Fixed test class names + add perm. check to api session auth
index ef975d556b654faa3e59929d9a5353e4860edab5..b6b6b72ac795090d6c603a8791cb6a147f045d9f 100644 (file)
@@ -3,6 +3,8 @@
 namespace Tests;
 
 use BookStack\Auth\Permissions\RolePermission;
+use BookStack\Auth\User;
+use Carbon\Carbon;
 
 class ApiAuthTest extends TestCase
 {
@@ -13,6 +15,8 @@ class ApiAuthTest extends TestCase
     public function test_requests_succeed_with_default_auth()
     {
         $viewer = $this->getViewer();
+        $this->giveUserPermissions($viewer, ['access-api']);
+
         $resp = $this->get($this->endpoint);
         $resp->assertStatus(401);
 
@@ -52,7 +56,7 @@ class ApiAuthTest extends TestCase
 
     public function test_api_access_permission_required_to_access_api()
     {
-        $resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:{$this->apiTokenSecret}"]);
+        $resp = $this->get($this->endpoint, $this->apiAuthHeader());
         $resp->assertStatus(200);
         auth()->logout();
 
@@ -60,12 +64,49 @@ class ApiAuthTest extends TestCase
         $editorRole = $this->getEditor()->roles()->first();
         $editorRole->detachPermission($accessApiPermission);
 
-        $resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:{$this->apiTokenSecret}"]);
+        $resp = $this->get($this->endpoint, $this->apiAuthHeader());
+        $resp->assertStatus(403);
+        $resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));
+    }
+
+    public function test_api_access_permission_required_to_access_api_with_session_auth()
+    {
+        $editor = $this->getEditor();
+        $this->actingAs($editor, 'web');
+
+        $resp = $this->get($this->endpoint);
+        $resp->assertStatus(200);
+        auth('web')->logout();
+
+        $accessApiPermission = RolePermission::getByName('access-api');
+        $editorRole = $this->getEditor()->roles()->first();
+        $editorRole->detachPermission($accessApiPermission);
+
+        $editor = User::query()->where('id', '=', $editor->id)->first();
+
+        $this->actingAs($editor, 'web');
+        $resp = $this->get($this->endpoint);
+        $resp->assertStatus(403);
         $resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));
     }
 
+    public function test_token_expiry_checked()
+    {
+        $editor = $this->getEditor();
+        $token = $editor->apiTokens()->first();
+
+        $resp = $this->get($this->endpoint, $this->apiAuthHeader());
+        $resp->assertStatus(200);
+        auth()->logout();
+
+        $token->expires_at = Carbon::now()->subDay()->format('Y-m-d');
+        $token->save();
+
+        $resp = $this->get($this->endpoint, $this->apiAuthHeader());
+        $resp->assertJson($this->errorResponse("The authorization token used has expired", 403));
+    }
 
-    public function test_email_confirmation_checked_on_auth_requets()
+    public function test_email_confirmation_checked_using_api_auth()
     {
         $editor = $this->getEditor();
         $editor->email_confirmed = false;
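Review bot: `test_token_expiry_checked` never asserts the HTTP status after the token is expired; the final `$resp->assertJson(...)` only checks the body, so a response that carried that error text with a 200 (or a 401) would still pass, and the 403 in the expected-error helper is only the JSON `code` field rather than the status line. Add `$resp->assertStatus(403);` before the `assertJson` call, matching the pattern used in the two permission tests above. Since `expires_at` is written as a date-only string for yesterday, the boundary case of a token expiring today is not covered by this test; if the check is date-granular, a second case pinning that edge would be worth adding. The session-auth test asserts the message "The owner of the used API token does not have permission to make API calls" for a request that used no token at all, which pins a misleading message for that path; if the middleware can distinguish the guard, a session-specific wording would be clearer. `test_api_access_permission_required_to_access_api` starts before this hunk and `test_email_confirmation_checked_using_api_auth` continues past it.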
@@ -74,7 +115,7 @@ class ApiAuthTest extends TestCase
         // Set settings and get user instance
         $this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true']);
 
-        $resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:{$this->apiTokenSecret}"]);
+        $resp = $this->get($this->endpoint, $this->apiAuthHeader());
         $resp->assertStatus(401);
         $resp->assertJson($this->errorResponse("The email address for the account in use needs to be confirmed", 401));
     }