foltik
/
shimapan
mirror of https://github.com/Foltik/Shimapan
1
0
Fork 0
Code Issues 0 Releases 0 Wiki Activity
A simple file sharing site with an easy to use API and online panel.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
238 Commits
2 Branches
29MB
Tree: 5f0592d976
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '5f0592d976'
${ noResults }
shimapan/test/api.js

1066 lines
47KB
Raw Blame History 

  1. process.env.NODE_ENV = 'test';

  2. 

  3. const chai = require('chai');

  4. chai.use(require('chai-http'));

  5. const should = chai.should();

  6. const describe = require('mocha').describe;

  7. 

  8. const ModelPath = '../app/models/';

  9. const User = require(ModelPath + 'User.js');

  10. const Upload = require(ModelPath + 'Upload.js');

  11. const Key = require(ModelPath + 'Key.js');

  12. const Invite = require(ModelPath + 'Invite.js');

  13. const View = require(ModelPath + 'View.js');

  14. 

  15. const util = require('./testUtil.js');

  16. const canonicalize = require('../app/util/canonicalize').canonicalize;

  17. 

  18. const config = require('config');

  19. let app;

  20. let server;

  21. let agent;

  22. 

  23. before(() => {

  24.     const main = require('../server.js');

  25.     app = main.app;

  26.     server = main.server;

  27.     agent = chai.request.agent(app);

  28. });

  29. 

  30. after(() => {

  31.     server.close();

  32. });

  33. 

  34. beforeEach(() => util.clearDatabase());

  35. 

  36. describe('Authentication', () => {

  37.     describe('/POST register', () => {

  38.         describe('0 Valid Request', () => {

  39.             async function verifySuccessfulRegister(user) {

  40.                 await util.createTestInvite();

  41. 

  42.                 const res = await util.registerUser(user, agent);

  43.                 util.verifyResponse(res, 200, 'Registration successful.');

  44. 

  45.                 const userCount = await User.countDocuments({displayname: user.displayname});

  46.                 userCount.should.equal(1, 'The user should have be created in the database');

  47. 

  48.                 const inviteCount = await Invite.countDocuments({code: user.invite, recipient: canonicalize(user.displayname)});

  49.                 inviteCount.should.equal(1, 'The invite should be marked as used by the user');

  50.             }

  51. 

  52.             it('MUST register a valid user with a valid invite', async () =>

  53.                 verifySuccessfulRegister({displayname: 'user', password: 'pass', invite: 'code'})

  54.             );

  55. 

  56.             it('MUST register a username with unicode symbols and a valid invite', async () =>

  57.                 verifySuccessfulRegister({displayname: 'ᴮᴵᴳᴮᴵᴿᴰ', password: 'pass', invite: 'code'})

  58.             );

  59.         });

  60. 

  61.         describe('1 Invalid Invites', () => {

  62.             async function verifyRejectedInvite(invite, message) {

  63.                 const user = {displayname: 'user', password: 'pass', invite: 'code'};

  64.                 if (invite) {

  65.                     await util.insertInvite(invite, agent);

  66.                     user.invite = invite.code;

  67.                 }

  68. 

  69.                 const res = await(util.registerUser(user, agent));

  70.                 util.verifyResponse(res, 422, message);

  71. 

  72.                 const inviteCount = await Invite.countDocuments({code: user.invite, recipient: canonicalize(user.displayname)});

  73.                 inviteCount.should.equal(0, 'Invite should not be marked as used or received by the user');

  74.             }

  75. 

  76.             it('MUST NOT register a nonexistant invite', async () =>

  77.                 verifyRejectedInvite(null, 'Invalid invite code.')

  78.             );

  79. 

  80.             it('MUST NOT register a used invite', async () =>

  81.                 verifyRejectedInvite({code: 'code', used: new Date(), issuer: 'Mocha'}, 'Invite already used.')

  82.             );

  83. 

  84.             it('MUST NOT register an expired invite', async () =>

  85.                 verifyRejectedInvite({code: 'code', expires: new Date(), issuer: 'Mocha'}, 'Invite expired.')

  86.             );

  87.         });

  88. 

  89.         describe('2 Invalid Displaynames', () => {

  90.             async function verifyRejectedUsername(user, code, message) {

  91.                 const res = await util.registerUser(user, agent);

  92.                 util.verifyResponse(res, code, message);

  93. 

  94.                 const inviteCount = await Invite.countDocuments({code: user.invite, recipient: canonicalize(user.displayname)});

  95.                 inviteCount.should.equal(0, 'The invite should not be inserted into the database after rejection');

  96.             }

  97. 

  98.             it('MUST NOT register a duplicate username', async () => {

  99.                 await util.createTestInvites(2);

  100.                 const user0 = {displayname: 'user', password: 'pass', invite: 'code0'};

  101.                 const user1 = {displayname: 'user', password: 'diff', invite: 'code1'};

  102. 

  103.                 await util.registerUser(user0, agent);

  104.                 return verifyRejectedUsername(user1, 422, 'Username in use.');

  105.             });

  106. 

  107.             it('MUST NOT register a username with a duplicate canonical name', async () => {

  108.                 await util.createTestInvites(2);

  109.                 const user0 = {displayname: 'bigbird', password: 'pass', invite: 'code0'};

  110.                 const user1 = {displayname: 'ᴮᴵᴳᴮᴵᴿᴰ', password: 'diff', invite: 'code1'};

  111. 

  112.                 await util.registerUser(user0, agent);

  113.                 return verifyRejectedUsername(user1, 422, 'Username in use.');

  114.             });

  115. 

  116.             it('MUST NOT register a username containing whitespace', async () => {

  117.                 await util.createTestInvites(3);

  118.                 const users = [

  119.                     {displayname: 'user name', password: 'pass', invite: 'code0'},

  120.                     {displayname: 'user name', password: 'pass', invite: 'code1'},

  121.                     {displayname: 'user name', password: 'pass', invite: 'code2'}

  122.                 ];

  123. 

  124.                 const failMsg = 'displayname contains invalid characters.';

  125.                 return Promise.all(users.map(user => verifyRejectedUsername(user, 400, failMsg)));

  126.             });

  127. 

  128.             it('MUST NOT register a username containing HTML', async () => {

  129.                 await util.createTestInvite();

  130.                 const user = {displayname: 'user<svg/onload=alert("XSS")>', password: 'pass', invite: 'code'};

  131.                 return verifyRejectedUsername(user, 400, 'displayname contains invalid characters.');

  132.             });

  133. 

  134.             it('MUST NOT register a username with too many characters', async () => {

  135.                 await util.createTestInvite();

  136.                 const user = {displayname: '123456789_123456789_123456789_1234567', password: 'pass', invite: 'code'};

  137.                 return verifyRejectedUsername(user, 400, 'displayname too long.');

  138.             });

  139.         });

  140.     });

  141. 

  142.     describe('/POST login', () => {

  143.         async function verifySuccessfulLogin(credentials) {

  144.             // Login with the agent

  145.             const res = await util.login(credentials, agent);

  146.             util.verifyResponse(res, 200, 'Logged in.');

  147.             res.should.have.cookie('session.id');

  148. 

  149.             // Get /api/auth/whoami, which can only be viewed when logged in

  150.             const whoami = await util.whoami(agent);

  151.             whoami.should.have.status(200);

  152.         }

  153. 

  154.         async function verifyFailedLogin(credentials) {

  155.             const res = await util.login(credentials, agent);

  156.             util.verifyResponse(res, 401, 'Unauthorized.');

  157.         }

  158. 

  159.         describe('0 Valid Request', () => {

  160.             it('SHOULD accept a valid user with a valid password', async () => {

  161.                 await util.createTestUser(agent);

  162.                 return verifySuccessfulLogin({displayname: 'user', password: 'pass'});

  163.             });

  164. 

  165.             it('SHOULD accept a username instead of a displayname', async () => {

  166.                 await util.createTestUser(agent);

  167.                 return verifySuccessfulLogin({username: 'user', password: 'pass'});

  168.             });

  169. 

  170.             it('SHOULD accept any non-normalized variant of a username with a valid password', async () => {

  171.                 await util.createTestInvite();

  172.                 await util.registerUser({displayname: 'ᴮᴵᴳᴮᴵᴿᴰ', password: 'pass', invite: 'code'}, agent);

  173.                 return verifySuccessfulLogin({displayname: 'BiGbIrD', password: 'pass'});

  174.             });

  175.         });

  176. 

  177.         describe('1 Invalid Password', () => {

  178.             it('SHOULD NOT accept an invalid password', async () => {

  179.                 await util.createTestUser(agent);

  180.                 return verifyFailedLogin({displayname: 'user', password: 'bogus'});

  181.             });

  182.         });

  183. 

  184.         describe('2 Invalid User', () => {

  185.             it('SHOULD NOT accept an invalid user', async () =>

  186.                 verifyFailedLogin({displayname: 'bogus', password: 'bogus'})

  187.             );

  188.         });

  189.     });

  190. 

  191.     describe('/POST logout', () => {

  192.         async function verifyNoSession() {

  193.             const res = await util.whoami(agent);

  194.             util.verifyResponse(res, 401, 'Unauthorized.');

  195.         }

  196. 

  197.         describe('0 Valid Request', () => {

  198.             it('must logout a user with a session', async () => {

  199.                 await util.createTestSession(agent);

  200.                 const res = await util.logout(agent);

  201.                 util.verifyResponse(res, 200, 'Logged out.');

  202.                 return verifyNoSession();

  203.             });

  204.         });

  205. 

  206.         describe('1 Invalid Session', () => {

  207.             it('must not logout a user without a session', async () => {

  208.                 const res = await util.logout(agent);

  209.                 util.verifyResponse(res, 400, 'Not logged in.');

  210.                 return verifyNoSession();

  211.             });

  212.         });

  213.     });

  214. 

  215.     describe('/POST whoami', () => {

  216.         function verifyWhoami(res, username, displayname, scope, key) {

  217.             res.should.have.status(200);

  218.             res.body.should.be.a('object');

  219.             res.body.should.have.property('username').equal(username);

  220.             res.body.should.have.property('displayname').equal(displayname);

  221.             res.body.should.have.property('scope').deep.equal(scope);

  222.             res.body.should.have.property('key').equal(key);

  223.         }

  224. 

  225.         describe('0 Valid Request', () => {

  226.             it('must respond with a valid session', async () => {

  227.                 await util.createTestSession(agent);

  228.                 const res = await util.whoami(agent);

  229.                 verifyWhoami(res, 'user', 'user', ['file.upload'], null);

  230.                 return util.logout(agent);

  231.             });

  232. 

  233.             it('must respond with a valid api key', async () => {

  234.                 await util.createTestKey(['file.upload']);

  235.                 const res = await util.whoami(agent, 'key');

  236.                 verifyWhoami(res, 'Mocha', 'Mocha', ['file.upload'], 'key');

  237.             });

  238.         });

  239. 

  240.         describe('1 Invalid Auth', () => {

  241.             it('must not respond with an invalid session', async () => {

  242.                 const res = await util.whoami(agent);

  243.                 util.verifyResponse(res, 401, 'Unauthorized.');

  244.             });

  245. 

  246.             it('must not respond with a banned user with a valid session', async () => {

  247.                 await util.createTestSession(agent);

  248.                 await util.setBanned('user', true);

  249.                 const res = await util.whoami(agent);

  250.                 util.verifyResponse(res, 403, 'Forbidden.');

  251.             });

  252. 

  253.             it('must not respond with a banned users api key', async () => {

  254.                 await util.createTestUser(agent);

  255.                 await Promise.all([

  256.                     util.setBanned('user', true),

  257.                     util.insertKey({key: 'key', identifier: 'test', scope: ['file.upload'], issuer: 'user'})

  258.                 ]);

  259.                 const res = await util.whoami(agent, 'key');

  260.                 util.verifyResponse(res, 403, 'Forbidden.');

  261.             });

  262.         });

  263.     });

  264. });

  265. 

  266. describe('Uploading', () => {

  267.     after(async () => util.clearDirectory(config.get('Upload.path')));

  268. 

  269.     describe('/POST upload', () => {

  270.         async function verifySuccessfulUpload(file, key) {

  271.             // Get file stats beforehand

  272.             const fileHash = await util.fileHash(file);

  273. 

  274.             // Submit the upload and verify the result

  275.             const res = await util.upload(file, agent, key);

  276.             res.should.have.status(200);

  277.             res.body.should.be.a('object');

  278.             res.body.should.have.property('url');

  279.             const idLength = config.get('Upload.idLength');

  280.             res.body.should.have.property('uid').length(idLength, 'The UID should be a ' + idLength + ' letter lowercase string.');

  281. 

  282.             // Find the uploaded file in the database

  283.             const upload = await Upload.findOne({uid: res.body.uid}, {_id: 0, uid: 1, file: 1});

  284.             const uploadFile = upload.file.path;

  285.             upload.should.be.a('object');

  286.             upload.uid.should.equal(res.body.uid, 'The uploaded file in the database should exist and match the reponse ID.');

  287. 

  288.             // Verify the uploaded file is the same as the file now on disk

  289.             const uploadHash = await util.fileHash(uploadFile);

  290.             uploadHash.should.equal(fileHash, 'The uploaded file and the file on disk should have matching hashes.');

  291.         }

  292. 

  293.         async function verifySuccessfulUserUpload(file, username) {

  294.             // Get the user's stats beforehand

  295.             const userBefore = await User.findOne({username: username}, {_id: 0, uploadCount: 1, uploadSize: 1});

  296. 

  297.             await verifySuccessfulUpload(file);

  298. 

  299.             // Verify the user's stats have been updated correctly

  300.             const userAfter = await User.findOne({username: username}, {_id: 0, uploadCount: 1, uploadSize: 1});

  301.             const fileSize = await util.fileSize(file);

  302.             userAfter.uploadCount.should.equal(userBefore.uploadCount + 1, 'The users upload count should be incremented.');

  303.             userAfter.uploadSize.should.equal(userBefore.uploadSize + fileSize, 'The users upload size should be properly increased.');

  304.         }

  305. 

  306.         async function verifySuccessfulKeyUpload(file, key) {

  307.             // Get the key's stats beforehand

  308.             const keyBefore = await Key.findOne({key: key}, {_id: 0, uploadCount: 1, uploadSize: 1});

  309. 

  310.             await verifySuccessfulUpload(file, key);

  311. 

  312.             // Verify the key's stats have been updated correctly

  313.             const keyAfter = await Key.findOne({key: key}, {_id: 0, uploadCount: 1, uploadSize: 1});

  314.             const fileSize = await util.fileSize(file);

  315.             keyAfter.uploadCount.should.equal(keyBefore.uploadCount + 1, 'The keys upload count should be incremented.');

  316.             keyAfter.uploadSize.should.equal(keyBefore.uploadSize + fileSize, 'The keys upload size should be properly increased');

  317.         }

  318. 

  319.         async function verifyFailedUpload(file, status, message, key) {

  320.             const fileCountBefore = await util.directoryFileCount(config.get('Upload.path'));

  321.             const uploadCountBefore = await Upload.countDocuments({});

  322. 

  323.             const res = await util.upload(file, agent, key);

  324.             util.verifyResponse(res, status, message);

  325. 

  326.             const fileCountAfter = await util.directoryFileCount(config.get('Upload.path'));

  327.             fileCountAfter.should.equal(fileCountBefore, 'File should not be written to disk');

  328. 

  329.             const uploadCountAfter = await Upload.countDocuments({});

  330.             uploadCountAfter.should.equal(uploadCountBefore, 'No uploads should be written to the database');

  331.         }

  332. 

  333.         describe('0 Valid Request', () => {

  334.             it('SHOULD accept an upload from a valid session', async () => {

  335.                 await Promise.all([

  336.                     util.createTestSession(agent),

  337.                     util.createTestFile(2048, 'test.bin')

  338.                 ]);

  339. 

  340.                 await verifySuccessfulUserUpload('test.bin', 'user');

  341. 

  342.                 return Promise.all([

  343.                     util.logout(agent),

  344.                     util.deleteFile('test.bin')

  345.                 ]);

  346.             });

  347. 

  348.             it('SHOULD accept an upload from a valid api key', async () => {

  349.                 await Promise.all([

  350.                     util.createTestKey(['file.upload']),

  351.                     util.createTestFile(2048, 'test.bin')

  352.                 ]);

  353. 

  354.                 await verifySuccessfulKeyUpload('test.bin', 'key');

  355. 

  356.                 return util.deleteFile('test.bin');

  357.             })

  358.         });

  359. 

  360.         describe('1 Invalid Authentication', () => {

  361.             it('SHOULD NOT accept an unauthenticated request', async () => {

  362.                 await util.createTestFile(2048, 'test.bin');

  363. 

  364.                 await verifyFailedUpload('test.bin', 401, 'Unauthorized.');

  365. 

  366.                 return util.deleteFile('test.bin');

  367.             });

  368. 

  369.             it('SHOULD NOT accept a session request without file.upload scope', async () => {

  370.                 await util.insertInvite({code: 'code', scope: [], issuer: 'Mocha'});

  371.                 await util.registerUser({displayname: 'user', password: 'pass', invite: 'code'}, agent);

  372.                 await util.login({displayname: 'user', password: 'pass'}, agent);

  373. 

  374.                 await util.createTestFile(2048, 'test.bin');

  375. 

  376.                 await verifyFailedUpload('test.bin', 403, 'Forbidden.');

  377. 

  378.                 return Promise.all([

  379.                     util.logout(agent),

  380.                     util.deleteFile('test.bin')

  381.                 ]);

  382.             });

  383. 

  384.             it('SHOULD NOT accept a key request without file.upload scope', async () => {

  385.                 await Promise.all([

  386.                     util.createTestKey([]),

  387.                     util.createTestFile(2048, 'test.bin')

  388.                 ]);

  389. 

  390.                 await verifyFailedUpload('test.bin', 403, 'Forbidden.', 'key');

  391. 

  392.                 return util.deleteFile('test.bin');

  393.             })

  394.         });

  395. 

  396.         describe('3 Invalid File', () => {

  397.             before(() => util.createTestFile(config.get('Upload.maxSize') + 1024, 'large.bin'));

  398.             after(() => util.deleteFile('large.bin'));

  399. 

  400.             it('SHOULD NOT accept a too large file', async () => {

  401.                 await util.createTestSession(agent);

  402.                 await verifyFailedUpload('large.bin', 413, 'File too large.');

  403.                 return util.logout(agent);

  404.             });

  405.         });

  406. 

  407.         describe('4 Malformed Request', () => {

  408.             it('SHOULD NOT accept a request with no file attached', async () => {

  409.                 await util.createTestSession(agent);

  410.                 await verifyFailedUpload(null, 400, 'Bad request.');

  411. 

  412.                 return util.logout(agent);

  413.             });

  414. 

  415.             it('must only accept one file from a request with multiple files attached', async () => {

  416.                 await Promise.all([

  417.                     util.createTestFile(2048, 'test1.bin'),

  418.                     util.createTestFile(2048, 'test2.bin'),

  419.                     util.createTestSession(agent)

  420.                 ]);

  421. 

  422. 

  423.                 const fileCountBefore = await util.directoryFileCount(config.get('Upload.path'));

  424.                 const uploadCountBefore = await Upload.countDocuments({});

  425. 

  426.                 const res = await agent.post('/api/upload')

  427.                     .attach('file', 'test1.bin', 'test1.bin')

  428.                     .attach('file1', 'test2.bin', 'test2.bin');

  429. 

  430.                 util.verifyResponse(res, 200, 'File uploaded.');

  431. 

  432.                 const fileCountAfter = await util.directoryFileCount(config.get('Upload.path'));

  433.                 fileCountAfter.should.equal(fileCountBefore + 1, 'Only one file should be written to the disk');

  434. 

  435.                 const uploadCountAfter = await Upload.countDocuments({});

  436.                 uploadCountAfter.should.equal(uploadCountBefore + 1, 'Only one upload should be written to the database');

  437. 

  438.                 return Promise.all([

  439.                     util.deleteFile('test1.bin'),

  440.                     util.deleteFile('test2.bin')

  441.                 ]);

  442.             })

  443.         })

  444.     });

  445. });

  446. 

  447. describe('Viewing', () => {

  448.     async function verifyView(file, uid, disposition) {

  449.         const uploadViewsBefore = (await Upload.findOne({uid: uid})).views;

  450.         const viewsBefore = await View.countDocuments();

  451. 

  452.         const res = await util.view(uid, agent)

  453.             .parse(util.binaryFileParser);

  454. 

  455.         res.should.have.status(200);

  456.         res.should.have.header('content-disposition', disposition);

  457. 

  458.         const [uploadHash, downloadHash] = await Promise.all([

  459.             util.fileHash(file),

  460.             util.bufferHash(res.body)

  461.         ]);

  462.         downloadHash.should.equal(uploadHash, 'Uploaded file and downloaded hash should match');

  463. 

  464.         const viewsAfter = await View.countDocuments();

  465.         const uploadViewsAfter = (await Upload.findOne({uid: uid})).views;

  466.         uploadViewsAfter.should.equal(uploadViewsBefore + 1, 'The files views should be incremented.');

  467.         viewsAfter.should.equal(viewsBefore + 1, 'A view object should have been inserted to the database.');

  468.     }

  469. 

  470.     it('must return an uploaded binary file', async () => {

  471.         await Promise.all([

  472.             util.createTestSession(agent),

  473.             util.createTestFile(2048, 'test.bin')

  474.         ]);

  475.         const upload = await util.upload('test.bin', agent);

  476.         await verifyView('test.bin', upload.body.uid, 'attachment; filename="test.bin"');

  477.         return util.deleteFile('test.bin');

  478.     });

  479. 

  480.     it('must return an uploaded image file inline', async () => {

  481.         await Promise.all([

  482.             util.createTestSession(agent),

  483.             util.createTestFile(2048, 'test.jpg')

  484.         ]);

  485.         const upload = await util.upload('test.jpg', agent);

  486.         await verifyView('test.jpg', upload.body.uid, 'inline');

  487.         return util.deleteFile('test.jpg');

  488.     });

  489. 

  490.     it('must return an error when file not found', async () => {

  491.         const res = await util.view('abcdef', agent);

  492.         util.verifyResponse(res, 404, 'File not found.');

  493.     });

  494. });

  495. 

  496. describe('Invites', () => {

  497.     describe('/POST create', () => {

  498.         async function verifyCreatedInvite(invite) {

  499.             const res = await util.createInvite(invite, agent);

  500.             util.verifyResponse(res, 200, 'Invite created.');

  501.             res.body.should.have.property('code').match(/^[A-Fa-f0-9]+$/, 'The invite should be a hex string.');

  502. 

  503.             const dbInvite = await Invite.findOne({code: res.body.code});

  504.             dbInvite.should.not.equal(null);

  505.             dbInvite.scope.should.deep.equal(invite.scope, 'The created invites scope should match the request.');

  506.             dbInvite.issuer.should.equal('user');

  507.         }

  508. 

  509.         describe('0 Valid Request', () => {

  510.             it('SHOULD create an invite with valid scope from a valid session', async () => {

  511.                 await util.createSession(agent, ['invite.create', 'file.upload']);

  512.                 return verifyCreatedInvite({scope: ['file.upload']});

  513.             });

  514.         });

  515. 

  516.         describe('1 Invalid Scope', () => {

  517.             it('SHOULD NOT create in invite without invite.create scope', async () => {

  518.                 await util.createSession(agent, ['file.upload']);

  519.                 const res = await util.createInvite({scope: ['file.upload']}, agent);

  520.                 util.verifyResponse(res, 403, 'Forbidden.');

  521.             });

  522. 

  523.             it('SHOULD NOT create an invite with a scope exceeding the requesters', async () => {

  524.                 await util.createSession(agent, ['invite.create', 'file.upload']);

  525.                 const res = await util.createInvite({scope: ['user.ban']}, agent);

  526.                 util.verifyResponse(res, 403, 'Requested scope exceeds own scope.');

  527.             });

  528.         });

  529.     });

  530. 

  531.     describe('/POST delete', () => {

  532.         async function verifyDeletedInvite(code) {

  533.             const res = await util.deleteInvite(code, agent);

  534.             util.verifyResponse(res, 200, 'Invite deleted.');

  535. 

  536.             const inviteCount = await Invite.countDocuments({code: code});

  537.             inviteCount.should.equal(0, 'The invite should be removed from the database.');

  538.         }

  539. 

  540.         describe('0 Valid Request', () => {

  541.             it('SHOULD delete an invite with valid permission from a valid session', async () => {

  542.                 await util.createSession(agent, ['invite.create', 'invite.delete', 'file.upload']);

  543.                 const res = await util.createInvite({scope: ['file.upload']}, agent);

  544.                 return verifyDeletedInvite(res.body.code);

  545.             });

  546. 

  547.             it('SHOULD delete another users invite with invite.delete.others scope', async () => {

  548.                 await util.createSession(agent, ['invite.create', 'file.upload'], 'alice');

  549.                 const invite = await util.createInvite({scope: ['file.upload']}, agent);

  550.                 await util.logout(agent);

  551. 

  552.                 await util.createSession(agent, ['invite.create', 'invite.delete', 'invite.delete.others'], 'eve');

  553.                 return verifyDeletedInvite(invite.body.code);

  554.             });

  555. 

  556.             it('SHOULD delete a usedinvite with invite.delete.used scope', async () => {

  557.                 await util.createSession(agent, ['invite.create', 'invite.delete', 'invite.delete.used', 'file.upload'], 'alice');

  558.                 const invite = await util.createInvite({scope: ['file.upload']}, agent);

  559.                 await util.registerUser({displayname: 'bob', password: 'hunter2', invite: invite.body.code}, agent);

  560. 

  561.                 return verifyDeletedInvite(invite.body.code);

  562.             });

  563.         });

  564. 

  565.         describe('1 Invalid Scope', () => {

  566.             it('SHOULD NOT delete an invite without invite.delete scope', async () => {

  567.                 await util.createSession(agent, ['invite.create', 'file.upload']);

  568.                 const invite = await util.createInvite({scope: ['file.upload']}, agent);

  569.                 const res = await util.deleteInvite(invite.body.code, agent);

  570.                 util.verifyResponse(res, 403, 'Forbidden.');

  571.             });

  572. 

  573.             it('SHOULD NOT delete another users invite without invite.delete.others scope', async () => {

  574.                 await util.createSession(agent, ['invite.create', 'file.upload'], 'alice');

  575.                 const invite = await util.createInvite({scope: ['file.upload']}, agent);

  576.                 await util.logout(agent);

  577. 

  578.                 await util.createSession(agent, ['invite.create', 'invite.delete'], 'eve');

  579.                 const res = await util.deleteInvite(invite.body.code, agent);

  580.                 util.verifyResponse(res, 422, 'Invite not found.');

  581.             });

  582. 

  583.             it('SHOULD NOT delete a used invite without invite.delete.used scope', async () => {

  584.                 await util.createSession(agent, ['invite.create', 'invite.delete', 'file.upload'], 'alice');

  585.                 const invite = await util.createInvite({scope: ['file.upload']}, agent);

  586. 

  587.                 await util.registerUser({displayname: 'bob', password: 'hunter2', invite: invite.body.code}, agent);

  588. 

  589.                 const res = await util.deleteInvite(invite.body.code, agent);

  590.                 util.verifyResponse(res, 403, 'Forbidden to delete used invites.');

  591.             });

  592.         });

  593. 

  594.         describe('2 Invalid Code', () => {

  595.             it('SHOULD return an error when the invite is not found', async () => {

  596.                 await util.createSession(agent, ['invite.delete']);

  597.                 const res = await util.deleteInvite('bogus', agent);

  598.                 util.verifyResponse(res, 422, 'Invite not found.');

  599.             });

  600.         });

  601.     });

  602. 

  603.     describe('/POST get', () => {

  604.         async function verifyInviteSearch(codes) {

  605.             const res = await util.getInvites({}, agent);

  606.             res.should.have.status(200);

  607.             res.body.should.be.a('Array');

  608. 

  609.             codes.sort();

  610.             const resCodes = res.body.map(invite => invite.code).sort();

  611. 

  612.             resCodes.should.deep.equal(codes, 'All invites should be present in result.');

  613.         }

  614. 

  615.         async function verifySingleSearch(code) {

  616.             const res = await util.getInvites({code: code}, agent);

  617.             res.should.have.status(200);

  618.             res.body.should.be.a('Array');

  619.             res.body.should.have.length(1, 'Only one invite should be in the array');

  620.             res.body[0].code.should.equal(code, 'The found invite should match the request code');

  621.         }

  622. 

  623.         describe('0 Valid Request', () => {

  624.             it('SHOULD get multiple invites from a valid session', async () => {

  625.                 await util.createSession(agent, ['invite.create', 'invite.get', 'file.upload']);

  626.                 const inv1 = await util.createInvite({scope: ['file.upload']}, agent);

  627.                 const inv2 = await util.createInvite({scope: ['invite.create']}, agent);

  628. 

  629.                 return verifyInviteSearch([inv1.body.code, inv2.body.code]);

  630.             });

  631. 

  632.             it('SHOULD get a single invite from a valid session', async () => {

  633.                 await util.createSession(agent, ['invite.create', 'invite.get', 'file.upload']);

  634.                 const inv = await util.createInvite({scope: ['file.upload']}, agent);

  635. 

  636.                 return verifySingleSearch(inv.body.code);

  637.             });

  638. 

  639.             it('SHOULD get another users invite with invite.get.others scope', async () => {

  640.                 await util.createSession(agent, ['invite.create', 'file.upload'], 'alice');

  641.                 const inv = await util.createInvite({scope: ['file.upload']}, agent);

  642.                 await util.logout(agent);

  643. 

  644.                 await util.createSession(agent, ['invite.get', 'invite.get.others'], 'eve');

  645.                 return verifySingleSearch(inv.body.code);

  646.             });

  647.         });

  648. 

  649.         describe('1 Invalid Scope', () => {

  650.             it('SHOULD NOT get invites without invite.get scope', async () => {

  651.                 await util.createSession(agent, ['invite.create', 'file.upload']);

  652.                 const res = await util.getInvites({code: 'bogus'}, agent);

  653.                 util.verifyResponse(res, 403, 'Forbidden.');

  654.             });

  655. 

  656.             it('SHOULD NOT get another users invite without invite.get.others scope', async () => {

  657.                 await util.createSession(agent, ['invite.create', 'file.upload'], 'alice');

  658.                 const invite = await util.createInvite({scope: ['file.upload']}, agent);

  659.                 await util.logout(agent);

  660. 

  661.                 await util.createSession(agent, ['invite.get'], 'eve');

  662.                 const res = await util.getInvites({code: invite.body.code}, agent);

  663.                 res.should.have.status(200);

  664.                 res.body.should.be.a('Array');

  665.                 res.body.should.have.length(0, 'No invites should be found.');

  666.             });

  667.         });

  668.     });

  669. });

  670. 

  671. describe('Keys', () => {

  672.     describe('/POST create', () => {

  673.         async function verifyCreatedKey(key) {

  674.             const res = await util.createKey(key, agent);

  675.             util.verifyResponse(res, 200, 'Key created.');

  676.             res.body.should.have.property('key').match(/^[A-Fa-f0-9]+$/, 'The key should be a hex string');

  677. 

  678.             const dbKey = await Key.findOne({key: res.body.key});

  679.             dbKey.should.not.equal(null);

  680.             dbKey.scope.should.deep.equal(key.scope, 'The created keys scope should match the request.');

  681.             dbKey.issuer.should.equal('user');

  682.         }

  683. 

  684.         describe('0 Valid Request', () => {

  685.             it('SHOULD create a key with valid scope from a valid session', async () => {

  686.                 await util.createSession(agent, ['key.create', 'file.upload']);

  687.                 return verifyCreatedKey({identifier: 'key', scope: ['file.upload']});

  688.             });

  689.         });

  690. 

  691.         describe('1 Invalid Scope', () => {

  692.             it('SHOULD NOT create a key without key.create scope', async () => {

  693.                 await util.createSession(agent, ['file.upload']);

  694.                 const res = await util.createKey({identifier: 'key', scope: ['file.upload']}, agent);

  695.                 util.verifyResponse(res, 403, 'Forbidden.');

  696.             });

  697.             

  698.             it('SHOULD NOT create a key with scope exceeding the requesters', async () => {

  699.                 await util.createSession(agent, ['key.create']);

  700.                 const res = await util.createKey({identifier: 'key', scope: ['file.upload']}, agent);

  701.                 util.verifyResponse(res, 403, 'Requested scope exceeds own scope.');

  702.             });

  703.         });

  704. 

  705.         describe('2 Key Limit', () => {

  706.             it('must not create additional keys beyond the limit', async () => {

  707.                 await util.createSession(agent, ['key.create', 'file.upload']);

  708.                 const limit = config.get('Key.limit');

  709. 

  710.                 // Create keys upto the limit (key0, key1, key2, ...)

  711.                 await Promise.all(

  712.                     [...Array(limit)]

  713.                         .map(idx => util.createKey({identifier: 'key' + idx, scope: ['file.upload']}, agent)));

  714. 

  715.                 const res = await util.createKey({identifier: 'toomany', scope: ['file.upload']}, agent);

  716.                 util.verifyResponse(res, 403, 'Key limit reached.');

  717.             });

  718.         });

  719.     });

  720. 

  721.     describe('/POST delete', () => {

  722.         async function verifyDeletedKey(key) {

  723.             const res = await util.deleteKey(key, agent);

  724.             util.verifyResponse(res, 200, 'Key deleted.');

  725. 

  726.             const keyCount = await Key.countDocuments({key: key});

  727.             keyCount.should.equal(0, 'The key should be removed from the database.');

  728.         }

  729. 

  730. 

  731.         describe('0 Valid Request', () => {

  732.             it('SHOULD delete a key with valid scope from a valid session', async () => {

  733.                 await util.createSession(agent, ['key.create', 'key.delete', 'file.upload']);

  734.                 const key = await util.createKey({identifier: 'key', scope: ['file.upload']}, agent);

  735.                 return verifyDeletedKey(key.body.key);

  736.             });

  737. 

  738.             it('SHOULD delete another users key with key.delete.others scope', async () => {

  739.                 await util.createSession(agent, ['key.create', 'file.upload'], 'alice');

  740.                 const key = await util.createKey({identifier: 'key', scope: ['file.upload']}, agent);

  741.                 await util.logout(agent);

  742.                 await util.createSession(agent, ['key.delete', 'key.delete.others'], 'eve');

  743.                 return verifyDeletedKey(key.body.key);

  744.             });

  745.         });

  746. 

  747.         describe('1 Invalid Scope', () => {

  748.             it('SHOULD NOT delete another users key without key.delete.others scope', async () => {

  749.                 await util.createSession(agent, ['key.create', 'file.upload'], 'bob');

  750.                 const key = await util.createKey({identifier: 'key', scope: ['file.upload']}, agent);

  751.                 await util.logout(agent);

  752.                 await util.createSession(agent, ['key.delete'], 'eve');

  753.                 const res = await util.deleteKey(key.body.key, agent);

  754.                 util.verifyResponse(res, 422, 'Key not found.');

  755.             });

  756.         });

  757. 

  758.         describe('2 Invalid Key', () => {

  759.             it('SHOULD return an error when the key was not found', async () => {

  760.                 await util.createSession(agent, ['key.delete']);

  761.                 const res = await util.deleteKey('bogus', agent);

  762.                 util.verifyResponse(res, 422, 'Key not found.');

  763.             });

  764.         });

  765.     });

  766. 

  767.     describe('/POST get', () => {

  768.         async function verifyKeySearch(keys, query = {}) {

  769.             const res = await util.getKeys(query, agent);

  770.             res.should.have.status(200);

  771.             res.body.should.be.a('Array');

  772. 

  773.             keys.sort();

  774.             const resKeys = res.body.map(key => key.key).sort();

  775. 

  776.             resKeys.should.deep.equal(keys, 'All keys should be present in the result.');

  777.         }

  778. 

  779.         async function verifySingleSearch(key, query = {}) {

  780.             const res = await util.getKeys(query, agent);

  781.             res.should.have.status(200);

  782.             res.body.should.be.a('Array');

  783.             res.body.should.have.length(1, 'Only one key should be in the array');

  784.             res.body[0].key.should.equal(key, 'The found key should match the request code');

  785.         }

  786. 

  787.         describe('0 Valid Request', () => {

  788.             it('SHOULD get multiple keys from a valid session', async () => {

  789.                 await util.createSession(agent, ['key.create', 'key.get', 'file.upload']);

  790.                 const keys = await Promise.all([

  791.                     util.createKey({identifier: 'key1', scope: ['file.upload']}, agent),

  792.                     util.createKey({identifier: 'key2', scope: ['file.upload']}, agent)

  793.                 ]);

  794.                 return verifyKeySearch(keys.map(res => res.body.key));

  795.             });

  796. 

  797.             it('SHOULD get a key by identifier from a valid session', async () => {

  798.                 await util.createSession(agent, ['key.create', 'key.get', 'file.upload']);

  799.                 const keys = await Promise.all([

  800.                     util.createKey({identifier: 'key1', scope: ['file.upload']}, agent),

  801.                     util.createKey({identifier: 'key2', scope: ['file.upload']}, agent)

  802.                 ]);

  803.                 return verifySingleSearch(keys[1].body.key, {identifier: 'key2'});

  804.             });

  805. 

  806.             it('SHOULD get another users key with key.get.others scope', async () => {

  807.                 await util.createSession(agent, ['key.create', 'file.upload'], 'bob');

  808.                 const key1 = await util.createKey({identifier: 'key', scope: ['file.upload']}, agent);

  809.                 await util.logout(agent);

  810.                 await util.createSession(agent, ['key.create', 'key.get', 'key.get.others', 'file.upload']);

  811.                 const key2 = await util.createKey({identifier: 'key', scope: ['file.upload']}, agent);

  812.                 return verifyKeySearch([key1.body.key, key2.body.key]);

  813.             });

  814.         });

  815. 

  816.         describe('1 Invalid Scope', () => {

  817.             it('SHOULD NOT get another users key without key.get.others scope', async () => {

  818.                 await util.createSession(agent, ['key.create', 'file.upload'], 'alice');

  819.                 await util.createInvite({identifier: 'private_key', scope: ['file.upload']}, agent);

  820.                 await util.logout(agent);

  821. 

  822.                 await util.createSession(agent, ['key.get'], 'eve');

  823.                 const res = await util.getKeys({identifier: 'private_key'}, agent);

  824.                 res.should.have.status(200);

  825.                 res.body.should.be.a('Array');

  826.                 res.body.should.have.length(0, 'No invites should be found.');

  827.             });

  828.         });

  829.     });

  830. });

  831. 

  832. describe('Users', () => {

  833.     describe('/GET get', () => {

  834.         beforeEach(() => Promise.all([

  835.             Promise.all([

  836.                 util.insertInvite({code: 'test1', scope: ['file.upload'], issuer: 'Mocha'}),

  837.                 util.insertInvite({code: 'test2', scope: ['file.upload'], issuer: 'Mocha'})

  838.             ]),

  839.             Promise.all([

  840.                 util.registerUser({displayname: 'user1', password: 'pass', invite: 'test1'}, agent),

  841.                 util.registerUser({displayname: 'user2', password: 'pass', invite: 'test2'}, agent)

  842.             ])

  843.         ]));

  844. 

  845.         async function verifyGetUsers(res, users) {

  846.             res.should.have.status(200);

  847.             res.body.should.be.a('Array');

  848.             res.body.map(user => user.username).sort().should.deep.equal(users.sort());

  849.         }

  850. 

  851.         describe('0 Valid Request', () => {

  852.             it('must get all users with an empty query', async () => {

  853.                 await util.createSession(agent, ['user.get'], 'admin');

  854.                 const res = await util.getUsers({}, agent);

  855.                 return verifyGetUsers(res, ['user1', 'user2', 'admin']);

  856.             });

  857. 

  858.             it('must filter users by username', async () => {

  859.                 await util.createSession(agent, ['user.get'], 'admin');

  860.                 const res = await util.getUsers({username: 'user1'}, agent);

  861.                 return verifyGetUsers(res, ['user1']);

  862.             });

  863. 

  864.             it('must filter users by displayname', async () => {

  865.                 await util.createSession(agent, ['user.get'], 'admin');

  866.                 const res = await util.getUsers({displayname: 'user1'}, agent);

  867.                 return verifyGetUsers(res, ['user1']);

  868.             });

  869. 

  870.             it('must return an empty array when no users were found', async () => {

  871.                 await util.createSession(agent, ['user.get'], 'admin');

  872.                 const res = await util.getUsers({username: 'abc'}, agent);

  873.                 return verifyGetUsers(res, []);

  874.             });

  875.         });

  876.     });

  877. 

  878.     describe('/POST ban/unban', () => {

  879.         beforeEach(async () => {

  880.             await util.insertInvite({code: 'test1', scope: ['file.upload'], issuer: 'Mocha'});

  881.             await util.registerUser({displayname: 'user', password: 'pass', invite: 'test1'}, agent);

  882.         });

  883. 

  884.         async function verifyBanned(res, statusCode, message, username, banStatus) {

  885.             util.verifyResponse(res, statusCode, message);

  886.             const user = await User.findOne({username: username});

  887.             user.should.exist;

  888.             user.should.have.property('banned').equal(banStatus, 'The user should have banned status ' + banStatus);

  889.         }

  890. 

  891.         describe('0 Valid Request', () => {

  892.             it('must ban a not banned user', async () => {

  893.                 await util.createSession(agent, ['user.ban'], 'admin');

  894.                 const res = await util.ban('user', agent);

  895.                 return verifyBanned(res, 200, 'User banned.', 'user', true);

  896.             });

  897. 

  898.             it('must unban a banned user', async () => {

  899.                 await util.setBanned('user', true);

  900.                 await util.createSession(agent, ['user.unban'], 'admin');

  901.                 const res = await util.unban('user', agent);

  902.                 return verifyBanned(res, 200, 'User unbanned.', 'user', false);

  903.             });

  904.         });

  905. 

  906.         describe('1 Already Requested Ban Status', () => {

  907.             it('must not ban an already banned user', async () => {

  908.                 await util.setBanned('user', true);

  909.                 await util.createSession(agent, ['user.ban'], 'admin');

  910.                 const res = await util.ban('user', agent);

  911.                 return verifyBanned(res, 422, 'User already banned.', 'user', true);

  912.             });

  913. 

  914.             it('must not unban a not banned user', async () => {

  915.                 await util.createSession(agent, ['user.unban'], 'admin');

  916.                 const res = await util.unban('user', agent);

  917.                 return verifyBanned(res, 422, 'User not banned.', 'user', false);

  918.             });

  919.         });

  920. 

  921.         describe('2 Not Found', () => {

  922.             it('must not ban a nonexistant user', async () => {

  923.                 await util.createSession(agent, ['user.ban'], 'admin');

  924.                 const res = await util.ban('abc', agent);

  925.                 util.verifyResponse(res, 422, 'User not found.');

  926.             });

  927. 

  928.             it('must not unban a nonexistant user', async () => {

  929.                 await util.createSession(agent, ['user.unban'], 'admin');

  930.                 const res = await util.unban('abc', agent);

  931.                 util.verifyResponse(res, 422, 'User not found.');

  932.             });

  933.         });

  934.     });

  935. });

  936. 

  937. describe('Stats', () => {

  938.     const setupUploadsAndViews = async () => {

  939.         const oneDay = 1000 * 60 * 60 * 24;

  940.         const currentDate = new Date();

  941. 

  942.         const get_uid = i => {

  943.             return 'abcde' + String.fromCharCode(i + 97)

  944.         };

  945. 

  946.         for (let i = 0; i < 8; i++) {

  947.             await util.insertUpload({

  948.                 uid: get_uid(i),

  949.                 views: 0,

  950.                 uploader: 'user',

  951.                 uploaderKey: null,

  952.                 date: new Date(currentDate - i * oneDay),

  953.                 file: {

  954.                     size: 1

  955.                 }

  956.             });

  957.         }

  958. 

  959.         await util.insertUpload({

  960.             uid: 'zyxwvu',

  961.             uploader: 'someguy',

  962.             date: new Date(currentDate - 3 * oneDay),

  963.             file: {

  964.                 size: 1

  965.             }

  966.         });

  967. 

  968.         for (let i = 0; i < 8; i++) {

  969.             await util.insertView({

  970.                 uid: get_uid(i),

  971.                 uploader: 'user',

  972.                 remoteAddress: '::1',

  973.                 userAgent: 'fiyerfocks',

  974.                 date: new Date(currentDate - i * oneDay),

  975.             });

  976.         }

  977. 

  978.         await util.insertView({

  979.             uid: 'zyxwvu',

  980.             uploader: 'someguy',

  981.             remoteAddress: '::1',

  982.             userAgent: 'fiyerfocks',

  983.             date: new Date(currentDate - 3 * oneDay)

  984.         });

  985.     };

  986. 

  987.     describe('/GET week', () => {

  988.         describe('0 Valid Request', () => {

  989.             it('must return valid stats for the past week', async () => {

  990.                 await setupUploadsAndViews();

  991. 

  992.                 const oneDay = 1000 * 60 * 60 * 24;

  993.                 const currentDate = new Date();

  994. 

  995.                 await util.createSession(agent, ['stats.get'], 'user');

  996.                 const stats = (await util.getStatsWeek(agent)).body;

  997.                 console.log(stats);

  998. 

  999.                 for (let i = 0; i < 7; i++) {

  1000.                     let date = new Date(currentDate - i * oneDay).toISOString();

  1001.                     let dateStr = date.substr(5, 2) + '-' + date.substr(8, 2);

  1002.                     let dayStats = stats[dateStr];

  1003.                     dayStats.should.be.a('object', 'Stats should exist for the day ' + dateStr);

  1004.                     dayStats.uploads.should.equal(1, 'Should be only one upload for the day ' + dateStr);

  1005.                     dayStats.size.should.equal(1, 'Should be only one byte uploaded for the day ' + dateStr);

  1006.                     dayStats.views.should.equal(1, 'Should be only one view for the day ' + dateStr);

  1007.                 }

  1008. 

  1009.                 let pastDate = new Date(currentDate - 7 * oneDay).toISOString();

  1010.                 let pastDateStr = pastDate.substr(5, 2) + '-' + pastDate.substr(8, 2);

  1011.                 stats.should.not.have.property(pastDateStr, 'No stats should exist past 1 week ago');

  1012. 

  1013.                 return util.logout(agent);

  1014.             });

  1015. 

  1016.             it('must return an empty set when there are no stats', async () => {

  1017.                 await util.createSession(agent, ['stats.get'], 'user');

  1018.                 const stats_self = (await util.getStatsWeek(agent)).body;

  1019.                 stats_self.should.deep.equal({});

  1020. 

  1021. 

  1022.                 await setupUploadsAndViews();

  1023.                 await util.createSession(agent, ['stats.get'], 'other_user');

  1024.                 const stats_other = (await util.getStatsWeek(agent)).body;

  1025.                 stats_other.should.deep.equal({}, 'No stats should be returned from another user');

  1026. 

  1027.                 return util.logout(agent);

  1028.             });

  1029.         });

  1030.     });

  1031. 

  1032.     describe('/GET all', () => {

  1033.         describe('0 Valid Request', () => {

  1034.             it('must return valid stats for all time', async () => {

  1035.                 await setupUploadsAndViews();

  1036. 

  1037.                 await util.createSession(agent, ['stats.get'], 'user');

  1038.                 const stats = (await util.getStatsAll(agent)).body;

  1039. 

  1040.                 stats.should.have.property('total');

  1041.                 stats.total.should.have.property('count').equal(8);

  1042.                 stats.total.should.have.property('size').equal(8);

  1043.                 stats.total.should.have.property('views').equal(8);

  1044. 

  1045.                 return util.logout(agent);

  1046.             });

  1047. 

  1048.             it('must return an empty set when there are no stats', async () => {

  1049.                 await util.createSession(agent, ['stats.get'], 'user');

  1050.                 const stats_self = (await util.getStatsAll(agent)).body;

  1051.                 stats_self.should.deep.equal({}, 'No stats should be returned');

  1052.                 await util.logout(agent);

  1053. 

  1054.                 await setupUploadsAndViews();

  1055.                 await util.createSession(agent, ['stats.get'], 'other_user');

  1056.                 const stats_other = (await util.getStatsAll(agent)).body;

  1057.                 stats_other.should.deep.equal({}, 'No stats should be returned from another user');

  1058. 

  1059.                 return util.logout(agent);

  1060.             });

  1061.         });

  1062.     });

  1063. });

  1064. 

  1065. after(() => server.close(() => process.exit(0)));