Add banned field and tests to User

2025-01-05 15:58:03 -05:00 · 2018-08-12 05:30:50 -04:00 · 2018-08-12 05:30:50 -04:00 · b8d40032ca
commit b8d40032ca
parent e0eacf5ff9
5 changed files with 76 additions and 7 deletions
--- a/app/models/User.js
+++ b/app/models/User.js
@ -33,6 +33,15 @@ const UserSchema = mongoose.Schema({
    date: {
        type: Date,
        default: Date.now
+    },
+
+    banned: {
+        type: Boolean,
+        default: false,
+        expires: {
+            type: Date,
+            default: null
+        }
    }
 });

--- a/app/routes/api/auth.js
+++ b/app/routes/api/auth.js
@ -115,8 +115,8 @@ router.post('/logout', function (req, res) {

 router.get('/whoami', requireAuth(), (req, res) => {
    res.status(200).json({
-        user: req.username,
-        display: req.displayname,
+        username: req.username,
+        displayname: req.displayname,
        scope: req.scope,
        key: req.key
    });
--- a/app/util/auth.js
+++ b/app/util/auth.js
@ -1,5 +1,6 @@
 const ModelPath = '../models/';
 const Key = require(ModelPath + 'Key.js');
+const User = require(ModelPath + 'User.js');

 const wrap = require('./wrap.js');
 const verifyScope = require('./verifyScope.js');
@ -35,7 +36,8 @@ const checkKey = async (req, scope, status) => {

 // Middleware that checks for authentication by either API key or session
 // sets req.username, req.displayname, req.scope, and req.key if authenticated properly,
-// otherwise throws an error code
+// otherwise throws an error code.
+// If the user is banned, also throw an error.
 const requireAuth = scope =>
    wrap(async (req, res, next) => {
        const status = {
@ -53,8 +55,13 @@ const requireAuth = scope =>
            return res.status(401).json({message: 'Unauthorized.'});
        else if (!status.permission)
            return res.status(403).json({message: 'Forbidden.'});
-        else
-            next();
+
+        // Check if the user is banned
+        const user = await User.findOne({username: req.username});
+        if(user && user.banned)
+            return res.status(403).json({message: 'Forbidden.'});
+
+        next();
    });

 module.exports.checkSession = checkSession;
--- a/test/api.js
+++ b/test/api.js
@ -186,6 +186,56 @@ describe('Authentication', () => {
            );
        });
    });
+
+    describe('/POST whoami', () => {
+        function verifyWhoami(res, username, displayname, scope, key) {
+            res.should.have.status(200);
+            res.body.should.be.a('object');
+            res.body.should.have.property('username').equal(username);
+            res.body.should.have.property('displayname').equal(displayname);
+            res.body.should.have.property('scope').deep.equal(scope);
+            res.body.should.have.property('key').equal(key);
+        }
+
+        describe('0 Valid Request', () => {
+            it('must respond with a valid session', async () => {
+                await util.createTestSession(agent);
+                const res = await util.whoami(agent);
+                verifyWhoami(res, 'user', 'user', ['file.upload'], null);
+                return util.logout(agent);
+            });
+
+            it('must respond with a valid api key', async () => {
+                await util.createTestKey(['file.upload']);
+                const res = await util.whoami(agent, 'key');
+                verifyWhoami(res, 'Mocha', 'Mocha', ['file.upload'], 'key');
+            });
+        });
+
+        describe('1 Invalid Auth', () => {
+            it('must not respond with an invalid session', async () => {
+                const res = await util.whoami(agent);
+                util.verifyResponse(res, 401, 'Unauthorized.');
+            });
+
+            it('must not respond with a banned user with a valid session', async () => {
+                await util.createTestSession(agent);
+                await util.setBanned('user', true);
+                const res = await util.whoami(agent);
+                util.verifyResponse(res, 403, 'Forbidden.');
+            });
+
+            it('must not respond with a banned users api key', async () => {
+                await util.createTestUser(agent);
+                await Promise.all([
+                    util.setBanned('user', true),
+                    util.insertKey({key: 'key', identifier: 'test', scope: ['file.upload'], issuer: 'user'})
+                ]);
+                const res = await util.whoami(agent, 'key');
+                util.verifyResponse(res, 403, 'Forbidden.');
+            });
+        });
+    });
 });

 describe('Uploading', () => {
--- a/test/testUtil.js
+++ b/test/testUtil.js
@ -44,6 +44,9 @@ exports.insertInvite = invite =>
 exports.insertKey = key =>
    Key.create(key);

+exports.setBanned = (username, banned) =>
+    User.updateOne({username: username}, {banned: banned});
+
 //---------------- API ROUTES ----------------//

 exports.login = (credentials, agent) =>
@ -57,9 +60,9 @@ exports.registerUser = (user, agent) =>
    agent.post('/api/auth/register')
        .send(user);

-exports.whoami = (agent) =>
+exports.whoami = (agent, key) =>
    agent.get('/api/auth/whoami')
-        .send();
+        .send({key: key});

 //---------------- TEST ENTRY CREATION ----------------//