payloadcms/test/auth/int.spec.ts
Dan Ribbens b9dec2f714 Chore/next poc merge main (#5204)
* wip moves payload, user and data into partial req

* chore: adjust req type

* chore(next): installs sass and resolves type errors

* feat: working login route/view

* fix: me route

* chore(next): scaffolds access routes (#4562)

* chore(next): scaffolds admin layout and dashboard view (#4566)

* chore(next): builds initPage utility (#4589)

* feat(3.0): next route handlers (#4590)

* chore: removes old files

* chore(next): ssr list view (#4594)

* chore: removes old files

* chore: adjusts graphql file imports to align with new operation exports

* chore: allows for custom endpoints

* chore: cleanup

* chore(next): ssr edit view (#4614)

* chore(ui): ssr main nav (#4619)

* chore(next): ssr account view (#4620)

* chore(next): ssr auth views and document create (#4631)

* chore(next): ssr globals view (#4640)

* chore(next): scaffolds document layout (#4644)

* chore(next): ssr versions view (#4645)

* chore(next): ssr field conditions (#4675)

* chore(next): ssr field validations (#4700)

* chore(next): moves dashboard view into next dir

* chore(next): moves account view into next dir

* chore(next): moves global edit view into next dir

* chore(next): returns isolated configs and locale from initPage

* chore(next): ssr api view (#4721)

* feat: adds i18n functionality within Rest API, Local and Client contexts (#4749)

* chore: separate client translation groups with empty line

* chore: add missing translation used in db adapters

* chore: simplify next/routes export and import paths

* chore: renames PayloadT to Payload

* chore(next): custom views (#4748)

* chore: fix translation tsconfig

* chore: adjust other package ts-configs that rely on translations

* chore(next): installs @payloadcms/ui as direct dependency

* chore(next): progress to build

* chore(next): migrates types (#4792)

* fixes accept-language detection

* chore(next): moves remaining components out from payload core (#4794)

* chore(deps): removes all unused dependencies from payload core (#4797)

* chore(next): achieves buildable state (#4803)

* adds Translation component and removes more react-i18next

* fixes up remaining translation strings

* fixes a few i18n TODO's

* chore: remaining translation strings without colons

* chore: adds missing ja translations

* chore(next): ssr group field (#4830)

* chore: removes placeholder t function

* chore: removes old file

* chore(bundler-webpack): removes webpack bundler

* chore(bundler-vite): removes vite bundler

* chore(next): ssr tabs field (#4863)

* chore(next): ssr row field

* chore(next): ssr textarea field

* chore(next): wires server action into document edit view (#4873)

* chore(next): conditional logic (#4880)

* chore(next): ssr radio, point, code, json, ui, and hidden fields (#4891)

* chore(next): ssr collapsible field (#4894)

* chore: remove findByID from req

* chore: adjusts file property on request type

* comment clarification

* chore: wires up busboy with Requst readstream

* chore: ports over express-fileupload into a NextJS compatible format

* chore: adjust upload file structure

* chore: adds try/catch around routes, corrects a few route responses

* chore: renames file/function

* chore: improve req type safety in local operations, misc req.files replacements

* chore: misc type and fn export changes

* chore: ensures root routes take pass unmodified request to root routes

* chore: improve types

* chore: consolidates locale api req initialization (#4922)

* chore(next): overhauls field rendering strategy (#4924)

* chore(next): ssr array field (#4937)

* chore(next): ssr blocks field (#4942)

* chore(next): ssr upload field and document drawer (#4957)

* chore(next): wires form submissions (#4982)

* chore: api handler adjustments

* feat: adds graphql playground handler

* adds credentials include setting to playground

* remove old playground init, stub graphql handler location

* fix: allow for null fallbackLocale

* fix: correctly prioritize locales passed as null

* chore: move all graphql code into next package

* graphql changes

* chore: semi working version of graphql http layer

* gql fix attempts

* rm console log

* chore: partial gql changes

* chore: adds gql and gql-http back into payload

* chore: removes collection from req

* chore: separates graphql package out for schema generation

* chore: dep cleanup

* chore: move graphql handlers

* chore: removes unused deps

* chore(next): ssr list view (#5032)

* chore: refactor response handler order for custom endpoints

* chore: add back in condition for collection GET path with 2 slugs

* chore: rm optional chain

* chore: import sort route file

* chore: allows custom endpoints to attempt before erroring

* feat: adds memoization to translation functions (#5036)

* chore: fix APIError import

* chore: return attemptCustomEndpointBeforeError responses

* chore(next): properly instantiates table columns

* fix(next): attaches params to req and properly assigns prefs key (#5042)

* chore: reorganize next route order

* chore(next): adds RouteError handler to next routes

* chore: builds payload successfully

* chore: misc file omissions

* fix(ui): maintains proper column order

* fix(ui): ensures first cell is a link

* fix(next): properly copies url object in createPayloadRequest (#5064)

* fix(ui): bumps react-toastify to v10.0.4 to fix hydration warnings

* feat: add route for static file GET requests (#5065)

* chore(next): allows resolved config promise to be thread through initPage (#5071)

* chore(ui): conditionally renders field label from props

* feat(next): next install script

* chore: pass config to route handlers

* feat: initial test suite framework (#4929)

* chore(next): renderable account, api, and create first user views (#5084)

* fix(next): properly parses search params in find, update, and delete handlers (#5088)

* chore(next): ssr versions view (#5085)

* chore: adds homepage for scss testing

* chore: moves dev folder to top, establishes new test pattern

* chore: working turbopack

* chore: sets up working dynamic payload-config imports

* remove unused code

* chore: rm console log

* misc

* feat: correctly subs out ability to boot REST API within same process

* chore: WIP dev suites

* chore: removes need for REST_API folder in test dir

* removes duplicate bootAdminPanel fn

* misc

* specify default export

* chore: sets up jest to work with next/jest

* chore: progress to mongodb and sharp builds

* chore: passing community tests

* chore: sorta workin

* chore: adjust payload-config import

* chore: adds rest client for Next handlers

* chore: removes test garb

* chore: restores payload-config tsconfig path temporarily

* chore: establishes pattern for memory db during tests

* chore: bumps mongoose to 7

* chore(next): 404s on nested create urls

* chore: functional _community e2e

* chore: increases e2e expect timeout

* fix(next): sanitizes locale toString from client config

* chore: type fixes

* chore: pulls mongodb from main

* chore: uses graphql to log user in

* feat: passing auth test suite

* chore(ui): threads params through context and conditionally renders document tabs (#5094)

* feat(ui): adds params context (#5095)

* chore: removes unecessary memory allocation for urlPropertiesObject object

* chore: passing graphql test suite

* chore: removes references to bson

* chore: re-enables mongodb memory server for auth test suite

* chore: replace bson with bson-objectid

* feat: passing collections-rest int suite

* chore: fixes bad imports

* chore: more passing int suites

* feat: passing globals int tests

* feat: passing hooks int test suite

* chore: remove last express file

* chore: start live-preview int test migration

* chore: passing localization int tests

* passing relationships int tests

* chore: partial passing upload int tests

* chore: fixes scss imports

* chore(ui): renders document info provider at root (#5106)

* chore: adds schema path to useFieldPath provider, more passing tests

* chore: begins work to optimize translation imports

* chore: add translations to ui ts-config references

* chore: add exports folder to package json exports

* chore: adds readme how-to-use instructions

* chore: attempts refactor of translation imports

* chore: adds authentication:account translation key to server keys

* chore: finishes translation optimization

* chore: ignores warnings from mongodb

* chore(ui): renders live document title (#5115)

* chore(ui): ssr document tabs (#5116)

* chore: handles redirecting from login

* chore: handle redirect with no searchParams

* chore: handle missing segments

* chore(next): migrates server action into standalone api endpoint (#5122)

* chore: adjust dashboard colection segments

* test: update e2e suites

* fix(ui): prevents unnecessary calls to form state

* chore: fix finding global config fields from schema path

* fix(next): executes root POST endpoints

* chore(ui): ignores values returned by form state polling

* chore: scaffolds ssr rte

* chore: renders client leaves

* chore: server-side rendered rich text elements

* chore: defines ClientFunction pattern

* chore(ui): migrates relationship field

* chore: adds translations, cleans up slate

* chore: functional slate link

* chore: slate upload ssr

* chore: relationship slate ssr

* chore: remaining slate ssr

* chore: fixes circular workspace dep

* chore: correct broken int test import paths

* chore: remove media files from root

* chore: server renders custom edit view

* fix(ui): resolves infinite loading in versions view

* fix(next): resolves global edit view lookup

* chore: payload builds

* chore: delete unused files

* chore: removes local property from payload

* chore: adds mongodb as dev dep in db-mongodb package

* chore: hide deprecation warnings for tempfile and jest-environment-jsdom

* chore: remove all translations from translations dist

* chore: clean ts-config files

* chore: simple type fixes

* chore(ui): server renders custom list view

* chore: fix next config payload-config alias

* chore: adds turbo alias paths

* chore: adjusts translation generation

* chore: improve auth function

* chore: eslint config for packages/ui

* chore(ui): exports FormState

* chore(next): migrates account view to latest patterns

* chore: disable barbie mode

* chore(ui): lints

* chore(next): lints

* chore: for alexical

* chore: custom handler type signature adjustment

* fix: non-boolean condition result causes infinite looping (#4579)

* chore(richtext-lexical): upgrade lexical from v0.12.5 to v0.12.6 (#4732)

* chore(richtext-lexical): upgrade all lexical packages from 0.12.5 to 0.12.6

* fix(richtext-lexical): fix TypeScript errors

* fix indenting

* feat(richtext-lexical): Blocks: generate type definitions for blocks fields (#4529)

* feat(richtext-lexical)!: Update lexical from 0.12.6 to 0.13.1, port over all useful changes from playground (#5066)

* feat(richtext-lexical): Update lexical from 0.12.6 to 0.13.1, port over all useful changes from playground

* chore: upgrade lexical version used in monorepo

* chore: remove the 3

* chore: upgrade nodemon versions (#5059)

* feat: add more options to addFieldStatePromise so that it can be used for field flattening (#4799)

* feat(plugin-seo)!: remove support for payload <2.7.0 (#4765)

* chore(plugin-seo): remove test script from package.json (#4762)

* chore: upgrade @types/nodemailer from v6.4.8 to v6.4.14 (#4733)

* chore: revert auth and initPage changes

* chore(next): moves edit and list views (#5170)

* fix: "The punycode module is deprecated" warning by updating nodemailer

* chore: adjust translations tsconfig paths in root

* chore: fix merge build

---------

Co-authored-by: Jarrod Flesch <jarrodmflesch@gmail.com>
Co-authored-by: Jacob Fletcher <jacobsfletch@gmail.com>
Co-authored-by: Jarrod Flesch <30633324+JarrodMFlesch@users.noreply.github.com>
Co-authored-by: Elliot DeNolf <denolfe@gmail.com>
Co-authored-by: James <james@trbl.design>
Co-authored-by: Alessio Gravili <alessio@gravili.de>
Co-authored-by: Alessio Gravili <70709113+AlessioGr@users.noreply.github.com>
2024-02-28 13:44:17 -05:00


import jwtDecode from 'jwt-decode'
import type { Payload } from '../../packages/payload/src'
import type { User } from '../../packages/payload/src/auth'
import { getPayload } from '../../packages/payload/src'
import { devUser } from '../credentials'
import { NextRESTClient } from '../helpers/NextRESTClient'
import { startMemoryDB } from '../startMemoryDB'
import configPromise from './config'
import { namedSaveToJWTValue, saveToJWTKey, slug } from './shared'
/** REST client bound to the booted Payload config; assigned in the top-level beforeAll. */
let restClient: NextRESTClient
/** Payload instance backed by the in-memory test database; assigned in beforeAll. */
let payload: Payload
/** Admin credentials (from ../credentials) reused by most REST tests in this file. */
const email = devUser.email
const password = devUser.password
describe('Auth', () => {
beforeAll(async () => {
  // Boot Payload against an in-memory database so no external service is needed.
  const resolvedConfig = await startMemoryDB(configPromise)
  payload = await getPayload({ config: resolvedConfig })
  restClient = new NextRESTClient(payload.config)
})
afterAll(async () => {
  // Not every DB adapter exposes a destroy hook; tear the memory DB down only when it does.
  const { db } = payload
  if (typeof db.destroy === 'function') {
    await db.destroy(payload)
  }
})
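describe('GraphQL - admin user', () => {
  // Typed like the REST 'logged in' suite so these closure-captured lets do not become implicit any.
  let token: string | undefined
  let user: User | undefined

  beforeAll(async () => {
    // Interpolating credentials into the query string is acceptable only because devUser
    // is a fixed test fixture; for any runtime value, pass GraphQL `variables` instead.
    const response = await restClient.GRAPHQL_POST({
      body: JSON.stringify({
        query: `mutation {
          loginUser(email: "${devUser.email}", password: "${devUser.password}") {
            token
            user {
              id
              email
            }
          }
        }`,
      }),
    })
    const { data } = await response.json()
    user = data.loginUser.user
    token = data.loginUser.token
  })

  it('should login', () => {
    // Optional chaining so a failed beforeAll surfaces as a failed expectation, not a TypeError.
    expect(user?.id).toBeDefined()
    expect(user?.email).toEqual(devUser.email)
    expect(token).toBeDefined()
  })

  it('should have fields saved to JWT', () => {
    if (!token) throw new Error('login did not return a token')
    // jwtDecode only base64-decodes the claims; it performs no signature check. That is fine
    // for inspecting claim shape in a test but must never be used to authenticate a request.
    const decoded = jwtDecode<User>(token)
    const { collection, email: jwtEmail, exp, iat, roles } = decoded
    expect(jwtEmail).toBeDefined()
    expect(collection).toEqual('users')
    expect(Array.isArray(roles)).toBeTruthy()
    expect(iat).toBeDefined()
    expect(exp).toBeDefined()
  })
})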
describe('REST - admin user', () => {
it('should prevent registering a new first user', async () => {
  // first-register is a one-time bootstrap: once a user exists it must be refused.
  const requestBody = JSON.stringify({ email, password })
  const response = await restClient.POST(`/${slug}/first-register`, { body: requestBody })
  expect(response.status).toBe(403)
})
it('should login a user successfully', async () => {
  const response = await restClient.POST(`/${slug}/login`, {
    body: JSON.stringify({ email, password }),
  })
  const { status } = response
  const body = await response.json()
  expect(status).toBe(200)
  // Only presence of the token is asserted here; its claims are checked in the JWT tests.
  expect(body.token).toBeDefined()
})
describe('logged in', () => {
// Session state shared by every test in this suite; populated once in beforeAll.
let token: string | undefined
let loggedInUser: User | undefined

beforeAll(async () => {
  const loginResponse = await restClient.POST(`/${slug}/login`, {
    body: JSON.stringify({ email, password }),
  })
  const loginData = await loginResponse.json()
  // Later tests send `token` as `Authorization: JWT <token>`; loggedInUser drives local-API updates.
  loggedInUser = loginData.user
  token = loginData.token
})
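it('should allow a user to change password without returning password', async () => {
  // Fail with a clear message if the suite's beforeAll did not log in, instead of a TypeError on .id.
  if (!loggedInUser) throw new Error('expected a logged in user from beforeAll')
  // NOTE(review): this changes the shared admin user's password; later logins in this file
  // still use devUser.password, so presumably that value is also 'test' — confirm.
  const result = await payload.update({
    id: loggedInUser.id,
    collection: slug,
    data: {
      password: 'test',
    },
  })
  expect(result.id).toStrictEqual(loggedInUser.id)
  // The stored (hashed) password must not be echoed back by the local API.
  expect(result.password).toBeUndefined()
})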
it('should return a logged in user from /me', async () => {
  const meResponse = await restClient.GET(`/${slug}/me`, {
    headers: { Authorization: `JWT ${token}` },
  })
  const me = await meResponse.json()
  expect(meResponse.status).toBe(200)
  expect(me.user.email).toBeDefined()
})
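it('should have fields saved to JWT', () => {
  if (!token) throw new Error('expected a token from beforeAll')
  // jwtDecode only base64-decodes the claims; it performs no signature check. That is fine
  // for asserting on claim shape here, but never use it to authenticate a request.
  const decoded = jwtDecode<User>(token)
  const {
    collection,
    email: jwtEmail,
    exp,
    iat,
    roles,
    [saveToJWTKey]: customJWTPropertyKey,
    tabLiftedSaveToJWT,
    unnamedTabSaveToJWTFalse,
    'x-lifted-from-group': liftedFromGroup,
    'x-tab-field': unnamedTabSaveToJWTString,
  } = decoded
  // Group/tab containers land in the token as nested objects (presumably configured in ./config).
  const group = decoded['x-group'] as Record<string, unknown>
  const tab = decoded.saveToJWTTab as Record<string, unknown>
  const tabString = decoded['tab-test'] as Record<string, unknown>

  expect(jwtEmail).toBeDefined()
  expect(collection).toEqual('users')
  expect(Array.isArray(roles)).toBeTruthy()
  // 'x-custom-jwt-property-name': 'namedSaveToJWT value'
  expect(customJWTPropertyKey).toEqual(namedSaveToJWTValue)
  expect(group).toBeDefined()
  expect(group['x-test']).toEqual('nested property')
  // A field opted out with saveToJWT: false must stay out of the token even inside a saved group.
  expect(group.saveToJWTFalse).toBeUndefined()
  expect(liftedFromGroup).toEqual('lifted from group')
  expect(tabLiftedSaveToJWT).toEqual('lifted from unnamed tab')
  expect(tab['x-field']).toEqual('yes')
  expect(tabString.includedByDefault).toEqual('yes')
  expect(unnamedTabSaveToJWTString).toEqual('text')
  expect(unnamedTabSaveToJWTFalse).toBeUndefined()
  expect(iat).toBeDefined()
  expect(exp).toBeDefined()
})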
it('should allow authentication with an API key with useAPIKey', async () => {
  const apiKey = '0123456789ABCDEFGH'
  const created = await payload.create({
    collection: slug,
    data: { apiKey, email: 'dev@example.com', password: 'test' },
  })
  // API-key auth uses the `<collection slug> API-Key <key>` scheme instead of `JWT <token>`.
  const authHeader = `${slug} API-Key ${created?.apiKey}`
  const meResponse = await restClient.GET(`/${slug}/me`, {
    headers: { Authorization: authHeader },
  })
  const me = await meResponse.json()
  expect(meResponse.status).toBe(200)
  expect(me.user.email).toBeDefined()
  // The key is returned to its own holder in the /me response.
  expect(me.user.apiKey).toStrictEqual(apiKey)
})
it('should refresh a token and reset its expiration', async () => {
  const refreshResponse = await restClient.POST(`/${slug}/refresh-token`, {
    headers: { Authorization: `JWT ${token}` },
  })
  const refreshed = await refreshResponse.json()
  expect(refreshResponse.status).toBe(200)
  // Only presence is asserted; the new token's exp is not compared with the old one here.
  expect(refreshed.refreshedToken).toBeDefined()
})
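it('should refresh a token and receive an up-to-date user', async () => {
  // Guard explicitly instead of `loggedInUser?.id || ''`, which would silently send an empty id.
  if (!loggedInUser) throw new Error('expected a logged in user from beforeAll')
  // `custom` is expected to be populated by the test config (presumably a hook) — confirm in ./config.
  expect(loggedInUser.custom).toBe('Hello, world!')
  await payload.update({
    id: loggedInUser.id,
    collection: slug,
    data: {
      custom: 'Goodbye, world!',
    },
  })
  // A refresh must re-read the user from the database rather than copy the stale user out of the old token.
  const response = await restClient.POST(`/${slug}/refresh-token`, {
    headers: {
      Authorization: `JWT ${token}`,
    },
  })
  const data = await response.json()
  expect(response.status).toBe(200)
  expect(data.user.custom).toBe('Goodbye, world!')
})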
it('should allow a user to be created', async () => {
  const createResponse = await restClient.POST(`/${slug}`, {
    body: JSON.stringify({
      email: 'name@test.com',
      password,
      roles: ['editor'],
    }),
    headers: { Authorization: `JWT ${token}` },
  })
  const created = await createResponse.json()
  expect(createResponse.status).toBe(201)
  for (const prop of ['message', 'doc']) expect(created).toHaveProperty(prop)
  // NOTE(review): nothing here asserts that `password` is absent from the returned doc.
  for (const prop of ['email', 'createdAt', 'roles']) expect(created.doc).toHaveProperty(prop)
})
it('should allow verification of a user', async () => {
  const emailToVerify = 'verify@me.com'
  // _verificationToken is a hidden field: readable only through the local API with showHiddenFields.
  const lookup = () =>
    payload.find({
      collection: 'public-users',
      limit: 1,
      showHiddenFields: true,
      where: { email: { equals: emailToVerify } },
    })

  const createResponse = await restClient.POST(`/public-users`, {
    body: JSON.stringify({ email: emailToVerify, password, roles: ['editor'] }),
    headers: { Authorization: `JWT ${token}` },
  })
  expect(createResponse.status).toBe(201)

  const [beforeDoc] = (await lookup()).docs
  expect(beforeDoc._verified).toBe(false)
  expect(beforeDoc._verificationToken).toBeDefined()

  const verifyResponse = await restClient.POST(
    `/public-users/verify/${beforeDoc._verificationToken}`,
  )
  expect(verifyResponse.status).toBe(200)

  // The token is cleared once used, so it cannot be replayed.
  const [afterDoc] = (await lookup()).docs
  expect(afterDoc._verified).toBe(true)
  expect(afterDoc._verificationToken).toBeNull()
})
describe('User Preferences', () => {
  const key = 'test'
  const property = 'store'
  // Last parsed response body; reassigned by each test that calls the API.
  let data
  // Built lazily: `token` is only assigned in the enclosing suite's beforeAll.
  const authHeaders = () => ({ Authorization: `JWT ${token}` })
  // NOTE(review): this filters by key only; presumably the server also scopes preferences
  // to the requesting user — confirm.
  const findStored = () =>
    payload.find({
      collection: 'payload-preferences',
      depth: 0,
      where: { key: { equals: key } },
    })

  beforeAll(async () => {
    const response = await restClient.POST(`/payload-preferences/${key}`, {
      body: JSON.stringify({ value: { property } }),
      headers: authHeaders(),
    })
    data = await response.json()
  })

  it('should create', () => {
    expect(data.doc.key).toStrictEqual(key)
    expect(data.doc.value.property).toStrictEqual(property)
  })

  it('should read', async () => {
    const response = await restClient.GET(`/payload-preferences/${key}`, {
      headers: authHeaders(),
    })
    data = await response.json()
    expect(data.key).toStrictEqual(key)
    expect(data.value.property).toStrictEqual(property)
  })

  it('should update', async () => {
    const response = await restClient.POST(`/payload-preferences/${key}`, {
      body: JSON.stringify({ value: { property: 'updated', property2: 'test' } }),
      headers: authHeaders(),
    })
    data = await response.json()
    const stored = await findStored()
    expect(data.doc.key).toStrictEqual(key)
    expect(data.doc.value.property).toStrictEqual('updated')
    expect(data.doc.value.property2).toStrictEqual('test')
    // Re-POSTing the same key must upsert, not create a second preference row.
    expect(stored.docs).toHaveLength(1)
  })

  it('should delete', async () => {
    const response = await restClient.DELETE(`/payload-preferences/${key}`, {
      headers: authHeaders(),
    })
    data = await response.json()
    const stored = await findStored()
    expect(stored.docs).toHaveLength(0)
  })
})
describe('Account Locking', () => {
  const userEmail = 'lock@me.com'

  // One deliberately failed login for the lockable user; the response is intentionally not inspected.
  const failLogin = async () => {
    await restClient.POST(`/${slug}/login`, {
      body: JSON.stringify({ email: userEmail, password: 'bad' }),
    })
  }

  // Lock bookkeeping lives in hidden fields, hence showHiddenFields on the local API.
  const readLockState = async () => {
    const found = await payload.find({
      collection: slug,
      limit: 1,
      showHiddenFields: true,
      where: { email: { equals: userEmail } },
    })
    const { lockUntil, loginAttempts } = found.docs[0]
    return { lockUntil, loginAttempts }
  }

  beforeAll(async () => {
    // Re-login as the admin; note this reassigns the enclosing suite's `token`.
    const loginResponse = await restClient.POST(`/${slug}/login`, {
      body: JSON.stringify({ email, password }),
    })
    token = (await loginResponse.json()).token
    // New user to lock
    await restClient.POST(`/${slug}`, {
      body: JSON.stringify({ email: userEmail, password }),
      headers: { Authorization: `JWT ${token}` },
    })
  })

  it('should lock the user after too many attempts', async () => {
    // Three bad attempts, more than needed, so a buggy unlock condition would be caught.
    // The count is expected to read 2, so presumably attempts stop being counted once locked
    // (see the auth config's maxLoginAttempts) — confirm.
    for (let attempt = 0; attempt < 3; attempt += 1) await failLogin()
    const { lockUntil, loginAttempts } = await readLockState()
    expect(loginAttempts).toBe(2)
    expect(lockUntil).toBeDefined()
  })

  it('should unlock account once lockUntil period is over', async () => {
    // Lock user
    await failLogin()
    await failLogin()
    // Backdate the lock so it has already expired (605 s suggests a 10-minute lockTime — confirm).
    await payload.update({
      collection: slug,
      data: { lockUntil: Date.now() - 605 * 1000 },
      where: { email: { equals: userEmail } },
    })
    // login
    await restClient.POST(`/${slug}/login`, {
      body: JSON.stringify({ email: userEmail, password }),
      headers: { Authorization: `JWT ${token}` },
    })
    // A successful login after an expired lock must reset the counter and clear lockUntil.
    const { lockUntil, loginAttempts } = await readLockState()
    expect(loginAttempts).toBe(0)
    expect(lockUntil).toBeNull()
  })
})
})
it('should allow forgot-password by email', async () => {
  // TODO: Spy on payload sendEmail function
  const response = await restClient.POST(`/${slug}/forgot-password`, {
    body: JSON.stringify({ email }),
  })
  // expect(mailSpy).toHaveBeenCalled();
  // NOTE(review): only the status for a known address is checked; that an unknown address
  // receives the same response (no account enumeration) is not covered here.
  expect(response.status).toBe(200)
})
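it('should allow reset password', async () => {
  // forgotPassword resolves to the reset token; disableEmail skips sending it by mail.
  const token = await payload.forgotPassword({
    collection: 'users',
    data: {
      email: devUser.email,
    },
    disableEmail: true,
  })
  // Let a failure propagate with its stack trace. The previous `.catch((e) => console.error(e))`
  // logged the real error and left `result` undefined, so the test failed on a bare toBeTruthy.
  const result = await payload.resetPassword({
    collection: 'users',
    data: {
      password: devUser.password,
      token,
    },
    overrideAccess: true,
  })
  expect(result).toBeTruthy()
})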
it('should enforce access control on the me route', async () => {
  const insecureEmail = 'insecure@me.com'
  const created = await payload.create({
    collection: slug,
    data: {
      adminOnlyField: 'admin secret',
      email: insecureEmail,
      password: 'test',
      roles: ['admin'],
    },
  })
  const loginResponse = await restClient.POST(`/${slug}/login`, {
    body: JSON.stringify({ email: insecureEmail, password: 'test' }),
  })
  const { token: insecureToken } = await loginResponse.json()
  const fetchMe = async () => {
    const res = await restClient.GET(`/${slug}/me`, {
      headers: { Authorization: `JWT ${insecureToken}` },
    })
    return res.json()
  }

  // While the user holds the admin role the restricted field is visible.
  expect((await fetchMe()).user.adminOnlyField).toEqual('admin secret')

  // Demote the user. The same JWT is still accepted, but field-level access is decided from
  // the stored roles on each request, so the restricted field must disappear without a re-login.
  await payload.update({
    id: created?.id || '',
    collection: slug,
    data: { roles: ['editor'] },
  })
  expect((await fetchMe()).user.adminOnlyField).toBeUndefined()
})
it('should not allow refreshing an invalid token', async () => {
  // The token is supplied in the body; a value that is not a valid JWT must be refused.
  const response = await restClient.POST(`/${slug}/refresh-token`, {
    body: JSON.stringify({ token: 'INVALID' }),
  })
  const { status } = response
  const body = await response.json()
  expect(status).toBe(403)
  expect(body.token).toBeUndefined()
})
})
describe('API Key', () => {
  it('should authenticate via the correct API key user', async () => {
    // Relies on at least two seeded api-keys docs (presumably from ./config) — confirm.
    const { docs } = await payload.find({ collection: 'api-keys' })
    const [user1, user2] = docs
    const asUser2 = { Authorization: `api-keys API-Key ${user2.apiKey}` }

    // A key holder can read their own document, and the key itself is returned to them.
    const ownResponse = await restClient.GET(`/api-keys/${user2.id}`, { headers: asUser2 })
    const ownDoc = await ownResponse.json()
    expect(ownDoc.apiKey).toStrictEqual(user2.apiKey)

    // Reading another holder's document with user2's key is refused with 404 rather than 403,
    // presumably so the response does not confirm that the other document exists — confirm.
    const otherResponse = await restClient.GET(`/api-keys/${user1.id}`, { headers: asUser2 })
    expect(otherResponse.status).toStrictEqual(404)
  })
})
})