2022-12-12 13:43:23 +08:00
|
|
|
import { mockEsmWithActual, pickDefault } from '@logto/shared/esm';
|
|
|
|
|
2022-11-21 16:38:24 +08:00
|
|
|
import RequestError from '#src/errors/RequestError/index.js';
|
|
|
|
import { createRequester } from '#src/utils/test-utils.js';
|
2022-10-31 18:18:13 +08:00
|
|
|
|
2022-12-12 13:43:23 +08:00
|
|
|
const { jest } = import.meta;
|
|
|
|
|
|
|
|
const { verifyBearerTokenFromRequest } = await mockEsmWithActual(
|
|
|
|
'#src/middleware/koa-auth.js',
|
|
|
|
() => ({
|
|
|
|
verifyBearerTokenFromRequest: jest.fn(),
|
|
|
|
})
|
|
|
|
);
|
|
|
|
|
|
|
|
const request = createRequester({
|
|
|
|
anonymousRoutes: await pickDefault(import('#src/routes/authn.js')),
|
|
|
|
});
|
2022-10-31 18:18:13 +08:00
|
|
|
|
|
|
|
describe('authn route for Hasura', () => {
|
|
|
|
const mockUserId = 'foo';
|
|
|
|
const mockExpectedRole = 'some_role';
|
|
|
|
const mockUnauthorizedRole = 'V';
|
|
|
|
const keys = Object.freeze({
|
|
|
|
expectedRole: 'Expected-Role',
|
|
|
|
hasuraUserId: 'X-Hasura-User-Id',
|
|
|
|
hasuraRole: 'X-Hasura-Role',
|
|
|
|
});
|
|
|
|
|
|
|
|
describe('with successful verification', () => {
|
|
|
|
beforeEach(() => {
|
2022-12-12 13:43:23 +08:00
|
|
|
verifyBearerTokenFromRequest.mockResolvedValue({
|
2022-10-31 18:18:13 +08:00
|
|
|
clientId: 'ok',
|
|
|
|
sub: mockUserId,
|
|
|
|
roleNames: [mockExpectedRole],
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
|
|
|
it('has expected role', async () => {
|
|
|
|
const response = await request
|
|
|
|
.get('/authn/hasura')
|
|
|
|
.query({ resource: 'https://api.logto.io' })
|
|
|
|
.set(keys.expectedRole, mockExpectedRole);
|
|
|
|
expect(response.status).toEqual(200);
|
|
|
|
expect(response.body).toEqual({
|
|
|
|
[keys.hasuraUserId]: mockUserId,
|
|
|
|
[keys.hasuraRole]: mockExpectedRole,
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
|
|
|
it('throws 401 if no expected role present', async () => {
|
|
|
|
const response = await request
|
|
|
|
.get('/authn/hasura')
|
|
|
|
.query({ resource: 'https://api.logto.io' })
|
|
|
|
.set(keys.expectedRole, mockExpectedRole + '1');
|
|
|
|
expect(response.status).toEqual(401);
|
|
|
|
});
|
|
|
|
|
|
|
|
it('falls back to unauthorized role if no expected role present', async () => {
|
|
|
|
const response = await request
|
|
|
|
.get('/authn/hasura')
|
|
|
|
.query({ resource: 'https://api.logto.io', unauthorizedRole: mockUnauthorizedRole })
|
|
|
|
.set(keys.expectedRole, mockExpectedRole + '1');
|
|
|
|
expect(response.status).toEqual(200);
|
|
|
|
expect(response.body).toEqual({
|
|
|
|
[keys.hasuraUserId]: mockUserId,
|
|
|
|
[keys.hasuraRole]: mockUnauthorizedRole,
|
|
|
|
});
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
|
|
|
describe('with failed verification', () => {
|
|
|
|
beforeEach(() => {
|
2022-12-12 13:43:23 +08:00
|
|
|
verifyBearerTokenFromRequest.mockImplementation(async (_, resource) => {
|
|
|
|
if (resource) {
|
|
|
|
throw new RequestError({ code: 'auth.jwt_sub_missing', status: 401 });
|
|
|
|
}
|
2022-10-31 18:18:13 +08:00
|
|
|
|
2022-12-12 13:43:23 +08:00
|
|
|
return { clientId: 'not ok', sub: mockUserId };
|
|
|
|
});
|
2022-10-31 18:18:13 +08:00
|
|
|
});
|
|
|
|
|
|
|
|
it('throws 401 if no unauthorized role presents', async () => {
|
|
|
|
const response = await request
|
|
|
|
.get('/authn/hasura')
|
|
|
|
.query({ resource: 'https://api.logto.io' })
|
|
|
|
.set(keys.expectedRole, mockExpectedRole);
|
|
|
|
expect(response.status).toEqual(401);
|
|
|
|
});
|
|
|
|
|
|
|
|
it('falls back to unauthorized role with user id if no expected resource present', async () => {
|
|
|
|
const response = await request
|
|
|
|
.get('/authn/hasura')
|
|
|
|
.query({ resource: 'https://api.logto.io', unauthorizedRole: mockUnauthorizedRole })
|
|
|
|
.set(keys.expectedRole, mockExpectedRole);
|
|
|
|
expect(response.status).toEqual(200);
|
|
|
|
expect(response.body).toEqual({
|
|
|
|
[keys.hasuraUserId]: mockUserId,
|
|
|
|
[keys.hasuraRole]: mockUnauthorizedRole,
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
|
|
|
it('falls back to unauthorized role if JWT is invalid', async () => {
|
2022-12-12 13:43:23 +08:00
|
|
|
verifyBearerTokenFromRequest.mockRejectedValue(
|
|
|
|
new RequestError({ code: 'auth.jwt_sub_missing', status: 401 })
|
|
|
|
);
|
|
|
|
|
2022-10-31 18:18:13 +08:00
|
|
|
const response = await request
|
|
|
|
.get('/authn/hasura')
|
|
|
|
.query({ resource: 'https://api.logto.io', unauthorizedRole: mockUnauthorizedRole });
|
|
|
|
expect(response.status).toEqual(200);
|
|
|
|
expect(response.body).toEqual({
|
|
|
|
[keys.hasuraRole]: mockUnauthorizedRole,
|
|
|
|
});
|
|
|
|
});
|
|
|
|
});
|
|
|
|
});
|