mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2024-12-23 17:41:52 +00:00
b4a65b47f0
Bcrypt hashes are too slow to be validated on every request. As our tokens are random and have a fixed length, it is reasonable to use SHA-512 instead. SHA-512 is recommended as cryptographically strong by the BSI: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile Fixes https://github.com/hedgedoc/hedgedoc/issues/1881 Signed-off-by: David Mehren <git@herrmehren.de>
78 lines
2.3 KiB
TypeScript
78 lines
2.3 KiB
TypeScript
/*
|
|
* SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)
|
|
*
|
|
* SPDX-License-Identifier: AGPL-3.0-only
|
|
*/
|
|
import request from 'supertest';
|
|
|
|
import { AuthConfig } from '../../src/config/auth.config';
|
|
import { User } from '../../src/users/user.entity';
|
|
import { setupSessionMiddleware } from '../../src/utils/session';
|
|
import { TestSetup } from '../test-setup';
|
|
|
|
describe('Tokens', () => {
|
|
let testSetup: TestSetup;
|
|
let agent: request.SuperAgentTest;
|
|
|
|
let user: User;
|
|
let keyId: string;
|
|
|
|
beforeAll(async () => {
|
|
testSetup = await TestSetup.create();
|
|
|
|
user = await testSetup.userService.createUser('hardcoded', 'Testy');
|
|
await testSetup.identityService.createLocalIdentity(user, 'test');
|
|
|
|
const authConfig = testSetup.configService.get('authConfig') as AuthConfig;
|
|
setupSessionMiddleware(testSetup.app, authConfig);
|
|
|
|
await testSetup.app.init();
|
|
|
|
agent = request.agent(testSetup.app.getHttpServer());
|
|
await agent
|
|
.post('/api/private/auth/local/login')
|
|
.send({ username: 'hardcoded', password: 'test' })
|
|
.expect(201);
|
|
});
|
|
|
|
it(`POST /tokens`, async () => {
|
|
const tokenName = 'testToken';
|
|
const response = await agent
|
|
.post('/api/private/tokens')
|
|
.send({
|
|
label: tokenName,
|
|
})
|
|
.expect('Content-Type', /json/)
|
|
.expect(201);
|
|
keyId = response.body.keyId;
|
|
expect(response.body.label).toBe(tokenName);
|
|
expect(response.body.validUntil).toBe(null);
|
|
expect(response.body.lastUsed).toBe(null);
|
|
expect(response.body.secret.length).toBe(98);
|
|
});
|
|
|
|
it(`GET /tokens`, async () => {
|
|
const tokenName = 'testToken';
|
|
const response = await agent
|
|
.get('/api/private/tokens/')
|
|
.expect('Content-Type', /json/)
|
|
.expect(200);
|
|
expect(response.body[0].label).toBe(tokenName);
|
|
expect(response.body[0].validUntil).toBe(null);
|
|
expect(response.body[0].lastUsed).toBe(null);
|
|
expect(response.body[0].secret).not.toBeDefined();
|
|
});
|
|
it(`DELETE /tokens/:keyid`, async () => {
|
|
const response = await agent
|
|
.delete('/api/private/tokens/' + keyId)
|
|
.expect(204);
|
|
expect(response.body).toStrictEqual({});
|
|
});
|
|
it(`GET /tokens 2`, async () => {
|
|
const response = await agent
|
|
.get('/api/private/tokens/')
|
|
.expect('Content-Type', /json/)
|
|
.expect(200);
|
|
expect(response.body).toStrictEqual([]);
|
|
});
|
|
});
|