
Make sure same-origin credentials are used in all fetch calls, then add a test to confirm that one API blocks unauthenticated access.

uiredesign
Zed A. Shaw 4 weeks ago
parent
commit
0605939406
16 changed files with 76 additions and 20 deletions
  1. +2
    -2
      jest.config.js
  2. +38
    -0
      lib/api.js
  3. +1
    -1
      lib/testing.js
  4. +2
    -0
      src/node_modules/api.js
  5. +1
    -1
      src/node_modules/utils.js
  6. +2
    -2
      src/routes/blog/[slug].svelte
  7. +2
    -2
      src/routes/live/index.svelte
  8. +8
    -2
      src/routes/user/index.json.js
  9. +1
    -0
      src/routes/user/index.svelte
  10. +1
    -1
      src/service-worker.js
  11. +9
    -0
      tests/api/access.spec.js
  12. +2
    -2
      tests/ui/blog.spec.js
  13. +2
    -2
      tests/ui/live.spec.js
  14. +2
    -2
      tests/ui/login.spec.js
  15. +1
    -1
      tests/ui/phones.spec.js
  16. +2
    -2
      tests/ui/register.spec.js

+ 2
- 2
jest.config.js View File

@@ -10,8 +10,8 @@ module.exports = {
'.+\\.(css|styl|less|sass|scss|svg|png|jpg|ttf|woff|woff2)$': 'jest-transform-stub',
},
moduleNameMapper: {
'^@/(.*)$': '<rootDir>/src/$1',
'^@/(.*)$': '<rootDir>/lib/$1',
'^@app/(.*)$': '<rootDir>/src/$1',
'^@lib/(.*)$': '<rootDir>/lib/$1',
'\\.(css)$': 'identity-obj-proxy',
},
snapshotSerializers: [

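--- a/lib/api.js
+++ b/lib/api.js
@@ -0,0 +1,38 @@
+// TODO: gotta resolve this module .js vs common js thing
+
+const base = 'http://localhost:3000';
+
+const send = ({ method, path, data, token }) => {
+const fetch = process.browser ? window.fetch : require('node-fetch').default;
+
+const opts = { method, headers: {} };
+
+if (data) {
+opts.headers['Content-Type'] = 'application/json';
+opts.body = JSON.stringify(data);
+}
+
+if (token) {
+opts.headers['Authorization'] = `Token ${token}`;
+} else {
+opts.credentials = 'same-origin';
+}
+
+return fetch(`${base}${path}`, opts);
+}
+
+exports.get = (path, token) => {
+return send({ method: 'GET', path, token });
+}
+
+exports.del = (path, token) => {
+return send({ method: 'DELETE', path, token });
+}
+
+exports.post = (path, data, token) => {
+return send({ method: 'POST', path, data, token });
+}
+
+exports.put = (path, data, token) => {
+return send({ method: 'PUT', path, data, token });
+}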
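Review bot: `opts.credentials = 'same-origin'` is assigned only in the else branch after `if (token)`, so a request that carries an `Authorization` header is sent with the runtime's default credentials mode, which is not what the commit title promises; set it once, `const opts = { method, headers: {}, credentials: 'same-origin' };`, and drop the else. The same branch shape appears in src/node_modules/api.js. Note also that under Node this module resolves `fetch` to node-fetch, which as far as I know has no cookie jar and ignores `credentials`, so the setting only has an effect on the browser path; a one-line comment above `const fetch = …` saying so would stop the next reader from relying on it in tests. `base` is pinned to `http://localhost:3000`, so every caller is tied to the dev server; reading it from an environment variable with that value as the default would let the same client talk to another host.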

+ 1
- 1
lib/testing.js View File

@@ -27,7 +27,7 @@ let browser = null;
const device_check = async (start, device) => {
assert(device && devices[device], `You must set a device that's listed in devices: ${allowed_devices}`);
puppeteer.launch({
headless: process.env.HEADLESS !== undefined,
headless: true

}).then(async browser => {
let page = await browser.newPage();

+ 2
- 0
src/node_modules/api.js View File

@@ -12,6 +12,8 @@ function send({ method, path, data, token }) {

if (token) {
opts.headers['Authorization'] = `Token ${token}`;
} else {
opts.credentials = 'same-origin';
}

return fetch(`${base}/${path}`, opts)

+ 1
- 1
src/node_modules/utils.js View File

@@ -3,7 +3,7 @@ export const fetch = process.browser ? window.fetch : require('node-fetch').defa
export function post(endpoint, data) {
return fetch(endpoint, {
method: 'POST',
credentials: 'include',
credentials: 'same-origin',
body: JSON.stringify(data),
headers: {
'Content-Type': 'application/json'

+ 2
- 2
src/routes/blog/[slug].svelte View File

@@ -9,9 +9,9 @@
export async function preload({ params, query }) {
// the `slug` parameter is available because
// this file is called [slug].svelte
const res = await this.fetch(`blog/${params.slug}.json`);
const res = await this.fetch(`blog/${params.slug}.json`, {credentials: 'same-origin'});
const data = await res.json();
const md_res = await this.fetch(`posts/${params.slug}.md`);
const md_res = await this.fetch(`posts/${params.slug}.md`, {credentials: 'same-origin'});
const content = await md_res.text();

// TODO: refine this! this is junk
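Review bot: In Sapper's server-side `this.fetch`, the incoming request's cookies are forwarded only when `credentials: 'include'` is passed, if I remember the docs correctly; with `'same-origin'` the SSR run of preload would reach any session-protected endpoint unauthenticated, and `res.json()` on the following line would then parse the error body as page data. Please confirm against the Sapper docs before relying on this for any endpoint that now checks `req.session`, and check `res.ok` before calling `res.json()` either way. The same applies to the `this.fetch` call in src/routes/live/index.svelte. preload's body continues outside the hunk.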

+ 2
- 2
src/routes/live/index.svelte View File

@@ -1,6 +1,6 @@
<script context="module">
export async function preload({ params, query }) {
let res = await this.fetch('/streams/test_live.json');
let res = await this.fetch('/streams/test_live.json', {credentials: 'same-origin'});
let data = await res.json();

if(res.status == 200) {
@@ -34,7 +34,7 @@
align-content: center;
-webkit-box-align: center;
-ms-flex-align: center;
align-items: center;
alignitems: center;
justify-content: center;
min-height: 400px;
}
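Review bot: If `alignitems: center;` is the new side of the second hunk (the rendered page lists old then new, and the counts say one line was replaced), it is not a CSS property and the browser will drop the declaration, leaving the block without vertical centering; keep `align-items: center;`. If the order is the other way round the change is a typo fix and this can be ignored. The first hunk's `this.fetch(..., {credentials: 'same-origin'})` raises the same server-side cookie question as the blog route.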

+ 8
- 2
src/routes/user/index.json.js View File

@@ -1,6 +1,12 @@
import { log } from 'logging';

export async function post(req, res) {
log.debug("Received user", req.body);
res.end(JSON.stringify({message: "This doesn't do anything yet."}));
if(req.session.user && req.session.user.verified) {
log.debug("Received user", req.body);
res.end(JSON.stringify({message: "This doesn't do anything yet."}));
} else {
log.debug("Attempt to access API without auth.");
res.statusCode = 403;
res.end(JSON.stringify({message: "Login required."}));
}
}
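Review bot: The unauthenticated branch returns 403 with "Login required.", but 401 is the status for a missing session, while 403 fits a user who is logged in but not `verified`; because the condition combines both checks, a client cannot tell the two cases apart. If you keep a single status the new access.spec.js stays consistent, otherwise split the condition into two branches with their own status and message. Neither branch sets `Content-Type: application/json` before `res.end`, so clients receive the JSON body without a type. `log.debug("Received user", req.body)` writes the whole request body to the log; if this endpoint ever receives passwords or tokens they end up there, so log only the fields you need.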

+ 1
- 0
src/routes/user/index.svelte View File

@@ -9,6 +9,7 @@
import { onMount } from 'svelte';

const { session } = stores();

// TODO: there has to be a better spot for this
if($session.user === undefined) {
goto('auth');

+ 1
- 1
src/service-worker.js View File

@@ -68,7 +68,7 @@ self.addEventListener('fetch', event => {
.open(`offline${timestamp}`)
.then(async cache => {
try {
const response = await fetch(event.request);
const response = await fetch(event.request. {credentials: 'same-origin'});
cache.put(event.request, response.clone());
return response;
} catch(err) {
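Review bot: `fetch(event.request. {credentials: 'same-origin'})` has a `.` where the argument separator should be, which is a SyntaxError and will stop the whole service worker from registering, not just this handler; it should read `const response = await fetch(event.request, {credentials: 'same-origin'});`. Since `event.request` is a Request, the init object overrides the request's own credentials mode for this fetch, which is the intended effect. Visible here but pre-existing: `cache.put` stores whatever came back, including error responses such as the new 403 bodies, so an offline revisit would replay them. The fetch handler continues outside the hunk.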

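--- a/tests/api/access.spec.js
+++ b/tests/api/access.spec.js
@@ -0,0 +1,9 @@
+const api = require('@lib/api');
+
+
+it('Cannot access URLs without authentication', async () => {
+let res = await api.post('/user.json', {user: 'zedshaw'});
+expect(res.status).toEqual(403);
+let json = await res.json();
+expect(json.message).toEqual('Login required.');
+});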
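Review bot: The test shows only that a request with no session is refused; because lib/api.js resolves `fetch` to node-fetch under jest, and node-fetch has no cookie jar, the `credentials` setting this commit adds never comes into play here, so the test does not confirm that a logged-in session is accepted. A positive case that first establishes a session (through whatever the app's login route sets) and expects 200 from the same endpoint would cover the other half. Prefer `const` over `let` for `res` and `json`, since neither is reassigned. The test also depends on a server already listening on lib/api.js's hard-coded `http://localhost:3000`, which is worth stating at the top of the file, e.g. `// requires the dev server running on localhost:3000`.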

+ 2
- 2
tests/ui/blog.spec.js View File

@@ -1,6 +1,6 @@
const faker = require('faker');
const t = require('@/testing');
const db = require('@/data');
const t = require('@lib/testing');
const db = require('@lib/data');

const main_user = t.fake_person();


+ 2
- 2
tests/ui/live.spec.js View File

@@ -1,5 +1,5 @@
const t = require('@/testing');
const db = require('@/data');
const t = require('@lib/testing');
const db = require('@lib/data');

const main_user = t.fake_person();


+ 2
- 2
tests/ui/login.spec.js View File

@@ -1,6 +1,6 @@
const faker = require('faker');
const t = require('@/testing');
const db = require('@/data');
const t = require('@lib/testing');
const db = require('@lib/data');

const main_user = t.fake_person();


+ 1
- 1
tests/ui/phones.spec.js View File

@@ -1,4 +1,4 @@
const t = require('@/testing');
const t = require('@lib/testing');
const host = 'http://localhost:3000';

it("iPhoneX doesn't look terrible.", async () => {

+ 2
- 2
tests/ui/register.spec.js View File

@@ -1,6 +1,6 @@

const t = require('@/testing');
const db = require('@/data');
const t = require('@lib/testing');
const db = require('@lib/data');

const main_user = t.fake_person();

