X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/3cacda6762bca67ae2beeb44cdcff39ad6d7ec60..refs/pull/2023/head:/tests/Api/ApiAuthTest.php diff --git a/tests/Api/ApiAuthTest.php b/tests/Api/ApiAuthTest.php index 30d7f4ead..302093947 100644 --- a/tests/Api/ApiAuthTest.php +++ b/tests/Api/ApiAuthTest.php @@ -1,9 +1,9 @@ -getViewer(); + $this->giveUserPermissions($viewer, ['access-api']); + $resp = $this->get($this->endpoint); $resp->assertStatus(401); - $this->actingAs($viewer, 'web'); + $this->actingAs($viewer, 'standard'); $resp = $this->get($this->endpoint); $resp->assertStatus(200); @@ -62,6 +64,28 @@ class ApiAuthTest extends TestCase $editorRole->detachPermission($accessApiPermission); $resp = $this->get($this->endpoint, $this->apiAuthHeader()); + $resp->assertStatus(403); + $resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403)); + } + + public function test_api_access_permission_required_to_access_api_with_session_auth() + { + $editor = $this->getEditor(); + $this->actingAs($editor, 'standard'); + + $resp = $this->get($this->endpoint); + $resp->assertStatus(200); + auth('standard')->logout(); + + $accessApiPermission = RolePermission::getByName('access-api'); + $editorRole = $this->getEditor()->roles()->first(); + $editorRole->detachPermission($accessApiPermission); + + $editor = User::query()->where('id', '=', $editor->id)->first(); + + $this->actingAs($editor, 'standard'); + $resp = $this->get($this->endpoint); + $resp->assertStatus(403); $resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403)); } @@ -95,4 +119,29 @@ class ApiAuthTest extends TestCase $resp->assertJson($this->errorResponse("The email address for the account in use needs to be confirmed", 401)); } + public function test_rate_limit_headers_active_on_requests() + { + $resp = $this->actingAsApiEditor()->get($this->endpoint); + $resp->assertHeader('x-ratelimit-limit', 180); + $resp->assertHeader('x-ratelimit-remaining', 179); + $resp = $this->actingAsApiEditor()->get($this->endpoint); + $resp->assertHeader('x-ratelimit-remaining', 178); + } + + public function test_rate_limit_hit_gives_json_error() + { + config()->set(['api.requests_per_minute' => 1]); + $resp = $this->actingAsApiEditor()->get($this->endpoint); + $resp->assertStatus(200); + + $resp = $this->actingAsApiEditor()->get($this->endpoint); + $resp->assertStatus(429); + $resp->assertHeader('x-ratelimit-remaining', 0); + $resp->assertHeader('retry-after'); + $resp->assertJson([ + 'error' => [ + 'code' => 429, + ] + ]); + } } \ No newline at end of file