-<?php
-
-namespace Tests;
+<?php namespace Tests\Api;
use BookStack\Auth\Permissions\RolePermission;
+use BookStack\Auth\User;
+use Carbon\Carbon;
+use Tests\TestCase;
class ApiAuthTest extends TestCase
{
public function test_requests_succeed_with_default_auth()
{
$viewer = $this->getViewer();
+ $this->giveUserPermissions($viewer, ['access-api']);
+
$resp = $this->get($this->endpoint);
$resp->assertStatus(401);
- $this->actingAs($viewer, 'web');
+ $this->actingAs($viewer, 'standard');
$resp = $this->get($this->endpoint);
$resp->assertStatus(200);
public function test_api_access_permission_required_to_access_api()
{
- $resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:{$this->apiTokenSecret}"]);
+ $resp = $this->get($this->endpoint, $this->apiAuthHeader());
$resp->assertStatus(200);
auth()->logout();
$editorRole = $this->getEditor()->roles()->first();
$editorRole->detachPermission($accessApiPermission);
- $resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:{$this->apiTokenSecret}"]);
+ $resp = $this->get($this->endpoint, $this->apiAuthHeader());
+ $resp->assertStatus(403);
+ $resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));
+ }
+
+ public function test_api_access_permission_required_to_access_api_with_session_auth()
+ {
+ $editor = $this->getEditor();
+ $this->actingAs($editor, 'standard');
+
+ $resp = $this->get($this->endpoint);
+ $resp->assertStatus(200);
+ auth('standard')->logout();
+
+ $accessApiPermission = RolePermission::getByName('access-api');
+ $editorRole = $this->getEditor()->roles()->first();
+ $editorRole->detachPermission($accessApiPermission);
+
+ $editor = User::query()->where('id', '=', $editor->id)->first();
+
+ $this->actingAs($editor, 'standard');
+ $resp = $this->get($this->endpoint);
+ $resp->assertStatus(403);
$resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));
}
+ public function test_token_expiry_checked()
+ {
+ $editor = $this->getEditor();
+ $token = $editor->apiTokens()->first();
+
+ $resp = $this->get($this->endpoint, $this->apiAuthHeader());
+ $resp->assertStatus(200);
+ auth()->logout();
+
+ $token->expires_at = Carbon::now()->subDay()->format('Y-m-d');
+ $token->save();
+
+ $resp = $this->get($this->endpoint, $this->apiAuthHeader());
+ $resp->assertJson($this->errorResponse("The authorization token used has expired", 403));
+ }
- public function test_email_confirmation_checked_on_auth_requets()
+ public function test_email_confirmation_checked_using_api_auth()
{
$editor = $this->getEditor();
$editor->email_confirmed = false;
// Set settings and get user instance
$this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true']);
- $resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:{$this->apiTokenSecret}"]);
+ $resp = $this->get($this->endpoint, $this->apiAuthHeader());
$resp->assertStatus(401);
$resp->assertJson($this->errorResponse("The email address for the account in use needs to be confirmed", 401));
}
+ public function test_rate_limit_headers_active_on_requests()
+ {
+ $resp = $this->actingAsApiEditor()->get($this->endpoint);
+ $resp->assertHeader('x-ratelimit-limit', 180);
+ $resp->assertHeader('x-ratelimit-remaining', 179);
+ $resp = $this->actingAsApiEditor()->get($this->endpoint);
+ $resp->assertHeader('x-ratelimit-remaining', 178);
+ }
+
+ public function test_rate_limit_hit_gives_json_error()
+ {
+ config()->set(['api.requests_per_minute' => 1]);
+ $resp = $this->actingAsApiEditor()->get($this->endpoint);
+ $resp->assertStatus(200);
+
+ $resp = $this->actingAsApiEditor()->get($this->endpoint);
+ $resp->assertStatus(429);
+ $resp->assertHeader('x-ratelimit-remaining', 0);
+ $resp->assertHeader('retry-after');
+ $resp->assertJson([
+ 'error' => [
+ 'code' => 429,
+ ]
+ ]);
+ }
}
\ No newline at end of file
projects / bookstack / blobdiff