2022-09-28 09:01:17 +02:00
|
|
|
package api
|
|
|
|
|
|
|
|
import (
|
|
|
|
"net/http"
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
"github.com/tidwall/gjson"
|
|
|
|
|
|
|
|
"github.com/photoprism/photoprism/internal/i18n"
|
|
|
|
"github.com/photoprism/photoprism/internal/session"
|
|
|
|
)
|
|
|
|
|
|
|
|
func TestSessionID(t *testing.T) {
|
|
|
|
t.Run("NoContext", func(t *testing.T) {
|
|
|
|
result := SessionID(nil)
|
|
|
|
assert.Equal(t, "", result)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSession(t *testing.T) {
|
|
|
|
t.Run("Public", func(t *testing.T) {
|
|
|
|
assert.Equal(t, session.Public, Session(""))
|
|
|
|
assert.Equal(t, session.Public, Session("638bffc9b86a8fda0d908ebee84a43930cb8d1e3507f4aa0"))
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestCreateSession(t *testing.T) {
|
|
|
|
t.Run("Success", func(t *testing.T) {
|
|
|
|
app, router, _ := NewApiTest()
|
|
|
|
CreateSession(router)
|
|
|
|
r := PerformRequestWithBody(app, http.MethodPost, "/api/v1/session", `{"name": "admin", "password": "photoprism"}`)
|
|
|
|
log.Debugf("BODY: %s", r.Body.String())
|
|
|
|
val2 := gjson.Get(r.Body.String(), "user.Name")
|
|
|
|
assert.Equal(t, "admin", val2.String())
|
|
|
|
assert.Equal(t, http.StatusOK, r.Code)
|
|
|
|
})
|
|
|
|
t.Run("BadRequest", func(t *testing.T) {
|
|
|
|
app, router, _ := NewApiTest()
|
|
|
|
CreateSession(router)
|
|
|
|
r := PerformRequestWithBody(app, http.MethodPost, "/api/v1/session", `{"name": 123, "password": "xxx"}`)
|
|
|
|
assert.Equal(t, http.StatusBadRequest, r.Code)
|
|
|
|
})
|
2022-10-02 11:38:30 +02:00
|
|
|
t.Run("PublicInvalidToken", func(t *testing.T) {
|
2022-09-28 09:01:17 +02:00
|
|
|
app, router, _ := NewApiTest()
|
|
|
|
CreateSession(router)
|
|
|
|
r := PerformRequestWithBody(app, http.MethodPost, "/api/v1/session", `{"name": "admin", "password": "photoprism", "token": "xxx"}`)
|
|
|
|
assert.Equal(t, http.StatusNotFound, r.Code)
|
|
|
|
})
|
2022-10-02 11:38:30 +02:00
|
|
|
t.Run("AdminInvalidToken", func(t *testing.T) {
|
|
|
|
app, router, _ := NewApiTest()
|
|
|
|
// CreateSession(router)
|
|
|
|
sessId := AuthenticateUser(app, router, "alice", "Alice123!")
|
|
|
|
r := AuthenticatedRequestWithBody(app, http.MethodPost, "/api/v1/session", `{"token": "xxx"}`, sessId)
|
|
|
|
assert.Equal(t, http.StatusNotFound, r.Code)
|
|
|
|
})
|
|
|
|
t.Run("VisitorInvalidToken", func(t *testing.T) {
|
|
|
|
app, router, _ := NewApiTest()
|
|
|
|
CreateSession(router)
|
|
|
|
r := AuthenticatedRequestWithBody(app, http.MethodPost, "/api/v1/session", `{"token": "xxx"}`, "345346")
|
|
|
|
assert.Equal(t, http.StatusNotFound, r.Code)
|
|
|
|
})
|
|
|
|
t.Run("AdminValidToken", func(t *testing.T) {
|
|
|
|
app, router, _ := NewApiTest()
|
|
|
|
sessId := AuthenticateUser(app, router, "alice", "Alice123!")
|
|
|
|
r := AuthenticatedRequestWithBody(app, http.MethodPost, "/api/v1/session", `{"token": "1jxf3jfn2k"}`, sessId)
|
|
|
|
assert.Equal(t, http.StatusOK, r.Code)
|
|
|
|
})
|
|
|
|
t.Run("PublicValidToken", func(t *testing.T) {
|
2022-09-28 09:01:17 +02:00
|
|
|
app, router, _ := NewApiTest()
|
|
|
|
CreateSession(router)
|
|
|
|
r := PerformRequestWithBody(app, http.MethodPost, "/api/v1/session", `{"name": "admin", "password": "photoprism", "token": "1jxf3jfn2k"}`)
|
|
|
|
assert.Equal(t, http.StatusOK, r.Code)
|
|
|
|
})
|
|
|
|
t.Run("AdminInvalidPassword", func(t *testing.T) {
|
|
|
|
app, router, _ := NewApiTest()
|
|
|
|
CreateSession(router)
|
|
|
|
r := PerformRequestWithBody(app, http.MethodPost, "/api/v1/session", `{"name": "admin", "password": "xxx"}`)
|
|
|
|
val := gjson.Get(r.Body.String(), "error")
|
|
|
|
assert.Equal(t, i18n.Msg(i18n.ErrInvalidCredentials), val.String())
|
|
|
|
assert.Equal(t, http.StatusUnauthorized, r.Code)
|
|
|
|
})
|
|
|
|
t.Run("AliceSuccess", func(t *testing.T) {
|
|
|
|
app, router, _ := NewApiTest()
|
|
|
|
CreateSession(router)
|
|
|
|
r := PerformRequestWithBody(app, http.MethodPost, "/api/v1/session", `{"name": "alice", "password": "Alice123!"}`)
|
|
|
|
userEmail := gjson.Get(r.Body.String(), "user.Email")
|
|
|
|
userName := gjson.Get(r.Body.String(), "user.Name")
|
|
|
|
assert.Equal(t, "alice@example.com", userEmail.String())
|
|
|
|
assert.Equal(t, "alice", userName.String())
|
|
|
|
assert.Equal(t, http.StatusOK, r.Code)
|
|
|
|
})
|
|
|
|
t.Run("BobSuccess", func(t *testing.T) {
|
|
|
|
app, router, _ := NewApiTest()
|
|
|
|
CreateSession(router)
|
|
|
|
r := PerformRequestWithBody(app, http.MethodPost, "/api/v1/session", `{"name": "bob", "password": "Bobbob123!"}`)
|
|
|
|
userEmail := gjson.Get(r.Body.String(), "user.Email")
|
|
|
|
userName := gjson.Get(r.Body.String(), "user.Name")
|
|
|
|
assert.Equal(t, "bob@example.com", userEmail.String())
|
|
|
|
assert.Equal(t, "bob", userName.String())
|
|
|
|
assert.Equal(t, http.StatusOK, r.Code)
|
|
|
|
})
|
|
|
|
t.Run("BobInvalidPassword", func(t *testing.T) {
|
|
|
|
app, router, _ := NewApiTest()
|
|
|
|
CreateSession(router)
|
|
|
|
r := PerformRequestWithBody(app, http.MethodPost, "/api/v1/session", `{"name": "bob", "password": "helloworld"}`)
|
|
|
|
val := gjson.Get(r.Body.String(), "error")
|
|
|
|
assert.Equal(t, i18n.Msg(i18n.ErrInvalidCredentials), val.String())
|
|
|
|
assert.Equal(t, http.StatusUnauthorized, r.Code)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestGetSession(t *testing.T) {
|
|
|
|
t.Run("AdminWithoutAuthentication", func(t *testing.T) {
|
|
|
|
app, router, _ := NewApiTest()
|
|
|
|
GetSession(router)
|
|
|
|
|
|
|
|
sessId := AuthenticateAdmin(app, router)
|
|
|
|
r := PerformRequest(app, http.MethodGet, "/api/v1/session/"+sessId)
|
|
|
|
assert.Equal(t, http.StatusForbidden, r.Code)
|
|
|
|
})
|
|
|
|
t.Run("AdminAuthenticatedRequest", func(t *testing.T) {
|
|
|
|
app, router, _ := NewApiTest()
|
|
|
|
GetSession(router)
|
|
|
|
|
|
|
|
sessId := AuthenticateAdmin(app, router)
|
|
|
|
r := AuthenticatedRequest(app, http.MethodGet, "/api/v1/session/"+sessId, sessId)
|
|
|
|
assert.Equal(t, http.StatusOK, r.Code)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestDeleteSession(t *testing.T) {
|
|
|
|
t.Run("AdminWithoutAuthentication", func(t *testing.T) {
|
|
|
|
app, router, _ := NewApiTest()
|
|
|
|
DeleteSession(router)
|
|
|
|
|
|
|
|
sessId := AuthenticateAdmin(app, router)
|
|
|
|
|
|
|
|
r := PerformRequest(app, http.MethodDelete, "/api/v1/session/"+sessId)
|
|
|
|
assert.Equal(t, http.StatusOK, r.Code)
|
|
|
|
})
|
|
|
|
t.Run("AdminAuthenticatedRequest", func(t *testing.T) {
|
|
|
|
app, router, _ := NewApiTest()
|
|
|
|
DeleteSession(router)
|
|
|
|
|
|
|
|
sessId := AuthenticateAdmin(app, router)
|
|
|
|
|
|
|
|
r := AuthenticatedRequest(app, http.MethodDelete, "/api/v1/session/"+sessId, sessId)
|
|
|
|
assert.Equal(t, http.StatusOK, r.Code)
|
|
|
|
})
|
|
|
|
t.Run("UserWithoutAuthentication", func(t *testing.T) {
|
|
|
|
app, router, _ := NewApiTest()
|
|
|
|
DeleteSession(router)
|
|
|
|
|
|
|
|
sessId := AuthenticateUser(app, router, "alice", "Alice123!")
|
|
|
|
|
|
|
|
r := PerformRequest(app, http.MethodDelete, "/api/v1/session/"+sessId)
|
|
|
|
assert.Equal(t, http.StatusOK, r.Code)
|
|
|
|
})
|
|
|
|
t.Run("UserAuthenticatedRequest", func(t *testing.T) {
|
|
|
|
app, router, _ := NewApiTest()
|
|
|
|
DeleteSession(router)
|
|
|
|
|
|
|
|
sessId := AuthenticateUser(app, router, "alice", "Alice123!")
|
|
|
|
|
|
|
|
r := AuthenticatedRequest(app, http.MethodDelete, "/api/v1/session/"+sessId, sessId)
|
|
|
|
assert.Equal(t, http.StatusOK, r.Code)
|
|
|
|
})
|
|
|
|
t.Run("InvalidSession", func(t *testing.T) {
|
|
|
|
sessId := "638bffc9b86a8fda0d908ebee84a43930cb8d1e3507f4aa0"
|
|
|
|
app, router, _ := NewApiTest()
|
|
|
|
DeleteSession(router)
|
|
|
|
r := PerformRequest(app, http.MethodDelete, "/api/v1/session/"+sessId)
|
|
|
|
assert.Equal(t, http.StatusOK, r.Code)
|
|
|
|
})
|
|
|
|
}
|