BookStack Code Mirror - bookstack/blobdiff

index 30d7f4ead4e855478ba2209b443d919d5070b53c..3020939479b355ab0d91fab30e6dc3acedb2288e 100644 (file)

--- a/tests/Api/ApiAuthTest.php

+++ b/tests/Api/ApiAuthTest.php

@@ -1,9 +1,9 @@

-<?php

-namespace Tests;

+<?php namespace Tests\Api;

use BookStack\Auth\Permissions\RolePermission;

+use BookStack\Auth\User;

use Carbon\Carbon;

+use Tests\TestCase;

class ApiAuthTest extends TestCase

{

class ApiAuthTest extends TestCase

{

@@ -14,10 +14,12 @@ class ApiAuthTest extends TestCase

public function test_requests_succeed_with_default_auth()

{

$viewer = $this->getViewer();

public function test_requests_succeed_with_default_auth()

{

$viewer = $this->getViewer();

+ $this->giveUserPermissions($viewer, ['access-api']);

$resp = $this->get($this->endpoint);

$resp->assertStatus(401);

$resp = $this->get($this->endpoint);

$resp->assertStatus(401);

- $this->actingAs($viewer, 'web');

+ $this->actingAs($viewer, 'standard');

$resp = $this->get($this->endpoint);

$resp->assertStatus(200);

$resp = $this->get($this->endpoint);

$resp->assertStatus(200);

@@ -62,6 +64,28 @@ class ApiAuthTest extends TestCase

$editorRole->detachPermission($accessApiPermission);

$resp = $this->get($this->endpoint, $this->apiAuthHeader());

$editorRole->detachPermission($accessApiPermission);

$resp = $this->get($this->endpoint, $this->apiAuthHeader());

+ $resp->assertStatus(403);

+ $resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));

+ }

+ public function test_api_access_permission_required_to_access_api_with_session_auth()

+ {

+ $editor = $this->getEditor();

+ $this->actingAs($editor, 'standard');

+ $resp = $this->get($this->endpoint);

+ $resp->assertStatus(200);

+ auth('standard')->logout();

+ $accessApiPermission = RolePermission::getByName('access-api');

+ $editorRole = $this->getEditor()->roles()->first();

+ $editorRole->detachPermission($accessApiPermission);

+ $editor = User::query()->where('id', '=', $editor->id)->first();

+ $this->actingAs($editor, 'standard');

+ $resp = $this->get($this->endpoint);

+ $resp->assertStatus(403);

$resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));

}

$resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));

}

@@ -95,4 +119,29 @@ class ApiAuthTest extends TestCase

$resp->assertJson($this->errorResponse("The email address for the account in use needs to be confirmed", 401));

}

$resp->assertJson($this->errorResponse("The email address for the account in use needs to be confirmed", 401));

}

+ public function test_rate_limit_headers_active_on_requests()

+ {

+ $resp = $this->actingAsApiEditor()->get($this->endpoint);

+ $resp->assertHeader('x-ratelimit-limit', 180);

+ $resp->assertHeader('x-ratelimit-remaining', 179);

+ $resp = $this->actingAsApiEditor()->get($this->endpoint);

+ $resp->assertHeader('x-ratelimit-remaining', 178);

+ }

+ public function test_rate_limit_hit_gives_json_error()

+ {

+ config()->set(['api.requests_per_minute' => 1]);

+ $resp = $this->actingAsApiEditor()->get($this->endpoint);

+ $resp->assertStatus(200);

+ $resp = $this->actingAsApiEditor()->get($this->endpoint);

+ $resp->assertStatus(429);

+ $resp->assertHeader('x-ratelimit-remaining', 0);

+ $resp->assertHeader('retry-after');

+ $resp->assertJson([

+ 'error' => [

+ 'code' => 429,

+ ]

+ ]);

+ }

}

\ No newline at end of file

}

\ No newline at end of file