verdaccio/test/unit/api/api.jwt.spec.js

// @flow

import request from 'supertest';
import _ from 'lodash';
import path from 'path';
import rimraf from 'rimraf';

import Config from '../../../src/lib/config';
import endPointAPI from '../../../src/api/index';

import {HEADERS, HTTP_STATUS, HEADER_TYPE} from '../../../src/lib/constants';
import {mockServer} from './mock';
import {DOMAIN_SERVERS} from '../../functional/config.functional';
import {parseConfigFile} from '../../../src/lib/utils';
import {parseConfigurationFile} from '../__helper';
import {addUser, getPackage} from './__api-helper';
import {setup} from '../../../src/lib/logger';
import {buildUserBuffer} from '../../../src/lib/auth-utils';

setup([]);
const credentials = { name: 'JotaJWT', password: 'secretPass' };

const parseConfigurationJWTFile = () => {
  return parseConfigurationFile(`api-jwt/jwt`);
};

const FORBIDDEN_VUE: string = 'unregistered users are not allowed to access package vue';

describe('endpoint user auth JWT unit test', () => {
  let config;
  let app;
  let mockRegistry;

  beforeAll(function(done) {
    const store = path.join(__dirname, '../partials/store/test-jwt-storage');
    const mockServerPort = 55546;
    rimraf(store, async () => {
      const confS = parseConfigFile(parseConfigurationJWTFile());
      const configForTest = _.clone(confS);
      configForTest.storage = store;
      configForTest.auth = {
        htpasswd: {
          file: './test-jwt-storage/.htpasswd'
        }
      };
      configForTest.uplinks = {
        npmjs: {
          url: `http://${DOMAIN_SERVERS}:${mockServerPort}`
        }
      };
      configForTest.self_path = store;
      config = new Config(configForTest);
      app = await endPointAPI(config);
      mockRegistry = await mockServer(mockServerPort).init();
      done();
    });
  });

  afterAll(function(done) {
    mockRegistry[0].stop();
    done();
  });

  test('should test add a new user with JWT enabled', async (done) => {
    const [err, res] = await addUser(request(app), credentials.name, credentials);
    expect(err).toBeNull();
    expect(res.body.ok).toBeDefined();
    expect(res.body.token).toBeDefined();
    const token = res.body.token;
    expect(typeof token).toBe('string');
    expect(res.body.ok).toMatch(`user '${credentials.name}' created`);
    // testing JWT auth headers with token
    // we need it here, because token is required
    const [err1, resp1] = await getPackage(request(app), `Bearer ${token}`, 'vue');
    expect(err1).toBeNull();
    expect(resp1.body).toBeDefined();
    expect(resp1.body.name).toMatch('vue');

    const [err2, resp2] = await getPackage(request(app), `Bearer fake`, 'vue', HTTP_STATUS.FORBIDDEN);
    expect(err2).toBeNull();
    expect(resp2.statusCode).toBe(HTTP_STATUS.FORBIDDEN);
    expect(resp2.body.error).toMatch(FORBIDDEN_VUE);
    done();
  });

  test('should emulate npm login when user already exist', async (done) => {
    const credentials = { name: 'jwtUser2', password: 'secretPass' };
    // creates an user
    await addUser(request(app), credentials.name, credentials);
    // it should fails conflict 409
    await addUser(request(app), credentials.name, credentials, HTTP_STATUS.CONFLICT);
    // npm will try to sign in sending credentials via basic auth header
    const token = buildUserBuffer(credentials.name, credentials.password).toString('base64');
    request(app).put(`/-/user/org.couchdb.user:${credentials.name}/-rev/undefined`)
      .send(credentials)
      .set('authorization', `Basic ${token}`)
      .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
      .expect(HTTP_STATUS.CREATED)
      .end(function(err, res) {
        expect(err).toBeNull();
        expect(res.body.ok).toBeDefined();
        expect(res.body.token).toBeDefined();
        done();
      });
  });

  test('should fails on try to access with corrupted token', async (done) => {
    const [err2, resp2] = await getPackage(request(app), `Bearer fake`, 'vue', HTTP_STATUS.FORBIDDEN);
    expect(err2).toBeNull();
    expect(resp2.statusCode).toBe(HTTP_STATUS.FORBIDDEN);
    expect(resp2.body.error).toMatch(FORBIDDEN_VUE);
    done();
  });

});
feat: add support for jwt on api (#896) * feat: add support for jwt on api * test: add unit test for sign token with jwt add multiple scenarios with configuration file * chore: add JWT verification on middleware * chore: restore headless * chore: restore middleware header validation * refactor: fix login whether user exists * refactor: JWT is signed asynchronously * refactor: better structure and new naming convention * test: add unit test for token signature * test: add unit test for creating user with JWT enabled #168 * docs: add security section jwt * refactor: renable web auth middleware * test(auth): add legacy disabled scenario * chore: update gitignore * chore: add some es6 sugar * feat: enable JWT token signature for new installations * chore: add yaml files to git I forgot add this before :mask: * chore: trace log on auth in case we want more output 2018-08-21 08:05:34 +02:00			`// @flow`

			`import request from 'supertest';`
			`import _ from 'lodash';`
			`import path from 'path';`
			`import rimraf from 'rimraf';`

			`import Config from '../../../src/lib/config';`
			`import endPointAPI from '../../../src/api/index';`

			`import {HEADERS, HTTP_STATUS, HEADER_TYPE} from '../../../src/lib/constants';`
			`import {mockServer} from './mock';`
			`import {DOMAIN_SERVERS} from '../../functional/config.functional';`
			`import {parseConfigFile} from '../../../src/lib/utils';`
			`import {parseConfigurationFile} from '../__helper';`
			`import {addUser, getPackage} from './__api-helper';`
			`import {setup} from '../../../src/lib/logger';`
			`import {buildUserBuffer} from '../../../src/lib/auth-utils';`

			`setup([]);`
			`const credentials = { name: 'JotaJWT', password: 'secretPass' };`

			`const parseConfigurationJWTFile = () => {`
			return parseConfigurationFile(`api-jwt/jwt`);
			`};`

			`const FORBIDDEN_VUE: string = 'unregistered users are not allowed to access package vue';`

			`describe('endpoint user auth JWT unit test', () => {`
			`let config;`
			`let app;`
			`let mockRegistry;`

			`beforeAll(function(done) {`
			`const store = path.join(__dirname, '../partials/store/test-jwt-storage');`
			`const mockServerPort = 55546;`
			`rimraf(store, async () => {`
			`const confS = parseConfigFile(parseConfigurationJWTFile());`
			`const configForTest = _.clone(confS);`
			`configForTest.storage = store;`
			`configForTest.auth = {`
			`htpasswd: {`
			`file: './test-jwt-storage/.htpasswd'`
			`}`
			`};`
			`configForTest.uplinks = {`
			`npmjs: {`
			url: `http://${DOMAIN_SERVERS}:${mockServerPort}`
			`}`
			`};`
			`configForTest.self_path = store;`
			`config = new Config(configForTest);`
			`app = await endPointAPI(config);`
			`mockRegistry = await mockServer(mockServerPort).init();`
			`done();`
			`});`
			`});`

			`afterAll(function(done) {`
			`mockRegistry[0].stop();`
			`done();`
			`});`

			`test('should test add a new user with JWT enabled', async (done) => {`
			`const [err, res] = await addUser(request(app), credentials.name, credentials);`
			`expect(err).toBeNull();`
			`expect(res.body.ok).toBeDefined();`
			`expect(res.body.token).toBeDefined();`
			`const token = res.body.token;`
			`expect(typeof token).toBe('string');`
			expect(res.body.ok).toMatch(`user '${credentials.name}' created`);
			`// testing JWT auth headers with token`
			`// we need it here, because token is required`
			const [err1, resp1] = await getPackage(request(app), `Bearer ${token}`, 'vue');
			`expect(err1).toBeNull();`
			`expect(resp1.body).toBeDefined();`
			`expect(resp1.body.name).toMatch('vue');`

			const [err2, resp2] = await getPackage(request(app), `Bearer fake`, 'vue', HTTP_STATUS.FORBIDDEN);
			`expect(err2).toBeNull();`
			`expect(resp2.statusCode).toBe(HTTP_STATUS.FORBIDDEN);`
			`expect(resp2.body.error).toMatch(FORBIDDEN_VUE);`
			`done();`
			`});`

			`test('should emulate npm login when user already exist', async (done) => {`
			`const credentials = { name: 'jwtUser2', password: 'secretPass' };`
			`// creates an user`
			`await addUser(request(app), credentials.name, credentials);`
			`// it should fails conflict 409`
			`await addUser(request(app), credentials.name, credentials, HTTP_STATUS.CONFLICT);`
			`// npm will try to sign in sending credentials via basic auth header`
			`const token = buildUserBuffer(credentials.name, credentials.password).toString('base64');`
			request(app).put(`/-/user/org.couchdb.user:${credentials.name}/-rev/undefined`)
			`.send(credentials)`
			.set('authorization', `Basic ${token}`)
			`.expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)`
			`.expect(HTTP_STATUS.CREATED)`
			`.end(function(err, res) {`
			`expect(err).toBeNull();`
			`expect(res.body.ok).toBeDefined();`
			`expect(res.body.token).toBeDefined();`
			`done();`
			`});`
			`});`

			`test('should fails on try to access with corrupted token', async (done) => {`
			const [err2, resp2] = await getPackage(request(app), `Bearer fake`, 'vue', HTTP_STATUS.FORBIDDEN);
			`expect(err2).toBeNull();`
			`expect(resp2.statusCode).toBe(HTTP_STATUS.FORBIDDEN);`
			`expect(resp2.body.error).toMatch(FORBIDDEN_VUE);`
			`done();`
			`});`

			`});`