]> BookStack Code Mirror - bookstack/blob - tests/User/UserApiTokenTest.php
Merge branch 'master' of git://github.com/osmansorkar/BookStack into osmansorkar...
[bookstack] / tests / User / UserApiTokenTest.php
1 <?php namespace Test\User;
2
3 use BookStack\Api\ApiToken;
4 use Carbon\Carbon;
5 use Tests\TestCase;
6
7 class UserApiTokenTest extends TestCase
8 {
9
10     protected $testTokenData = [
11         'name' => 'My test API token',
12         'expires_at' => '2050-04-01',
13     ];
14
15     public function test_tokens_section_not_visible_without_access_api_permission()
16     {
17         $user = $this->getViewer();
18
19         $resp = $this->actingAs($user)->get($user->getEditUrl());
20         $resp->assertDontSeeText('API Tokens');
21
22         $this->giveUserPermissions($user, ['access-api']);
23
24         $resp = $this->actingAs($user)->get($user->getEditUrl());
25         $resp->assertSeeText('API Tokens');
26         $resp->assertSeeText('Create Token');
27     }
28
29     public function test_those_with_manage_users_can_view_other_user_tokens_but_not_create()
30     {
31         $viewer = $this->getViewer();
32         $editor = $this->getEditor();
33         $this->giveUserPermissions($viewer, ['users-manage']);
34
35         $resp = $this->actingAs($viewer)->get($editor->getEditUrl());
36         $resp->assertSeeText('API Tokens');
37         $resp->assertDontSeeText('Create Token');
38     }
39
40     public function test_create_api_token()
41     {
42         $editor = $this->getEditor();
43
44         $resp = $this->asAdmin()->get($editor->getEditUrl('/create-api-token'));
45         $resp->assertStatus(200);
46         $resp->assertSee('Create API Token');
47         $resp->assertSee('Token Secret');
48
49         $resp = $this->post($editor->getEditUrl('/create-api-token'), $this->testTokenData);
50         $token = ApiToken::query()->latest()->first();
51         $resp->assertRedirect($editor->getEditUrl('/api-tokens/' . $token->id));
52         $this->assertDatabaseHas('api_tokens', [
53             'user_id' => $editor->id,
54             'name' => $this->testTokenData['name'],
55             'expires_at' => $this->testTokenData['expires_at'],
56         ]);
57
58         // Check secret token
59         $this->assertSessionHas('api-token-secret:' . $token->id);
60         $secret = session('api-token-secret:' . $token->id);
61         $this->assertDatabaseMissing('api_tokens', [
62             'secret' => $secret,
63         ]);
64         $this->assertTrue(\Hash::check($secret, $token->secret));
65
66         $this->assertTrue(strlen($token->token_id) === 32);
67         $this->assertTrue(strlen($secret) === 32);
68
69         $this->assertSessionHas('success');
70     }
71
72     public function test_create_with_no_expiry_sets_expiry_hundred_years_away()
73     {
74         $editor = $this->getEditor();
75         $this->asAdmin()->post($editor->getEditUrl('/create-api-token'), ['name' => 'No expiry token', 'expires_at' => '']);
76         $token = ApiToken::query()->latest()->first();
77
78         $over = Carbon::now()->addYears(101);
79         $under = Carbon::now()->addYears(99);
80         $this->assertTrue(
81             ($token->expires_at < $over && $token->expires_at > $under),
82             "Token expiry set at 100 years in future"
83         );
84     }
85
86     public function test_created_token_displays_on_profile_page()
87     {
88         $editor = $this->getEditor();
89         $this->asAdmin()->post($editor->getEditUrl('/create-api-token'), $this->testTokenData);
90         $token = ApiToken::query()->latest()->first();
91
92         $resp = $this->get($editor->getEditUrl());
93         $resp->assertElementExists('#api_tokens');
94         $resp->assertElementContains('#api_tokens', $token->name);
95         $resp->assertElementContains('#api_tokens', $token->token_id);
96         $resp->assertElementContains('#api_tokens', $token->expires_at->format('Y-m-d'));
97     }
98
99     public function test_secret_shown_once_after_creation()
100     {
101         $editor = $this->getEditor();
102         $resp = $this->asAdmin()->followingRedirects()->post($editor->getEditUrl('/create-api-token'), $this->testTokenData);
103         $resp->assertSeeText('Token Secret');
104
105         $token = ApiToken::query()->latest()->first();
106         $this->assertNull(session('api-token-secret:' . $token->id));
107
108         $resp = $this->get($editor->getEditUrl('/api-tokens/' . $token->id));
109         $resp->assertDontSeeText('Client Secret');
110     }
111
112     public function test_token_update()
113     {
114         $editor = $this->getEditor();
115         $this->asAdmin()->post($editor->getEditUrl('/create-api-token'), $this->testTokenData);
116         $token = ApiToken::query()->latest()->first();
117         $updateData = [
118             'name' => 'My updated token',
119             'expires_at' => '2011-01-01',
120         ];
121
122         $resp = $this->put($editor->getEditUrl('/api-tokens/' . $token->id), $updateData);
123         $resp->assertRedirect($editor->getEditUrl('/api-tokens/' . $token->id));
124
125         $this->assertDatabaseHas('api_tokens', array_merge($updateData, ['id' => $token->id]));
126         $this->assertSessionHas('success');
127     }
128
129     public function test_token_update_with_blank_expiry_sets_to_hundred_years_away()
130     {
131         $editor = $this->getEditor();
132         $this->asAdmin()->post($editor->getEditUrl('/create-api-token'), $this->testTokenData);
133         $token = ApiToken::query()->latest()->first();
134
135         $resp = $this->put($editor->getEditUrl('/api-tokens/' . $token->id), [
136             'name' => 'My updated token',
137             'expires_at' => '',
138         ]);
139         $token->refresh();
140
141         $over = Carbon::now()->addYears(101);
142         $under = Carbon::now()->addYears(99);
143         $this->assertTrue(
144             ($token->expires_at < $over && $token->expires_at > $under),
145             "Token expiry set at 100 years in future"
146         );
147     }
148
149     public function test_token_delete()
150     {
151         $editor = $this->getEditor();
152         $this->asAdmin()->post($editor->getEditUrl('/create-api-token'), $this->testTokenData);
153         $token = ApiToken::query()->latest()->first();
154
155         $tokenUrl = $editor->getEditUrl('/api-tokens/' . $token->id);
156
157         $resp = $this->get($tokenUrl . '/delete');
158         $resp->assertSeeText('Delete Token');
159         $resp->assertSeeText($token->name);
160         $resp->assertElementExists('form[action="'.$tokenUrl.'"]');
161
162         $resp = $this->delete($tokenUrl);
163         $resp->assertRedirect($editor->getEditUrl('#api_tokens'));
164         $this->assertDatabaseMissing('api_tokens', ['id' => $token->id]);
165     }
166
167     public function test_user_manage_can_delete_token_without_api_permission_themselves()
168     {
169         $viewer = $this->getViewer();
170         $editor = $this->getEditor();
171         $this->giveUserPermissions($editor, ['users-manage']);
172
173         $this->asAdmin()->post($viewer->getEditUrl('/create-api-token'), $this->testTokenData);
174         $token = ApiToken::query()->latest()->first();
175
176         $resp = $this->actingAs($editor)->get($viewer->getEditUrl('/api-tokens/' . $token->id));
177         $resp->assertStatus(200);
178         $resp->assertSeeText('Delete Token');
179
180         $resp = $this->actingAs($editor)->delete($viewer->getEditUrl('/api-tokens/' . $token->id));
181         $resp->assertRedirect($viewer->getEditUrl('#api_tokens'));
182         $this->assertDatabaseMissing('api_tokens', ['id' => $token->id]);
183     }
184
185 }