CartoDB-SQL-API/test/unit/oauth.test.js

require('../helper');

var _        = require('underscore')
    , redis  = require("redis")
    , OAuthAuth  = require('../../app/auth/oauth')
    , oAuth  = require('../../app/auth/oauth').backend
    , assert = require('assert')
    , tests  = module.exports = {}
    , oauth_data_1 = {
        oauth_consumer_key: "dpf43f3p2l4k3l03",
        oauth_token: "nnch734d00sl2jdk",
        oauth_signature_method: "HMAC-SHA1",
        oauth_signature: "tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D",
        oauth_timestamp:"1191242096",
        oauth_nonce:"kllo9940pd9333jh"
    }
    , oauth_data_2        = { oauth_version:"1.0" }
    , oauth_data          = _.extend(oauth_data_1, oauth_data_2)
    , real_oauth_header   = 'OAuth realm="http://vizzuality.testhost.lan/",oauth_consumer_key="fZeNGv5iYayvItgDYHUbot1Ukb5rVyX6QAg8GaY2",oauth_token="l0lPbtP68ao8NfStCiA3V3neqfM03JKhToxhUQTR",oauth_signature_method="HMAC-SHA1", oauth_signature="o4hx4hWP6KtLyFwggnYB4yPK8xI%3D",oauth_timestamp="1313581372",oauth_nonce="W0zUmvyC4eVL8cBd4YwlH1nnPTbxW0QBYcWkXTwe4",oauth_version="1.0"'
    , oauth_header_tokens = 'oauth_consumer_key="dpf43f3p2l4k3l03",oauth_token="nnch734d00sl2jdk",oauth_signature_method="HMAC-SHA1", oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D",oauth_timestamp="1191242096",oauth_nonce="kllo9940pd9333jh",oauth_version="1.0"'
    , full_oauth_header   = 'OAuth realm="http://photos.example.net/"' + oauth_header_tokens;

suite('oauth', function() {

test('test database number', function(){
    assert.equal(oAuth.oauth_database, 3);
});

test('test oauth database key', function(){
    assert.equal(oAuth.oauth_user_key, "rails:oauth_access_tokens:<%= oauth_access_key %>");
});

test('test parse tokens from full headers does not raise exception', function(){
    var req = {query:{}, headers:{authorization:full_oauth_header}};
    assert.doesNotThrow(function(){ oAuth.parseTokens(req) }, /incomplete oauth tokens in request/);
});

test('test parse all normal tokens raises no exception', function(){
    var req = {query:oauth_data, headers:{}};
    assert.doesNotThrow(function(){ oAuth.parseTokens(req) }, /incomplete oauth tokens in request/);
});

test('test headers take presedence over query parameters', function(){
    var req = {query:{oauth_signature_method: "MY_HASH"}, headers:{authorization:full_oauth_header}};
    var tokens = oAuth.parseTokens(req);
    assert.equal(tokens.oauth_signature_method, "HMAC-SHA1");
});

test('test can access oauth hash for a user based on access token (oauth_token)', function(done){
    var req = {query:{}, headers:{authorization:real_oauth_header}};
    var tokens = oAuth.parseTokens(req);

    oAuth.getOAuthHash(tokens.oauth_token, function(err, data){
        assert.equal(tokens.oauth_consumer_key, data.consumer_key);
        done();
    });
});

test('test non existant oauth hash for a user based on oauth_token returns empty hash', function(done){
    var req = {query:{}, headers:{authorization:full_oauth_header}};
    var tokens = oAuth.parseTokens(req);

    oAuth.getOAuthHash(tokens.oauth_token, function(err, data){
        assert.ok(!err, err);
        assert.deepEqual(data, {});
        done();
    });
});

test('can return user for verified signature', function(done){
    var req = {query:{},
        headers:{authorization:real_oauth_header, host: 'vizzuality.testhost.lan' },
        method: 'GET',
        path: '/api/v1/tables'
    };

    oAuth.verifyRequest(req, function(err, data){
        assert.ok(!err, err);
        assert.equal(data, 1);
        done();
    }, 'http');
});

test('returns null user for unverified signatures', function(done){
    var req = {query:{},
        headers:{authorization:real_oauth_header, host: 'vizzuality.testyhost.lan' },
        method: 'GET',
        path: '/api/v1/tables'
    };

    oAuth.verifyRequest(req, function(err, data){
        assert.equal(data, null);
        done();
    }, 'http');
});

test('returns null user for no oauth', function(done){
    var req = {
        query:{},
        headers:{},
        method: 'GET',
        path: '/api/v1/tables'
    };

    oAuth.verifyRequest(req,function(err,data){
        assert.equal(data, null);
        done();
    });
});

test('OAuthAuth reports it has credentials', function(done) {
    var req = {query:{}, headers:{authorization:real_oauth_header}};
    var oAuthAuth = new OAuthAuth(req);
    assert.ok(oAuthAuth.hasCredentials());
    done();
});

test('OAuthAuth reports it has no credentials', function(done) {
    var req = {query:{}, headers:{}};
    var oAuthAuth = new OAuthAuth(req);
    assert.equal(oAuthAuth.hasCredentials(), false);
    done();
});


});
first draft, tidied, unit tests, modules, refactor, environments, see TODO for next steps" 2011-06-13 11:23:02 +08:00			`require('../helper');`

formatting and semi colons 2012-06-02 04:06:33 +08:00			`var _ = require('underscore')`
			`, redis = require("redis")`
New authentication mechanism: checks in advance if credentials are provided in order to do a single request to redis to retrieve the required database connection parameters. 2014-08-05 22:20:06 +08:00			`, OAuthAuth = require('../../app/auth/oauth')`
			`, oAuth = require('../../app/auth/oauth').backend`
formatting and semi colons 2012-06-02 04:06:33 +08:00			`, assert = require('assert')`
			`, tests = module.exports = {}`
			`, oauth_data_1 = {`
			`oauth_consumer_key: "dpf43f3p2l4k3l03",`
			`oauth_token: "nnch734d00sl2jdk",`
			`oauth_signature_method: "HMAC-SHA1",`
			`oauth_signature: "tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D",`
			`oauth_timestamp:"1191242096",`
			`oauth_nonce:"kllo9940pd9333jh"`
			`}`
			`, oauth_data_2 = { oauth_version:"1.0" }`
			`, oauth_data = _.extend(oauth_data_1, oauth_data_2)`
			`, real_oauth_header = 'OAuth realm="http://vizzuality.testhost.lan/",oauth_consumer_key="fZeNGv5iYayvItgDYHUbot1Ukb5rVyX6QAg8GaY2",oauth_token="l0lPbtP68ao8NfStCiA3V3neqfM03JKhToxhUQTR",oauth_signature_method="HMAC-SHA1", oauth_signature="o4hx4hWP6KtLyFwggnYB4yPK8xI%3D",oauth_timestamp="1313581372",oauth_nonce="W0zUmvyC4eVL8cBd4YwlH1nnPTbxW0QBYcWkXTwe4",oauth_version="1.0"'`
			`, oauth_header_tokens = 'oauth_consumer_key="dpf43f3p2l4k3l03",oauth_token="nnch734d00sl2jdk",oauth_signature_method="HMAC-SHA1", oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D",oauth_timestamp="1191242096",oauth_nonce="kllo9940pd9333jh",oauth_version="1.0"'`
			`, full_oauth_header = 'OAuth realm="http://photos.example.net/"' + oauth_header_tokens;`
added true oauth to application. got rid of bogus 2011-08-18 00:27:45 +08:00
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`suite('oauth', function() {`

			`test('test database number', function(){`
formatting and semi colons 2012-06-02 04:06:33 +08:00			`assert.equal(oAuth.oauth_database, 3);`
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`});`
first draft, tidied, unit tests, modules, refactor, environments, see TODO for next steps" 2011-06-13 11:23:02 +08:00
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`test('test oauth database key', function(){`
formatting and semi colons 2012-06-02 04:06:33 +08:00			`assert.equal(oAuth.oauth_user_key, "rails:oauth_access_tokens:<%= oauth_access_key %>");`
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`});`
first draft, tidied, unit tests, modules, refactor, environments, see TODO for next steps" 2011-06-13 11:23:02 +08:00
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`test('test parse tokens from full headers does not raise exception', function(){`
formatting and semi colons 2012-06-02 04:06:33 +08:00			`var req = {query:{}, headers:{authorization:full_oauth_header}};`
			`assert.doesNotThrow(function(){ oAuth.parseTokens(req) }, /incomplete oauth tokens in request/);`
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`});`
added true oauth to application. got rid of bogus 2011-08-18 00:27:45 +08:00
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`test('test parse all normal tokens raises no exception', function(){`
formatting and semi colons 2012-06-02 04:06:33 +08:00			`var req = {query:oauth_data, headers:{}};`
			`assert.doesNotThrow(function(){ oAuth.parseTokens(req) }, /incomplete oauth tokens in request/);`
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`});`
added true oauth to application. got rid of bogus 2011-08-18 00:27:45 +08:00
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`test('test headers take presedence over query parameters', function(){`
formatting and semi colons 2012-06-02 04:06:33 +08:00			`var req = {query:{oauth_signature_method: "MY_HASH"}, headers:{authorization:full_oauth_header}};`
			`var tokens = oAuth.parseTokens(req);`
			`assert.equal(tokens.oauth_signature_method, "HMAC-SHA1");`
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`});`
added true oauth to application. got rid of bogus 2011-08-18 00:27:45 +08:00
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`test('test can access oauth hash for a user based on access token (oauth_token)', function(done){`
formatting and semi colons 2012-06-02 04:06:33 +08:00			`var req = {query:{}, headers:{authorization:real_oauth_header}};`
			`var tokens = oAuth.parseTokens(req);`
added true oauth to application. got rid of bogus 2011-08-18 00:27:45 +08:00
formatting and semi colons 2012-06-02 04:06:33 +08:00			`oAuth.getOAuthHash(tokens.oauth_token, function(err, data){`
			`assert.equal(tokens.oauth_consumer_key, data.consumer_key);`
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`done();`
formatting and semi colons 2012-06-02 04:06:33 +08:00			`});`
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`});`
hard to do oauth units, possibly move to acceptance fully 2012-06-02 04:00:45 +08:00
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`test('test non existant oauth hash for a user based on oauth_token returns empty hash', function(done){`
formatting and semi colons 2012-06-02 04:06:33 +08:00			`var req = {query:{}, headers:{authorization:full_oauth_header}};`
			`var tokens = oAuth.parseTokens(req);`
hard to do oauth units, possibly move to acceptance fully 2012-06-02 04:00:45 +08:00
formatting and semi colons 2012-06-02 04:06:33 +08:00			`oAuth.getOAuthHash(tokens.oauth_token, function(err, data){`
CartoDB redis interaction delegated to "cartodb-redis" module 2013-11-16 01:36:49 +08:00			`assert.ok(!err, err);`
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`assert.deepEqual(data, {});`
			`done();`
formatting and semi colons 2012-06-02 04:06:33 +08:00			`});`
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`});`
hard to do oauth units, possibly move to acceptance fully 2012-06-02 04:00:45 +08:00
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`test('can return user for verified signature', function(done){`
formatting and semi colons 2012-06-02 04:06:33 +08:00			`var req = {query:{},`
			`headers:{authorization:real_oauth_header, host: 'vizzuality.testhost.lan' },`
			`method: 'GET',`
Fix oAuth unit tests now that we use req.path rather than req.route.path 2013-06-06 23:08:31 +08:00			`path: '/api/v1/tables'`
formatting and semi colons 2012-06-02 04:06:33 +08:00			`};`

			`oAuth.verifyRequest(req, function(err, data){`
Enhance failing test to show the failure reason 2013-05-15 14:52:26 +08:00			`assert.ok(!err, err);`
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`assert.equal(data, 1);`
			`done();`
Fix test broken after oAuth interface change introduced in fcf95755 Also improve error message on miscall 2013-05-20 15:05:27 +08:00			`}, 'http');`
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`});`
hard to do oauth units, possibly move to acceptance fully 2012-06-02 04:00:45 +08:00
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`test('returns null user for unverified signatures', function(done){`
formatting and semi colons 2012-06-02 04:06:33 +08:00			`var req = {query:{},`
			`headers:{authorization:real_oauth_header, host: 'vizzuality.testyhost.lan' },`
			`method: 'GET',`
Fix oAuth unit tests now that we use req.path rather than req.route.path 2013-06-06 23:08:31 +08:00			`path: '/api/v1/tables'`
formatting and semi colons 2012-06-02 04:06:33 +08:00			`};`

			`oAuth.verifyRequest(req, function(err, data){`
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`assert.equal(data, null);`
			`done();`
Fix test broken after oAuth interface change introduced in fcf95755 Also improve error message on miscall 2013-05-20 15:05:27 +08:00			`}, 'http');`
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`});`
hard to do oauth units, possibly move to acceptance fully 2012-06-02 04:00:45 +08:00
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`test('returns null user for no oauth', function(done){`
formatting and semi colons 2012-06-02 04:06:33 +08:00			`var req = {`
			`query:{},`
			`headers:{},`
			`method: 'GET',`
Fix oAuth unit tests now that we use req.path rather than req.route.path 2013-06-06 23:08:31 +08:00			`path: '/api/v1/tables'`
formatting and semi colons 2012-06-02 04:06:33 +08:00			`};`

			`oAuth.verifyRequest(req,function(err,data){`
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`assert.equal(data, null);`
			`done();`
formatting and semi colons 2012-06-02 04:06:33 +08:00			`});`
Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`});`

New authentication mechanism: checks in advance if credentials are provided in order to do a single request to redis to retrieve the required database connection parameters. 2014-08-05 22:20:06 +08:00			`test('OAuthAuth reports it has credentials', function(done) {`
			`var req = {query:{}, headers:{authorization:real_oauth_header}};`
			`var oAuthAuth = new OAuthAuth(req);`
			`assert.ok(oAuthAuth.hasCredentials());`
			`done();`
			`});`

			`test('OAuthAuth reports it has no credentials', function(done) {`
			`var req = {query:{}, headers:{}};`
			`var oAuthAuth = new OAuthAuth(req);`
			`assert.equal(oAuthAuth.hasCredentials(), false);`
			`done();`
			`});`


Port tests to mocha. Closes #35. 2012-07-13 04:54:12 +08:00			`});`