From b8d40032caef7f473b9681149a342fd7d6b0a40e Mon Sep 17 00:00:00 2001
From: Jack Foltz
Date: Sun, 12 Aug 2018 05:30:50 -0400
Subject: [PATCH] Add banned field and tests to User

---
 app/models/User.js | 9 +++++++++
 app/routes/api/auth.js | 4 ++--
 app/util/auth.js | 13 ++++++++++---
 test/api.js | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 test/testUtil.js | 7 +++++--
 5 files changed, 76 insertions(+), 7 deletions(-)

diff --git a/app/models/User.js b/app/models/User.js
index 64a46ff..bbf52db 100644
--- a/app/models/User.js
+++ b/app/models/User.js
@@ -33,6 +33,15 @@ const UserSchema = mongoose.Schema({
 date: {
 type: Date,
 default: Date.now
+ },
+
+ banned: {
+ type: Boolean,
+ default: false,
+ expires: {
+ type: Date,
+ default: null
+ }
 }
 });
diff --git a/app/routes/api/auth.js b/app/routes/api/auth.js
index 55d0c39..75f1356 100644
--- a/app/routes/api/auth.js
+++ b/app/routes/api/auth.js
@@ -115,8 +115,8 @@ router.post('/logout', function (req, res) {
 router.get('/whoami', requireAuth(), (req, res) => {
 res.status(200).json({
- user: req.username,
- display: req.displayname,
+ username: req.username,
+ displayname: req.displayname,
 scope: req.scope,
 key: req.key
 });
diff --git a/app/util/auth.js b/app/util/auth.js
index ab61000..b27f836 100644
--- a/app/util/auth.js
+++ b/app/util/auth.js
@@ -1,5 +1,6 @@
 const ModelPath = '../models/';
 const Key = require(ModelPath + 'Key.js');
+const User = require(ModelPath + 'User.js');
 const wrap = require('./wrap.js');
 const verifyScope = require('./verifyScope.js');
@@ -35,7 +36,8 @@ const checkKey = async (req, scope, status) => {
 // Middleware that checks for authentication by either API key or session
 // sets req.username, req.displayname, req.scope, and req.key if authenticated properly,
-// otherwise throws an error code
+// otherwise throws an error code.
+// If the user is banned, also throw an error.
 const requireAuth = scope =>
 wrap(async (req, res, next) => {
 const status = {
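Review bot: The `expires` object nested inside `banned` in UserSchema is, as far as I can tell, read by Mongoose as a SchemaType option on the Boolean path rather than as a nested `banned.expires` path, so no expiry date is stored, and nothing else in this commit reads one. If a time-limited ban is intended, a sibling date path is clearer, e.g. `banned: { type: Boolean, default: false }, bannedUntil: { type: Date, default: null }`, and the middleware in app/util/auth.js would then have to compare it against the current time. If only a permanent flag is wanted, dropping the inner object removes a misleading schema. A one-line comment on the field saying which of the two it is would help the next reader either way.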
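Review bot: The reworded header comment on requireAuth in app/util/auth.js still says the middleware "throws an error code" and will "also throw an error" for banned users, but the function responds with `res.status(...)` and returns rather than throwing (the ban branch is in the next hunk). Suggest `// otherwise responds with 401/403 and does not call next().` and `// A user whose banned flag is set is rejected with 403 even with valid credentials.` The body of requireAuth continues past the end of this hunk.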
@@ -53,8 +55,13 @@ const requireAuth = scope =>
 return res.status(401).json({message: 'Unauthorized.'});
 else if (!status.permission)
 return res.status(403).json({message: 'Forbidden.'});
- else
- next();
+
+ // Check if the user is banned
+ const user = await User.findOne({username: req.username});
+ if(user && user.banned)
+ return res.status(403).json({message: 'Forbidden.'});
+
+ next();
 });
 module.exports.checkSession = checkSession;
diff --git a/test/api.js b/test/api.js
index cf4dda5..109cfa7 100644
--- a/test/api.js
+++ b/test/api.js
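Review bot: The ban check in requireAuth lets the request through when `User.findOne` returns null, so a principal with no matching User document (possible for an API key if `req.username` comes from the key's issuer — checkKey is outside this hunk) is still admitted; `if (!user || user.banned)` fails closed instead. The lookup also never consults the `expires` data the schema change tries to add, so a timed ban cannot take effect here. The check runs a database query on every authenticated request, which the comment should say, and `if(user && ...)` should be spaced `if (` to match the surrounding `else if`. The start of requireAuth is outside this hunk.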
@@ -186,6 +186,56 @@ describe('Authentication', () => {
 );
 });
 });
+
+ describe('/POST whoami', () => {
+ function verifyWhoami(res, username, displayname, scope, key) {
+ res.should.have.status(200);
+ res.body.should.be.a('object');
+ res.body.should.have.property('username').equal(username);
+ res.body.should.have.property('displayname').equal(displayname);
+ res.body.should.have.property('scope').deep.equal(scope);
+ res.body.should.have.property('key').equal(key);
+ }
+
+ describe('0 Valid Request', () => {
+ it('must respond with a valid session', async () => {
+ await util.createTestSession(agent);
+ const res = await util.whoami(agent);
+ verifyWhoami(res, 'user', 'user', ['file.upload'], null);
+ return util.logout(agent);
+ });
+
+ it('must respond with a valid api key', async () => {
+ await util.createTestKey(['file.upload']);
+ const res = await util.whoami(agent, 'key');
+ verifyWhoami(res, 'Mocha', 'Mocha', ['file.upload'], 'key');
+ });
+ });
+
+ describe('1 Invalid Auth', () => {
+ it('must not respond with an invalid session', async () => {
+ const res = await util.whoami(agent);
+ util.verifyResponse(res, 401, 'Unauthorized.');
+ });
+
+ it('must not respond with a banned user with a valid session', async () => {
+ await util.createTestSession(agent);
+ await util.setBanned('user', true);
+ const res = await util.whoami(agent);
+ util.verifyResponse(res, 403, 'Forbidden.');
+ });
+
+ it('must not respond with a banned users api key', async () => {
+ await util.createTestUser(agent);
+ await Promise.all([
+ util.setBanned('user', true),
+ util.insertKey({key: 'key', identifier: 'test', scope: ['file.upload'], issuer: 'user'})
+ ]);
+ const res = await util.whoami(agent, 'key');
+ util.verifyResponse(res, 403, 'Forbidden.');
+ });
+ });
+ });
 });
 describe('Uploading', () => {
diff --git a/test/testUtil.js b/test/testUtil.js
index aa2f0a0..161440a 100644
--- a/test/testUtil.js
+++ b/test/testUtil.js
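Review bot: The new describe block is labelled '/POST whoami', but the route under test is `router.get('/whoami', ...)` and the helper issues `agent.get('/api/auth/whoami')`, so the label should read `describe('/GET whoami', () => {`. The banned-session test in '1 Invalid Auth' creates a session and sets the ban but, unlike the valid-session test above it, never calls `util.logout(agent)`, so the banned session on the shared agent may carry into the next test unless an afterEach hook outside this hunk resets state; adding `return util.logout(agent);` after the assertion keeps the two tests symmetric. The enclosing describe('Authentication') begins before this hunk.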
@@ -44,6 +44,9 @@ exports.insertInvite = invite =>
 exports.insertKey = key =>
 Key.create(key);
+exports.setBanned = (username, banned) =>
+ User.updateOne({username: username}, {banned: banned});
+
 //---------------- API ROUTES ----------------//
 exports.login = (credentials, agent) =>
@@ -57,9 +60,9 @@ exports.registerUser = (user, agent) =>
 agent.post('/api/auth/register')
 .send(user);
-exports.whoami = (agent) =>
+exports.whoami = (agent, key) =>
 agent.get('/api/auth/whoami')
- .send();
+ .send({key: key});
 //---------------- TEST ENTRY CREATION ----------------//
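Review bot: `exports.whoami` now sends the API key as a JSON body on a GET request; proxies and many HTTP clients drop or reject GET bodies, so the test exercises a transport real callers may not be able to use, and `.send({key: key})` also attaches a body (and content type) to the no-key calls that previously used `.send()`. If checkKey (outside this diff) also accepts the key via a header or query string, the helper should use that form, e.g. `.set(...)` or `.query({key})` only when `key` is given — confirm against the server before changing it. Minor style: `{username: username}` and `{banned: banned}` in setBanned can be the shorthand `{username}` and `{banned}`.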