {uri: getURL('/auth/spy'), json: {user: @user1.get('name')}}
|
|
|
|
expect(res.statusCode).toBe(401)
|
|
|
|
done()
|
|
|
|
|
|
|
|
it 'does not work for non-admins', utils.wrap (done) ->
|
|
|
|
yield utils.loginUser(@user1)
|
|
|
|
[res, body] = yield request.postAsync {uri: getURL('/auth/spy'), json: {user: @user1.get('name')}}
|
|
|
|
expect(res.statusCode).toBe(403)
|
|
|
|
done()
|
|
|
|
|
2016-03-04 13:50:56 -05:00
|
|
|
describe 'POST /auth/stop-spying', ->
|
2016-03-03 17:22:50 -05:00
|
|
|
beforeEach utils.wrap (done) ->
|
|
|
|
yield utils.clearModels([User])
|
|
|
|
@admin = yield utils.initAdmin()
|
|
|
|
@user = yield utils.initUser()
|
|
|
|
yield utils.loginUser(@admin)
|
|
|
|
[res, body] = yield request.postAsync {uri: getURL('/auth/spy'), json: {user: @user.id}}
|
|
|
|
expect(res.statusCode).toBe(200)
|
|
|
|
done()
|
|
|
|
|
|
|
|
it 'it reverts the spying user back to the admin', utils.wrap (done) ->
|
|
|
|
[res, body] = yield request.getAsync {uri: getURL('/auth/whoami'), json: true}
|
|
|
|
expect(body._id).toBe(@user.id)
|
|
|
|
[res, body] = yield request.postAsync {uri: getURL('/auth/stop-spying'), json: true}
|
|
|
|
expect(res.statusCode).toBe(200)
|
|
|
|
expect(body._id).toBe(@admin.id)
|
|
|
|
[res, body] = yield request.getAsync {uri: getURL('/auth/whoami'), json: true}
|
|
|
|
expect(body._id).toBe(@admin.id)
|
|
|
|
done()
|