2018-02-06 23:31:18 +01:00
|
|
|
const assert = require('assert');
|
|
|
|
const sinon = require('sinon');
|
|
|
|
const proxyquire = require('proxyquire').noCallThru();
|
|
|
|
|
|
|
|
const storage = {
|
|
|
|
metadata: sinon.stub(),
|
|
|
|
setField: sinon.stub()
|
|
|
|
};
|
|
|
|
|
|
|
|
function request(id, auth) {
|
|
|
|
return {
|
|
|
|
params: { id },
|
|
|
|
header: sinon.stub().returns(auth)
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
function response() {
|
|
|
|
return {
|
|
|
|
sendStatus: sinon.stub(),
|
|
|
|
set: sinon.stub()
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
const next = sinon.stub();
|
|
|
|
|
|
|
|
const storedMeta = {
|
|
|
|
auth:
|
|
|
|
'r9uFxEs9GEVaQR9CJJ0uTKFGhFSOTRjOY2FCLFlCIZ0Cr-VGTVpMGlXDbNR8RMT55trMpSrzWtBVKq1LffOT2g',
|
|
|
|
nonce: 'FL4oxA7IE1PW8shwFN9qZw=='
|
|
|
|
};
|
|
|
|
|
|
|
|
const authMiddleware = proxyquire('../../server/middleware/auth', {
|
|
|
|
'../storage': storage
|
2018-08-08 00:40:17 +02:00
|
|
|
}).hmac;
|
2018-02-06 23:31:18 +01:00
|
|
|
|
|
|
|
describe('Owner Middleware', function() {
|
|
|
|
afterEach(function() {
|
|
|
|
storage.metadata.reset();
|
|
|
|
storage.setField.reset();
|
|
|
|
next.reset();
|
|
|
|
});
|
|
|
|
|
|
|
|
it('sends a 401 when no auth header is set', async function() {
|
|
|
|
const req = request('x');
|
|
|
|
const res = response();
|
|
|
|
await authMiddleware(req, res, next);
|
|
|
|
sinon.assert.calledWith(res.sendStatus, 401);
|
|
|
|
sinon.assert.notCalled(next);
|
|
|
|
});
|
|
|
|
|
|
|
|
it('sends a 404 when metadata is not found', async function() {
|
|
|
|
const req = request('x', 'y');
|
|
|
|
const res = response();
|
|
|
|
await authMiddleware(req, res, next);
|
|
|
|
sinon.assert.calledWith(res.sendStatus, 404);
|
|
|
|
sinon.assert.notCalled(next);
|
|
|
|
});
|
|
|
|
|
|
|
|
it('sends a 401 when the auth header is invalid base64', async function() {
|
|
|
|
storage.metadata.returns(Promise.resolve(storedMeta));
|
|
|
|
const req = request('x', '1');
|
|
|
|
const res = response();
|
|
|
|
await authMiddleware(req, res, next);
|
|
|
|
sinon.assert.calledWith(res.sendStatus, 401);
|
|
|
|
sinon.assert.notCalled(next);
|
|
|
|
});
|
|
|
|
|
|
|
|
it('authenticates when the hashes match', async function() {
|
|
|
|
storage.metadata.returns(Promise.resolve(storedMeta));
|
|
|
|
const req = request(
|
|
|
|
'x',
|
|
|
|
'send-v1 R7nZk14qJqZXtxpnAtw2uDIRQTRnO1qSO1Q0PiwcNA8'
|
|
|
|
);
|
|
|
|
const res = response();
|
|
|
|
await authMiddleware(req, res, next);
|
|
|
|
sinon.assert.calledOnce(next);
|
|
|
|
sinon.assert.calledWith(storage.setField, 'x', 'nonce', req.nonce);
|
|
|
|
sinon.assert.calledWith(
|
|
|
|
res.set,
|
|
|
|
'WWW-Authenticate',
|
|
|
|
`send-v1 ${req.nonce}`
|
|
|
|
);
|
|
|
|
sinon.assert.notCalled(res.sendStatus);
|
|
|
|
assert.equal(req.authorized, true);
|
|
|
|
assert.equal(req.meta, storedMeta);
|
|
|
|
assert.notEqual(req.nonce, storedMeta.nonce);
|
|
|
|
});
|
|
|
|
|
|
|
|
it('sends a 401 when the hashes do not match', async function() {
|
|
|
|
storage.metadata.returns(Promise.resolve(storedMeta));
|
|
|
|
const req = request(
|
|
|
|
'x',
|
|
|
|
'send-v1 R8nZk14qJqZXtxpnAtw2uDIRQTRnO1qSO1Q0PiwcNA8'
|
|
|
|
);
|
|
|
|
const res = response();
|
|
|
|
await authMiddleware(req, res, next);
|
|
|
|
sinon.assert.calledWith(res.sendStatus, 401);
|
|
|
|
sinon.assert.calledWith(
|
|
|
|
res.set,
|
|
|
|
'WWW-Authenticate',
|
|
|
|
`send-v1 ${storedMeta.nonce}`
|
|
|
|
);
|
|
|
|
sinon.assert.notCalled(next);
|
|
|
|
});
|
|
|
|
});
|