cturan
/
vendure
mirror of https://github.com/vendure-ecommerce/vendure


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376
							import { DocumentNode } from 'graphql';
import gql from 'graphql-tag';
import path from 'path';

import {
    CREATE_ADMINISTRATOR,
    CREATE_ROLE,
} from '../../admin-ui/src/app/data/definitions/administrator-definitions';
import { ATTEMPT_LOGIN } from '../../admin-ui/src/app/data/definitions/auth-definitions';
import {
    CREATE_PRODUCT,
    GET_PRODUCT_LIST,
    UPDATE_PRODUCT,
} from '../../admin-ui/src/app/data/definitions/product-definitions';
import {
    CreateAdministrator,
    CreateProductMutationArgs,
    CreateRole,
    LoginMutationArgs,
    Permission,
    RegisterCustomerInput,
    UpdateProductMutationArgs,
} from '../../shared/generated-types';
import { SUPER_ADMIN_USER_IDENTIFIER, SUPER_ADMIN_USER_PASSWORD } from '../../shared/shared-constants';
import { NoopEmailGenerator } from '../src/config/email/noop-email-generator';
import { defaultEmailTypes } from '../src/email/default-email-types';

import { TEST_SETUP_TIMEOUT_MS } from './config/test-config';
import { TestClient } from './test-client';
import { TestServer } from './test-server';

describe('Authorization & permissions', () => {
    const client = new TestClient();
    const server = new TestServer();
    let sendEmailFn: jest.Mock;

    beforeAll(async () => {
        const token = await server.init(
            {
                productCount: 1,
                customerCount: 1,
            },
            {
                emailOptions: {
                    emailTemplatePath: 'src/email/templates',
                    emailTypes: defaultEmailTypes,
                    generator: new NoopEmailGenerator(),
                    transport: {
                        type: 'testing',
                        onSend: ctx => sendEmailFn(ctx),
                    },
                },
            },
        );
        await client.init();
    }, TEST_SETUP_TIMEOUT_MS);

    afterAll(async () => {
        await server.destroy();
    });

    describe('admin permissions', () => {
        describe('Anonymous user', () => {
            beforeAll(async () => {
                await client.asAnonymousUser();
            });

            it('can attempt login', async () => {
                await assertRequestAllowed<LoginMutationArgs>(ATTEMPT_LOGIN, {
                    username: SUPER_ADMIN_USER_IDENTIFIER,
                    password: SUPER_ADMIN_USER_PASSWORD,
                    rememberMe: false,
                });
            });
        });

        describe('ReadCatalog', () => {
            beforeAll(async () => {
                await client.asSuperAdmin();
                const { identifier, password } = await createAdministratorWithPermissions('ReadCatalog', [
                    Permission.ReadCatalog,
                ]);
                await client.asUserWithCredentials(identifier, password);
            });

            it('can read', async () => {
                await assertRequestAllowed(GET_PRODUCT_LIST);
            });

            it('cannot uppdate', async () => {
                await assertRequestForbidden<UpdateProductMutationArgs>(UPDATE_PRODUCT, {
                    input: {
                        id: '1',
                        translations: [],
                    },
                });
            });

            it('cannot create', async () => {
                await assertRequestForbidden<CreateProductMutationArgs>(CREATE_PRODUCT, {
                    input: {
                        translations: [],
                    },
                });
            });
        });

        describe('CRUD on Customers', () => {
            beforeAll(async () => {
                await client.asSuperAdmin();
                const { identifier, password } = await createAdministratorWithPermissions('CRUDCustomer', [
                    Permission.CreateCustomer,
                    Permission.ReadCustomer,
                    Permission.UpdateCustomer,
                    Permission.DeleteCustomer,
                ]);
                await client.asUserWithCredentials(identifier, password);
            });

            it('can create', async () => {
                await assertRequestAllowed(
                    gql`
                        mutation CreateCustomer($input: CreateCustomerInput!) {
                            createCustomer(input: $input) {
                                id
                            }
                        }
                    `,
                    { input: { emailAddress: '', firstName: '', lastName: '' } },
                );
            });

            it('can read', async () => {
                await assertRequestAllowed(gql`
                    query {
                        customers {
                            totalItems
                        }
                    }
                `);
            });
        });
    });

    describe('customer account creation', () => {
        const password = 'password';
        const emailAddress = 'test1@test.com';
        let verificationToken: string;

        beforeEach(() => {
            sendEmailFn = jest.fn();
        });

        it('register a new account', async () => {
            const verificationTokenPromise = getVerificationTokenPromise();
            const input: RegisterCustomerInput = {
                firstName: 'Sean',
                lastName: 'Tester',
                emailAddress,
            };
            const result = await client.query(REGISTER_ACCOUNT, { input });

            verificationToken = await verificationTokenPromise;

            expect(result.registerCustomerAccount).toBe(true);
            expect(sendEmailFn).toHaveBeenCalled();
            expect(verificationToken).toBeDefined();
        });

        it('issues a new token if attempting to register a second time', async () => {
            const sendEmail = new Promise<string>(resolve => {
                sendEmailFn.mockImplementation(ctx => {
                    resolve(ctx.event.user.verificationToken);
                });
            });
            const input: RegisterCustomerInput = {
                firstName: 'Sean',
                lastName: 'Tester',
                emailAddress,
            };
            const result = await client.query(REGISTER_ACCOUNT, { input });

            const newVerificationToken = await sendEmail;

            expect(result.registerCustomerAccount).toBe(true);
            expect(sendEmailFn).toHaveBeenCalled();
            expect(newVerificationToken).not.toBe(verificationToken);

            verificationToken = newVerificationToken;
        });

        it('refreshCustomerVerification issues a new token', async () => {
            const sendEmail = new Promise<string>(resolve => {
                sendEmailFn.mockImplementation(ctx => {
                    resolve(ctx.event.user.verificationToken);
                });
            });
            const result = await client.query(REFRESH_TOKEN, { emailAddress });

            const newVerificationToken = await sendEmail;

            expect(result.refreshCustomerVerification).toBe(true);
            expect(sendEmailFn).toHaveBeenCalled();
            expect(newVerificationToken).not.toBe(verificationToken);

            verificationToken = newVerificationToken;
        });

        it('refreshCustomerVerification does nothing with an unrecognized emailAddress', async () => {
            const result = await client.query(REFRESH_TOKEN, {
                emailAddress: 'never-been-registered@test.com',
            });
            await waitForSendEmailFn();
            expect(result.refreshCustomerVerification).toBe(true);
            expect(sendEmailFn).not.toHaveBeenCalled();
        });

        it('login fails before verification', async () => {
            try {
                await client.asUserWithCredentials(emailAddress, '');
                fail('should have thrown');
            } catch (err) {
                expect(getErrorCode(err)).toBe('UNAUTHORIZED');
            }
        });

        it('verification fails with wrong token', async () => {
            try {
                await client.query(VERIFY_EMAIL, {
                    password,
                    token: 'bad-token',
                });
                fail('should have thrown');
            } catch (err) {
                expect(err.message).toEqual(expect.stringContaining(`Verification token not recognized`));
            }
        });

        it('verification succeeds with correct token', async () => {
            const result = await client.query(VERIFY_EMAIL, {
                password,
                token: verificationToken,
            });

            expect(result.verifyCustomerAccount.user.identifier).toBe('test1@test.com');
        });

        it('registration silently fails if attempting to register an email already verified', async () => {
            const input: RegisterCustomerInput = {
                firstName: 'Dodgy',
                lastName: 'Hacker',
                emailAddress,
            };
            const result = await client.query(REGISTER_ACCOUNT, { input });
            await waitForSendEmailFn();
            expect(result.registerCustomerAccount).toBe(true);
            expect(sendEmailFn).not.toHaveBeenCalled();
        });

        it('verification fails if attempted a second time', async () => {
            try {
                await client.query(VERIFY_EMAIL, {
                    password,
                    token: verificationToken,
                });
                fail('should have thrown');
            } catch (err) {
                expect(err.message).toEqual(expect.stringContaining(`Verification token not recognized`));
            }
        });
    });

    function getVerificationTokenPromise(): Promise<string> {
        return new Promise<string>(resolve => {
            sendEmailFn.mockImplementation(ctx => {
                resolve(ctx.event.user.verificationToken);
            });
        });
    }

    async function assertRequestAllowed<V>(operation: DocumentNode, variables?: V) {
        try {
            const status = await client.queryStatus(operation, variables);
            expect(status).toBe(200);
        } catch (e) {
            const errorCode = getErrorCode(e);
            if (!errorCode) {
                fail(`Unexpected failure: ${e}`);
            } else {
                fail(`Operation should be allowed, got status ${getErrorCode(e)}`);
            }
        }
    }

    async function assertRequestForbidden<V>(operation: DocumentNode, variables: V) {
        try {
            const status = await client.query(operation, variables);
            fail(`Should have thrown`);
        } catch (e) {
            expect(getErrorCode(e)).toBe('FORBIDDEN');
        }
    }

    function getErrorCode(err: any): string {
        return err.response.errors[0].extensions.code;
    }

    async function createAdministratorWithPermissions(
        code: string,
        permissions: Permission[],
    ): Promise<{ identifier: string; password: string }> {
        const roleResult = await client.query<CreateRole.Mutation, CreateRole.Variables>(CREATE_ROLE, {
            input: {
                code,
                description: '',
                permissions,
            },
        });

        const role = roleResult.createRole;

        const identifier = `${code}@${Math.random()
            .toString(16)
            .substr(2, 8)}`;
        const password = `test`;

        const adminResult = await client.query<CreateAdministrator.Mutation, CreateAdministrator.Variables>(
            CREATE_ADMINISTRATOR,
            {
                input: {
                    emailAddress: identifier,
                    firstName: code,
                    lastName: 'Admin',
                    password,
                    roleIds: [role.id],
                },
            },
        );
        const admin = adminResult.createAdministrator;

        return {
            identifier,
            password,
        };
    }

    /**
     * A "sleep" function which allows the sendEmailFn time to get called.
     */
    function waitForSendEmailFn() {
        return new Promise(resolve => setTimeout(resolve, 10));
    }

    const REGISTER_ACCOUNT = gql`
        mutation Register($input: RegisterCustomerInput!) {
            registerCustomerAccount(input: $input)
        }
    `;

    const VERIFY_EMAIL = gql`
        mutation Verify($password: String!, $token: String!) {
            verifyCustomerAccount(password: $password, token: $token) {
                user {
                    id
                    identifier
                }
            }
        }
    `;

    const REFRESH_TOKEN = gql`
        mutation RefreshToken($emailAddress: String!) {
            refreshCustomerVerification(emailAddress: $emailAddress)
        }
    `;
});