BookStack Code Mirror - bookstack/blob - tests/Api/ApiAuthTest.php

   1 <?php namespace Tests\Api;
   2
   3 use BookStack\Auth\Permissions\RolePermission;
   4 use BookStack\Auth\User;
   5 use Carbon\Carbon;
   6 use Tests\TestCase;
   7
   8 class ApiAuthTest extends TestCase
   9 {
  10     use TestsApi;
  11
  12     protected $endpoint = '/api/books';
  13
  14     public function test_requests_succeed_with_default_auth()
  15     {
  16         $viewer = $this->getViewer();
  17         $this->giveUserPermissions($viewer, ['access-api']);
  18
  19         $resp = $this->get($this->endpoint);
  20         $resp->assertStatus(401);
  21
  22         $this->actingAs($viewer, 'standard');
  23
  24         $resp = $this->get($this->endpoint);
  25         $resp->assertStatus(200);
  26     }
  27
  28     public function test_no_token_throws_error()
  29     {
  30         $resp = $this->get($this->endpoint);
  31         $resp->assertStatus(401);
  32         $resp->assertJson($this->errorResponse("No authorization token found on the request", 401));
  33     }
  34
  35     public function test_bad_token_format_throws_error()
  36     {
  37         $resp = $this->get($this->endpoint, ['Authorization' => "Token abc123"]);
  38         $resp->assertStatus(401);
  39         $resp->assertJson($this->errorResponse("An authorization token was found on the request but the format appeared incorrect", 401));
  40     }
  41
  42     public function test_token_with_non_existing_id_throws_error()
  43     {
  44         $resp = $this->get($this->endpoint, ['Authorization' => "Token abc:123"]);
  45         $resp->assertStatus(401);
  46         $resp->assertJson($this->errorResponse("No matching API token was found for the provided authorization token", 401));
  47     }
  48
  49     public function test_token_with_bad_secret_value_throws_error()
  50     {
  51         $resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:123"]);
  52         $resp->assertStatus(401);
  53         $resp->assertJson($this->errorResponse("The secret provided for the given used API token is incorrect", 401));
  54     }
  55
  56     public function test_api_access_permission_required_to_access_api()
  57     {
  58         $resp = $this->get($this->endpoint, $this->apiAuthHeader());
  59         $resp->assertStatus(200);
  60         auth()->logout();
  61
  62         $accessApiPermission = RolePermission::getByName('access-api');
  63         $editorRole = $this->getEditor()->roles()->first();
  64         $editorRole->detachPermission($accessApiPermission);
  65
  66         $resp = $this->get($this->endpoint, $this->apiAuthHeader());
  67         $resp->assertStatus(403);
  68         $resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));
  69     }
  70
  71     public function test_api_access_permission_required_to_access_api_with_session_auth()
  72     {
  73         $editor = $this->getEditor();
  74         $this->actingAs($editor, 'standard');
  75
  76         $resp = $this->get($this->endpoint);
  77         $resp->assertStatus(200);
  78         auth('standard')->logout();
  79
  80         $accessApiPermission = RolePermission::getByName('access-api');
  81         $editorRole = $this->getEditor()->roles()->first();
  82         $editorRole->detachPermission($accessApiPermission);
  83
  84         $editor = User::query()->where('id', '=', $editor->id)->first();
  85
  86         $this->actingAs($editor, 'standard');
  87         $resp = $this->get($this->endpoint);
  88         $resp->assertStatus(403);
  89         $resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));
  90     }
  91
  92     public function test_token_expiry_checked()
  93     {
  94         $editor = $this->getEditor();
  95         $token = $editor->apiTokens()->first();
  96
  97         $resp = $this->get($this->endpoint, $this->apiAuthHeader());
  98         $resp->assertStatus(200);
  99         auth()->logout();
 100
 101         $token->expires_at = Carbon::now()->subDay()->format('Y-m-d');
 102         $token->save();
 103
 104         $resp = $this->get($this->endpoint, $this->apiAuthHeader());
 105         $resp->assertJson($this->errorResponse("The authorization token used has expired", 403));
 106     }
 107
 108     public function test_email_confirmation_checked_using_api_auth()
 109     {
 110         $editor = $this->getEditor();
 111         $editor->email_confirmed = false;
 112         $editor->save();
 113
 114         // Set settings and get user instance
 115         $this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true']);
 116
 117         $resp = $this->get($this->endpoint, $this->apiAuthHeader());
 118         $resp->assertStatus(401);
 119         $resp->assertJson($this->errorResponse("The email address for the account in use needs to be confirmed", 401));
 120     }
 121
 122     public function test_rate_limit_headers_active_on_requests()
 123     {
 124         $resp = $this->actingAsApiEditor()->get($this->endpoint);
 125         $resp->assertHeader('x-ratelimit-limit', 180);
 126         $resp->assertHeader('x-ratelimit-remaining', 179);
 127         $resp = $this->actingAsApiEditor()->get($this->endpoint);
 128         $resp->assertHeader('x-ratelimit-remaining', 178);
 129     }
 130
 131     public function test_rate_limit_hit_gives_json_error()
 132     {
 133         config()->set(['api.requests_per_minute' => 1]);
 134         $resp = $this->actingAsApiEditor()->get($this->endpoint);
 135         $resp->assertStatus(200);
 136
 137         $resp = $this->actingAsApiEditor()->get($this->endpoint);
 138         $resp->assertStatus(429);
 139         $resp->assertHeader('x-ratelimit-remaining', 0);
 140         $resp->assertHeader('retry-after');
 141         $resp->assertJson([
 142             'error' => [
 143                 'code' => 429,
 144             ]
 145         ]);
 146     }
 147 }