2018-10-24 21:42:33 +08:00
|
|
|
'use strict';
|
|
|
|
|
2011-12-27 02:16:41 +08:00
|
|
|
require('../helper');
|
|
|
|
|
2016-09-15 02:54:24 +08:00
|
|
|
var server = require('../../app/server')();
|
2015-05-13 17:21:44 +08:00
|
|
|
var assert = require('../support/assert');
|
2011-12-27 02:16:41 +08:00
|
|
|
|
2015-05-13 17:21:44 +08:00
|
|
|
describe('app.auth', function() {
|
2012-07-13 04:54:12 +08:00
|
|
|
|
2014-09-17 05:57:11 +08:00
|
|
|
var scenarios = [
|
2018-05-30 19:28:50 +08:00
|
|
|
{
|
|
|
|
desc: 'no api key should fallback to default api key',
|
|
|
|
url: "/api/v1/sql?q=SELECT%20*%20FROM%20untitle_table_4",
|
|
|
|
statusCode: 200
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: 'invalid api key should return 401',
|
|
|
|
url: "/api/v1/sql?api_key=THIS_API_KEY_NOT_EXIST&q=SELECT%20*%20FROM%20untitle_table_4",
|
|
|
|
statusCode: 401
|
|
|
|
},
|
2014-09-17 05:57:11 +08:00
|
|
|
{
|
|
|
|
desc: 'valid api key should allow insert in protected tables',
|
|
|
|
url: "/api/v1/sql?api_key=1234&q=INSERT%20INTO%20private_table%20(name)%20VALUES%20('app_auth_test1')",
|
|
|
|
statusCode: 200
|
2015-05-13 17:21:44 +08:00
|
|
|
},
|
|
|
|
{
|
2014-09-22 19:23:30 +08:00
|
|
|
desc: 'valid api key should allow delete in protected tables',
|
|
|
|
url: "/api/v1/sql?api_key=1234&q=DELETE%20FROM%20private_table%20WHERE%20name%3d'app_auth_test1'",
|
|
|
|
statusCode: 200
|
2015-05-13 17:21:44 +08:00
|
|
|
},
|
|
|
|
{
|
2014-09-17 05:57:11 +08:00
|
|
|
desc: 'invalid api key should NOT allow insert in protected tables',
|
2018-05-17 23:13:00 +08:00
|
|
|
url: "/api/v1/sql?api_key=THIS_API_KEY_NOT_EXIST&q=INSERT%20INTO%20private_table%20(name)%20VALUES%20('R')",
|
|
|
|
statusCode: 401
|
2015-05-13 17:21:44 +08:00
|
|
|
},
|
|
|
|
{
|
2014-09-17 05:57:11 +08:00
|
|
|
desc: 'no api key should NOT allow insert in protected tables',
|
|
|
|
url: "/api/v1/sql?q=INSERT%20INTO%20private_table%20(name)%20VALUES%20('RAMBO')",
|
2018-02-23 22:50:23 +08:00
|
|
|
statusCode: 403
|
2015-05-13 17:21:44 +08:00
|
|
|
},
|
|
|
|
{
|
2014-09-17 05:57:11 +08:00
|
|
|
desc: 'no api key should NOT allow insert in public tables',
|
|
|
|
url: "/api/v1/sql?q=INSERT%20INTO%20untitle_table_4%20(name)%20VALUES%20('RAMBO')",
|
2018-02-23 22:50:23 +08:00
|
|
|
statusCode: 403
|
2014-09-17 05:57:11 +08:00
|
|
|
}
|
|
|
|
];
|
|
|
|
|
|
|
|
scenarios.forEach(function(scenario) {
|
2015-05-13 17:21:44 +08:00
|
|
|
it(scenario.desc, function(done) {
|
2016-09-15 02:54:24 +08:00
|
|
|
assert.response(server, {
|
2014-09-17 05:57:11 +08:00
|
|
|
// view prepare_db.sh to find public table name and structure
|
|
|
|
url: scenario.url,
|
|
|
|
headers: {
|
|
|
|
host: 'vizzuality.cartodb.com'
|
|
|
|
},
|
|
|
|
method: 'GET'
|
|
|
|
},
|
|
|
|
{},
|
2016-09-26 20:37:40 +08:00
|
|
|
function(err, res) {
|
2014-09-17 05:57:11 +08:00
|
|
|
assert.equal(res.statusCode, scenario.statusCode, res.statusCode + ': ' + res.body);
|
|
|
|
done();
|
|
|
|
}
|
|
|
|
);
|
|
|
|
});
|
2012-07-16 19:41:44 +08:00
|
|
|
});
|
2012-09-17 17:11:10 +08:00
|
|
|
|
2012-07-13 04:54:12 +08:00
|
|
|
});
|