freeCodeCamp/api-server/server/middlewares/request-authorization.test.js

/* global describe it expect */
import sinon from 'sinon';
import { mockReq, mockRes } from 'sinon-express-mock';
import jwt from 'jsonwebtoken';

import createRequestAuthorization, {
  isAllowedPath
} from './request-authorization';

const validJWTSecret = 'this is a super secret string';
const invalidJWTSecret = 'This is not correct secret';
const now = new Date(Date.now());
const theBeginningOfTime = new Date(0);
const accessToken = {
  id: '123abc',
  userId: '456def',
  ttl: 60000,
  created: now
};
const users = {
  '456def': {
    username: 'camperbot',
    progressTimestamps: [1, 2, 3, 4]
  }
};
const mockGetUserById = id =>
  id in users ? Promise.resolve(users[id]) : Promise.reject('No user found');

describe('request-authorization', () => {
  describe('isAllowedPath', () => {
    const authRE = /^\/auth\//;
    const confirmEmailRE = /^\/confirm-email$/;
    const newsShortLinksRE = /^\/n\/|^\/p\//;
    const publicUserRE = /^\/api\/users\/get-public-profile$/;
    const publicUsernameRE = /^\/api\/users\/exists$/;
    const resubscribeRE = /^\/resubscribe\//;
    const showCertRE = /^\/certificate\/showCert\//;
    // note: signin may not have a trailing slash
    const signinRE = /^\/signin/;
    const statusRE = /^\/status\/ping$/;
    const unsubscribedRE = /^\/unsubscribed\//;
    const unsubscribeRE = /^\/u\/|^\/unsubscribe\/|^\/ue\//;
    const updateHooksRE = /^\/hooks\/update-paypal$|^\/hooks\/update-stripe$/;

    const allowedPathsList = [
      authRE,
      confirmEmailRE,
      newsShortLinksRE,
      publicUserRE,
      publicUsernameRE,
      resubscribeRE,
      showCertRE,
      signinRE,
      statusRE,
      unsubscribedRE,
      unsubscribeRE,
      updateHooksRE
    ];

    it('returns a boolean', () => {
      const result = isAllowedPath();
      expect(typeof result).toBe('boolean');
    });

    it('returns true for a white listed path', () => {
      const resultA = isAllowedPath(
        '/auth/auth0/callback?code=yF_mGjswLsef-_RLo',
        allowedPathsList
      );
      const resultB = isAllowedPath(
        '/ue/WmjInLerysPrcon6fMb/',
        allowedPathsList
      );
      const resultC = isAllowedPath('/hooks/update-paypal', allowedPathsList);
      const resultD = isAllowedPath('/hooks/update-stripe', allowedPathsList);
      expect(resultA).toBe(true);
      expect(resultB).toBe(true);
      expect(resultC).toBe(true);
      expect(resultD).toBe(true);
    });

    it('returns false for a non-white-listed path', () => {
      const resultA = isAllowedPath('/hax0r-42/no-go', allowedPathsList);
      const resultB = isAllowedPath(
        '/update-current-challenge',
        allowedPathsList
      );
      expect(resultA).toBe(false);
      expect(resultB).toBe(false);
    });
  });

  describe('createRequestAuthorization', () => {
    const requestAuthorization = createRequestAuthorization({
      jwtSecret: validJWTSecret,
      getUserById: mockGetUserById
    });

    it('is a function', () => {
      expect(typeof requestAuthorization).toEqual('function');
    });

    describe('cookies', () => {
      it('throws when no access token is present', () => {
        expect.assertions(2);
        const req = mockReq({ path: '/some-path/that-needs/auth' });
        const res = mockRes();
        const next = sinon.spy();
        expect(() => requestAuthorization(req, res, next)).toThrowError(
          'Access token is required for this request'
        );
        expect(next.called).toBe(false);
      });

      it('throws when the access token is invalid', () => {
        expect.assertions(2);
        const invalidJWT = jwt.sign({ accessToken }, invalidJWTSecret);
        const req = mockReq({
          path: '/some-path/that-needs/auth',
          // eslint-disable-next-line camelcase
          cookie: { jwt_access_token: invalidJWT }
        });
        const res = mockRes();
        const next = sinon.spy();

        expect(() => requestAuthorization(req, res, next)).toThrowError(
          'Access token is invalid'
        );
        expect(next.called).toBe(false);
      });

      it('throws when the access token has expired', () => {
        expect.assertions(2);
        const invalidJWT = jwt.sign(
          { accessToken: { ...accessToken, created: theBeginningOfTime } },
          validJWTSecret
        );
        const req = mockReq({
          path: '/some-path/that-needs/auth',
          // eslint-disable-next-line camelcase
          cookie: { jwt_access_token: invalidJWT }
        });
        const res = mockRes();
        const next = sinon.spy();

        expect(() => requestAuthorization(req, res, next)).toThrowError(
          'Access token is no longer valid'
        );
        expect(next.called).toBe(false);
      });

      it('adds the user to the request object', async done => {
        expect.assertions(3);
        const validJWT = jwt.sign({ accessToken }, validJWTSecret);
        const req = mockReq({
          path: '/some-path/that-needs/auth',
          // eslint-disable-next-line camelcase
          cookie: { jwt_access_token: validJWT }
        });
        const res = mockRes();
        const next = sinon.spy();
        await requestAuthorization(req, res, next);
        expect(next.called).toBe(true);
        expect(req).toHaveProperty('user');
        expect(req.user).toEqual(users['456def']);
        return done();
      });

      it('adds the jwt to the headers', async done => {
        const validJWT = jwt.sign({ accessToken }, validJWTSecret);
        const req = mockReq({
          path: '/some-path/that-needs/auth',
          // eslint-disable-next-line camelcase
          cookie: { jwt_access_token: validJWT }
        });
        const res = mockRes();
        const next = sinon.spy();
        await requestAuthorization(req, res, next);
        expect(res.set.calledWith('X-fcc-access-token', validJWT)).toBe(true);
        return done();
      });

      it('calls next if request does not require authorization', async () => {
        // currently /unsubscribe does not require authorization
        const req = mockReq({ path: '/unsubscribe/another/route' });
        const res = mockRes();
        const next = sinon.spy();
        await requestAuthorization(req, res, next);
        expect(next.called).toBe(true);
      });
    });

    describe('Auth header', () => {
      it('throws when no access token is present', () => {
        expect.assertions(2);
        const req = mockReq({ path: '/some-path/that-needs/auth' });
        const res = mockRes();
        const next = sinon.spy();
        expect(() => requestAuthorization(req, res, next)).toThrowError(
          'Access token is required for this request'
        );
        expect(next.called).toBe(false);
      });

      it('throws when the access token is invalid', () => {
        expect.assertions(2);
        const invalidJWT = jwt.sign({ accessToken }, invalidJWTSecret);
        const req = mockReq({
          path: '/some-path/that-needs/auth',
          headers: { 'X-fcc-access-token': invalidJWT }
        });
        const res = mockRes();
        const next = sinon.spy();

        expect(() => requestAuthorization(req, res, next)).toThrowError(
          'Access token is invalid'
        );
        expect(next.called).toBe(false);
      });

      it('throws when the access token has expired', () => {
        expect.assertions(2);
        const invalidJWT = jwt.sign(
          { accessToken: { ...accessToken, created: theBeginningOfTime } },
          validJWTSecret
        );
        const req = mockReq({
          path: '/some-path/that-needs/auth',
          headers: { 'X-fcc-access-token': invalidJWT }
        });
        const res = mockRes();
        const next = sinon.spy();

        expect(() => requestAuthorization(req, res, next)).toThrowError(
          'Access token is no longer valid'
        );
        expect(next.called).toBe(false);
      });

      it('adds the user to the request object', async done => {
        expect.assertions(3);
        const validJWT = jwt.sign({ accessToken }, validJWTSecret);
        const req = mockReq({
          path: '/some-path/that-needs/auth',
          headers: { 'X-fcc-access-token': validJWT }
        });
        const res = mockRes();
        const next = sinon.spy();
        await requestAuthorization(req, res, next);
        expect(next.called).toBe(true);
        expect(req).toHaveProperty('user');
        expect(req.user).toEqual(users['456def']);
        return done();
      });

      it('adds the jwt to the headers', async done => {
        const validJWT = jwt.sign({ accessToken }, validJWTSecret);
        const req = mockReq({
          path: '/some-path/that-needs/auth',
          // eslint-disable-next-line camelcase
          cookie: { jwt_access_token: validJWT }
        });
        const res = mockRes();
        const next = sinon.spy();
        await requestAuthorization(req, res, next);
        expect(res.set.calledWith('X-fcc-access-token', validJWT)).toBe(true);
        return done();
      });

      it('calls next if request does not require authorization', async () => {
        // currently /unsubscribe does not require authorization
        const req = mockReq({ path: '/unsubscribe/another/route' });
        const res = mockRes();
        const next = sinon.spy();
        await requestAuthorization(req, res, next);
        expect(next.called).toBe(true);
      });
    });
  });
});
chore: Add tests for jwt authorization 2019-02-20 18:18:50 +00:00			`/* global describe it expect */`
			`import sinon from 'sinon';`
			`import { mockReq, mockRes } from 'sinon-express-mock';`
			`import jwt from 'jsonwebtoken';`

			`import createRequestAuthorization, {`
fix: negative sentiment → neutral language (#39522) The existing terminology carries negative sentiment that can be interpreted in a racial or sense. Updating the name to have no potential for such a connection. Co-authored-by: Justin Rogers <justrog@gmail.com> 2020-09-07 11:04:44 +05:30			`isAllowedPath`
chore: Add tests for jwt authorization 2019-02-20 18:18:50 +00:00			`} from './request-authorization';`

			`const validJWTSecret = 'this is a super secret string';`
			`const invalidJWTSecret = 'This is not correct secret';`
			`const now = new Date(Date.now());`
			`const theBeginningOfTime = new Date(0);`
			`const accessToken = {`
			`id: '123abc',`
			`userId: '456def',`
			`ttl: 60000,`
			`created: now`
			`};`
			`const users = {`
			`'456def': {`
			`username: 'camperbot',`
			`progressTimestamps: [1, 2, 3, 4]`
			`}`
			`};`
			`const mockGetUserById = id =>`
			`id in users ? Promise.resolve(users[id]) : Promise.reject('No user found');`

			`describe('request-authorization', () => {`
fix: negative sentiment → neutral language (#39522) The existing terminology carries negative sentiment that can be interpreted in a racial or sense. Updating the name to have no potential for such a connection. Co-authored-by: Justin Rogers <justrog@gmail.com> 2020-09-07 11:04:44 +05:30			`describe('isAllowedPath', () => {`
fix(api): add /auth paths to whitelist (#38383) 2020-03-18 17:49:42 +05:30			`const authRE = /^\/auth\//;`
fix(api): update routes for authorization bypass (#38387) 2020-03-18 22:35:42 +05:30			`const confirmEmailRE = /^\/confirm-email$/;`
fix(api): add /auth paths to whitelist (#38383) 2020-03-18 17:49:42 +05:30			`const newsShortLinksRE = /^\/n\/\|^\/p\//;`
fix(api): update routes for authorization bypass (#38387) 2020-03-18 22:35:42 +05:30			`const publicUserRE = /^\/api\/users\/get-public-profile$/;`
			`const publicUsernameRE = /^\/api\/users\/exists$/;`
fix(api): add /auth paths to whitelist (#38383) 2020-03-18 17:49:42 +05:30			`const resubscribeRE = /^\/resubscribe\//;`
			`const showCertRE = /^\/certificate\/showCert\//;`
			`// note: signin may not have a trailing slash`
			`const signinRE = /^\/signin/;`
fix(api): update routes for authorization bypass (#38387) 2020-03-18 22:35:42 +05:30			`const statusRE = /^\/status\/ping$/;`
fix(api): add /auth paths to whitelist (#38383) 2020-03-18 17:49:42 +05:30			`const unsubscribedRE = /^\/unsubscribed\//;`
			`const unsubscribeRE = /^\/u\/\|^\/unsubscribe\/\|^\/ue\//;`
feat(api): add and update webhooks routing 2020-03-19 12:20:04 +05:30			`const updateHooksRE = /^\/hooks\/update-paypal$\|^\/hooks\/update-stripe$/;`
fix(api): add /auth paths to whitelist (#38383) 2020-03-18 17:49:42 +05:30
fix: negative sentiment → neutral language (#39522) The existing terminology carries negative sentiment that can be interpreted in a racial or sense. Updating the name to have no potential for such a connection. Co-authored-by: Justin Rogers <justrog@gmail.com> 2020-09-07 11:04:44 +05:30			`const allowedPathsList = [`
fix(api): add /auth paths to whitelist (#38383) 2020-03-18 17:49:42 +05:30			`authRE,`
fix(api): update routes for authorization bypass (#38387) 2020-03-18 22:35:42 +05:30			`confirmEmailRE,`
fix(api): add /auth paths to whitelist (#38383) 2020-03-18 17:49:42 +05:30			`newsShortLinksRE,`
fix(api): update routes for authorization bypass (#38387) 2020-03-18 22:35:42 +05:30			`publicUserRE,`
			`publicUsernameRE,`
fix(api): add /auth paths to whitelist (#38383) 2020-03-18 17:49:42 +05:30			`resubscribeRE,`
			`showCertRE,`
			`signinRE,`
fix(api): update routes for authorization bypass (#38387) 2020-03-18 22:35:42 +05:30			`statusRE,`
fix(api): add /auth paths to whitelist (#38383) 2020-03-18 17:49:42 +05:30			`unsubscribedRE,`
			`unsubscribeRE,`
feat(api): add and update webhooks routing 2020-03-19 12:20:04 +05:30			`updateHooksRE`
fix(api): add /auth paths to whitelist (#38383) 2020-03-18 17:49:42 +05:30			`];`
chore: Add tests for jwt authorization 2019-02-20 18:18:50 +00:00
			`it('returns a boolean', () => {`
fix: negative sentiment → neutral language (#39522) The existing terminology carries negative sentiment that can be interpreted in a racial or sense. Updating the name to have no potential for such a connection. Co-authored-by: Justin Rogers <justrog@gmail.com> 2020-09-07 11:04:44 +05:30			`const result = isAllowedPath();`
chore: Add tests for jwt authorization 2019-02-20 18:18:50 +00:00			`expect(typeof result).toBe('boolean');`
			`});`

			`it('returns true for a white listed path', () => {`
fix: negative sentiment → neutral language (#39522) The existing terminology carries negative sentiment that can be interpreted in a racial or sense. Updating the name to have no potential for such a connection. Co-authored-by: Justin Rogers <justrog@gmail.com> 2020-09-07 11:04:44 +05:30			`const resultA = isAllowedPath(`
fix(api): add /auth paths to whitelist (#38383) 2020-03-18 17:49:42 +05:30			`'/auth/auth0/callback?code=yF_mGjswLsef-_RLo',`
fix: negative sentiment → neutral language (#39522) The existing terminology carries negative sentiment that can be interpreted in a racial or sense. Updating the name to have no potential for such a connection. Co-authored-by: Justin Rogers <justrog@gmail.com> 2020-09-07 11:04:44 +05:30			`allowedPathsList`
fix(api): add /auth paths to whitelist (#38383) 2020-03-18 17:49:42 +05:30			`);`
fix: negative sentiment → neutral language (#39522) The existing terminology carries negative sentiment that can be interpreted in a racial or sense. Updating the name to have no potential for such a connection. Co-authored-by: Justin Rogers <justrog@gmail.com> 2020-09-07 11:04:44 +05:30			`const resultB = isAllowedPath(`
			`'/ue/WmjInLerysPrcon6fMb/',`
			`allowedPathsList`
			`);`
			`const resultC = isAllowedPath('/hooks/update-paypal', allowedPathsList);`
			`const resultD = isAllowedPath('/hooks/update-stripe', allowedPathsList);`
chore: Add tests for jwt authorization 2019-02-20 18:18:50 +00:00			`expect(resultA).toBe(true);`
			`expect(resultB).toBe(true);`
feat(api): add and update webhooks routing 2020-03-19 12:20:04 +05:30			`expect(resultC).toBe(true);`
			`expect(resultD).toBe(true);`
chore: Add tests for jwt authorization 2019-02-20 18:18:50 +00:00			`});`

			`it('returns false for a non-white-listed path', () => {`
fix: negative sentiment → neutral language (#39522) The existing terminology carries negative sentiment that can be interpreted in a racial or sense. Updating the name to have no potential for such a connection. Co-authored-by: Justin Rogers <justrog@gmail.com> 2020-09-07 11:04:44 +05:30			`const resultA = isAllowedPath('/hax0r-42/no-go', allowedPathsList);`
			`const resultB = isAllowedPath(`
			`'/update-current-challenge',`
			`allowedPathsList`
			`);`
fix(api): add /auth paths to whitelist (#38383) 2020-03-18 17:49:42 +05:30			`expect(resultA).toBe(false);`
			`expect(resultB).toBe(false);`
chore: Add tests for jwt authorization 2019-02-20 18:18:50 +00:00			`});`
			`});`

			`describe('createRequestAuthorization', () => {`
			`const requestAuthorization = createRequestAuthorization({`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`jwtSecret: validJWTSecret,`
chore: Add tests for jwt authorization 2019-02-20 18:18:50 +00:00			`getUserById: mockGetUserById`
			`});`

			`it('is a function', () => {`
			`expect(typeof requestAuthorization).toEqual('function');`
			`});`

feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`describe('cookies', () => {`
			`it('throws when no access token is present', () => {`
			`expect.assertions(2);`
fix(csrf): remove all csrf bypass 2020-03-06 17:51:58 +01:00			`const req = mockReq({ path: '/some-path/that-needs/auth' });`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`const res = mockRes();`
			`const next = sinon.spy();`
			`expect(() => requestAuthorization(req, res, next)).toThrowError(`
			`'Access token is required for this request'`
			`);`
			`expect(next.called).toBe(false);`
			`});`
chore: Add tests for jwt authorization 2019-02-20 18:18:50 +00:00
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`it('throws when the access token is invalid', () => {`
			`expect.assertions(2);`
			`const invalidJWT = jwt.sign({ accessToken }, invalidJWTSecret);`
			`const req = mockReq({`
fix(csrf): remove all csrf bypass 2020-03-06 17:51:58 +01:00			`path: '/some-path/that-needs/auth',`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`// eslint-disable-next-line camelcase`
			`cookie: { jwt_access_token: invalidJWT }`
			`});`
			`const res = mockRes();`
			`const next = sinon.spy();`

			`expect(() => requestAuthorization(req, res, next)).toThrowError(`
			`'Access token is invalid'`
			`);`
			`expect(next.called).toBe(false);`
chore: Add tests for jwt authorization 2019-02-20 18:18:50 +00:00			`});`

feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`it('throws when the access token has expired', () => {`
			`expect.assertions(2);`
			`const invalidJWT = jwt.sign(`
			`{ accessToken: { ...accessToken, created: theBeginningOfTime } },`
			`validJWTSecret`
			`);`
			`const req = mockReq({`
fix(csrf): remove all csrf bypass 2020-03-06 17:51:58 +01:00			`path: '/some-path/that-needs/auth',`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`// eslint-disable-next-line camelcase`
			`cookie: { jwt_access_token: invalidJWT }`
			`});`
			`const res = mockRes();`
			`const next = sinon.spy();`

			`expect(() => requestAuthorization(req, res, next)).toThrowError(`
cleanup: typos and remove commented out code (#36573) 2019-08-09 21:27:26 +03:00			`'Access token is no longer valid'`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`);`
			`expect(next.called).toBe(false);`
			`});`
chore: Add tests for jwt authorization 2019-02-20 18:18:50 +00:00
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`it('adds the user to the request object', async done => {`
fix: Centralise user deserialization 2019-03-04 21:10:12 +00:00			`expect.assertions(3);`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`const validJWT = jwt.sign({ accessToken }, validJWTSecret);`
			`const req = mockReq({`
fix(csrf): remove all csrf bypass 2020-03-06 17:51:58 +01:00			`path: '/some-path/that-needs/auth',`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`// eslint-disable-next-line camelcase`
			`cookie: { jwt_access_token: validJWT }`
			`});`
			`const res = mockRes();`
			`const next = sinon.spy();`
			`await requestAuthorization(req, res, next);`
			`expect(next.called).toBe(true);`
			`expect(req).toHaveProperty('user');`
			`expect(req.user).toEqual(users['456def']);`
			`return done();`
chore: Add tests for jwt authorization 2019-02-20 18:18:50 +00:00			`});`

feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`it('adds the jwt to the headers', async done => {`
			`const validJWT = jwt.sign({ accessToken }, validJWTSecret);`
			`const req = mockReq({`
fix(csrf): remove all csrf bypass 2020-03-06 17:51:58 +01:00			`path: '/some-path/that-needs/auth',`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`// eslint-disable-next-line camelcase`
			`cookie: { jwt_access_token: validJWT }`
			`});`
			`const res = mockRes();`
			`const next = sinon.spy();`
			`await requestAuthorization(req, res, next);`
			`expect(res.set.calledWith('X-fcc-access-token', validJWT)).toBe(true);`
			`return done();`
			`});`
chore: Add tests for jwt authorization 2019-02-20 18:18:50 +00:00
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`it('calls next if request does not require authorization', async () => {`
fix(csrf): remove all csrf bypass 2020-03-06 17:51:58 +01:00			`// currently /unsubscribe does not require authorization`
			`const req = mockReq({ path: '/unsubscribe/another/route' });`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`const res = mockRes();`
			`const next = sinon.spy();`
			`await requestAuthorization(req, res, next);`
			`expect(next.called).toBe(true);`
chore: Add tests for jwt authorization 2019-02-20 18:18:50 +00:00			`});`
			`});`

feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`describe('Auth header', () => {`
			`it('throws when no access token is present', () => {`
			`expect.assertions(2);`
fix(csrf): remove all csrf bypass 2020-03-06 17:51:58 +01:00			`const req = mockReq({ path: '/some-path/that-needs/auth' });`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`const res = mockRes();`
			`const next = sinon.spy();`
			`expect(() => requestAuthorization(req, res, next)).toThrowError(`
			`'Access token is required for this request'`
			`);`
			`expect(next.called).toBe(false);`
			`});`

			`it('throws when the access token is invalid', () => {`
			`expect.assertions(2);`
			`const invalidJWT = jwt.sign({ accessToken }, invalidJWTSecret);`
			`const req = mockReq({`
fix(csrf): remove all csrf bypass 2020-03-06 17:51:58 +01:00			`path: '/some-path/that-needs/auth',`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`headers: { 'X-fcc-access-token': invalidJWT }`
			`});`
			`const res = mockRes();`
			`const next = sinon.spy();`

			`expect(() => requestAuthorization(req, res, next)).toThrowError(`
			`'Access token is invalid'`
			`);`
			`expect(next.called).toBe(false);`
			`});`

			`it('throws when the access token has expired', () => {`
			`expect.assertions(2);`
			`const invalidJWT = jwt.sign(`
			`{ accessToken: { ...accessToken, created: theBeginningOfTime } },`
			`validJWTSecret`
			`);`
			`const req = mockReq({`
fix(csrf): remove all csrf bypass 2020-03-06 17:51:58 +01:00			`path: '/some-path/that-needs/auth',`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`headers: { 'X-fcc-access-token': invalidJWT }`
			`});`
			`const res = mockRes();`
			`const next = sinon.spy();`

			`expect(() => requestAuthorization(req, res, next)).toThrowError(`
cleanup: typos and remove commented out code (#36573) 2019-08-09 21:27:26 +03:00			`'Access token is no longer valid'`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`);`
			`expect(next.called).toBe(false);`
			`});`

			`it('adds the user to the request object', async done => {`
fix: Centralise user deserialization 2019-03-04 21:10:12 +00:00			`expect.assertions(3);`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`const validJWT = jwt.sign({ accessToken }, validJWTSecret);`
			`const req = mockReq({`
fix(csrf): remove all csrf bypass 2020-03-06 17:51:58 +01:00			`path: '/some-path/that-needs/auth',`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`headers: { 'X-fcc-access-token': validJWT }`
			`});`
			`const res = mockRes();`
			`const next = sinon.spy();`
			`await requestAuthorization(req, res, next);`
			`expect(next.called).toBe(true);`
			`expect(req).toHaveProperty('user');`
			`expect(req.user).toEqual(users['456def']);`
			`return done();`
			`});`

			`it('adds the jwt to the headers', async done => {`
			`const validJWT = jwt.sign({ accessToken }, validJWTSecret);`
			`const req = mockReq({`
fix(csrf): remove all csrf bypass 2020-03-06 17:51:58 +01:00			`path: '/some-path/that-needs/auth',`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`// eslint-disable-next-line camelcase`
			`cookie: { jwt_access_token: validJWT }`
			`});`
			`const res = mockRes();`
			`const next = sinon.spy();`
			`await requestAuthorization(req, res, next);`
			`expect(res.set.calledWith('X-fcc-access-token', validJWT)).toBe(true);`
			`return done();`
			`});`

			`it('calls next if request does not require authorization', async () => {`
fix(csrf): remove all csrf bypass 2020-03-06 17:51:58 +01:00			`// currently /unsubscribe does not require authorization`
			`const req = mockReq({ path: '/unsubscribe/another/route' });`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`const res = mockRes();`
			`const next = sinon.spy();`
			`await requestAuthorization(req, res, next);`
			`expect(next.called).toBe(true);`
			`});`
chore: Add tests for jwt authorization 2019-02-20 18:18:50 +00:00			`});`
			`});`
			`});`