From d8be4d24a5307db660e598ec29bcc71652a5b5e4 Mon Sep 17 00:00:00 2001 From: "Nicholas Carrigan (he/him)" Date: Tue, 3 Nov 2020 06:26:10 -0800 Subject: [PATCH] feat(learn): Some tests for Anonymous Message Board (#39652) * Clean up text, partial test completion * remove extraneous declaration * Apply suggestions from code review Co-authored-by: Tom <20648924+moT01@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Randell Dawson <5313213+RandellDawson@users.noreply.github.com> * Use non-breaking space after colon Signed-off-by: nhcarrigan Co-authored-by: Tom <20648924+moT01@users.noreply.github.com> Co-authored-by: Randell Dawson <5313213+RandellDawson@users.noreply.github.com> --- .../anonymous-message-board.md | 36 ++++++++++++------- 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/curriculum/challenges/english/09-information-security/information-security-projects/anonymous-message-board.md b/curriculum/challenges/english/09-information-security/information-security-projects/anonymous-message-board.md index cc528e4b58..e45d235f20 100644 --- a/curriculum/challenges/english/09-information-security/information-security-projects/anonymous-message-board.md +++ b/curriculum/challenges/english/09-information-security/information-security-projects/anonymous-message-board.md 
@@ -27,27 +27,39 @@ tests: getUserInput => { assert(!/.*\/anonymous-message-board\.freecodecamp\.rocks/.test(getUserInput('url'))); } - - text: Only allow your site to be loading in an iFrame on your own pages. - testString: '' + - text: Only allow your site to be loaded in an iFrame on your own pages. + testString: "async getUserInput => { + const data = await fetch(getUserInput('url') + '/_api/app-info'); + const parsed = await data.json(); + assert.isTrue(parsed.headers['x-frame-options']?.includes('SAMEORIGIN')); + }" - text: Do not allow DNS prefetching. - testString: '' + testString: "async getUserInput => { + const data = await fetch(getUserInput('url') + '/_api/app-info'); + const parsed = await data.json(); + assert.isTrue(parsed.headers['x-dns-prefetch-control']?.includes('off')); + }" - text: Only allow your site to send the referrer for your own pages. + testString: "async getUserInput => { + const data = await fetch(getUserInput('url') + '/_api/app-info'); + const parsed = await data.json(); + assert.isTrue(parsed.headers['referrer-policy']?.includes('same-origin')); + }" + - text: I can POST a thread to a specific message board by passing form data `text` and `delete_password` to `/api/threads/{board}` (Recommend `res.redirect` to board page `/b/{board}`). The saved database record will have at least the following fields: `_id`, `text`, `created_on`(date & time), `bumped_on`(date & time, starts same as `created_on`), `reported` (boolean), `delete_password`, & `replies` (array). testString: '' - - text: I can POST a thread to a specific message board by passing form data text and deletepassword_ to /api/threads/{board}.(Recommend res.redirect to board page /b/{board}) Saved will be at least _id, text, createdon_(date&time), bumpedon_(date&time, starts same as created_on), reported(boolean), deletepassword_, & replies(array). 
+ - text: I can POST a reply to a thread on a specific board by passing form data `text`, `delete_password`, & `thread_id` to `/api/replies/{board}` and it will also update the `bumped_on` date to the comment's date (Recommend `res.redirect` to thread page `/b/{board}/{thread_id}`). In the thread's `replies` array, an object will be saved with at least the following properties: `_id`, `text`, `created_on`, `delete_password`, & `reported`. testString: '' - - text: I can POST a reply to a thread on a specific board by passing form data text, deletepassword_, & threadid_ to /api/replies/{board} and it will also update the bumped_on date to the comments date.(Recommend res.redirect to thread page /b/{board}/{thread_id}) In the thread's replies array will be saved _id, text, createdon_, deletepassword_, & reported. + - text: I can GET an array of the most recent 10 bumped threads on the board with only the most recent 3 replies each from `/api/threads/{board}`. The `reported` and `delete_password` fields will not be sent to the client. testString: '' - - text: I can GET an array of the most recent 10 bumped threads on the board with only the most recent 3 replies each from /api/threads/{board}. The reported and deletepasswords_ fields will not be sent to the client. + - text: I can GET an entire thread with all its replies from `/api/replies/{board}?thread_id={thread_id}`, also hiding the same fields from the client as the previous test. testString: '' - - text: I can GET an entire thread with all its replies from /api/replies/{board}?thread_id={thread_id}. Also hiding the same fields the client should be see. + - text: I can delete a thread completely if I send a DELETE request to `/api/threads/{board}` and pass along the `thread_id` & `delete_password` (Text response will be 'incorrect password' or 'success'). testString: '' - - text: I can delete a thread completely if I send a DELETE request to /api/threads/{board} and pass along the threadid_ & deletepassword_. 
(Text response will be 'incorrect password' or 'success') + - text: I can delete a post (changing the text to '[deleted]' instead of removing completely like a thread) if I send a DELETE request to `/api/replies/{board}` and pass along the `thread_id`, `reply_id`, & `delete_password` (Text response will be 'incorrect password' or 'success'). testString: '' - - text: I can delete a post(just changing the text to '[deleted]' instead of removing completely like a thread) if I send a DELETE request to /api/replies/{board} and pass along the threadid_, replyid_, & deletepassword_. (Text response will be 'incorrect password' or 'success') + - text: I can report a thread and change its `reported` value to `true` by sending a PUT request to `/api/threads/{board}` and pass along the `thread_id` (Text response will be 'success'). testString: '' - - text: I can report a thread and change its reported value to true by sending a PUT request to /api/threads/{board} and pass along the threadid_. (Text response will be 'success') - testString: '' - - text: I can report a reply and change its reported value to true by sending a PUT request to /api/replies/{board} and pass along the threadid_ & replyid_. (Text response will be 'success') + - text: I can report a reply and change its reported value to true by sending a PUT request to `/api/replies/{board}` and pass along the `thread_id` & `reply_id` (Text response will be 'success'). testString: '' - text: Complete functional tests that wholly test routes and pass. testString: ''
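Review bot: the new X-Frame-Options assertion is case-sensitive (`parsed.headers['x-frame-options']?.includes('SAMEORIGIN')`), but RFC 7034 defines the header value as case-insensitive, so a learner whose server answers `sameorigin` has the clickjacking protection in place yet fails the test; normalise before comparing, e.g. `(parsed.headers['x-frame-options'] || '').toLowerCase().includes('sameorigin')`, and apply the same pattern to the `x-dns-prefetch-control` and `referrer-policy` checks for consistency. That form also drops the optional chaining (`?.`) from the test string, which only works if the challenge test runner's parser supports it, and it hands `assert.isTrue` a plain `false` instead of `undefined` when the header is missing, which makes the failure message clearer for the learner.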