refs https://github.com/TryGhost/Toolbox/issues/138 - Having the "ghost" alias only added cognitive load when reading through the test code and didn't provide any additional value. Removed the pattern to keep things simpler and more explicit
const should = require('should');
const supertest = require('supertest');
const jwt = require('jsonwebtoken');
const jwksClient = require('jwks-rsa');
const testUtils = require('../../../../utils');
const localUtils = require('./utils');
const config = require('../../../../../core/shared/config');
// supertest agent shared by the hooks and tests below. Each `before` creates a
// fresh one after `testUtils.startGhost()` and hands it to `localUtils.doAuth`.
let request;
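/**
 * Verify a JWT against the public key set published at `endpoint`.
 *
 * The signing key is looked up by the token's `kid` header in the JWKS
 * document, so a token only verifies when it was signed with the private
 * counterpart of a key the server actually advertises.
 *
 * @param {string} endpoint - absolute URL of the JWKS document (`.well-known/jwks.json`)
 * @param {string} token - compact JWS to verify
 * @returns {Promise<object>} resolves with the decoded payload
 *   (rejects with the jwks-rsa / jsonwebtoken error when the key cannot be
 *   fetched or the signature/claims do not verify)
 */
const verifyJWKS = (endpoint, token) => {
    return new Promise((resolve, reject) => {
        const client = jwksClient({
            jwksUri: endpoint
        });

        // jsonwebtoken's key resolver is callback based. A failure in
        // `getSigningKey` (unknown kid, unreachable endpoint, malformed JWKS)
        // has to be reported via `callback(err)`: the original `async`
        // resolver let that rejection escape unhandled, so `jwt.verify` never
        // called back and the test hung until the mocha timeout instead of
        // failing with the real error.
        async function getKey(header, callback) {
            let signingKey;

            try {
                const key = await client.getSigningKey(header.kid);
                signingKey = key.publicKey || key.rsaPublicKey;
            } catch (err) {
                return callback(err);
            }

            callback(null, signingKey);
        }

        // NOTE(review): no `algorithms` option is passed, so the set of
        // accepted algorithms is whatever jsonwebtoken defaults to for the
        // PEM public key returned above. Pinning it to the algorithm Ghost
        // signs identity tokens with would make this test fail loudly if the
        // server ever changed it — confirm the algorithm against the
        // identities API implementation before adding it here.
        jwt.verify(token, getKey, {}, (err, decoded) => {
            if (err) {
                // `return` so a failed verification does not also fall
                // through to `resolve(undefined)`.
                return reject(err);
            }

            resolve(decoded);
        });
    });
};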
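describe('Identities API', function () {
    describe('As Owner', function () {
        // Boot Ghost and authenticate the shared agent. No `request.user` is
        // set here, so `doAuth` uses its default account — the owner, going by
        // the describe title.
        before(async function () {
            await testUtils.startGhost();
            request = supertest.agent(config.get('url'));
            await localUtils.doAuth(request);
        });

        it('Can create JWT token and verify it afterwards with public jwks', async function () {
            const res = await request
                .get(localUtils.API.getApiQuery(`identities/`))
                .set('Origin', config.get('url'))
                .expect('Content-Type', /json/)
                .expect('Cache-Control', testUtils.cacheRules.private)
                .expect(200);

            // A per-user token response must not trigger a cache purge.
            should.not.exist(res.headers['x-cache-invalidate']);

            const jsonResponse = res.body;
            should.exist(jsonResponse);
            should.exist(jsonResponse.identities);

            const identity = jsonResponse.identities[0];
            // Assert the token is present before using it, so an empty
            // `identities` array or a missing `token` field fails with a
            // readable assertion rather than a TypeError from the line below.
            should.exist(identity);
            should.exist(identity.token);

            // The token must verify against the *public* key set the server
            // publishes, i.e. it was signed with the matching private key.
            const decoded = await verifyJWKS(`${request.app}/ghost/.well-known/jwks.json`, identity.token);
            decoded.sub.should.equal('jbloggs@example.com');
        });
    });

    describe('As non-Owner', function () {
        before(async function () {
            await testUtils.startGhost();
            request = supertest.agent(config.get('url'));

            // Create a second user with the first fixture role (presumably
            // Administrator, given the address — any non-owner role works for
            // this check) and authenticate the agent as that user.
            const admin = await testUtils.createUser({
                user: testUtils.DataGenerator.forKnex.createUser({email: 'admin+1@ghost.org'}),
                role: testUtils.DataGenerator.Content.roles[0].name
            });

            request.user = admin;
            await localUtils.doAuth(request);
        });

        // Identity tokens are owner-only: any other role must get 403, not a
        // token for someone else's identity.
        it('Cannot read', async function () {
            await request
                .get(localUtils.API.getApiQuery(`identities/`))
                .set('Origin', config.get('url'))
                .expect('Content-Type', /json/)
                .expect('Cache-Control', testUtils.cacheRules.private)
                .expect(403);
        });
    });
});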