chore: getJWTToken -> getSessionToken (#12371)

* getJWTToken -> getSessionToken

Ensure expiry is included in payload

* Refactor test harness to avoid direct usage of getSessionToken

plugins/figma/server/api/figma.test.ts

@@ -13,7 +13,7 @@ describe("#figma.callback", () => {
     const res = await server.get(
       `/api/figma.callback?state=${encodeURIComponent(
         state
-      )}&code=123&token=${user.getJwtToken()}`,
+      )}&code=123&token=${user.getSessionToken()}`,
       { redirect: "manual" }
     );
     const body = await res.json();
@@ -27,7 +27,7 @@ describe("#figma.callback", () => {
     const res = await server.get(
       `/api/figma.callback?state=${encodeURIComponent(
         state
-      )}&code=123&token=${user.getJwtToken()}`,
+      )}&code=123&token=${user.getSessionToken()}`,
       { redirect: "manual" }
     );
     expect(res.status).toEqual(400);
@@ -36,7 +36,7 @@ describe("#figma.callback", () => {
   it("should fail when state is not valid JSON", async () => {
     const user = await buildUser();
     const res = await server.get(
-      `/api/figma.callback?state=bad&code=123&token=${user.getJwtToken()}`,
+      `/api/figma.callback?state=bad&code=123&token=${user.getSessionToken()}`,
       { redirect: "manual" }
     );
     expect(res.status).toEqual(400);

plugins/github/server/api/github.test.ts

@@ -14,7 +14,7 @@ describe("#github.callback", () => {
     const res = await server.get(
       `/api/github.callback?state=${encodeURIComponent(
         state
-      )}&code=123&setup_action=${SetupAction.install}&installation_id=1&token=${user.getJwtToken()}`,
+      )}&code=123&setup_action=${SetupAction.install}&installation_id=1&token=${user.getSessionToken()}`,
       { redirect: "manual" }
     );
     const body = await res.json();
@@ -28,7 +28,7 @@ describe("#github.callback", () => {
     const res = await server.get(
       `/api/github.callback?state=${encodeURIComponent(
         state
-      )}&code=123&setup_action=${SetupAction.install}&installation_id=1&token=${user.getJwtToken()}`,
+      )}&code=123&setup_action=${SetupAction.install}&installation_id=1&token=${user.getSessionToken()}`,
       { redirect: "manual" }
     );
     expect(res.status).toEqual(400);
@@ -37,7 +37,7 @@ describe("#github.callback", () => {
   it("should fail when state is not valid JSON", async () => {
     const user = await buildUser();
     const res = await server.get(
-      `/api/github.callback?state=bad&code=123&setup_action=${SetupAction.install}&installation_id=1&token=${user.getJwtToken()}`,
+      `/api/github.callback?state=bad&code=123&setup_action=${SetupAction.install}&installation_id=1&token=${user.getSessionToken()}`,
       { redirect: "manual" }
     );
     expect(res.status).toEqual(400);

plugins/gitlab/server/api/gitlab.test.ts

@@ -13,7 +13,7 @@ describe("#gitlab.callback", () => {
     const res = await server.get(
       `/api/gitlab.callback?state=${encodeURIComponent(
         state
-      )}&code=123&token=${user.getJwtToken()}`,
+      )}&code=123&token=${user.getSessionToken()}`,
       { redirect: "manual" }
     );
     const body = await res.json();
@@ -27,7 +27,7 @@ describe("#gitlab.callback", () => {
     const res = await server.get(
       `/api/gitlab.callback?state=${encodeURIComponent(
         state
-      )}&code=123&token=${user.getJwtToken()}`,
+      )}&code=123&token=${user.getSessionToken()}`,
       { redirect: "manual" }
     );
     expect(res.status).toEqual(400);
@@ -36,7 +36,7 @@ describe("#gitlab.callback", () => {
   it("should fail when state is not valid JSON", async () => {
     const user = await buildUser();
     const res = await server.get(
-      `/api/gitlab.callback?state=bad&code=123&token=${user.getJwtToken()}`,
+      `/api/gitlab.callback?state=bad&code=123&token=${user.getSessionToken()}`,
       { redirect: "manual" }
     );
     expect(res.status).toEqual(400);

plugins/linear/server/api/linear.test.ts

@@ -13,7 +13,7 @@ describe("#linear.callback", () => {
     const res = await server.get(
       `/api/linear.callback?state=${encodeURIComponent(
         state
-      )}&code=123&token=${user.getJwtToken()}`,
+      )}&code=123&token=${user.getSessionToken()}`,
       { redirect: "manual" }
     );
     const body = await res.json();
@@ -27,7 +27,7 @@ describe("#linear.callback", () => {
     const res = await server.get(
       `/api/linear.callback?state=${encodeURIComponent(
         state
-      )}&code=123&token=${user.getJwtToken()}`,
+      )}&code=123&token=${user.getSessionToken()}`,
       { redirect: "manual" }
     );
     expect(res.status).toEqual(400);
@@ -36,7 +36,7 @@ describe("#linear.callback", () => {
   it("should fail when state is not valid JSON", async () => {
     const user = await buildUser();
     const res = await server.get(
-      `/api/linear.callback?state=bad&code=123&token=${user.getJwtToken()}`,
+      `/api/linear.callback?state=bad&code=123&token=${user.getSessionToken()}`,
       { redirect: "manual" }
     );
     expect(res.status).toEqual(400);

plugins/notion/server/api/notion.test.ts

@@ -13,7 +13,7 @@ describe("#notion.callback", () => {
     const res = await server.get(
       `/api/notion.callback?state=${encodeURIComponent(
         state
-      )}&code=123&token=${user.getJwtToken()}`,
+      )}&code=123&token=${user.getSessionToken()}`,
       { redirect: "manual" }
     );
     const body = await res.json();
@@ -27,7 +27,7 @@ describe("#notion.callback", () => {
     const res = await server.get(
       `/api/notion.callback?state=${encodeURIComponent(
         state
-      )}&code=123&token=${user.getJwtToken()}`,
+      )}&code=123&token=${user.getSessionToken()}`,
       { redirect: "manual" }
     );
     expect(res.status).toEqual(400);
@@ -36,7 +36,7 @@ describe("#notion.callback", () => {
   it("should fail when state is not valid JSON", async () => {
     const user = await buildUser();
     const res = await server.get(
-      `/api/notion.callback?state=bad&code=123&token=${user.getJwtToken()}`,
+      `/api/notion.callback?state=bad&code=123&token=${user.getSessionToken()}`,
       { redirect: "manual" }
     );
     expect(res.status).toEqual(400);

plugins/slack/server/auth/slack.test.ts

@@ -11,7 +11,7 @@ describe("#slack.post", () => {
     const res = await server.get(
       `/auth/slack.post?state=${JSON.stringify(
         {}
-      )}&code=123&token=${user.getJwtToken()}`
+      )}&code=123&token=${user.getSessionToken()}`
     );
     expect(res.status).toEqual(400);
   });
@@ -19,7 +19,7 @@ describe("#slack.post", () => {
   it("should fail with status 400 bad request if query param state is not JSON", async () => {
     const user = await buildUser();
     const res = await server.get(
-      `/auth/slack.post?state=bad&code=123&token=${user.getJwtToken()}`
+      `/auth/slack.post?state=bad&code=123&token=${user.getSessionToken()}`
     );
     expect(res.status).toEqual(400);
   });
@@ -43,7 +43,7 @@ describe("#slack.post", () => {
     const res = await server.get(
       `/auth/slack.post?state=${encodeURIComponent(
         state
-      )}&code=123&token=${user.getJwtToken()}`,
+      )}&code=123&token=${user.getSessionToken()}`,
       { redirect: "manual" }
     );
     const body = await res.json();
@@ -60,7 +60,7 @@ describe("#slack.post", () => {
     const res = await server.get(
       `/auth/slack.post?state=${encodeURIComponent(
         state
-      )}&code=123&token=${user.getJwtToken()}`,
+      )}&code=123&token=${user.getSessionToken()}`,
       { redirect: "manual" }
     );
     expect(res.status).toEqual(400);

plugins/storage/server/api/files.test.ts

@@ -25,9 +25,8 @@ vi.setConfig({ testTimeout: 10000 });
 describe("#files.create", () => {
   it("should fail with status 400 bad request if key is invalid", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/files.create", {
+    const res = await server.post("/api/files.create", user, {
       body: {
-        token: user.getJwtToken(),
         key: "public/foo/bar/baz.png",
       },
     });
@@ -52,7 +51,7 @@ describe("#files.create", () => {
     const form = new FormData();
     form.append("key", attachment.key);
     form.append("file", content, fileName);
-    form.append("token", user.getJwtToken());
+    form.append("token", user.getSessionToken());
 
     const res = await server.post(`/api/files.create`, {
       headers: form.getHeaders(),
@@ -89,7 +88,7 @@ describe("#files.create", () => {
     const form = new FormData();
     form.append("key", attachment.key);
     form.append("file", content, fileName);
-    form.append("token", user.getJwtToken());
+    form.append("token", user.getSessionToken());
 
     const res = await server.post(`/api/files.create`, {
       headers: form.getHeaders(),
@@ -118,7 +117,7 @@ describe("#files.create", () => {
     const form = new FormData();
     form.append("key", attachment.key);
     form.append("file", content, fileName);
-    form.append("token", user.getJwtToken());
+    form.append("token", user.getSessionToken());
 
     const res = await server.post(`/api/files.create`, {
       headers: form.getHeaders(),
@@ -150,7 +149,7 @@ describe("#files.create", () => {
     const form = new FormData();
     form.append("key", attachment.key);
     form.append("file", content, fileName);
-    form.append("token", user.getJwtToken());
+    form.append("token", user.getSessionToken());
 
     const res = await server.post(`/api/files.create`, {
       headers: form.getHeaders(),
@@ -181,7 +180,7 @@ describe("#files.create", () => {
     const form = new FormData();
     form.append("key", attachment.key);
     form.append("file", content, fileName);
-    form.append("token", user.getJwtToken());
+    form.append("token", user.getSessionToken());
 
     const res = await server.post(`/api/files.create`, {
       headers: form.getHeaders(),
@@ -262,7 +261,7 @@ describe("#files.get", () => {
     const form = new FormData();
     form.append("key", attachment.key);
     form.append("file", content, fileName);
-    form.append("token", user.getJwtToken());
+    form.append("token", user.getSessionToken());
 
     await server.post(`/api/files.create`, {
       headers: form.getHeaders(),
@@ -298,7 +297,7 @@ describe("#files.get", () => {
     const form = new FormData();
     form.append("key", attachment.key);
     form.append("file", content, fileName);
-    form.append("token", user.getJwtToken());
+    form.append("token", user.getSessionToken());
 
     await server.post(`/api/files.create`, {
       headers: form.getHeaders(),
@@ -432,7 +431,7 @@ describe("#files.get", () => {
     // Non-owner user should be able to access public-read attachment
     const res = await server.get(`/api/files.get?key=${key}`, {
       headers: {
-        Authorization: `Bearer ${otherUser.getJwtToken()}`,
+        Authorization: `Bearer ${otherUser.getSessionToken()}`,
       },
     });
     expect(res.status).toEqual(200);
@@ -467,7 +466,7 @@ describe("#files.get", () => {
     // Non-owner user should NOT be able to access private attachment
     const res = await server.get(`/api/files.get?key=${key}`, {
       headers: {
-        Authorization: `Bearer ${otherUser.getJwtToken()}`,
+        Authorization: `Bearer ${otherUser.getSessionToken()}`,
       },
     });
     expect(res.status).toEqual(403);

plugins/webhooks/server/api/webhookSubscriptions.test.ts

@@ -21,9 +21,7 @@ describe("#webhookSubscriptions.list", () => {
   it("should fail with status 403 forbidden for non-admin user", async () => {
     const user = await buildUser();
 
-    const res = await server.post("/api/webhookSubscriptions.list", {
+    const res = await server.post("/api/webhookSubscriptions.list", user);
-      body: { token: user.getJwtToken() },
-    });
     const body = await res.json();
 
     expect(res.status).toEqual(403);
@@ -43,9 +41,7 @@ describe("#webhookSubscriptions.list", () => {
         )
     );
 
-    const res = await server.post("/api/webhookSubscriptions.list", {
+    const res = await server.post("/api/webhookSubscriptions.list", user);
-      body: { token: user.getJwtToken() },
-    });
     const body = await res.json();
 
     expect(res.status).toEqual(200);
@@ -70,8 +66,8 @@ describe("#webhookSubscriptions.list", () => {
       name: "Development Hook",
     });
 
-    const res = await server.post("/api/webhookSubscriptions.list", {
+    const res = await server.post("/api/webhookSubscriptions.list", user, {
-      body: { token: user.getJwtToken(), query: "webhook" },
+      body: { query: "webhook" },
     });
     const body = await res.json();
 
@@ -97,8 +93,8 @@ describe("#webhookSubscriptions.list", () => {
       name: "Staging Webhook",
     });
 
-    const res = await server.post("/api/webhookSubscriptions.list", {
+    const res = await server.post("/api/webhookSubscriptions.list", user, {
-      body: { token: user.getJwtToken(), query: "PRODUCTION" },
+      body: { query: "PRODUCTION" },
     });
     const body = await res.json();
 
@@ -115,8 +111,8 @@ describe("#webhookSubscriptions.list", () => {
       name: "Production Webhook",
     });
 
-    const res = await server.post("/api/webhookSubscriptions.list", {
+    const res = await server.post("/api/webhookSubscriptions.list", user, {
-      body: { token: user.getJwtToken(), query: "nonexistent" },
+      body: { query: "nonexistent" },
     });
     const body = await res.json();
 
@@ -139,9 +135,7 @@ describe("#webhookSubscriptions.create", () => {
   it("should fail with status 403 forbidden for non-admin user", async () => {
     const user = await buildUser();
 
-    const res = await server.post("/api/webhookSubscriptions.create", {
+    const res = await server.post("/api/webhookSubscriptions.create", user);
-      body: { token: user.getJwtToken() },
-    });
     const body = await res.json();
 
     expect(res.status).toEqual(403);
@@ -155,9 +149,8 @@ describe("#webhookSubscriptions.create", () => {
     const events = ["comments"];
     const secret = "Test secret";
 
-    const res = await server.post("/api/webhookSubscriptions.create", {
+    const res = await server.post("/api/webhookSubscriptions.create", user, {
       body: {
-        token: user.getJwtToken(),
         name,
         url,
         events,
@@ -190,9 +183,7 @@ describe("#webhookSubscriptions.update", () => {
   it("should fail with status 403 forbidden for non-admin user", async () => {
     const user = await buildUser();
 
-    const res = await server.post("/api/webhookSubscriptions.update", {
+    const res = await server.post("/api/webhookSubscriptions.update", user);
-      body: { token: user.getJwtToken() },
-    });
     const body = await res.json();
 
     expect(res.status).toEqual(403);
@@ -213,9 +204,8 @@ describe("#webhookSubscriptions.update", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/webhookSubscriptions.update", {
+    const res = await server.post("/api/webhookSubscriptions.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: existingWebhook.id,
         name,
         url,
@@ -247,9 +237,8 @@ describe("#webhookSubscriptions.update", () => {
       enabled: false,
     });
 
-    const res = await server.post("/api/webhookSubscriptions.update", {
+    const res = await server.post("/api/webhookSubscriptions.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: disabledWebhook.id,
         name,
         url,
@@ -281,9 +270,7 @@ describe("#webhookSubscriptions.delete", () => {
   it("should fail with status 403 forbidden for non-admin user", async () => {
     const user = await buildUser();
 
-    const res = await server.post("/api/webhookSubscriptions.delete", {
+    const res = await server.post("/api/webhookSubscriptions.delete", user);
-      body: { token: user.getJwtToken() },
-    });
     const body = await res.json();
 
     expect(res.status).toEqual(403);
@@ -300,8 +287,8 @@ describe("#webhookSubscriptions.delete", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/webhookSubscriptions.delete", {
+    const res = await server.post("/api/webhookSubscriptions.delete", user, {
-      body: { token: user.getJwtToken(), id: createdWebhook.id },
+      body: { id: createdWebhook.id },
     });
     const body = await res.json();
 

server/middlewares/authentication.test.ts

@@ -21,7 +21,7 @@ describe("Authentication middleware", () => {
         {
           // @ts-expect-error mock request
           request: {
-            get: vi.fn(() => `Bearer ${user.getJwtToken()}`),
+            get: vi.fn(() => `Bearer ${user.getSessionToken()}`),
           },
           state,
           cache: {},
@@ -41,7 +41,7 @@ describe("Authentication middleware", () => {
           {
             // @ts-expect-error mock request
             request: {
-              get: vi.fn(() => `Bearer ${user.getJwtToken()}error`),
+              get: vi.fn(() => `Bearer ${user.getSessionToken()}error`),
             },
             state,
             cache: {},
@@ -65,7 +65,7 @@ describe("Authentication middleware", () => {
           {
             // @ts-expect-error mock request
             request: {
-              get: vi.fn(() => `Bearer ${user.getJwtToken()}`),
+              get: vi.fn(() => `Bearer ${user.getSessionToken()}`),
             },
             state,
             cache: {},
@@ -295,7 +295,7 @@ describe("Authentication middleware", () => {
           // @ts-expect-error mock request
           get: vi.fn(() => null),
           query: {
-            token: user.getJwtToken(),
+            token: user.getSessionToken(),
           },
         },
         state,
@@ -316,7 +316,7 @@ describe("Authentication middleware", () => {
           // @ts-expect-error mock request
           get: vi.fn(() => null),
           body: {
-            token: user.getJwtToken(),
+            token: user.getSessionToken(),
           },
         },
         state,
@@ -342,7 +342,7 @@ describe("Authentication middleware", () => {
         {
           // @ts-expect-error mock request
           request: {
-            get: vi.fn(() => `Bearer ${user.getJwtToken()}`),
+            get: vi.fn(() => `Bearer ${user.getSessionToken()}`),
           },
           state,
           cache: {},
@@ -372,7 +372,7 @@ describe("Authentication middleware", () => {
         {
           // @ts-expect-error mock request
           request: {
-            get: vi.fn(() => `Bearer ${user.getJwtToken()}`),
+            get: vi.fn(() => `Bearer ${user.getSessionToken()}`),
           },
           state,
           cache: {},

server/models/User.test.ts

@@ -153,10 +153,10 @@ describe("user model", () => {
     });
   });
 
-  describe("getJwtToken", () => {
+  describe("getSessionToken", () => {
     it("should set JWT secret", async () => {
       const user = await buildUser();
-      expect(user.getJwtToken()).toBeTruthy();
+      expect(user.getSessionToken()).toBeTruthy();
     });
   });
 

server/models/User.ts

@@ -608,7 +608,7 @@ class User extends ParanoidModel<
    * @param service The authentication service used to generate the token, if applicable
    * @returns The session token
    */
-  getJwtToken = (expiresAt?: Date, service?: string) =>
+  getSessionToken = (expiresAt?: Date, service?: string) =>
     JWT.sign(
       {
         id: this.id,

server/routes/api/accessRequests/accessRequests.test.ts

@@ -15,11 +15,7 @@ const server = getTestServer();
 describe("#accessRequests.create", () => {
   it("should require id", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/accessRequests.create", {
+    const res = await server.post("/api/accessRequests.create", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(400);
     expect(body.message).toEqual("documentId: Must be a valid UUID or slug");
@@ -37,9 +33,8 @@ describe("#accessRequests.create", () => {
 
   it("should return 404 for non-existent document", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/accessRequests.create", {
+    const res = await server.post("/api/accessRequests.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: "a8f22c38-f4eb-4909-8c30-b927af36c5f3",
       },
     });
@@ -63,9 +58,8 @@ describe("#accessRequests.create", () => {
       collectionId: collection.id,
     });
 
-    const res = await server.post("/api/accessRequests.create", {
+    const res = await server.post("/api/accessRequests.create", requester, {
       body: {
-        token: requester.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -85,9 +79,8 @@ describe("#accessRequests.create", () => {
       createdById: owner.id,
     });
 
-    const res = await server.post("/api/accessRequests.create", {
+    const res = await server.post("/api/accessRequests.create", requester, {
       body: {
-        token: requester.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -110,9 +103,8 @@ describe("#accessRequests.create", () => {
       collectionId: collection.id,
     });
 
-    const res = await server.post("/api/accessRequests.create", {
+    const res = await server.post("/api/accessRequests.create", requester, {
       body: {
-        token: requester.getJwtToken(),
         documentId: document.urlId,
       },
     });
@@ -135,17 +127,15 @@ describe("#accessRequests.create", () => {
     });
 
     // Create first access request
-    const res1 = await server.post("/api/accessRequests.create", {
+    const res1 = await server.post("/api/accessRequests.create", requester, {
       body: {
-        token: requester.getJwtToken(),
         documentId: document.id,
       },
     });
 
     // Try to create another
-    const res2 = await server.post("/api/accessRequests.create", {
+    const res2 = await server.post("/api/accessRequests.create", requester, {
       body: {
-        token: requester.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -189,9 +179,8 @@ describe("#accessRequests.create", () => {
     });
 
     // Create new request
-    const res2 = await server.post("/api/accessRequests.create", {
+    const res2 = await server.post("/api/accessRequests.create", requester, {
       body: {
-        token: requester.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -211,11 +200,7 @@ describe("#accessRequests.info", () => {
 
   it("should fail if both id and documentId are missing", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/accessRequests.info", {
+    const res = await server.post("/api/accessRequests.info", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     expect(res.status).toEqual(400);
   });
 
@@ -234,9 +219,8 @@ describe("#accessRequests.info", () => {
       teamId: team.id,
     });
 
-    const res = await server.post("/api/accessRequests.info", {
+    const res = await server.post("/api/accessRequests.info", requester, {
       body: {
-        token: requester.getJwtToken(),
         id: accessRequest.id,
       },
     });
@@ -262,9 +246,8 @@ describe("#accessRequests.info", () => {
       teamId: team.id,
     });
 
-    const res = await server.post("/api/accessRequests.info", {
+    const res = await server.post("/api/accessRequests.info", requester, {
       body: {
-        token: requester.getJwtToken(),
         documentId: document.urlId,
       },
     });
@@ -277,9 +260,8 @@ describe("#accessRequests.info", () => {
 
   it("should return 404 if access request not found", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/accessRequests.info", {
+    const res = await server.post("/api/accessRequests.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: "00000000-0000-0000-0000-000000000000",
       },
     });
@@ -309,9 +291,8 @@ describe("#accessRequests.approve", () => {
       status: AccessRequestStatus.Pending,
     });
 
-    const res = await server.post("/api/accessRequests.approve", {
+    const res = await server.post("/api/accessRequests.approve", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: accessRequest.id,
         permission: DocumentPermission.ReadWrite,
       },
@@ -355,9 +336,8 @@ describe("#accessRequests.approve", () => {
       teamId: team.id,
     });
 
-    const res = await server.post("/api/accessRequests.approve", {
+    const res = await server.post("/api/accessRequests.approve", nonManager, {
       body: {
-        token: nonManager.getJwtToken(),
         id: accessRequest.id,
         permission: DocumentPermission.ReadWrite,
       },
@@ -389,9 +369,8 @@ describe("#accessRequests.approve", () => {
       status: AccessRequestStatus.Pending,
     });
 
-    const res = await server.post("/api/accessRequests.approve", {
+    const res = await server.post("/api/accessRequests.approve", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: accessRequest.id,
         permission: DocumentPermission.ReadWrite,
       },
@@ -429,9 +408,8 @@ describe("#accessRequests.approve", () => {
       respondedAt: new Date(),
     });
 
-    const res = await server.post("/api/accessRequests.approve", {
+    const res = await server.post("/api/accessRequests.approve", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: accessRequest.id,
         permission: DocumentPermission.ReadWrite,
       },
@@ -463,9 +441,8 @@ describe("#accessRequests.dismiss", () => {
       teamId: team.id,
     });
 
-    const res = await server.post("/api/accessRequests.dismiss", {
+    const res = await server.post("/api/accessRequests.dismiss", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: accessRequest.id,
       },
     });
@@ -509,9 +486,8 @@ describe("#accessRequests.dismiss", () => {
       teamId: team.id,
     });
 
-    const res = await server.post("/api/accessRequests.dismiss", {
+    const res = await server.post("/api/accessRequests.dismiss", nonManager, {
       body: {
-        token: nonManager.getJwtToken(),
         id: accessRequest.id,
       },
     });
@@ -539,9 +515,8 @@ describe("#accessRequests.dismiss", () => {
       respondedAt,
     });
 
-    const res = await server.post("/api/accessRequests.dismiss", {
+    const res = await server.post("/api/accessRequests.dismiss", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: accessRequest.id,
       },
     });

server/routes/api/apiKeys/apiKeys.test.ts

@@ -14,9 +14,8 @@ describe("#apiKeys.create", () => {
     const now = new Date();
     const user = await buildUser();
 
-    const res = await server.post("/api/apiKeys.create", {
+    const res = await server.post("/api/apiKeys.create", user, {
       body: {
-        token: user.getJwtToken(),
         name: "My API Key",
         expiresAt: now.toISOString(),
       },
@@ -32,9 +31,8 @@ describe("#apiKeys.create", () => {
   it("should allow creating an api key without expiry", async () => {
     const user = await buildUser();
 
-    const res = await server.post("/api/apiKeys.create", {
+    const res = await server.post("/api/apiKeys.create", user, {
       body: {
-        token: user.getJwtToken(),
         name: "My API Key",
       },
     });
@@ -49,9 +47,8 @@ describe("#apiKeys.create", () => {
   it("should allow creating an api key with scopes", async () => {
     const user = await buildUser();
 
-    const res = await server.post("/api/apiKeys.create", {
+    const res = await server.post("/api/apiKeys.create", user, {
       body: {
-        token: user.getJwtToken(),
         name: "My API Key",
         scope: [
           "/api/documents.list",
@@ -82,9 +79,8 @@ describe("#apiKeys.create", () => {
   it("should allow viewers to create an api key", async () => {
     const viewer = await buildViewer();
 
-    const res = await server.post("/api/apiKeys.create", {
+    const res = await server.post("/api/apiKeys.create", viewer, {
       body: {
-        token: viewer.getJwtToken(),
         name: "My API Key",
       },
     });
@@ -97,9 +93,8 @@ describe("#apiKeys.create", () => {
   it("should not allow guests to create an api key", async () => {
     const guest = await buildGuestUser();
 
-    const res = await server.post("/api/apiKeys.create", {
+    const res = await server.post("/api/apiKeys.create", guest, {
       body: {
-        token: guest.getJwtToken(),
         name: "My API Key",
       },
     });
@@ -119,10 +114,9 @@ describe("#apiKeys.list", () => {
     const admin = await buildAdmin({ teamId: user.teamId });
     await buildApiKey({ userId: user.id });
 
-    const res = await server.post("/api/apiKeys.list", {
+    const res = await server.post("/api/apiKeys.list", admin, {
       body: {
         userId: user.id,
-        token: admin.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -137,10 +131,9 @@ describe("#apiKeys.list", () => {
     await buildApiKey({ userId: user.id });
     await buildApiKey({ userId: admin.id });
 
-    const res = await server.post("/api/apiKeys.list", {
+    const res = await server.post("/api/apiKeys.list", admin, {
       body: {
         userId: admin.id,
-        token: admin.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -156,11 +149,7 @@ describe("#apiKeys.list", () => {
     await buildApiKey({ userId: user.id });
     await buildApiKey();
 
-    const res = await server.post("/api/apiKeys.list", {
+    const res = await server.post("/api/apiKeys.list", admin);
-      body: {
-        token: admin.getJwtToken(),
-      },
-    });
 
     const body = await res.json();
 
@@ -174,9 +163,8 @@ describe("#apiKeys.list", () => {
     await buildApiKey({ userId: admin.id, name: "Staging Key" });
     await buildApiKey({ userId: admin.id, name: "Development Token" });
 
-    const res = await server.post("/api/apiKeys.list", {
+    const res = await server.post("/api/apiKeys.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         query: "key",
       },
     });
@@ -196,9 +184,8 @@ describe("#apiKeys.list", () => {
     await buildApiKey({ userId: admin.id, name: "Production Key" });
     await buildApiKey({ userId: admin.id, name: "Staging Key" });
 
-    const res = await server.post("/api/apiKeys.list", {
+    const res = await server.post("/api/apiKeys.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         query: "PRODUCTION",
       },
     });
@@ -213,9 +200,8 @@ describe("#apiKeys.list", () => {
     const admin = await buildAdmin();
     await buildApiKey({ userId: admin.id, name: "Production Key" });
 
-    const res = await server.post("/api/apiKeys.list", {
+    const res = await server.post("/api/apiKeys.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         query: "nonexistent",
       },
     });
@@ -229,9 +215,8 @@ describe("#apiKeys.list", () => {
     const viewer = await buildViewer();
     await buildApiKey({ userId: viewer.id });
 
-    const res = await server.post("/api/apiKeys.list", {
+    const res = await server.post("/api/apiKeys.list", viewer, {
       body: {
-        token: viewer.getJwtToken(),
         userId: viewer.id,
       },
     });
@@ -255,9 +240,8 @@ describe("#apiKeys.delete", () => {
       userId: user.id,
     });
 
-    const res = await server.post("/api/apiKeys.delete", {
+    const res = await server.post("/api/apiKeys.delete", user, {
       body: {
-        token: user.getJwtToken(),
         id: apiKey.id,
       },
     });
@@ -273,9 +257,8 @@ describe("#apiKeys.delete", () => {
       userId: otherUser.id,
     });
 
-    const res = await server.post("/api/apiKeys.delete", {
+    const res = await server.post("/api/apiKeys.delete", user, {
       body: {
-        token: user.getJwtToken(),
         id: apiKey.id,
       },
     });
@@ -291,9 +274,8 @@ describe("#apiKeys.delete", () => {
       userId: user.id,
     });
 
-    const res = await server.post("/api/apiKeys.delete", {
+    const res = await server.post("/api/apiKeys.delete", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: apiKey.id,
       },
     });
@@ -305,9 +287,8 @@ describe("#apiKeys.delete", () => {
     const viewer = await buildViewer();
     const apiKey = await buildApiKey({ userId: viewer.id });
 
-    const res = await server.post("/api/apiKeys.delete", {
+    const res = await server.post("/api/apiKeys.delete", viewer, {
       body: {
-        token: viewer.getJwtToken(),
         id: apiKey.id,
       },
     });

server/routes/api/attachments/attachments.test.ts

@@ -33,11 +33,7 @@ describe("#attachments.list", () => {
       userId: user.id,
     });
 
-    const res = await server.post("/api/attachments.list", {
+    const res = await server.post("/api/attachments.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
 
     expect(res.status).toEqual(200);
@@ -61,10 +57,9 @@ describe("#attachments.list", () => {
       userId: admin.id,
     });
 
-    const res = await server.post("/api/attachments.list", {
+    const res = await server.post("/api/attachments.list", admin, {
       body: {
         userId: user.id,
-        token: admin.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -90,10 +85,9 @@ describe("#attachments.list", () => {
       userId: user.id,
     });
 
-    const res = await server.post("/api/attachments.list", {
+    const res = await server.post("/api/attachments.list", user, {
       body: {
         documentId: document.id,
-        token: user.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -113,11 +107,7 @@ describe("#attachments.list", () => {
       userId: anotherUser.id,
     });
 
-    const res = await server.post("/api/attachments.list", {
+    const res = await server.post("/api/attachments.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
 
     expect(res.status).toEqual(200);
@@ -139,13 +129,12 @@ describe("#attachments.create", () => {
   describe("member", () => {
     it("should allow upload using avatar preset", async () => {
       const user = await buildUser();
-      const res = await server.post("/api/attachments.create", {
+      const res = await server.post("/api/attachments.create", user, {
         body: {
           name: "test.png",
           contentType: "image/png",
           size: 1000,
           preset: AttachmentPreset.Avatar,
-          token: user.getJwtToken(),
         },
       });
       expect(res.status).toEqual(200);
@@ -164,14 +153,13 @@ describe("#attachments.create", () => {
         userId: user.id,
       });
 
-      const res = await server.post("/api/attachments.create", {
+      const res = await server.post("/api/attachments.create", user, {
         body: {
           name: "test.png",
           contentType: "image/png",
           size: 1000,
           documentId: document.id,
           preset: AttachmentPreset.DocumentAttachment,
-          token: user.getJwtToken(),
         },
       });
       expect(res.status).toEqual(200);
@@ -179,13 +167,12 @@ describe("#attachments.create", () => {
 
     it("should create expiring attachment using import preset", async () => {
       const user = await buildUser();
-      const res = await server.post("/api/attachments.create", {
+      const res = await server.post("/api/attachments.create", user, {
         body: {
           name: "test.zip",
           contentType: "application/zip",
           size: 10000,
           preset: AttachmentPreset.WorkspaceImport,
-          token: user.getJwtToken(),
         },
       });
       expect(res.status).toEqual(200);
@@ -201,14 +188,13 @@ describe("#attachments.create", () => {
       const user = await buildUser();
       const document = await buildDocument();
 
-      const res = await server.post("/api/attachments.create", {
+      const res = await server.post("/api/attachments.create", user, {
         body: {
           name: "test.png",
           contentType: "image/png",
           size: 1000,
           documentId: document.id,
           preset: AttachmentPreset.DocumentAttachment,
-          token: user.getJwtToken(),
         },
       });
       expect(res.status).toEqual(403);
@@ -216,13 +202,12 @@ describe("#attachments.create", () => {
 
     it("should not allow file upload for avatar preset", async () => {
       const user = await buildUser();
-      const res = await server.post("/api/attachments.create", {
+      const res = await server.post("/api/attachments.create", user, {
         body: {
           name: "test.pdf",
           contentType: "application/pdf",
           size: 1000,
           preset: AttachmentPreset.Avatar,
-          token: user.getJwtToken(),
         },
       });
       expect(res.status).toEqual(400);
@@ -230,13 +215,12 @@ describe("#attachments.create", () => {
 
     it("should reject negative size", async () => {
       const user = await buildUser();
-      const res = await server.post("/api/attachments.create", {
+      const res = await server.post("/api/attachments.create", user, {
         body: {
           name: "test.png",
           contentType: "image/png",
           size: -1,
           preset: AttachmentPreset.Emoji,
-          token: user.getJwtToken(),
         },
       });
       expect(res.status).toEqual(400);
@@ -244,13 +228,12 @@ describe("#attachments.create", () => {
 
     it("should reject non-integer size", async () => {
       const user = await buildUser();
-      const res = await server.post("/api/attachments.create", {
+      const res = await server.post("/api/attachments.create", user, {
         body: {
           name: "test.png",
           contentType: "image/png",
           size: 1.5,
           preset: AttachmentPreset.Emoji,
-          token: user.getJwtToken(),
         },
       });
       expect(res.status).toEqual(400);
@@ -276,14 +259,13 @@ describe("#attachments.create", () => {
         permission: CollectionPermission.ReadWrite,
       });
 
-      const res = await server.post("/api/attachments.create", {
+      const res = await server.post("/api/attachments.create", user, {
         body: {
           name: "test.png",
           contentType: "image/png",
           size: 1000,
           documentId: document.id,
           preset: AttachmentPreset.DocumentAttachment,
-          token: user.getJwtToken(),
         },
       });
       expect(res.status).toEqual(200);
@@ -293,14 +275,13 @@ describe("#attachments.create", () => {
       const user = await buildViewer();
       const document = await buildDocument({ teamId: user.teamId });
 
-      const res = await server.post("/api/attachments.create", {
+      const res = await server.post("/api/attachments.create", user, {
         body: {
           name: "test.png",
           contentType: "image/png",
           size: 1000,
           documentId: document.id,
           preset: AttachmentPreset.DocumentAttachment,
-          token: user.getJwtToken(),
         },
       });
       expect(res.status).toEqual(403);
@@ -308,13 +289,12 @@ describe("#attachments.create", () => {
 
     it("should allow upload using avatar preset", async () => {
       const user = await buildViewer();
-      const res = await server.post("/api/attachments.create", {
+      const res = await server.post("/api/attachments.create", user, {
         body: {
           name: "test.png",
           contentType: "image/png",
           size: 1000,
           preset: AttachmentPreset.Avatar,
-          token: user.getJwtToken(),
         },
       });
       expect(res.status).toEqual(200);
@@ -334,9 +314,8 @@ describe("#attachments.delete", () => {
       teamId: user.teamId,
       userId: user.id,
     });
-    const res = await server.post("/api/attachments.delete", {
+    const res = await server.post("/api/attachments.delete", user, {
       body: {
-        token: user.getJwtToken(),
         id: attachment.id,
       },
     });
@@ -358,9 +337,8 @@ describe("#attachments.delete", () => {
     });
     attachment.documentId = null;
     await attachment.save();
-    const res = await server.post("/api/attachments.delete", {
+    const res = await server.post("/api/attachments.delete", user, {
       body: {
-        token: user.getJwtToken(),
         id: attachment.id,
       },
     });
@@ -381,9 +359,8 @@ describe("#attachments.delete", () => {
     });
     attachment.documentId = null;
     await attachment.save();
-    const res = await server.post("/api/attachments.delete", {
+    const res = await server.post("/api/attachments.delete", user, {
       body: {
-        token: user.getJwtToken(),
         id: attachment.id,
       },
     });
@@ -402,9 +379,8 @@ describe("#attachments.delete", () => {
     const attachment = await buildAttachment();
     attachment.documentId = null;
     await attachment.save();
-    const res = await server.post("/api/attachments.delete", {
+    const res = await server.post("/api/attachments.delete", user, {
       body: {
-        token: user.getJwtToken(),
         id: attachment.id,
       },
     });
@@ -418,9 +394,8 @@ describe("#attachments.delete", () => {
     });
     attachment.documentId = null;
     await attachment.save();
-    const res = await server.post("/api/attachments.delete", {
+    const res = await server.post("/api/attachments.delete", user, {
       body: {
-        token: user.getJwtToken(),
         id: attachment.id,
       },
     });
@@ -443,9 +418,8 @@ describe("#attachments.delete", () => {
       documentId: document.id,
       acl: "private",
     });
-    const res = await server.post("/api/attachments.delete", {
+    const res = await server.post("/api/attachments.delete", user, {
       body: {
-        token: user.getJwtToken(),
         id: attachment.id,
       },
     });
@@ -460,9 +434,8 @@ describe("#attachments.redirect", () => {
       teamId: user.teamId,
       userId: user.id,
     });
-    const res = await server.post("/api/attachments.redirect", {
+    const res = await server.post("/api/attachments.redirect", user, {
       body: {
-        token: user.getJwtToken(),
         id: attachment.id,
       },
       redirect: "manual",
@@ -478,10 +451,8 @@ describe("#attachments.redirect", () => {
     });
     const res = await server.post(
       `/api/attachments.redirect?id=${attachment.id}`,
+      user,
       {
-        body: {
-          token: user.getJwtToken(),
-        },
         redirect: "manual",
       }
     );
@@ -505,9 +476,8 @@ describe("#attachments.redirect", () => {
       teamId: user.teamId,
       userId: user.id,
     });
-    const res = await server.post("/api/attachments.redirect", {
+    const res = await server.post("/api/attachments.redirect", user, {
       body: {
-        token: user.getJwtToken(),
         id: attachment.id,
       },
       redirect: "manual",
@@ -532,9 +502,8 @@ describe("#attachments.redirect", () => {
       userId: user.id,
       documentId: document.id,
     });
-    const res = await server.post("/api/attachments.redirect", {
+    const res = await server.post("/api/attachments.redirect", user, {
       body: {
-        token: user.getJwtToken(),
         id: attachment.id,
       },
       redirect: "manual",
@@ -587,9 +556,8 @@ describe("#attachments.redirect", () => {
       documentId: document.id,
       acl: "private",
     });
-    const res = await server.post("/api/attachments.redirect", {
+    const res = await server.post("/api/attachments.redirect", user, {
       body: {
-        token: user.getJwtToken(),
         id: attachment.id,
       },
     });
@@ -598,11 +566,7 @@ describe("#attachments.redirect", () => {
 
   it("should fail in absence of id", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/attachments.redirect", {
+    const res = await server.post("/api/attachments.redirect", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(400);
     expect(body.message).toEqual("id is required");

server/routes/api/auth/auth.test.ts

@@ -27,11 +27,7 @@ describe("#auth.info", () => {
       teamId: team2.id,
       email: user.email,
     });
-    const res = await server.post("/api/auth.info", {
+    const res = await server.post("/api/auth.info", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
 
@@ -52,11 +48,7 @@ describe("#auth.info", () => {
     const team = await buildTeam();
     const user = await buildUser({ teamId: team.id });
     await team.destroy();
-    const res = await server.post("/api/auth.info", {
+    const res = await server.post("/api/auth.info", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     expect(res.status).toEqual(401);
   });
 
@@ -69,18 +61,10 @@ describe("#auth.info", () => {
 describe("#auth.delete", () => {
   it("should make the access token unusable", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/auth.delete", {
+    const res = await server.post("/api/auth.delete", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     expect(res.status).toEqual(200);
 
-    const res2 = await server.post("/api/auth.info", {
+    const res2 = await server.post("/api/auth.info", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     expect(res2.status).toEqual(401);
   });
 

server/routes/api/authenticationProviders/authenticationProviders.test.ts

@@ -20,10 +20,9 @@ describe("#authenticationProviders.info", () => {
       teamId: team.id,
     });
     const authenticationProviders = await team.$get("authenticationProviders");
-    const res = await server.post("/api/authenticationProviders.info", {
+    const res = await server.post("/api/authenticationProviders.info", user, {
       body: {
         id: authenticationProviders[0].id,
-        token: user.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -39,10 +38,9 @@ describe("#authenticationProviders.info", () => {
     const team = await buildTeam();
     const user = await buildUser();
     const authenticationProviders = await team.$get("authenticationProviders");
-    const res = await server.post("/api/authenticationProviders.info", {
+    const res = await server.post("/api/authenticationProviders.info", user, {
       body: {
         id: authenticationProviders[0].id,
-        token: user.getJwtToken(),
       },
     });
     expect(res.status).toEqual(403);
@@ -69,11 +67,10 @@ describe("#authenticationProviders.update", () => {
       teamId: team.id,
     });
     const authenticationProviders = await team.$get("authenticationProviders");
-    const res = await server.post("/api/authenticationProviders.update", {
+    const res = await server.post("/api/authenticationProviders.update", user, {
       body: {
         id: authenticationProviders[0].id,
         isEnabled: false,
-        token: user.getJwtToken(),
       },
     });
     expect(res.status).toEqual(400);
@@ -88,11 +85,10 @@ describe("#authenticationProviders.update", () => {
       name: "google",
       providerId: randomUUID(),
     });
-    const res = await server.post("/api/authenticationProviders.update", {
+    const res = await server.post("/api/authenticationProviders.update", user, {
       body: {
         id: googleProvider.id,
         isEnabled: false,
-        token: user.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -106,11 +102,10 @@ describe("#authenticationProviders.update", () => {
     const team = await buildTeam();
     const user = await buildUser({ teamId: team.id });
     const authenticationProviders = await team.$get("authenticationProviders");
-    const res = await server.post("/api/authenticationProviders.update", {
+    const res = await server.post("/api/authenticationProviders.update", user, {
       body: {
         id: authenticationProviders[0].id,
         isEnabled: false,
-        token: user.getJwtToken(),
       },
     });
     expect(res.status).toEqual(403);
@@ -135,11 +130,7 @@ describe("#authenticationProviders.list", () => {
     const user = await buildAdmin({
       teamId: team.id,
     });
-    const res = await server.post("/api/authenticationProviders.list", {
+    const res = await server.post("/api/authenticationProviders.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data.length).toBe(3);
@@ -170,10 +161,9 @@ describe("#authenticationProviders.delete", () => {
       name: "google",
       providerId: randomUUID(),
     });
-    const res = await server.post("/api/authenticationProviders.delete", {
+    const res = await server.post("/api/authenticationProviders.delete", user, {
       body: {
         id: googleProvider.id,
-        token: user.getJwtToken(),
       },
     });
     expect(res.status).toEqual(200);
@@ -191,10 +181,9 @@ describe("#authenticationProviders.delete", () => {
       name: "google",
       providerId: randomUUID(),
     });
-    const res = await server.post("/api/authenticationProviders.delete", {
+    const res = await server.post("/api/authenticationProviders.delete", user, {
       body: {
         id: googleProvider.id,
-        token: user.getJwtToken(),
       },
     });
     expect(res.status).toEqual(200);
@@ -213,10 +202,9 @@ describe("#authenticationProviders.delete", () => {
       name: "google",
       providerId: randomUUID(),
     });
-    const res = await server.post("/api/authenticationProviders.delete", {
+    const res = await server.post("/api/authenticationProviders.delete", user, {
       body: {
         id: googleProvider.id,
-        token: user.getJwtToken(),
       },
     });
     expect(res.status).toEqual(403);

server/routes/api/collections/collections.test.ts

@@ -27,11 +27,7 @@ describe("#collections.list", () => {
       userId: user.id,
       teamId: team.id,
     });
-    const res = await server.post("/api/collections.list", {
+    const res = await server.post("/api/collections.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data.length).toEqual(1);
@@ -47,9 +43,8 @@ describe("#collections.list", () => {
       teamId: team.id,
       archivedAt: new Date(),
     });
-    const res = await server.post("/api/collections.list", {
+    const res = await server.post("/api/collections.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         statusFilter: [CollectionStatusFilter.Archived],
       },
     });
@@ -68,11 +63,7 @@ describe("#collections.list", () => {
       teamId: team.id,
       archivedAt: new Date(),
     });
-    const res = await server.post("/api/collections.list", {
+    const res = await server.post("/api/collections.list", admin);
-      body: {
-        token: admin.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data).toHaveLength(0);
@@ -89,11 +80,7 @@ describe("#collections.list", () => {
       permission: null,
       teamId: user.teamId,
     });
-    const res = await server.post("/api/collections.list", {
+    const res = await server.post("/api/collections.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data.length).toEqual(1);
@@ -112,11 +99,7 @@ describe("#collections.list", () => {
       teamId: user.teamId,
       userId: user.id,
     });
-    const res = await server.post("/api/collections.list", {
+    const res = await server.post("/api/collections.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data.length).toEqual(2);
@@ -149,11 +132,7 @@ describe("#collections.list", () => {
         createdById: user.id,
       },
     });
-    const res = await server.post("/api/collections.list", {
+    const res = await server.post("/api/collections.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data.length).toEqual(2);
@@ -169,11 +148,7 @@ describe("#collections.list", () => {
       teamId: team.id,
       archivedAt: new Date(),
     });
-    const res = await server.post("/api/collections.list", {
+    const res = await server.post("/api/collections.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data.length).toEqual(0);
@@ -187,30 +162,21 @@ describe("#collections.list", () => {
       teamId: team.id,
     });
 
-    const beforeArchiveRes = await server.post("/api/collections.list", {
+    const beforeArchiveRes = await server.post("/api/collections.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const beforeArchiveBody = await beforeArchiveRes.json();
     expect(beforeArchiveRes.status).toEqual(200);
     expect(beforeArchiveBody.data).toHaveLength(1);
     expect(beforeArchiveBody.data[0].id).toEqual(collection.id);
 
-    const archiveRes = await server.post("/api/collections.archive", {
+    const archiveRes = await server.post("/api/collections.archive", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
       },
     });
 
     expect(archiveRes.status).toEqual(200);
 
-    const afterArchiveRes = await server.post("/api/collections.list", {
+    const afterArchiveRes = await server.post("/api/collections.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
 
     const afterArchiveBody = await afterArchiveRes.json();
     expect(afterArchiveRes.status).toEqual(200);
@@ -221,11 +187,7 @@ describe("#collections.list", () => {
 describe("#collections.import", () => {
   it("should error if no attachmentId is passed", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/collections.import", {
+    const res = await server.post("/api/collections.import", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     expect(res.status).toEqual(400);
   });
 
@@ -248,9 +210,8 @@ describe("#collections.move", () => {
   it("should require authorization", async () => {
     const user = await buildUser();
     const collection = await buildCollection();
-    const res = await server.post("/api/collections.move", {
+    const res = await server.post("/api/collections.move", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
         index: "P",
       },
@@ -262,9 +223,8 @@ describe("#collections.move", () => {
     const team = await buildTeam();
     const admin = await buildAdmin({ teamId: team.id });
     const collection = await buildCollection({ teamId: team.id });
-    const res = await server.post("/api/collections.move", {
+    const res = await server.post("/api/collections.move", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
         index: "P",
         icon: "flame",
@@ -279,9 +239,8 @@ describe("#collections.move", () => {
     const team = await buildTeam();
     const admin = await buildAdmin({ teamId: team.id });
     const collection = await buildCollection({ teamId: team.id });
-    const res = await server.post("/api/collections.move", {
+    const res = await server.post("/api/collections.move", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
         index: "P",
         icon: "😁",
@@ -296,9 +255,8 @@ describe("#collections.move", () => {
     const team = await buildTeam();
     const admin = await buildAdmin({ teamId: team.id });
     const collection = await buildCollection({ teamId: team.id });
-    const res = await server.post("/api/collections.move", {
+    const res = await server.post("/api/collections.move", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
         icon: "nonsRence",
       },
@@ -310,9 +268,8 @@ describe("#collections.move", () => {
     const team = await buildTeam();
     const admin = await buildAdmin({ teamId: team.id });
     const collection = await buildCollection({ teamId: team.id });
-    const res = await server.post("/api/collections.move", {
+    const res = await server.post("/api/collections.move", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
         index: "يونيكود",
       },
@@ -330,9 +287,9 @@ describe("#collections.move", () => {
     });
     const createdCollectionResponse = await server.post(
       "/api/collections.create",
+      user,
       {
         body: {
-          token: user.getJwtToken(),
           name: "Test",
           sharing: false,
           index: "Q",
@@ -340,13 +297,16 @@ describe("#collections.move", () => {
       }
     );
     await createdCollectionResponse.json();
-    const movedCollectionRes = await server.post("/api/collections.move", {
+    const movedCollectionRes = await server.post(
-      body: {
+      "/api/collections.move",
-        token: admin.getJwtToken(),
+      admin,
-        id: collection.id,
+      {
-        index: "Q",
+        body: {
-      },
+          id: collection.id,
-    });
+          index: "Q",
+        },
+      }
+    );
     const movedCollection = await movedCollectionRes.json();
     expect(movedCollectionRes.status).toEqual(200);
     expect(movedCollection.success).toBe(true);
@@ -360,9 +320,9 @@ describe("#collections.move", () => {
     const user = await buildUser({ teamId: team.id });
     const createdCollectionAResponse = await server.post(
       "/api/collections.create",
+      user,
       {
         body: {
-          token: user.getJwtToken(),
           name: "A",
           sharing: false,
           index: "a",
@@ -371,9 +331,9 @@ describe("#collections.move", () => {
     );
     const createdCollectionBResponse = await server.post(
       "/api/collections.create",
+      user,
       {
         body: {
-          token: user.getJwtToken(),
           name: "B",
           sharing: false,
           index: "b",
@@ -382,9 +342,9 @@ describe("#collections.move", () => {
     );
     const createdCollectionCResponse = await server.post(
       "/api/collections.create",
+      user,
       {
         body: {
-          token: user.getJwtToken(),
           name: "C",
           sharing: false,
           index: "c",
@@ -396,9 +356,9 @@ describe("#collections.move", () => {
     const createdCollectionC = await createdCollectionCResponse.json();
     const movedCollectionCResponse = await server.post(
       "/api/collections.move",
+      admin,
       {
         body: {
-          token: admin.getJwtToken(),
           id: createdCollectionC.data.id,
           index: "a",
         },
@@ -420,9 +380,8 @@ describe("#collections.export", () => {
       permission: null,
       teamId: user.teamId,
     });
-    const res = await server.post("/api/collections.export", {
+    const res = await server.post("/api/collections.export", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
       },
     });
@@ -441,9 +400,8 @@ describe("#collections.export", () => {
       userId: admin.id,
       permission: CollectionPermission.ReadWrite,
     });
-    const res = await server.post("/api/collections.export", {
+    const res = await server.post("/api/collections.export", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
       },
     });
@@ -470,9 +428,8 @@ describe("#collections.export", () => {
         createdById: admin.id,
       },
     });
-    const res = await server.post("/api/collections.export", {
+    const res = await server.post("/api/collections.export", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
       },
     });
@@ -493,9 +450,8 @@ describe("#collections.export", () => {
       userId: admin.id,
       teamId: admin.teamId,
     });
-    const res = await server.post("/api/collections.export", {
+    const res = await server.post("/api/collections.export", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
       },
     });
@@ -507,9 +463,8 @@ describe("#collections.export", () => {
     const collection = await buildCollection({
       teamId: admin.teamId,
     });
-    const res = await server.post("/api/collections.export", {
+    const res = await server.post("/api/collections.export", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
       },
     });
@@ -530,21 +485,13 @@ describe("#collections.export_all", () => {
 
   it("should require authorization", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/collections.export_all", {
+    const res = await server.post("/api/collections.export_all", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     expect(res.status).toEqual(403);
   });
 
   it("should return success", async () => {
     const admin = await buildAdmin();
-    const res = await server.post("/api/collections.export_all", {
+    const res = await server.post("/api/collections.export_all", admin);
-      body: {
-        token: admin.getJwtToken(),
-      },
-    });
     expect(res.status).toEqual(200);
   });
 });
@@ -566,9 +513,8 @@ describe("#collections.add_user", () => {
       userId: user.id,
       permission: CollectionPermission.Admin,
     });
-    const res = await server.post("/api/collections.add_user", {
+    const res = await server.post("/api/collections.add_user", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
         userId: anotherUser.id,
       },
@@ -588,9 +534,8 @@ describe("#collections.add_user", () => {
     const anotherUser = await buildUser({
       teamId: admin.teamId,
     });
-    const res = await server.post("/api/collections.add_user", {
+    const res = await server.post("/api/collections.add_user", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
         userId: anotherUser.id,
       },
@@ -606,9 +551,8 @@ describe("#collections.add_user", () => {
       teamId: user.teamId,
       permission: null,
     });
-    const res = await server.post("/api/collections.add_user", {
+    const res = await server.post("/api/collections.add_user", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
         userId: user.id,
       },
@@ -625,9 +569,8 @@ describe("#collections.add_user", () => {
       permission: null,
     });
     const anotherUser = await buildUser();
-    const res = await server.post("/api/collections.add_user", {
+    const res = await server.post("/api/collections.add_user", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
         userId: anotherUser.id,
       },
@@ -648,9 +591,8 @@ describe("#collections.add_user", () => {
     const anotherUser = await buildUser({
       teamId: user.teamId,
     });
-    const res = await server.post("/api/collections.add_user", {
+    const res = await server.post("/api/collections.add_user", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
         userId: anotherUser.id,
       },
@@ -670,9 +612,8 @@ describe("#collections.add_group", () => {
     const group = await buildGroup({
       teamId: user.teamId,
     });
-    const res = await server.post("/api/collections.add_group", {
+    const res = await server.post("/api/collections.add_group", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
         groupId: group.id,
       },
@@ -692,9 +633,8 @@ describe("#collections.add_group", () => {
     const group = await buildGroup({
       teamId: user.teamId,
     });
-    const res = await server.post("/api/collections.add_group", {
+    const res = await server.post("/api/collections.add_group", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
         groupId: group.id,
         permission: null,
@@ -715,9 +655,8 @@ describe("#collections.add_group", () => {
       permission: null,
     });
     const group = await buildGroup();
-    const res = await server.post("/api/collections.add_group", {
+    const res = await server.post("/api/collections.add_group", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
         groupId: group.id,
       },
@@ -738,9 +677,8 @@ describe("#collections.add_group", () => {
     const group = await buildGroup({
       teamId: user.teamId,
     });
-    const res = await server.post("/api/collections.add_group", {
+    const res = await server.post("/api/collections.add_group", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
         groupId: group.id,
       },
@@ -760,18 +698,16 @@ describe("#collections.remove_group", () => {
     const group = await buildGroup({
       teamId: user.teamId,
     });
-    await server.post("/api/collections.add_group", {
+    await server.post("/api/collections.add_group", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
         groupId: group.id,
       },
     });
     let groups = await collection.$get("groups");
     expect(groups.length).toEqual(1);
-    const res = await server.post("/api/collections.remove_group", {
+    const res = await server.post("/api/collections.remove_group", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
         groupId: group.id,
       },
@@ -788,9 +724,8 @@ describe("#collections.remove_group", () => {
       permission: null,
     });
     const group = await buildGroup();
-    const res = await server.post("/api/collections.remove_group", {
+    const res = await server.post("/api/collections.remove_group", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
         groupId: group.id,
       },
@@ -811,9 +746,8 @@ describe("#collections.remove_group", () => {
     const group = await buildGroup({
       teamId: user.teamId,
     });
-    const res = await server.post("/api/collections.remove_group", {
+    const res = await server.post("/api/collections.remove_group", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
         groupId: group.id,
       },
@@ -833,16 +767,14 @@ describe("#collections.remove_user", () => {
     const anotherUser = await buildUser({
       teamId: admin.teamId,
     });
-    await server.post("/api/collections.add_user", {
+    await server.post("/api/collections.add_user", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
         userId: anotherUser.id,
       },
     });
-    const res = await server.post("/api/collections.remove_user", {
+    const res = await server.post("/api/collections.remove_user", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
         userId: anotherUser.id,
       },
@@ -862,9 +794,8 @@ describe("#collections.remove_user", () => {
     const nonMember = await buildUser({
       teamId: admin.teamId,
     });
-    const res = await server.post("/api/collections.remove_user", {
+    const res = await server.post("/api/collections.remove_user", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
         userId: nonMember.id,
       },
@@ -881,9 +812,8 @@ describe("#collections.remove_user", () => {
       permission: null,
     });
     const anotherUser = await buildUser();
-    const res = await server.post("/api/collections.remove_user", {
+    const res = await server.post("/api/collections.remove_user", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
         userId: anotherUser.id,
       },
@@ -904,9 +834,8 @@ describe("#collections.remove_user", () => {
     const anotherUser = await buildUser({
       teamId: user.teamId,
     });
-    const res = await server.post("/api/collections.remove_user", {
+    const res = await server.post("/api/collections.remove_user", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
         userId: anotherUser.id,
       },
@@ -937,9 +866,8 @@ describe("#collections.group_memberships", () => {
       groupId: group.id,
       permission: CollectionPermission.ReadWrite,
     });
-    const res = await server.post("/api/collections.group_memberships", {
+    const res = await server.post("/api/collections.group_memberships", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
       },
     });
@@ -987,9 +915,8 @@ describe("#collections.group_memberships", () => {
       groupId: group2.id,
       permission: CollectionPermission.ReadWrite,
     });
-    const res = await server.post("/api/collections.group_memberships", {
+    const res = await server.post("/api/collections.group_memberships", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
         query: "will",
       },
@@ -1030,9 +957,8 @@ describe("#collections.group_memberships", () => {
       groupId: group2.id,
       permission: CollectionPermission.Read,
     });
-    const res = await server.post("/api/collections.group_memberships", {
+    const res = await server.post("/api/collections.group_memberships", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
         permission: CollectionPermission.Read,
       },
@@ -1056,9 +982,8 @@ describe("#collections.group_memberships", () => {
       permission: null,
       teamId: user.teamId,
     });
-    const res = await server.post("/api/collections.group_memberships", {
+    const res = await server.post("/api/collections.group_memberships", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
       },
     });
@@ -1077,9 +1002,8 @@ describe("#collections.memberships", () => {
     collection.permission = null;
     await collection.save();
 
-    const res = await server.post("/api/collections.memberships", {
+    const res = await server.post("/api/collections.memberships", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
       },
     });
@@ -1111,9 +1035,8 @@ describe("#collections.memberships", () => {
       userId: user2.id,
       permission: CollectionPermission.ReadWrite,
     });
-    const res = await server.post("/api/collections.memberships", {
+    const res = await server.post("/api/collections.memberships", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
         query: user.name.slice(0, 3),
       },
@@ -1144,9 +1067,8 @@ describe("#collections.memberships", () => {
       userId: user2.id,
       permission: CollectionPermission.Read,
     });
-    const res = await server.post("/api/collections.memberships", {
+    const res = await server.post("/api/collections.memberships", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
         permission: CollectionPermission.Read,
       },
@@ -1167,9 +1089,8 @@ describe("#collections.memberships", () => {
   it("should require authorization", async () => {
     const collection = await buildCollection();
     const user = await buildUser();
-    const res = await server.post("/api/collections.memberships", {
+    const res = await server.post("/api/collections.memberships", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
       },
     });
@@ -1187,9 +1108,8 @@ describe("#collections.info", () => {
       archivedAt: new Date(),
       archivedById: user.id,
     });
-    const res = await server.post("/api/collections.info", {
+    const res = await server.post("/api/collections.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
       },
     });
@@ -1205,9 +1125,8 @@ describe("#collections.info", () => {
       userId: user.id,
       teamId: team.id,
     });
-    const res = await server.post("/api/collections.info", {
+    const res = await server.post("/api/collections.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
       },
     });
@@ -1223,9 +1142,8 @@ describe("#collections.info", () => {
       userId: user.id,
       teamId: team.id,
     });
-    const res = await server.post("/api/collections.info", {
+    const res = await server.post("/api/collections.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: `any-slug-${collection.urlId}`,
       },
     });
@@ -1250,9 +1168,8 @@ describe("#collections.info", () => {
         userId: user.id,
       },
     });
-    const res = await server.post("/api/collections.info", {
+    const res = await server.post("/api/collections.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
       },
     });
@@ -1274,9 +1191,8 @@ describe("#collections.info", () => {
       createdById: user.id,
       permission: CollectionPermission.Read,
     });
-    const res = await server.post("/api/collections.info", {
+    const res = await server.post("/api/collections.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
       },
     });
@@ -1295,9 +1211,8 @@ describe("#collections.info", () => {
   it("should require authorization", async () => {
     const collection = await buildCollection();
     const user = await buildUser();
-    const res = await server.post("/api/collections.info", {
+    const res = await server.post("/api/collections.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
       },
     });
@@ -1315,9 +1230,8 @@ describe("#collections.create", () => {
 
   it("should create collection", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/collections.create", {
+    const res = await server.post("/api/collections.create", user, {
       body: {
-        token: user.getJwtToken(),
         name: "Test",
       },
     });
@@ -1333,9 +1247,8 @@ describe("#collections.create", () => {
 
   it("should error when index is invalid", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/collections.create", {
+    const res = await server.post("/api/collections.create", user, {
       body: {
-        token: user.getJwtToken(),
         name: "Test",
         index: "يونيكود",
       },
@@ -1345,9 +1258,8 @@ describe("#collections.create", () => {
 
   it("should allow setting sharing to false", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/collections.create", {
+    const res = await server.post("/api/collections.create", user, {
       body: {
-        token: user.getJwtToken(),
         name: "Test",
         sharing: false,
       },
@@ -1360,9 +1272,8 @@ describe("#collections.create", () => {
 
   it("should return correct policies with private collection", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/collections.create", {
+    const res = await server.post("/api/collections.create", user, {
       body: {
-        token: user.getJwtToken(),
         name: "Test",
         permission: null,
       },
@@ -1381,15 +1292,13 @@ describe("#collections.create", () => {
       buildAdmin({ teamId: team.id }),
     ]);
 
-    const resA = await server.post("/api/collections.create", {
+    const resA = await server.post("/api/collections.create", adminA, {
       body: {
-        token: adminA.getJwtToken(),
         name: "Test A",
       },
     });
-    const resB = await server.post("/api/collections.create", {
+    const resB = await server.post("/api/collections.create", adminB, {
       body: {
-        token: adminB.getJwtToken(),
         name: "Test B",
       },
     });
@@ -1404,9 +1313,9 @@ describe("#collections.create", () => {
     const user = await buildUser();
     const createdCollectionAResponse = await server.post(
       "/api/collections.create",
+      user,
       {
         body: {
-          token: user.getJwtToken(),
           name: "A",
           sharing: false,
           index: "a",
@@ -1416,9 +1325,9 @@ describe("#collections.create", () => {
     await createdCollectionAResponse.json();
     const createCollectionResponse = await server.post(
       "/api/collections.create",
+      user,
       {
         body: {
-          token: user.getJwtToken(),
           name: "C",
           sharing: false,
           index: "a",
@@ -1435,9 +1344,9 @@ describe("#collections.create", () => {
     const user = await buildUser();
     const createdCollectionAResponse = await server.post(
       "/api/collections.create",
+      user,
       {
         body: {
-          token: user.getJwtToken(),
           name: "A",
           sharing: false,
           index: "a",
@@ -1446,9 +1355,9 @@ describe("#collections.create", () => {
     );
     const createdCollectionBResponse = await server.post(
       "/api/collections.create",
+      user,
       {
         body: {
-          token: user.getJwtToken(),
           name: "B",
           sharing: false,
           index: "b",
@@ -1459,9 +1368,9 @@ describe("#collections.create", () => {
     await createdCollectionBResponse.json();
     const createCollectionResponse = await server.post(
       "/api/collections.create",
+      user,
       {
         body: {
-          token: user.getJwtToken(),
           name: "C",
           sharing: false,
           index: "a",
@@ -1493,9 +1402,8 @@ describe("#collections.update", () => {
   it("should require authorization", async () => {
     const collection = await buildCollection();
     const user = await buildUser();
-    const res = await server.post("/api/collections.update", {
+    const res = await server.post("/api/collections.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
         name: "Test",
       },
@@ -1507,9 +1415,8 @@ describe("#collections.update", () => {
     const team = await buildTeam();
     const admin = await buildAdmin({ teamId: team.id });
     const collection = await buildCollection({ teamId: team.id });
-    const res = await server.post("/api/collections.update", {
+    const res = await server.post("/api/collections.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
         name: "Test",
       },
@@ -1524,9 +1431,8 @@ describe("#collections.update", () => {
     const team = await buildTeam();
     const admin = await buildAdmin({ teamId: team.id });
     const collection = await buildCollection({ teamId: team.id });
-    const res = await server.post("/api/collections.update", {
+    const res = await server.post("/api/collections.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
         description: "Test",
       },
@@ -1545,9 +1451,8 @@ describe("#collections.update", () => {
     const team = await buildTeam();
     const admin = await buildAdmin({ teamId: team.id });
     const collection = await buildCollection({ teamId: team.id });
-    const res = await server.post("/api/collections.update", {
+    const res = await server.post("/api/collections.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
         data: {
           content: [
@@ -1570,9 +1475,8 @@ describe("#collections.update", () => {
       field: "index",
       direction: "desc",
     };
-    const res = await server.post("/api/collections.update", {
+    const res = await server.post("/api/collections.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
         sort,
       },
@@ -1587,9 +1491,8 @@ describe("#collections.update", () => {
     const team = await buildTeam();
     const admin = await buildAdmin({ teamId: team.id });
     const collection = await buildCollection({ teamId: team.id });
-    const res = await server.post("/api/collections.update", {
+    const res = await server.post("/api/collections.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
         permission: null,
       },
@@ -1604,9 +1507,8 @@ describe("#collections.update", () => {
     const team = await buildTeam();
     const admin = await buildAdmin({ teamId: team.id });
     const collection = await buildCollection({ teamId: team.id });
-    const res = await server.post("/api/collections.update", {
+    const res = await server.post("/api/collections.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
         permission: null,
         name: "  Test  ",
@@ -1633,9 +1535,8 @@ describe("#collections.update", () => {
       createdById: admin.id,
       permission: CollectionPermission.ReadWrite,
     });
-    const res = await server.post("/api/collections.update", {
+    const res = await server.post("/api/collections.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
         permission: CollectionPermission.ReadWrite,
         name: "Test",
@@ -1662,9 +1563,8 @@ describe("#collections.update", () => {
       createdById: admin.id,
       permission: CollectionPermission.ReadWrite,
     });
-    const res = await server.post("/api/collections.update", {
+    const res = await server.post("/api/collections.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
         name: "Test",
       },
@@ -1695,9 +1595,8 @@ describe("#collections.update", () => {
         createdById: user.id,
       },
     });
-    const res = await server.post("/api/collections.update", {
+    const res = await server.post("/api/collections.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
         name: "Test",
       },
@@ -1729,9 +1628,8 @@ describe("#collections.update", () => {
         },
       }
     );
-    const res = await server.post("/api/collections.update", {
+    const res = await server.post("/api/collections.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
         name: "Test",
       },
@@ -1747,9 +1645,8 @@ describe("#collections.update", () => {
       field: "blah",
       direction: "desc",
     };
-    const res = await server.post("/api/collections.update", {
+    const res = await server.post("/api/collections.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
         sort,
       },
@@ -1765,9 +1662,8 @@ describe("#collections.update", () => {
       field: "title",
       direction: "blah",
     };
-    const res = await server.post("/api/collections.update", {
+    const res = await server.post("/api/collections.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
         sort,
       },
@@ -1787,9 +1683,8 @@ describe("#collections.delete", () => {
   it("should require authorization", async () => {
     const collection = await buildCollection();
     const user = await buildUser();
-    const res = await server.post("/api/collections.delete", {
+    const res = await server.post("/api/collections.delete", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
       },
     });
@@ -1800,9 +1695,8 @@ describe("#collections.delete", () => {
     const team = await buildTeam();
     const admin = await buildAdmin({ teamId: team.id });
     const collection = await buildCollection({ teamId: team.id });
-    const res = await server.post("/api/collections.delete", {
+    const res = await server.post("/api/collections.delete", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
       },
     });
@@ -1815,9 +1709,8 @@ describe("#collections.delete", () => {
     const collection = await buildCollection({ teamId: team.id });
     await buildCollection({ teamId: team.id });
 
-    const res = await server.post("/api/collections.delete", {
+    const res = await server.post("/api/collections.delete", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
       },
     });
@@ -1840,9 +1733,8 @@ describe("#collections.delete", () => {
       collectionId: collection.id,
       archivedAt: new Date(),
     });
-    const res = await server.post("/api/collections.delete", {
+    const res = await server.post("/api/collections.delete", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
       },
     });
@@ -1881,9 +1773,8 @@ describe("#collections.delete", () => {
         createdById: user.id,
       },
     });
-    const res = await server.post("/api/collections.delete", {
+    const res = await server.post("/api/collections.delete", user, {
       body: {
-        token: user.getJwtToken(),
         id: collection.id,
       },
     });
@@ -1907,9 +1798,8 @@ describe("#collections.archive", () => {
     await collection.reload();
     expect(collection.documentStructure).not.toBe(null);
     expect(document.archivedAt).toBe(null);
-    const res = await server.post("/api/collections.archive", {
+    const res = await server.post("/api/collections.archive", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
       },
     });
@@ -1941,9 +1831,8 @@ describe("#collections.restore", () => {
     // reload to ensure documentStructure is set
     await collection.reload();
     expect(collection.documentStructure).not.toBe(null);
-    const archiveRes = await server.post("/api/collections.archive", {
+    const archiveRes = await server.post("/api/collections.archive", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
       },
     });
@@ -1953,9 +1842,8 @@ describe("#collections.restore", () => {
     ]);
     expect(archiveRes.status).toEqual(200);
     expect(archiveBody.data.archivedAt).not.toBe(null);
-    const res = await server.post("/api/collections.restore", {
+    const res = await server.post("/api/collections.restore", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
       },
     });
@@ -1982,9 +1870,8 @@ describe("#collections.restore", () => {
     expect(collection.index).toEqual("P");
     expect(archivedCollection.index).toEqual("P");
 
-    const res = await server.post("/api/collections.restore", {
+    const res = await server.post("/api/collections.restore", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: archivedCollection.id,
       },
     });

server/routes/api/comments/comments.test.ts

@@ -36,9 +36,8 @@ describe("#comments.info", () => {
       userId: user2.id,
       documentId: document.id,
     });
-    const res = await server.post("/api/comments.info", {
+    const res = await server.post("/api/comments.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: comment.id,
       },
     });
@@ -65,9 +64,8 @@ describe("#comments.info", () => {
       userId: user2.id,
       documentId: document.id,
     });
-    const res = await server.post("/api/comments.info", {
+    const res = await server.post("/api/comments.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: comment.id,
       },
     });
@@ -111,9 +109,8 @@ describe("#comments.info", () => {
     } as ProsemirrorData;
     await document.update({ content });
 
-    const res = await server.post("/api/comments.info", {
+    const res = await server.post("/api/comments.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: comment.id,
         includeAnchorText: true,
       },
@@ -154,9 +151,8 @@ describe("#comments.info", () => {
     } as ProsemirrorData;
     await document.update({ content });
 
-    const res = await server.post("/api/comments.info", {
+    const res = await server.post("/api/comments.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: comment.id,
         includeAnchorText: true,
       },
@@ -194,9 +190,8 @@ describe("#comments.list", () => {
       documentId: document.id,
       createdAt: new Date(),
     });
-    const res = await server.post("/api/comments.list", {
+    const res = await server.post("/api/comments.list", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -244,9 +239,8 @@ describe("#comments.list", () => {
     } as ProsemirrorData;
     await document.update({ content });
 
-    const res = await server.post("/api/comments.list", {
+    const res = await server.post("/api/comments.list", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         includeAnchorText: true,
         sort: "createdAt",
@@ -279,9 +273,8 @@ describe("#comments.list", () => {
       userId: user.id,
       documentId: document.id,
     });
-    const res = await server.post("/api/comments.list", {
+    const res = await server.post("/api/comments.list", user, {
       body: {
-        token: user.getJwtToken(),
         collectionId: collection.id,
       },
     });
@@ -311,9 +304,8 @@ describe("#comments.list", () => {
       documentId: document.id,
       parentCommentId: comment.id,
     });
-    const res = await server.post("/api/comments.list", {
+    const res = await server.post("/api/comments.list", user, {
       body: {
-        token: user.getJwtToken(),
         parentCommentId: comment.id,
       },
     });
@@ -342,9 +334,8 @@ describe("#comments.list", () => {
       userId: user.id,
       documentId: document.id,
     });
-    const res = await server.post("/api/comments.list", {
+    const res = await server.post("/api/comments.list", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         statusFilter: [CommentStatusFilter.Resolved],
       },
@@ -390,11 +381,7 @@ describe("#comments.list", () => {
       userId: user.id,
       documentId: document2.id,
     });
-    const res = await server.post("/api/comments.list", {
+    const res = await server.post("/api/comments.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
 
     expect(res.status).toEqual(200);
@@ -425,9 +412,8 @@ describe("#comments.list", () => {
       reactions,
     });
 
-    const res = await server.post("/api/comments.list", {
+    const res = await server.post("/api/comments.list", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -464,9 +450,8 @@ describe("#comments.create", () => {
       documentId: document.id,
     });
 
-    const res = await server.post("/api/comments.create", {
+    const res = await server.post("/api/comments.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         data: comment.data,
       },
@@ -491,9 +476,8 @@ describe("#comments.create", () => {
 
     const text = "test\n\n- list item 1\n- list item 2";
 
-    const res = await server.post("/api/comments.create", {
+    const res = await server.post("/api/comments.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         text,
       },
@@ -515,17 +499,15 @@ describe("#comments.create", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/comments.create", {
+    const res = await server.post("/api/comments.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         data: null,
       },
     });
 
-    const anotherRes = await server.post("/api/comments.create", {
+    const anotherRes = await server.post("/api/comments.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         data: {
           type: "doc",
@@ -546,9 +528,8 @@ describe("#comments.create", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/comments.create", {
+    const res = await server.post("/api/comments.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         data: {
           type: "doc",
@@ -573,9 +554,8 @@ describe("#comments.create", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/comments.create", {
+    const res = await server.post("/api/comments.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         data: {
           type: "doc",
@@ -608,9 +588,8 @@ describe("#comments.create", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/comments.create", {
+    const res = await server.post("/api/comments.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         data: {
           type: "doc",
@@ -643,9 +622,8 @@ describe("#comments.create", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/comments.create", {
+    const res = await server.post("/api/comments.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         data: {
           type: "nonsense",
@@ -664,9 +642,8 @@ describe("#comments.create", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/comments.create", {
+    const res = await server.post("/api/comments.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         data: {
           type: "doc",
@@ -692,9 +669,8 @@ describe("#comments.create", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/comments.create", {
+    const res = await server.post("/api/comments.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         data: {
           type: "doc",
@@ -730,9 +706,8 @@ describe("#comments.create", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/comments.create", {
+    const res = await server.post("/api/comments.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         data: {
           type: "doc",
@@ -796,9 +771,8 @@ describe("#comments.update", () => {
       documentId: document.id,
     });
 
-    const res = await server.post("/api/comments.update", {
+    const res = await server.post("/api/comments.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: comment.id,
         data: comment.data,
       },
@@ -825,9 +799,8 @@ describe("#comments.update", () => {
       documentId: document.id,
     });
 
-    const res = await server.post("/api/comments.update", {
+    const res = await server.post("/api/comments.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: comment.id,
         data: {
           type: "doc",
@@ -867,9 +840,8 @@ describe("#comments.resolve", () => {
       documentId: document.id,
     });
 
-    const res = await server.post("/api/comments.resolve", {
+    const res = await server.post("/api/comments.resolve", user, {
       body: {
-        token: user.getJwtToken(),
         id: comment.id,
       },
     });
@@ -907,9 +879,8 @@ describe("#comments.resolve", () => {
       parentCommentId: parentComment.id,
     });
 
-    const res = await server.post("/api/comments.resolve", {
+    const res = await server.post("/api/comments.resolve", user, {
       body: {
-        token: user.getJwtToken(),
         id: comment.id,
       },
     });
@@ -938,9 +909,8 @@ describe("#comments.unresolve", () => {
       documentId: document.id,
     });
 
-    const res = await server.post("/api/comments.unresolve", {
+    const res = await server.post("/api/comments.unresolve", user, {
       body: {
-        token: user.getJwtToken(),
         id: comment.id,
       },
     });
@@ -980,9 +950,8 @@ describe("#comments.add_reaction", () => {
       documentId: document.id,
     });
 
-    const res = await server.post("/api/comments.add_reaction", {
+    const res = await server.post("/api/comments.add_reaction", user, {
       body: {
-        token: user.getJwtToken(),
         id: comment.id,
         emoji: "😄",
       },
@@ -1016,9 +985,8 @@ describe("#comments.add_reaction", () => {
       reactions: [{ emoji: "😄", userIds: ["test-user"] }],
     });
 
-    const res = await server.post("/api/comments.add_reaction", {
+    const res = await server.post("/api/comments.add_reaction", user, {
       body: {
-        token: user.getJwtToken(),
         id: comment.id,
         emoji: "😄",
       },
@@ -1055,9 +1023,8 @@ describe("#comments.add_reaction", () => {
       createdById: user.id,
     });
 
-    const res = await server.post("/api/comments.add_reaction", {
+    const res = await server.post("/api/comments.add_reaction", user, {
       body: {
-        token: user.getJwtToken(),
         id: comment.id,
         emoji: emoji.id,
       },
@@ -1094,9 +1061,8 @@ describe("#comments.add_reaction", () => {
       teamId: otherTeam.id,
     });
 
-    const res = await server.post("/api/comments.add_reaction", {
+    const res = await server.post("/api/comments.add_reaction", user, {
       body: {
-        token: user.getJwtToken(),
         id: comment.id,
         emoji: emoji.id,
       },
@@ -1134,9 +1100,8 @@ describe("#comments.remove_reaction", () => {
       { hooks: false }
     );
 
-    const res = await server.post("/api/comments.remove_reaction", {
+    const res = await server.post("/api/comments.remove_reaction", user, {
       body: {
-        token: user.getJwtToken(),
         id: comment.id,
         emoji: "😄",
       },
@@ -1176,9 +1141,8 @@ describe("#comments.remove_reaction", () => {
       { hooks: false }
     );
 
-    const res = await server.post("/api/comments.remove_reaction", {
+    const res = await server.post("/api/comments.remove_reaction", user, {
       body: {
-        token: user.getJwtToken(),
         id: comment.id,
         emoji: "😄",
       },

server/routes/api/emojis/emojis.test.ts

@@ -33,9 +33,8 @@ describe("#emojis.update", () => {
       userId: user.id,
     });
 
-    const res = await server.post("/api/emojis.update", {
+    const res = await server.post("/api/emojis.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: emoji.id,
         attachmentId: newAttachment.id,
       },
@@ -69,9 +68,8 @@ describe("#emojis.update", () => {
       userId: admin.id,
     });
 
-    const res = await server.post("/api/emojis.update", {
+    const res = await server.post("/api/emojis.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: emoji.id,
         attachmentId: newAttachment.id,
       },
@@ -97,9 +95,8 @@ describe("#emojis.update", () => {
       userId: user.id,
     });
 
-    const res = await server.post("/api/emojis.update", {
+    const res = await server.post("/api/emojis.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: emoji.id,
         attachmentId: newAttachment.id,
       },
@@ -121,9 +118,8 @@ describe("#emojis.update", () => {
       userId: user.id,
     });
 
-    const res = await server.post("/api/emojis.update", {
+    const res = await server.post("/api/emojis.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: emoji.id,
         attachmentId: newAttachment.id,
       },
@@ -139,9 +135,8 @@ describe("#emojis.update", () => {
       userId: user.id,
     });
 
-    const res = await server.post("/api/emojis.update", {
+    const res = await server.post("/api/emojis.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: "00000000-0000-0000-0000-000000000000",
         attachmentId: newAttachment.id,
       },
@@ -157,9 +152,8 @@ describe("#emojis.update", () => {
       createdById: user.id,
     });
 
-    const res = await server.post("/api/emojis.update", {
+    const res = await server.post("/api/emojis.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: emoji.id,
         attachmentId: "00000000-0000-0000-0000-000000000000",
       },

server/routes/api/events/events.test.ts

@@ -37,9 +37,8 @@ describe("#events.list", () => {
       teamId: user.teamId,
       actorId: admin.id,
     });
-    const res = await server.post("/api/events.list", {
+    const res = await server.post("/api/events.list", user, {
       body: {
-        token: user.getJwtToken(),
         collectionId: collection.id,
       },
     });
@@ -76,9 +75,8 @@ describe("#events.list", () => {
       teamId: user.teamId,
       actorId: admin.id,
     });
-    const res = await server.post("/api/events.list", {
+    const res = await server.post("/api/events.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         auditLog: true,
       },
     });
@@ -116,9 +114,8 @@ describe("#events.list", () => {
       teamId: user.teamId,
       actorId: user.id,
     });
-    const res = await server.post("/api/events.list", {
+    const res = await server.post("/api/events.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         auditLog: true,
         actorId: admin.id,
       },
@@ -156,9 +153,8 @@ describe("#events.list", () => {
       teamId: user.teamId,
       actorId: user.id,
     });
-    const res = await server.post("/api/events.list", {
+    const res = await server.post("/api/events.list", user, {
       body: {
-        token: user.getJwtToken(),
         actorId: admin.id,
       },
     });
@@ -193,9 +189,8 @@ describe("#events.list", () => {
       teamId: user.teamId,
       actorId: user.id,
     });
-    const res = await server.post("/api/events.list", {
+    const res = await server.post("/api/events.list", user, {
       body: {
-        token: user.getJwtToken(),
         actorId: user.id,
         collectionId: collection.id,
       },
@@ -225,9 +220,8 @@ describe("#events.list", () => {
       teamId: user.teamId,
       actorId: user.id,
     });
-    const res = await server.post("/api/events.list", {
+    const res = await server.post("/api/events.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -256,9 +250,8 @@ describe("#events.list", () => {
       teamId: user.teamId,
       actorId: user.id,
     });
-    const res = await server.post("/api/events.list", {
+    const res = await server.post("/api/events.list", actor, {
       body: {
-        token: actor.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -292,9 +285,8 @@ describe("#events.list", () => {
       teamId: user.teamId,
       actorId: user.id,
     });
-    const res = await server.post("/api/events.list", {
+    const res = await server.post("/api/events.list", user, {
       body: {
-        token: user.getJwtToken(),
         name: "documents.publish",
         collectionId: collection.id,
       },
@@ -332,9 +324,8 @@ describe("#events.list", () => {
       teamId: user.teamId,
       actorId: user.id,
     });
-    const res = await server.post("/api/events.list", {
+    const res = await server.post("/api/events.list", user, {
       body: {
-        token: user.getJwtToken(),
         events: ["documents.publish"],
         collectionId: collection.id,
       },
@@ -366,11 +357,7 @@ describe("#events.list", () => {
       actorId: user.id,
     });
     await user.destroy({ hooks: false });
-    const res = await server.post("/api/events.list", {
+    const res = await server.post("/api/events.list", admin);
-      body: {
-        token: admin.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data.length).toEqual(1);
@@ -379,9 +366,8 @@ describe("#events.list", () => {
 
   it("should require authorization for audit events", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/events.list", {
+    const res = await server.post("/api/events.list", user, {
       body: {
-        token: user.getJwtToken(),
         auditLog: true,
       },
     });
@@ -421,19 +407,14 @@ describe("#events.list", () => {
     });
 
     // user2 tries to list events without specifying documentId/collectionId
-    const res = await server.post("/api/events.list", {
+    const res = await server.post("/api/events.list", user2);
-      body: {
-        token: user2.getJwtToken(),
-      },
-    });
 
     // Non-admins cannot list events without documentId or collectionId
     expect(res.status).toEqual(403);
 
     // Also verify user2 cannot see the draft when filtering by documentId
-    const res2 = await server.post("/api/events.list", {
+    const res2 = await server.post("/api/events.list", user2, {
       body: {
-        token: user2.getJwtToken(),
         documentId: privateDraft.id,
       },
     });
@@ -462,11 +443,7 @@ describe("#events.list", () => {
     });
 
     // admin lists events
-    const res = await server.post("/api/events.list", {
+    const res = await server.post("/api/events.list", admin);
-      body: {
-        token: admin.getJwtToken(),
-      },
-    });
 
     const body = await res.json();
     expect(res.status).toEqual(200);
@@ -497,9 +474,8 @@ describe("#events.list", () => {
     });
 
     // user lists events for their collection
-    const res = await server.post("/api/events.list", {
+    const res = await server.post("/api/events.list", user, {
       body: {
-        token: user.getJwtToken(),
         collectionId: collection.id,
       },
     });

server/routes/api/fileOperations/fileOperations.test.ts

@@ -25,10 +25,9 @@ describe("#fileOperations.info", () => {
       teamId: team.id,
       userId: admin.id,
     });
-    const res = await server.post("/api/fileOperations.info", {
+    const res = await server.post("/api/fileOperations.info", admin, {
       body: {
         id: exportData.id,
-        token: admin.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -45,10 +44,9 @@ describe("#fileOperations.info", () => {
       teamId: team.id,
       userId: user.id,
     });
-    const res = await server.post("/api/fileOperations.info", {
+    const res = await server.post("/api/fileOperations.info", user, {
       body: {
         id: exportData.id,
-        token: user.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -65,10 +63,9 @@ describe("#fileOperations.info", () => {
       teamId: team.id,
       userId: admin.id,
     });
-    const res = await server.post("/api/fileOperations.info", {
+    const res = await server.post("/api/fileOperations.info", user, {
       body: {
         id: exportData.id,
-        token: user.getJwtToken(),
       },
     });
     expect(res.status).toEqual(403);
@@ -83,10 +80,9 @@ describe("#fileOperations.info", () => {
       teamId: team.id,
       userId: admin1.id,
     });
-    const res = await server.post("/api/fileOperations.info", {
+    const res = await server.post("/api/fileOperations.info", admin2, {
       body: {
         id: exportData.id,
-        token: admin2.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -103,10 +99,9 @@ describe("#fileOperations.info", () => {
       teamId: team.id,
       userId: admin1.id,
     });
-    const res = await server.post("/api/fileOperations.info", {
+    const res = await server.post("/api/fileOperations.info", admin2, {
       body: {
         id: importOp.id,
-        token: admin2.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -125,10 +120,9 @@ describe("#fileOperations.info", () => {
       teamId: team.id,
       userId: admin.id,
     });
-    const res = await server.post("/api/fileOperations.info", {
+    const res = await server.post("/api/fileOperations.info", admin, {
       body: {
         id: exportData.id,
-        token: admin.getJwtToken(),
       },
     });
     expect(res.status).toEqual(403);
@@ -146,9 +140,8 @@ describe("#fileOperations.list", () => {
       teamId: team.id,
       userId: admin.id,
     });
-    const res = await server.post("/api/fileOperations.list", {
+    const res = await server.post("/api/fileOperations.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         type: FileOperationType.Export,
       },
     });
@@ -176,9 +169,8 @@ describe("#fileOperations.list", () => {
       userId: admin.id,
       collectionId: collection.id,
     });
-    const res = await server.post("/api/fileOperations.list", {
+    const res = await server.post("/api/fileOperations.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         type: FileOperationType.Export,
       },
     });
@@ -210,9 +202,8 @@ describe("#fileOperations.list", () => {
     await collection.destroy({ hooks: false });
     const isCollectionPresent = await Collection.findByPk(collection.id);
     expect(isCollectionPresent).toBe(null);
-    const res = await server.post("/api/fileOperations.list", {
+    const res = await server.post("/api/fileOperations.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         type: FileOperationType.Export,
       },
     });
@@ -247,9 +238,8 @@ describe("#fileOperations.list", () => {
     await admin.destroy();
     const isAdminPresent = await User.findByPk(admin.id);
     expect(isAdminPresent).toBe(null);
-    const res = await server.post("/api/fileOperations.list", {
+    const res = await server.post("/api/fileOperations.list", admin2, {
       body: {
-        token: admin2.getJwtToken(),
         type: FileOperationType.Export,
       },
     });
@@ -265,9 +255,8 @@ describe("#fileOperations.list", () => {
 
   it("should require admin", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/fileOperations.list", {
+    const res = await server.post("/api/fileOperations.list", user, {
       body: {
-        token: user.getJwtToken(),
         type: FileOperationType.Export,
       },
     });
@@ -286,9 +275,8 @@ describe("#fileOperations.redirect", () => {
       teamId: team.id,
       userId: admin.id,
     });
-    const res = await server.post("/api/fileOperations.redirect", {
+    const res = await server.post("/api/fileOperations.redirect", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: exportData.id,
       },
     });
@@ -307,9 +295,8 @@ describe("#fileOperations.redirect", () => {
       teamId: team.id,
       userId: admin1.id,
     });
-    const res = await server.post("/api/fileOperations.redirect", {
+    const res = await server.post("/api/fileOperations.redirect", admin2, {
       body: {
-        token: admin2.getJwtToken(),
         id: exportData.id,
       },
       redirect: "manual",
@@ -326,9 +313,8 @@ describe("#fileOperations.redirect", () => {
       teamId: team.id,
       userId: user.id,
     });
-    const res = await server.post("/api/fileOperations.redirect", {
+    const res = await server.post("/api/fileOperations.redirect", user, {
       body: {
-        token: user.getJwtToken(),
         id: exportData.id,
       },
       redirect: "manual",
@@ -346,9 +332,8 @@ describe("#fileOperations.redirect", () => {
       teamId: team.id,
       userId: admin.id,
     });
-    const res = await server.post("/api/fileOperations.redirect", {
+    const res = await server.post("/api/fileOperations.redirect", user, {
       body: {
-        token: user.getJwtToken(),
         id: exportData.id,
       },
     });
@@ -365,9 +350,8 @@ describe("#fileOperations.redirect", () => {
       teamId: team.id,
       userId: user.id,
     });
-    const res = await server.post("/api/fileOperations.redirect", {
+    const res = await server.post("/api/fileOperations.redirect", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: exportData.id,
       },
     });
@@ -387,12 +371,15 @@ describe("#fileOperations.delete", () => {
       userId: admin.id,
       state: FileOperationState.Complete,
     });
-    const deleteResponse = await server.post("/api/fileOperations.delete", {
+    const deleteResponse = await server.post(
-      body: {
+      "/api/fileOperations.delete",
-        token: admin.getJwtToken(),
+      admin,
-        id: exportData.id,
+      {
-      },
+        body: {
-    });
+          id: exportData.id,
+        },
+      }
+    );
     expect(deleteResponse.status).toBe(200);
     expect(
       await Event.count({
@@ -420,9 +407,8 @@ describe("#fileOperations.delete", () => {
       teamId: team.id,
       userId: user.id,
     });
-    const res = await server.post("/api/fileOperations.delete", {
+    const res = await server.post("/api/fileOperations.delete", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: exportData.id,
       },
     });

server/routes/api/groupMemberships/groupMemberships.test.ts

@@ -41,19 +41,14 @@ describe("groupMemberships.list", () => {
       createdById: user.id,
     });
 
-    await server.post("/api/documents.add_group", {
+    await server.post("/api/documents.add_group", user, {
       body: {
-        token: user.getJwtToken(),
         id: document.id,
         groupId: group.id,
       },
     });
 
-    const res = await server.post("/api/groupMemberships.list", {
+    const res = await server.post("/api/groupMemberships.list", member);
-      body: {
-        token: member.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data).not.toBeFalsy();
@@ -107,20 +102,15 @@ describe("groupMemberships.list", () => {
     ]);
 
     for (const document of documents) {
-      await server.post("/api/documents.add_group", {
+      await server.post("/api/documents.add_group", user, {
         body: {
-          token: user.getJwtToken(),
           id: document.id,
           groupId: group.id,
         },
       });
     }
 
-    const res = await server.post("/api/groupMemberships.list", {
+    const res = await server.post("/api/groupMemberships.list", member);
-      body: {
-        token: member.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.pagination).not.toBeFalsy();

server/routes/api/groups/groups.test.ts

@@ -15,9 +15,8 @@ describe("#groups.create", () => {
   it("should create a group", async () => {
     const name = "hello I am a group";
     const user = await buildAdmin();
-    const res = await server.post("/api/groups.create", {
+    const res = await server.post("/api/groups.create", user, {
       body: {
-        token: user.getJwtToken(),
         name,
         externalId: "123",
       },
@@ -46,9 +45,8 @@ describe("#groups.update", () => {
   it("should require admin", async () => {
     const group = await buildGroup();
     const user = await buildUser();
-    const res = await server.post("/api/groups.update", {
+    const res = await server.post("/api/groups.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
         name: "Test",
       },
@@ -59,9 +57,8 @@ describe("#groups.update", () => {
   it("should require authorization", async () => {
     const group = await buildGroup();
     const user = await buildAdmin();
-    const res = await server.post("/api/groups.update", {
+    const res = await server.post("/api/groups.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
         name: "Test",
       },
@@ -79,9 +76,8 @@ describe("#groups.update", () => {
     });
 
     it("allows admin to edit a group", async () => {
-      const res = await server.post("/api/groups.update", {
+      const res = await server.post("/api/groups.update", user, {
         body: {
-          token: user.getJwtToken(),
           id: group.id,
           name: "Test",
           externalId: "123",
@@ -113,9 +109,8 @@ describe("#groups.update", () => {
       const admin = await buildAdmin({
         teamId: user.teamId,
       });
-      await server.post("/api/groups.add_user", {
+      await server.post("/api/groups.add_user", admin, {
         body: {
-          token: admin.getJwtToken(),
           id: group.id,
           userId: user.id,
           permission: "admin",
@@ -124,9 +119,8 @@ describe("#groups.update", () => {
     });
 
     it("allows group admin to edit a group", async () => {
-      const res = await server.post("/api/groups.update", {
+      const res = await server.post("/api/groups.update", user, {
         body: {
-          token: user.getJwtToken(),
           id: group.id,
           name: "Test by Group Admin",
         },
@@ -147,9 +141,8 @@ describe("#groups.update", () => {
     });
 
     it("does not create an event if the update is a noop", async () => {
-      const res = await server.post("/api/groups.update", {
+      const res = await server.post("/api/groups.update", user, {
         body: {
-          token: user.getJwtToken(),
           id: group.id,
           name: group.name,
         },
@@ -171,9 +164,8 @@ describe("#groups.update", () => {
         teamId: user.teamId,
         name: "test",
       });
-      const res = await server.post("/api/groups.update", {
+      const res = await server.post("/api/groups.update", user, {
         body: {
-          token: user.getJwtToken(),
           id: group.id,
           name: "TEST",
         },
@@ -203,11 +195,7 @@ describe("#groups.list", () => {
         createdById: user.id,
       },
     });
-    const res = await server.post("/api/groups.list", {
+    const res = await server.post("/api/groups.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.pagination.total).toEqual(1);
@@ -239,11 +227,7 @@ describe("#groups.list", () => {
       },
     });
     await user.destroy({ hooks: false });
-    const res = await server.post("/api/groups.list", {
+    const res = await server.post("/api/groups.list", me);
-      body: {
-        token: me.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data.groups.length).toEqual(1);
@@ -277,11 +261,7 @@ describe("#groups.list", () => {
         createdById: user.id,
       },
     });
-    const res = await server.post("/api/groups.list", {
+    const res = await server.post("/api/groups.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
 
     expect(res.status).toEqual(200);
@@ -304,10 +284,9 @@ describe("#groups.list", () => {
     ).toBe(true);
     expect(body.policies.length).toEqual(2);
 
-    const anotherRes = await server.post("/api/groups.list", {
+    const anotherRes = await server.post("/api/groups.list", user, {
       body: {
         userId: user.id,
-        token: user.getJwtToken(),
       },
     });
     const anotherBody = await anotherRes.json();
@@ -335,10 +314,9 @@ describe("#groups.list", () => {
     const group = await buildGroup({ teamId: user.teamId });
     await buildGroup({ teamId: user.teamId });
 
-    const res = await server.post("/api/groups.list", {
+    const res = await server.post("/api/groups.list", user, {
       body: {
         name: group.name,
-        token: user.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -353,10 +331,9 @@ describe("#groups.list", () => {
     const group = await buildGroup({ teamId: user.teamId, externalId: "123" });
     await buildGroup({ teamId: user.teamId });
 
-    const res = await server.post("/api/groups.list", {
+    const res = await server.post("/api/groups.list", user, {
       body: {
         externalId: "123",
-        token: user.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -371,10 +348,9 @@ describe("#groups.list", () => {
     await buildGroup({ teamId: user.teamId });
     await buildGroup({ teamId: user.teamId });
 
-    const res = await server.post("/api/groups.list", {
+    const res = await server.post("/api/groups.list", user, {
       body: {
         limit: 1,
-        token: user.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -414,10 +390,9 @@ describe("#groups.list", () => {
       teamId: otherUser.teamId,
     });
 
-    const res = await server.post("/api/groups.list", {
+    const res = await server.post("/api/groups.list", user, {
       body: {
         source: authProvider.name,
-        token: user.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -433,9 +408,8 @@ describe("#groups.info", () => {
     const group = await buildGroup({
       teamId: user.teamId,
     });
-    const res = await server.post("/api/groups.info", {
+    const res = await server.post("/api/groups.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
       },
     });
@@ -450,9 +424,8 @@ describe("#groups.info", () => {
       teamId: user.teamId,
       externalId: "456",
     });
-    const res = await server.post("/api/groups.info", {
+    const res = await server.post("/api/groups.info", user, {
       body: {
-        token: user.getJwtToken(),
         externalId: "456",
       },
     });
@@ -471,9 +444,8 @@ describe("#groups.info", () => {
         createdById: user.id,
       },
     });
-    const res = await server.post("/api/groups.info", {
+    const res = await server.post("/api/groups.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
       },
     });
@@ -487,9 +459,8 @@ describe("#groups.info", () => {
     const group = await buildGroup({
       teamId: user.teamId,
     });
-    const res = await server.post("/api/groups.info", {
+    const res = await server.post("/api/groups.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
       },
     });
@@ -510,9 +481,8 @@ describe("#groups.info", () => {
   it("should require authorization", async () => {
     const user = await buildUser();
     const group = await buildGroup();
-    const res = await server.post("/api/groups.info", {
+    const res = await server.post("/api/groups.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
       },
     });
@@ -536,9 +506,8 @@ describe("#groups.delete", () => {
   it("should require admin", async () => {
     const group = await buildGroup();
     const user = await buildUser();
-    const res = await server.post("/api/groups.delete", {
+    const res = await server.post("/api/groups.delete", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
       },
     });
@@ -548,9 +517,8 @@ describe("#groups.delete", () => {
   it("should require authorization", async () => {
     const group = await buildGroup();
     const user = await buildAdmin();
-    const res = await server.post("/api/groups.delete", {
+    const res = await server.post("/api/groups.delete", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
       },
     });
@@ -562,9 +530,8 @@ describe("#groups.delete", () => {
     const group = await buildGroup({
       teamId: user.teamId,
     });
-    const res = await server.post("/api/groups.delete", {
+    const res = await server.post("/api/groups.delete", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
       },
     });
@@ -585,9 +552,8 @@ describe("#groups.memberships", () => {
         createdById: user.id,
       },
     });
-    const res = await server.post("/api/groups.memberships", {
+    const res = await server.post("/api/groups.memberships", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
       },
     });
@@ -627,9 +593,8 @@ describe("#groups.memberships", () => {
       },
     });
     await user3.destroy();
-    const res = await server.post("/api/groups.memberships", {
+    const res = await server.post("/api/groups.memberships", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
         query: user.name.slice(0, 3),
       },
@@ -650,9 +615,8 @@ describe("#groups.memberships", () => {
   it("should require authorization", async () => {
     const user = await buildUser();
     const group = await buildGroup();
-    const res = await server.post("/api/groups.memberships", {
+    const res = await server.post("/api/groups.memberships", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
       },
     });
@@ -666,9 +630,8 @@ describe("#groups.add_user", () => {
     const group = await buildGroup({
       teamId: user.teamId,
     });
-    const res = await server.post("/api/groups.add_user", {
+    const res = await server.post("/api/groups.add_user", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
         userId: user.id,
       },
@@ -686,9 +649,8 @@ describe("#groups.add_user", () => {
     const group = await buildGroup({
       teamId: user.teamId,
     });
-    const res = await server.post("/api/groups.add_user", {
+    const res = await server.post("/api/groups.add_user", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
         userId: anotherUser.id,
         permission: GroupPermission.Admin,
@@ -712,9 +674,8 @@ describe("#groups.add_user", () => {
       teamId: user.teamId,
     });
     const anotherUser = await buildUser();
-    const res = await server.post("/api/groups.add_user", {
+    const res = await server.post("/api/groups.add_user", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
         userId: anotherUser.id,
       },
@@ -732,9 +693,8 @@ describe("#groups.add_user", () => {
     const anotherUser = await buildUser({
       teamId: user.teamId,
     });
-    const res = await server.post("/api/groups.add_user", {
+    const res = await server.post("/api/groups.add_user", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
         userId: anotherUser.id,
       },
@@ -751,18 +711,16 @@ describe("#groups.remove_user", () => {
     const group = await buildGroup({
       teamId: user.teamId,
     });
-    await server.post("/api/groups.add_user", {
+    await server.post("/api/groups.add_user", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
         userId: user.id,
       },
     });
     const users = await group.$get("users");
     expect(users.length).toEqual(1);
-    const res = await server.post("/api/groups.remove_user", {
+    const res = await server.post("/api/groups.remove_user", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
         userId: user.id,
       },
@@ -783,9 +741,8 @@ describe("#groups.remove_user", () => {
       teamId: user.teamId,
     });
     const anotherUser = await buildUser();
-    const res = await server.post("/api/groups.remove_user", {
+    const res = await server.post("/api/groups.remove_user", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
         userId: anotherUser.id,
       },
@@ -803,9 +760,8 @@ describe("#groups.remove_user", () => {
     const anotherUser = await buildUser({
       teamId: user.teamId,
     });
-    const res = await server.post("/api/groups.remove_user", {
+    const res = await server.post("/api/groups.remove_user", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
         userId: anotherUser.id,
       },
@@ -833,9 +789,8 @@ describe("#groups.update_user", () => {
     });
 
     // Then update the user to be an admin
-    const res = await server.post("/api/groups.update_user", {
+    const res = await server.post("/api/groups.update_user", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
         userId: anotherUser.id,
         permission: GroupPermission.Admin,
@@ -849,9 +804,8 @@ describe("#groups.update_user", () => {
     );
 
     // Update the user to not be an admin
-    const res2 = await server.post("/api/groups.update_user", {
+    const res2 = await server.post("/api/groups.update_user", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
         userId: anotherUser.id,
         permission: "member",
@@ -891,9 +845,8 @@ describe("#groups.update_user", () => {
     });
 
     // Try to update as non-admin
-    const res = await server.post("/api/groups.update_user", {
+    const res = await server.post("/api/groups.update_user", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
         userId: anotherUser.id,
         permission: GroupPermission.Admin,
@@ -912,9 +865,8 @@ describe("#groups.update_user", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/groups.update_user", {
+    const res = await server.post("/api/groups.update_user", user, {
       body: {
-        token: user.getJwtToken(),
         id: group.id,
         userId: anotherUser.id,
         permission: GroupPermission.Admin,

server/routes/api/imports/imports.test.ts

@@ -37,12 +37,11 @@ describe("#imports.create", () => {
     });
     const input: NotionImportInput = [{ permission: undefined }];
 
-    const res = await server.post("/api/imports.create", {
+    const res = await server.post("/api/imports.create", admin, {
       body: {
         integrationId: integration.id,
         service: IntegrationService.Notion,
         input,
-        token: admin.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -70,12 +69,11 @@ describe("#imports.create", () => {
       integrationId: integration.id,
     });
 
-    const res = await server.post("/api/imports.create", {
+    const res = await server.post("/api/imports.create", admin, {
       body: {
         integrationId: integration.id,
         service: ImportableIntegrationService.Notion,
         input,
-        token: admin.getJwtToken(),
       },
     });
 
@@ -91,11 +89,7 @@ describe("#imports.create", () => {
   it("should require user to be admin", async () => {
     const user = await buildUser();
 
-    const res = await server.post("/api/imports.create", {
+    const res = await server.post("/api/imports.create", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
 
     expect(res.status).toEqual(403);
   });
@@ -115,10 +109,9 @@ describe("#imports.list", () => {
       }),
     ]);
 
-    const res = await server.post("/api/imports.list", {
+    const res = await server.post("/api/imports.list", admin, {
       body: {
         service: IntegrationService.Notion,
-        token: admin.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -143,11 +136,7 @@ describe("#imports.list", () => {
   it("should require user to be admin", async () => {
     const user = await buildUser();
 
-    const res = await server.post("/api/imports.list", {
+    const res = await server.post("/api/imports.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
 
     expect(res.status).toEqual(403);
   });
@@ -161,10 +150,9 @@ describe("#imports.info", () => {
       teamId: admin.teamId,
     });
 
-    const res = await server.post("/api/imports.info", {
+    const res = await server.post("/api/imports.info", admin, {
       body: {
         id: importModel.id,
-        token: admin.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -182,11 +170,7 @@ describe("#imports.info", () => {
   it("should require user to be admin", async () => {
     const user = await buildUser();
 
-    const res = await server.post("/api/imports.info", {
+    const res = await server.post("/api/imports.info", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
 
     expect(res.status).toEqual(403);
   });
@@ -201,10 +185,9 @@ describe("#imports.delete", () => {
       teamId: admin.teamId,
     });
 
-    const res = await server.post("/api/imports.delete", {
+    const res = await server.post("/api/imports.delete", admin, {
       body: {
         id: importModel.id,
-        token: admin.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -221,10 +204,9 @@ describe("#imports.delete", () => {
       teamId: admin.teamId,
     });
 
-    const res = await server.post("/api/imports.delete", {
+    const res = await server.post("/api/imports.delete", admin, {
       body: {
         id: importModel.id,
-        token: admin.getJwtToken(),
       },
     });
 
@@ -240,11 +222,7 @@ describe("#imports.delete", () => {
   it("should require user to be admin", async () => {
     const user = await buildUser();
 
-    const res = await server.post("/api/imports.delete", {
+    const res = await server.post("/api/imports.delete", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
 
     expect(res.status).toEqual(403);
   });
@@ -258,10 +236,9 @@ describe("#imports.cancel", () => {
       teamId: admin.teamId,
     });
 
-    const res = await server.post("/api/imports.cancel", {
+    const res = await server.post("/api/imports.cancel", admin, {
       body: {
         id: importModel.id,
-        token: admin.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -279,10 +256,9 @@ describe("#imports.cancel", () => {
       teamId: admin.teamId,
     });
 
-    const res = await server.post("/api/imports.cancel", {
+    const res = await server.post("/api/imports.cancel", admin, {
       body: {
         id: importModel.id,
-        token: admin.getJwtToken(),
       },
     });
 
@@ -298,11 +274,7 @@ describe("#imports.cancel", () => {
   it("should require user to be admin", async () => {
     const user = await buildUser();
 
-    const res = await server.post("/api/imports.cancel", {
+    const res = await server.post("/api/imports.cancel", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
 
     expect(res.status).toEqual(403);
   });

server/routes/api/installation/installation.test.ts

@@ -64,11 +64,7 @@ describe("installation.info", () => {
 
   it.skip("should return installation information", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/installation.info", {
+    const res = await server.post("/api/installation.info", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
 
     const body = await res.json();
 

server/routes/api/integrations/integrations.test.ts

@@ -20,10 +20,9 @@ describe("#integrations.update", () => {
       teamId: team.id,
     });
 
-    const res = await server.post("/api/integrations.update", {
+    const res = await server.post("/api/integrations.update", user, {
       body: {
         events: ["documents.update"],
-        token: user.getJwtToken(),
         id: integration.id,
       },
     });
@@ -38,9 +37,8 @@ describe("#integrations.update", () => {
     const integration = await buildIntegration({
       userId: user.id,
     });
-    const res = await server.post("/api/integrations.update", {
+    const res = await server.post("/api/integrations.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: integration.id,
       },
     });
@@ -58,9 +56,8 @@ describe("#integrations.update", () => {
       settings: { url: "https://example.com" },
     });
 
-    const res = await server.post("/api/integrations.update", {
+    const res = await server.post("/api/integrations.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: integration.id,
         settings: { url: "https://foo.bar" },
       },
@@ -82,9 +79,8 @@ describe("#integrations.update", () => {
       settings: { url: "https://example.com" },
     });
 
-    const res = await server.post("/api/integrations.update", {
+    const res = await server.post("/api/integrations.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: integration.id,
         settings: { url: "https://grist.example.com" },
       },
@@ -100,9 +96,8 @@ describe("#integrations.create", () => {
   it("should fail with status 400 bad request for an invalid url value supplied in settings param", async () => {
     const admin = await buildAdmin();
 
-    const res = await server.post("/api/integrations.create", {
+    const res = await server.post("/api/integrations.create", admin, {
       body: {
-        token: admin.getJwtToken(),
         type: IntegrationType.Embed,
         service: IntegrationService.Diagrams,
         settings: { url: "not a url" },
@@ -116,9 +111,8 @@ describe("#integrations.create", () => {
   it("should succeed with status 200 ok for an integration without url", async () => {
     const admin = await buildAdmin();
 
-    const res = await server.post("/api/integrations.create", {
+    const res = await server.post("/api/integrations.create", admin, {
       body: {
-        token: admin.getJwtToken(),
         type: IntegrationType.Analytics,
         service: IntegrationService.GoogleAnalytics,
         settings: { measurementId: "123" },
@@ -135,9 +129,8 @@ describe("#integrations.create", () => {
   it("should succeed with status 200 ok for an grist integration", async () => {
     const admin = await buildAdmin();
 
-    const res = await server.post("/api/integrations.create", {
+    const res = await server.post("/api/integrations.create", admin, {
       body: {
-        token: admin.getJwtToken(),
         type: IntegrationType.Embed,
         service: IntegrationService.Grist,
         settings: { url: "https://grist.example.com" },
@@ -171,9 +164,8 @@ describe("#integrations.delete", () => {
   it("should fail with status 403 unauthorized when the user is not an admin", async () => {
     const user = await buildUser();
 
-    const res = await server.post("/api/integrations.delete", {
+    const res = await server.post("/api/integrations.delete", user, {
       body: {
-        token: user.getJwtToken(),
         id: integration.id,
       },
     });
@@ -181,11 +173,7 @@ describe("#integrations.delete", () => {
   });
 
   it("should fail with status 400 bad request when id is not sent", async () => {
-    const res = await server.post("/api/integrations.delete", {
+    const res = await server.post("/api/integrations.delete", admin);
-      body: {
-        token: admin.getJwtToken(),
-      },
-    });
 
     const body = await res.json();
     expect(res.status).toEqual(400);
@@ -202,9 +190,8 @@ describe("#integrations.delete", () => {
       service: IntegrationService.Slack,
       type: IntegrationType.LinkedAccount,
     });
-    const res = await server.post("/api/integrations.delete", {
+    const res = await server.post("/api/integrations.delete", user, {
       body: {
-        token: user.getJwtToken(),
         id: linkedAccount.id,
       },
     });
@@ -212,9 +199,8 @@ describe("#integrations.delete", () => {
   });
 
   it("should succeed with status 200 ok when integration is deleted", async () => {
-    const res = await server.post("/api/integrations.delete", {
+    const res = await server.post("/api/integrations.delete", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: integration.id,
       },
     });

server/routes/api/middlewares/pagination.test.ts

@@ -6,9 +6,8 @@ const server = getTestServer();
 describe("#pagination", () => {
   it("should allow offset and limit", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", user, {
       body: {
-        token: user.getJwtToken(),
         limit: 1,
         offset: 1,
       },
@@ -18,9 +17,8 @@ describe("#pagination", () => {
 
   it("should not allow negative limit", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", user, {
       body: {
-        token: user.getJwtToken(),
         limit: -1,
       },
     });
@@ -29,9 +27,8 @@ describe("#pagination", () => {
 
   it("should not allow non-integer limit", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", user, {
       body: {
-        token: user.getJwtToken(),
         limit: "blah",
       },
     });
@@ -40,9 +37,8 @@ describe("#pagination", () => {
 
   it("should not allow negative offset", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", user, {
       body: {
-        token: user.getJwtToken(),
         offset: -1,
       },
     });
@@ -51,9 +47,8 @@ describe("#pagination", () => {
 
   it("should not allow non-integer offset", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", user, {
       body: {
-        token: user.getJwtToken(),
         offset: "blah",
       },
     });

server/routes/api/notifications/notifications.test.ts

@@ -64,11 +64,7 @@ describe("#notifications.list", () => {
       }),
     ]);
 
-    const res = await server.post("/api/notifications.list", {
+    const res = await server.post("/api/notifications.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
 
     expect(res.status).toBe(200);
@@ -130,9 +126,8 @@ describe("#notifications.list", () => {
       }),
     ]);
 
-    const res = await server.post("/api/notifications.list", {
+    const res = await server.post("/api/notifications.list", user, {
       body: {
-        token: user.getJwtToken(),
         eventType: NotificationEventType.MentionedInComment,
       },
     });
@@ -197,9 +192,8 @@ describe("#notifications.list", () => {
       }),
     ]);
 
-    const res = await server.post("/api/notifications.list", {
+    const res = await server.post("/api/notifications.list", user, {
       body: {
-        token: user.getJwtToken(),
         archived: true,
       },
     });
@@ -265,9 +259,8 @@ describe("#notifications.list", () => {
       }),
     ]);
 
-    const res = await server.post("/api/notifications.list", {
+    const res = await server.post("/api/notifications.list", user, {
       body: {
-        token: user.getJwtToken(),
         archived: false,
       },
     });
@@ -385,9 +378,8 @@ describe("#notifications.update", () => {
 
     expect(notification.viewedAt).toBeNull();
 
-    const res = await server.post("/api/notifications.update", {
+    const res = await server.post("/api/notifications.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: notification.id,
         viewedAt: new Date(),
       },
@@ -425,9 +417,8 @@ describe("#notifications.update", () => {
 
     expect(notification.archivedAt).toBeNull();
 
-    const res = await server.post("/api/notifications.update", {
+    const res = await server.post("/api/notifications.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: notification.id,
         archivedAt: new Date(),
       },
@@ -483,11 +474,7 @@ describe("#notifications.update_all", () => {
       }),
     ]);
 
-    const res = await server.post("/api/notifications.update_all", {
+    const res = await server.post("/api/notifications.update_all", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toBe(200);
     expect(body.success).toBe(true);
@@ -536,9 +523,8 @@ describe("#notifications.update_all", () => {
       }),
     ]);
 
-    const res = await server.post("/api/notifications.update_all", {
+    const res = await server.post("/api/notifications.update_all", user, {
       body: {
-        token: user.getJwtToken(),
         viewedAt: new Date(),
       },
     });
@@ -591,9 +577,8 @@ describe("#notifications.update_all", () => {
       }),
     ]);
 
-    const res = await server.post("/api/notifications.update_all", {
+    const res = await server.post("/api/notifications.update_all", user, {
       body: {
-        token: user.getJwtToken(),
         viewedAt: null,
       },
     });
@@ -645,9 +630,8 @@ describe("#notifications.update_all", () => {
       }),
     ]);
 
-    const res = await server.post("/api/notifications.update_all", {
+    const res = await server.post("/api/notifications.update_all", user, {
       body: {
-        token: user.getJwtToken(),
         archivedAt: new Date(),
       },
     });
@@ -700,9 +684,8 @@ describe("#notifications.update_all", () => {
       }),
     ]);
 
-    const res = await server.post("/api/notifications.update_all", {
+    const res = await server.post("/api/notifications.update_all", user, {
       body: {
-        token: user.getJwtToken(),
         archivedAt: null,
       },
     });

server/routes/api/oauthAuthentications/oauthAuthentications.test.ts

@@ -32,11 +32,7 @@ describe("oauthAuthentications.list", () => {
       scope: ["read"],
     });
 
-    const res = await server.post("/api/oauthAuthentications.list", {
+    const res = await server.post("/api/oauthAuthentications.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
 
     const body = await res.json();
     expect(res.status).toEqual(200);
@@ -63,11 +59,7 @@ describe("oauthAuthentications.list", () => {
       scope: ["read"],
     });
 
-    const res = await server.post("/api/oauthAuthentications.list", {
+    const res = await server.post("/api/oauthAuthentications.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
 
     const body = await res.json();
     expect(res.status).toEqual(200);
@@ -87,9 +79,8 @@ describe("oauthAuthentications.delete", () => {
     const team = await buildTeam();
     const user = await buildUser({ teamId: team.id });
 
-    const res = await server.post("/api/oauthAuthentications.delete", {
+    const res = await server.post("/api/oauthAuthentications.delete", user, {
       body: {
-        token: user.getJwtToken(),
         oauthClientId: "",
       },
     });
@@ -113,9 +104,8 @@ describe("oauthAuthentications.delete", () => {
       scope: ["read"],
     });
 
-    const res = await server.post("/api/oauthAuthentications.delete", {
+    const res = await server.post("/api/oauthAuthentications.delete", user, {
       body: {
-        token: user.getJwtToken(),
         oauthClientId: oauthClient.id,
       },
     });
@@ -154,9 +144,8 @@ describe("oauthAuthentications.delete", () => {
       scope: ["write"],
     });
 
-    const res = await server.post("/api/oauthAuthentications.delete", {
+    const res = await server.post("/api/oauthAuthentications.delete", user, {
       body: {
-        token: user.getJwtToken(),
         oauthClientId: oauthClient.id,
         scope: ["read"],
       },
@@ -193,9 +182,8 @@ describe("oauthAuthentications.delete", () => {
       scope: ["read"],
     });
 
-    await server.post("/api/oauthAuthentications.delete", {
+    await server.post("/api/oauthAuthentications.delete", user, {
       body: {
-        token: user.getJwtToken(),
         oauthClientId: oauthClient.id,
         scope: "read",
       },

server/routes/api/oauthClients/oauthClients.test.ts

@@ -41,11 +41,7 @@ describe("oauthClients.list", () => {
       published: false,
     });
 
-    const res = await server.post("/api/oauthClients.list", {
+    const res = await server.post("/api/oauthClients.list", admin);
-      body: {
-        token: admin.getJwtToken(),
-      },
-    });
 
     const body = await res.json();
     expect(res.status).toEqual(200);
@@ -78,9 +74,8 @@ describe("oauthClients.info", () => {
       redirectUris: ["https://example.com/callback"],
     });
 
-    const res = await server.post("/api/oauthClients.info", {
+    const res = await server.post("/api/oauthClients.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: client.id,
       },
     });
@@ -105,9 +100,8 @@ describe("oauthClients.info", () => {
       redirectUris: ["https://example.com/callback"],
     });
 
-    const res = await server.post("/api/oauthClients.info", {
+    const res = await server.post("/api/oauthClients.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: client.id,
       },
     });
@@ -132,9 +126,8 @@ describe("oauthClients.info", () => {
       published: true,
     });
 
-    const res = await server.post("/api/oauthClients.info", {
+    const res = await server.post("/api/oauthClients.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: client.id,
       },
     });
@@ -160,9 +153,8 @@ describe("oauthClients.info", () => {
       published: true,
     });
 
-    const res = await server.post("/api/oauthClients.info", {
+    const res = await server.post("/api/oauthClients.info", user, {
       body: {
-        token: user.getJwtToken(),
         clientId: client.clientId,
       },
     });
@@ -192,9 +184,8 @@ describe("oauthClients.info", () => {
     });
 
     // Test with valid redirectUri
-    const validRes = await server.post("/api/oauthClients.info", {
+    const validRes = await server.post("/api/oauthClients.info", user, {
       body: {
-        token: user.getJwtToken(),
         clientId: client.clientId,
         redirectUri: "https://example.com/callback",
       },
@@ -205,9 +196,8 @@ describe("oauthClients.info", () => {
     expect(validBody.data.name).toEqual("Test Client");
 
     // Test with invalid redirectUri
-    const invalidRes = await server.post("/api/oauthClients.info", {
+    const invalidRes = await server.post("/api/oauthClients.info", user, {
       body: {
-        token: user.getJwtToken(),
         clientId: client.clientId,
         redirectUri: "https://malicious.com/callback",
       },
@@ -228,9 +218,8 @@ describe("oauthClients.create", () => {
     const team = await buildTeam();
     const admin = await buildAdmin({ teamId: team.id });
 
-    const res = await server.post("/api/oauthClients.create", {
+    const res = await server.post("/api/oauthClients.create", admin, {
       body: {
-        token: admin.getJwtToken(),
         name: "Test Client",
         redirectUris: ["https://example.com/callback"],
       },
@@ -264,9 +253,8 @@ describe("oauthclients.update", () => {
       published: true,
     });
 
-    const res = await server.post("/api/oauthClients.update", {
+    const res = await server.post("/api/oauthClients.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: client.id,
         published: false,
         name: "Renamed",
@@ -301,9 +289,8 @@ describe("oauthClients.rotate_secret", () => {
 
     const originalSecret = client.clientSecret;
 
-    const res = await server.post("/api/oauthClients.rotate_secret", {
+    const res = await server.post("/api/oauthClients.rotate_secret", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: client.id,
       },
     });
@@ -335,9 +322,8 @@ describe("oauthClients.delete", () => {
       redirectUris: ["https://example.com/callback"],
     });
 
-    const res = await server.post("/api/oauthClients.delete", {
+    const res = await server.post("/api/oauthClients.delete", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: client.id,
       },
     });

server/routes/api/pins/pins.test.ts

@@ -47,20 +47,15 @@ describe("#pins.create", () => {
   });
 
   it("should fail with status 400 bad request when documentId is not suppled", async () => {
-    const res = await server.post("/api/pins.create", {
+    const res = await server.post("/api/pins.create", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(400);
     expect(body.message).toEqual("documentId: required");
   });
 
   it("should fail with status 400 bad request when documentId is invalid", async () => {
-    const res = await server.post("/api/pins.create", {
+    const res = await server.post("/api/pins.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: "foo",
       },
     });
@@ -70,9 +65,8 @@ describe("#pins.create", () => {
   });
 
   it("should fail with status 400 bad request when index is invalid", async () => {
-    const res = await server.post("/api/pins.create", {
+    const res = await server.post("/api/pins.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: "foo1234567",
         index: "😀",
       },
@@ -83,9 +77,8 @@ describe("#pins.create", () => {
   });
 
   it("should fail with status 403 forbidden when user is disallowed to read the document", async () => {
-    const res = await server.post("/api/pins.create", {
+    const res = await server.post("/api/pins.create", anotherUser, {
       body: {
-        token: anotherUser.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -95,9 +88,8 @@ describe("#pins.create", () => {
   });
 
   it("should fail with status 403 forbidden when user is disallowed to update the collection", async () => {
-    const res = await server.post("/api/pins.create", {
+    const res = await server.post("/api/pins.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         collectionId: collection.id,
       },
@@ -113,9 +105,8 @@ describe("#pins.create", () => {
       teamId: admin.teamId,
       collectionId: collection.id,
     });
-    const res = await server.post("/api/pins.create", {
+    const res = await server.post("/api/pins.create", admin, {
       body: {
-        token: admin.getJwtToken(),
         // A draft document cannot be pinned, neither by a member nor by an admin
         documentId: draft.id,
         collectionId: collection.id,
@@ -127,9 +118,8 @@ describe("#pins.create", () => {
   });
 
   it("should fail with status 403 forbidden when user is disallowed to pin the document to home page", async () => {
-    const res = await server.post("/api/pins.create", {
+    const res = await server.post("/api/pins.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -139,9 +129,8 @@ describe("#pins.create", () => {
   });
 
   it("should succeed with status 200 ok when user is allowed to pin", async () => {
-    const res = await server.post("/api/pins.create", {
+    const res = await server.post("/api/pins.create", admin, {
       body: {
-        token: admin.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -153,9 +142,8 @@ describe("#pins.create", () => {
   });
 
   it("should succeed with status 200 ok when valid collectionId is supplied", async () => {
-    const res = await server.post("/api/pins.create", {
+    const res = await server.post("/api/pins.create", admin, {
       body: {
-        token: admin.getJwtToken(),
         documentId: document.id,
         collectionId: collection.id,
       },
@@ -176,16 +164,14 @@ describe("#pins.info", () => {
       teamId: admin.teamId,
     });
 
-    await server.post("/api/pins.create", {
+    await server.post("/api/pins.create", admin, {
       body: {
-        token: admin.getJwtToken(),
         documentId: document.id,
       },
     });
 
-    const res = await server.post("/api/pins.info", {
+    const res = await server.post("/api/pins.info", admin, {
       body: {
-        token: admin.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -204,17 +190,15 @@ describe("#pins.info", () => {
       teamId: user.teamId,
     });
 
-    await server.post("/api/pins.create", {
+    await server.post("/api/pins.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         collectionId: document.collectionId,
       },
     });
 
-    const res = await server.post("/api/pins.info", {
+    const res = await server.post("/api/pins.info", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         collectionId: document.collectionId,
       },
@@ -234,9 +218,8 @@ describe("#pins.info", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/pins.info", {
+    const res = await server.post("/api/pins.info", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         collectionId: null,
       },
@@ -292,11 +275,7 @@ describe("#pins.list", () => {
   });
 
   it("should succeed with status 200 ok returning pinned documents", async () => {
-    const res = await server.post("/api/pins.list", {
+    const res = await server.post("/api/pins.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data).toBeTruthy();
@@ -311,9 +290,8 @@ describe("#pins.list", () => {
   });
 
   it("should succeed with status 200 ok returning pinned documents filtered by collectionId supplied", async () => {
-    const res = await server.post("/api/pins.list", {
+    const res = await server.post("/api/pins.list", user, {
       body: {
-        token: user.getJwtToken(),
         collectionId: collection.id,
       },
     });
@@ -345,9 +323,8 @@ describe("#pins.list", () => {
     // Create a user on the same team but without access to the private collection
     const teamMember = await buildUser({ teamId: otherUser.teamId });
 
-    const res = await server.post("/api/pins.list", {
+    const res = await server.post("/api/pins.list", teamMember, {
       body: {
-        token: teamMember.getJwtToken(),
         collectionId: privateCollection.id,
       },
     });
@@ -372,9 +349,8 @@ describe("#pins.list", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/pins.list", {
+    const res = await server.post("/api/pins.list", user, {
       body: {
-        token: user.getJwtToken(),
         collectionId: collectionWithPins.id,
       },
     });
@@ -387,9 +363,8 @@ describe("#pins.list", () => {
   });
 
   it("should fail with status 403 forbidden when collection does not exist", async () => {
-    const res = await server.post("/api/pins.list", {
+    const res = await server.post("/api/pins.list", user, {
       body: {
-        token: user.getJwtToken(),
         collectionId: "00000000-0000-0000-0000-000000000000",
       },
     });
@@ -437,11 +412,7 @@ describe("#pins.update", () => {
   });
 
   it("should fail with status 400 bad request when id is missing", async () => {
-    const res = await server.post("/api/pins.update", {
+    const res = await server.post("/api/pins.update", admin);
-      body: {
-        token: admin.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(400);
     expect(body.message).toEqual(
@@ -450,9 +421,8 @@ describe("#pins.update", () => {
   });
 
   it("should fail with status 400 bad request when index is missing", async () => {
-    const res = await server.post("/api/pins.update", {
+    const res = await server.post("/api/pins.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: pin.id,
       },
     });
@@ -464,9 +434,8 @@ describe("#pins.update", () => {
   });
 
   it("should fail with status 400 bad request when an invalid index is sent", async () => {
-    const res = await server.post("/api/pins.update", {
+    const res = await server.post("/api/pins.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: pin.id,
         index: "😀",
       },
@@ -477,9 +446,8 @@ describe("#pins.update", () => {
   });
 
   it("should fail with status 403 forbidden when user is disallowed to update the pin", async () => {
-    const res = await server.post("/api/pins.update", {
+    const res = await server.post("/api/pins.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: pin.id,
         index: "b",
       },
@@ -490,9 +458,8 @@ describe("#pins.update", () => {
   });
 
   it("should succeed with status 200 ok and when user is allowed to update the pin", async () => {
-    const res = await server.post("/api/pins.update", {
+    const res = await server.post("/api/pins.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: pin.id,
         index: "b",
       },
@@ -527,11 +494,7 @@ describe("#pins.delete", () => {
   });
 
   it("should fail with status 400 bad request when id is missing", async () => {
-    const res = await server.post("/api/pins.delete", {
+    const res = await server.post("/api/pins.delete", admin);
-      body: {
-        token: admin.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(400);
     expect(body.message).toEqual(
@@ -543,9 +506,8 @@ describe("#pins.delete", () => {
     const user = await buildUser({
       teamId: admin.teamId,
     });
-    const res = await server.post("/api/pins.delete", {
+    const res = await server.post("/api/pins.delete", user, {
       body: {
-        token: user.getJwtToken(),
         id: pin.id,
       },
     });
@@ -555,9 +517,8 @@ describe("#pins.delete", () => {
   });
 
   it("should succeed with status 200 ok when user is allowed to delete the pin", async () => {
-    const res = await server.post("/api/pins.delete", {
+    const res = await server.post("/api/pins.delete", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: pin.id,
       },
     });

server/routes/api/reactions/reactions.test.ts

@@ -33,9 +33,8 @@ describe("#reactions.list", () => {
       { emoji: "😅", commentId: comment.id, userId: user.id },
     ]);
 
-    const res = await server.post("/api/reactions.list", {
+    const res = await server.post("/api/reactions.list", user, {
       body: {
-        token: user.getJwtToken(),
         commentId: comment.id,
       },
     });

server/routes/api/relationships/relationships.test.ts

@@ -55,11 +55,7 @@ describe("#relationships.info", () => {
   });
 
   it("should fail with status 400 bad request when id is not supplied", async () => {
-    const res = await server.post("/api/relationships.info", {
+    const res = await server.post("/api/relationships.info", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(400);
     expect(body.message).toEqual(
@@ -68,9 +64,8 @@ describe("#relationships.info", () => {
   });
 
   it("should fail with status 400 bad request when id is not a valid UUID", async () => {
-    const res = await server.post("/api/relationships.info", {
+    const res = await server.post("/api/relationships.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: "invalid-uuid",
       },
     });
@@ -80,9 +75,8 @@ describe("#relationships.info", () => {
   });
 
   it("should fail with status 404 not found when relationship does not exist", async () => {
-    const res = await server.post("/api/relationships.info", {
+    const res = await server.post("/api/relationships.info", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: "550e8400-e29b-41d4-a716-446655440000",
       },
     });
@@ -92,9 +86,8 @@ describe("#relationships.info", () => {
   });
 
   it("should fail with status 403 forbidden when user cannot read the document", async () => {
-    const res = await server.post("/api/relationships.info", {
+    const res = await server.post("/api/relationships.info", anotherUser, {
       body: {
-        token: anotherUser.getJwtToken(),
         id: relationship.id,
       },
     });
@@ -104,9 +97,8 @@ describe("#relationships.info", () => {
   });
 
   it("should succeed with status 200 ok when user can read the document", async () => {
-    const res = await server.post("/api/relationships.info", {
+    const res = await server.post("/api/relationships.info", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: relationship.id,
       },
     });
@@ -143,9 +135,8 @@ describe("#relationships.info", () => {
       reverseDocumentId: adminDocument.id,
     });
 
-    const res = await server.post("/api/relationships.info", {
+    const res = await server.post("/api/relationships.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: userRelationship.id,
       },
     });
@@ -165,9 +156,8 @@ describe("#relationships.info", () => {
     // Make user team member so they can read both documents
     const teamUser = await buildUser({ teamId: admin.teamId });
 
-    const res = await server.post("/api/relationships.info", {
+    const res = await server.post("/api/relationships.info", teamUser, {
       body: {
-        token: teamUser.getJwtToken(),
         id: relationship.id,
       },
     });
@@ -243,11 +233,7 @@ describe("#relationships.list", () => {
   });
 
   it("should succeed with status 200 ok returning all relationships", async () => {
-    const res = await server.post("/api/relationships.list", {
+    const res = await server.post("/api/relationships.list", admin);
-      body: {
-        token: admin.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data).toBeTruthy();
@@ -259,9 +245,8 @@ describe("#relationships.list", () => {
   });
 
   it("should succeed with status 200 ok returning relationships filtered by type", async () => {
-    const res = await server.post("/api/relationships.list", {
+    const res = await server.post("/api/relationships.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         type: RelationshipType.Backlink,
       },
     });
@@ -277,9 +262,8 @@ describe("#relationships.list", () => {
   });
 
   it("should succeed with status 200 ok returning relationships filtered by documentId", async () => {
-    const res = await server.post("/api/relationships.list", {
+    const res = await server.post("/api/relationships.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         documentId: documents[0].id,
       },
     });
@@ -295,9 +279,8 @@ describe("#relationships.list", () => {
   });
 
   it("should succeed with status 200 ok returning relationships filtered by reverseDocumentId", async () => {
-    const res = await server.post("/api/relationships.list", {
+    const res = await server.post("/api/relationships.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         reverseDocumentId: documents[1].id,
       },
     });
@@ -313,9 +296,8 @@ describe("#relationships.list", () => {
   });
 
   it("should succeed with status 200 ok returning relationships with multiple filters", async () => {
-    const res = await server.post("/api/relationships.list", {
+    const res = await server.post("/api/relationships.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         type: RelationshipType.Backlink,
         documentId: documents[0].id,
       },
@@ -335,9 +317,8 @@ describe("#relationships.list", () => {
   });
 
   it("should fail with status 400 bad request when documentId is invalid", async () => {
-    const res = await server.post("/api/relationships.list", {
+    const res = await server.post("/api/relationships.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         documentId: "invalid-id",
       },
     });
@@ -345,9 +326,8 @@ describe("#relationships.list", () => {
   });
 
   it("should fail with status 400 bad request when reverseDocumentId is invalid", async () => {
-    const res = await server.post("/api/relationships.list", {
+    const res = await server.post("/api/relationships.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         reverseDocumentId: "invalid-id",
       },
     });
@@ -357,9 +337,8 @@ describe("#relationships.list", () => {
   });
 
   it("should respect pagination", async () => {
-    const res = await server.post("/api/relationships.list", {
+    const res = await server.post("/api/relationships.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         limit: 1,
         offset: 0,
       },
@@ -373,9 +352,8 @@ describe("#relationships.list", () => {
   });
 
   it("should return empty results when no relationships match filters", async () => {
-    const res = await server.post("/api/relationships.list", {
+    const res = await server.post("/api/relationships.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         documentId: "550e8400-e29b-41d4-a716-446655440000",
       },
     });
@@ -411,9 +389,8 @@ describe("#relationships.list", () => {
       reverseDocumentId: cannotAccessDocument.id,
     });
 
-    const res = await server.post("/api/relationships.list", {
+    const res = await server.post("/api/relationships.list", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: userDocument.id,
       },
     });

server/routes/api/revisions/revisions.test.ts

@@ -21,9 +21,8 @@ describe("#revisions.info", () => {
       createContext({ user }),
       document
     );
-    const res = await server.post("/api/revisions.info", {
+    const res = await server.post("/api/revisions.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: revision.id,
       },
     });
@@ -44,9 +43,8 @@ describe("#revisions.info", () => {
       document
     );
     const user = await buildUser();
-    const res = await server.post("/api/revisions.info", {
+    const res = await server.post("/api/revisions.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: revision.id,
       },
     });
@@ -66,9 +64,8 @@ describe("#revisions.update", () => {
       document
     );
 
-    const res = await server.post("/api/revisions.update", {
+    const res = await server.post("/api/revisions.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: revision.id,
         name: "new name",
       },
@@ -89,9 +86,8 @@ describe("#revisions.update", () => {
       document
     );
 
-    const res = await server.post("/api/revisions.update", {
+    const res = await server.post("/api/revisions.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: revision.id,
         name: null,
       },
@@ -112,9 +108,8 @@ describe("#revisions.update", () => {
       document
     );
 
-    const res = await server.post("/api/revisions.update", {
+    const res = await server.post("/api/revisions.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: revision.id,
         name: "",
       },
@@ -133,9 +128,8 @@ describe("#revisions.update", () => {
       document
     );
 
-    const res = await server.post("/api/revisions.update", {
+    const res = await server.post("/api/revisions.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: revision.id,
         name: "new name",
       },
@@ -156,9 +150,8 @@ describe("#revisions.update", () => {
       document
     );
     const user = await buildUser();
-    const res = await server.post("/api/revisions.update", {
+    const res = await server.post("/api/revisions.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: revision.id,
         name: "new name",
       },
@@ -175,9 +168,8 @@ describe("#revisions.list", () => {
       teamId: user.teamId,
     });
     await Revision.createFromDocument(createContext({ user }), document);
-    const res = await server.post("/api/revisions.list", {
+    const res = await server.post("/api/revisions.list", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -208,9 +200,8 @@ describe("#revisions.list", () => {
         collectionId: collection.id,
       },
     });
-    const res = await server.post("/api/revisions.list", {
+    const res = await server.post("/api/revisions.list", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -220,9 +211,8 @@ describe("#revisions.list", () => {
   it("should require authorization", async () => {
     const document = await buildDocument();
     const user = await buildUser();
-    const res = await server.post("/api/revisions.list", {
+    const res = await server.post("/api/revisions.list", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -241,9 +231,8 @@ describe("#revisions.export", () => {
       createContext({ user }),
       document
     );
-    const res = await server.post("/api/revisions.export", {
+    const res = await server.post("/api/revisions.export", user, {
       body: {
-        token: user.getJwtToken(),
         id: revision.id,
       },
     });
@@ -262,9 +251,8 @@ describe("#revisions.export", () => {
       createContext({ user }),
       document
     );
-    const res = await server.post("/api/revisions.export", {
+    const res = await server.post("/api/revisions.export", user, {
       body: {
-        token: user.getJwtToken(),
         id: revision.id,
       },
       headers: {
@@ -286,9 +274,8 @@ describe("#revisions.export", () => {
       createContext({ user }),
       document
     );
-    const res = await server.post("/api/revisions.export", {
+    const res = await server.post("/api/revisions.export", user, {
       body: {
-        token: user.getJwtToken(),
         id: revision.id,
       },
       headers: {
@@ -330,9 +317,8 @@ describe("#revisions.export", () => {
       document
     );
     const user = await buildUser();
-    const res = await server.post("/api/revisions.export", {
+    const res = await server.post("/api/revisions.export", user, {
       body: {
-        token: user.getJwtToken(),
         id: revision.id,
       },
     });

server/routes/api/searches/searches.test.ts

@@ -31,11 +31,7 @@ describe("#searches.list", () => {
   });
 
   it("should succeed with status 200 ok returning results", async () => {
-    const res = await server.post("/api/searches.list", {
+    const res = await server.post("/api/searches.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data).toHaveLength(3);
@@ -46,9 +42,8 @@ describe("#searches.list", () => {
   });
 
   it("should allow filtering by source", async () => {
-    const res = await server.post("/api/searches.list", {
+    const res = await server.post("/api/searches.list", user, {
       body: {
-        token: user.getJwtToken(),
         source: "api",
       },
     });
@@ -72,9 +67,8 @@ describe("#searches.update", () => {
   });
 
   it("should fail with status 400 bad request when an invalid id is provided", async () => {
-    const res = await server.post("/api/searches.update", {
+    const res = await server.post("/api/searches.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: "id",
         score: 1,
       },
@@ -83,9 +77,8 @@ describe("#searches.update", () => {
   });
 
   it("should fail with status 400 bad request when an invalid score is provided", async () => {
-    const res = await server.post("/api/searches.update", {
+    const res = await server.post("/api/searches.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: searchQuery.id,
         score: 2,
       },
@@ -94,9 +87,8 @@ describe("#searches.update", () => {
   });
 
   it("should succeed with status 200 ok and successfully update the query", async () => {
-    const res = await server.post("/api/searches.update", {
+    const res = await server.post("/api/searches.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: searchQuery.id,
         score: 1,
       },
@@ -123,11 +115,7 @@ describe("#searches.delete", () => {
   });
 
   it("should fail with status 400 bad request when no id or query is provided", async () => {
-    const res = await server.post("/api/searches.delete", {
+    const res = await server.post("/api/searches.delete", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
 
     const body = await res.json();
     expect(res.status).toEqual(400);
@@ -135,9 +123,8 @@ describe("#searches.delete", () => {
   });
 
   it("should fail with status 400 bad request when an invalid id is provided", async () => {
-    const res = await server.post("/api/searches.delete", {
+    const res = await server.post("/api/searches.delete", user, {
       body: {
-        token: user.getJwtToken(),
         id: "id",
       },
     });
@@ -156,9 +143,8 @@ describe("#searches.delete", () => {
     });
     expect(searchQueries).toHaveLength(1);
 
-    const res = await server.post("/api/searches.delete", {
+    const res = await server.post("/api/searches.delete", user, {
       body: {
-        token: user.getJwtToken(),
         id: searchQuery.id,
       },
     });

server/routes/api/shares/shares.test.ts

@@ -19,9 +19,8 @@ const server = getTestServer();
 describe("#shares.list", () => {
   it("should fail with status 400 bad request when an invalid sort value is suppled", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/shares.list", {
+    const res = await server.post("/api/shares.list", user, {
       body: {
-        token: user.getJwtToken(),
         sort: "foo",
       },
     });
@@ -47,11 +46,7 @@ describe("#shares.list", () => {
       teamId: user.teamId,
       userId: user.id,
     });
-    const res = await server.post("/api/shares.list", {
+    const res = await server.post("/api/shares.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data.length).toEqual(1);
@@ -71,9 +66,8 @@ describe("#shares.list", () => {
       teamId: user.teamId,
       userId: user.id,
     });
-    const res = await server.post("/api/shares.list", {
+    const res = await server.post("/api/shares.list", user, {
       body: {
-        token: user.getJwtToken(),
         query: "test",
       },
     });
@@ -98,9 +92,8 @@ describe("#shares.list", () => {
       teamId: user.teamId,
       userId: user.id,
     });
-    const res = await server.post("/api/shares.list", {
+    const res = await server.post("/api/shares.list", user, {
       body: {
-        token: user.getJwtToken(),
         query: "test",
       },
     });
@@ -123,11 +116,7 @@ describe("#shares.list", () => {
       userId: user.id,
     });
     await share.revoke(createContext({ user }));
-    const res = await server.post("/api/shares.list", {
+    const res = await server.post("/api/shares.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data.length).toEqual(0);
@@ -145,11 +134,7 @@ describe("#shares.list", () => {
       teamId: user.teamId,
       userId: user.id,
     });
-    const res = await server.post("/api/shares.list", {
+    const res = await server.post("/api/shares.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data.length).toEqual(0);
@@ -167,11 +152,7 @@ describe("#shares.list", () => {
       userId: user.id,
     });
     await withAPIContext(user, (ctx) => document.destroyWithCtx(ctx));
-    const res = await server.post("/api/shares.list", {
+    const res = await server.post("/api/shares.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data.length).toEqual(0);
@@ -187,11 +168,7 @@ describe("#shares.list", () => {
       teamId: admin.teamId,
       userId: user.id,
     });
-    const res = await server.post("/api/shares.list", {
+    const res = await server.post("/api/shares.list", admin);
-      body: {
-        token: admin.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data.length).toEqual(1);
@@ -219,11 +196,7 @@ describe("#shares.list", () => {
     });
     collection.permission = null;
     await collection.save();
-    const res = await server.post("/api/shares.list", {
+    const res = await server.post("/api/shares.list", admin);
-      body: {
-        token: admin.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data.length).toEqual(0);
@@ -240,11 +213,7 @@ describe("#shares.list", () => {
 describe("#shares.create", () => {
   it("should fail with status 400 bad request when both documentId and collectionId are missing", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/shares.create", {
+    const res = await server.post("/api/shares.create", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(400);
     expect(body.message).toEqual(
@@ -254,9 +223,8 @@ describe("#shares.create", () => {
 
   it("should fail with status 400 bad request when documentId is invalid", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/shares.create", {
+    const res = await server.post("/api/shares.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: "foo",
       },
     });
@@ -271,9 +239,8 @@ describe("#shares.create", () => {
       userId: user.id,
       teamId: user.teamId,
     });
-    const res = await server.post("/api/shares.create", {
+    const res = await server.post("/api/shares.create", user, {
       body: {
-        token: user.getJwtToken(),
         collectionId: collection.id,
       },
     });
@@ -289,9 +256,8 @@ describe("#shares.create", () => {
       userId: user.id,
       teamId: user.teamId,
     });
-    const res = await server.post("/api/shares.create", {
+    const res = await server.post("/api/shares.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -307,9 +273,8 @@ describe("#shares.create", () => {
       userId: user.id,
       teamId: user.teamId,
     });
-    const res = await server.post("/api/shares.create", {
+    const res = await server.post("/api/shares.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         includeChildDocuments: true,
         published: true,
@@ -330,9 +295,8 @@ describe("#shares.create", () => {
       userId: user.id,
       teamId: user.teamId,
     });
-    const res = await server.post("/api/shares.create", {
+    const res = await server.post("/api/shares.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         published: true,
       },
@@ -349,9 +313,8 @@ describe("#shares.create", () => {
       userId: user.id,
       teamId: user.teamId,
     });
-    const res = await server.post("/api/shares.create", {
+    const res = await server.post("/api/shares.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         published: true,
         allowIndexing: false,
@@ -392,9 +355,8 @@ describe("#shares.create", () => {
         },
       }
     );
-    const res = await server.post("/api/shares.create", {
+    const res = await server.post("/api/shares.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         published: true,
       },
@@ -428,17 +390,15 @@ describe("#shares.create", () => {
         },
       }
     );
-    const res = await server.post("/api/shares.create", {
+    const res = await server.post("/api/shares.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });
     const body = await res.json();
     expect(res.status).toEqual(200);
-    const response = await server.post("/api/shares.update", {
+    const response = await server.post("/api/shares.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: body.data.id,
         published: true,
       },
@@ -458,9 +418,8 @@ describe("#shares.create", () => {
       userId: user.id,
     });
     await share.revoke(createContext({ user }));
-    const res = await server.post("/api/shares.create", {
+    const res = await server.post("/api/shares.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -481,9 +440,8 @@ describe("#shares.create", () => {
       teamId: user.teamId,
       userId: user.id,
     });
-    const res = await server.post("/api/shares.create", {
+    const res = await server.post("/api/shares.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -499,17 +457,15 @@ describe("#shares.create", () => {
       teamId: user.teamId,
       userId: user.id,
     });
-    const res = await server.post("/api/shares.create", {
+    const res = await server.post("/api/shares.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });
     const body = await res.json();
     expect(res.status).toEqual(200);
-    const response = await server.post("/api/shares.update", {
+    const response = await server.post("/api/shares.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: body.data.id,
         published: true,
       },
@@ -529,17 +485,15 @@ describe("#shares.create", () => {
       collectionId: collection.id,
       teamId: user.teamId,
     });
-    const res = await server.post("/api/shares.create", {
+    const res = await server.post("/api/shares.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });
     const body = await res.json();
     expect(res.status).toEqual(200);
-    const response = await server.post("/api/shares.update", {
+    const response = await server.post("/api/shares.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: body.data.id,
         published: true,
       },
@@ -562,9 +516,8 @@ describe("#shares.create", () => {
   it("should require authorization", async () => {
     const document = await buildDocument();
     const user = await buildUser();
-    const res = await server.post("/api/shares.create", {
+    const res = await server.post("/api/shares.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -575,9 +528,8 @@ describe("#shares.create", () => {
     const user = await buildUser();
     const otherDocument = await buildDocument();
 
-    const res = await server.post("/api/shares.create", {
+    const res = await server.post("/api/shares.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: otherDocument.id,
       },
     });
@@ -588,9 +540,8 @@ describe("#shares.create", () => {
     const user = await buildUser();
     const otherDocument = await buildDocument();
 
-    const res = await server.post("/api/shares.create", {
+    const res = await server.post("/api/shares.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: otherDocument.id,
         published: true,
       },
@@ -602,9 +553,8 @@ describe("#shares.create", () => {
     const user = await buildUser();
     const otherCollection = await buildCollection();
 
-    const res = await server.post("/api/shares.create", {
+    const res = await server.post("/api/shares.create", user, {
       body: {
-        token: user.getJwtToken(),
         collectionId: otherCollection.id,
       },
     });
@@ -622,9 +572,8 @@ describe("#shares.create", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/shares.create", {
+    const res = await server.post("/api/shares.create", user, {
       body: {
-        token: user.getJwtToken(),
         collectionId: collection.id,
         documentId: document.id,
       },
@@ -643,9 +592,8 @@ describe("#shares.create", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/shares.create", {
+    const res = await server.post("/api/shares.create", user, {
       body: {
-        token: user.getJwtToken(),
         collectionId: collection.id,
         documentId: document.id,
         published: true,
@@ -658,11 +606,7 @@ describe("#shares.create", () => {
 describe("#shares.info", () => {
   it("should fail with status 400 bad request when id, collectionId and documentId are missing", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/shares.info", {
+    const res = await server.post("/api/shares.info", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(400);
     expect(body.message).toEqual(
@@ -672,9 +616,8 @@ describe("#shares.info", () => {
 
   it("should fail with status 400 bad request when documentId is invalid", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/shares.info", {
+    const res = await server.post("/api/shares.info", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: "foo",
       },
     });
@@ -702,9 +645,8 @@ describe("#shares.info", () => {
       teamId: admin.teamId,
       userId: admin.id,
     });
-    const res = await server.post("/api/shares.info", {
+    const res = await server.post("/api/shares.info", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -722,9 +664,8 @@ describe("#shares.info", () => {
       teamId: user.teamId,
       userId: user.id,
     });
-    const res = await server.post("/api/shares.info", {
+    const res = await server.post("/api/shares.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: share.id,
       },
     });
@@ -747,9 +688,8 @@ describe("#shares.info", () => {
       teamId: user.teamId,
       userId: user.id,
     });
-    const res = await server.post("/api/shares.info", {
+    const res = await server.post("/api/shares.info", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -765,9 +705,8 @@ describe("#shares.info", () => {
       userId: user.id,
       teamId: user.teamId,
     });
-    const res = await server.post("/api/shares.info", {
+    const res = await server.post("/api/shares.info", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -803,9 +742,8 @@ describe("#shares.info", () => {
     });
     await collection.reload();
     await collection.addDocumentToStructure(childDocument, 0);
-    const res = await server.post("/api/shares.info", {
+    const res = await server.post("/api/shares.info", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: childDocument.id,
       },
     });
@@ -852,9 +790,8 @@ describe("#shares.info", () => {
       userId: user.id,
     });
     await collection.addDocumentToStructure(childDocument, 0);
-    const res = await server.post("/api/shares.info", {
+    const res = await server.post("/api/shares.info", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: childDocument.id,
       },
     });
@@ -897,9 +834,8 @@ describe("#shares.info", () => {
     });
     await collection.reload();
     await collection.addDocumentToStructure(childDocument, 0);
-    const res = await server.post("/api/shares.info", {
+    const res = await server.post("/api/shares.info", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: childDocument.id,
       },
     });
@@ -928,9 +864,8 @@ describe("#shares.update", () => {
       documentId: document.id,
       teamId: user.teamId,
     });
-    const res = await server.post("/api/shares.update", {
+    const res = await server.post("/api/shares.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: share.id,
         urlId: "url_id",
       },
@@ -944,9 +879,8 @@ describe("#shares.update", () => {
 
   it("should fail with status 400 bad request when id is missing", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/shares.update", {
+    const res = await server.post("/api/shares.update", user, {
       body: {
-        token: user.getJwtToken(),
         urlId: "url-id",
       },
     });
@@ -967,9 +901,8 @@ describe("#shares.update", () => {
       documentId: document.id,
       teamId: user.teamId,
     });
-    const res = await server.post("/api/shares.update", {
+    const res = await server.post("/api/shares.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: share.id,
         urlId: "url-id",
       },
@@ -989,17 +922,15 @@ describe("#shares.update", () => {
       documentId: document.id,
       teamId: user.teamId,
     });
-    await server.post("/api/shares.update", {
+    await server.post("/api/shares.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: share.id,
         urlId: "url-id",
       },
     });
 
-    const res = await server.post("/api/shares.update", {
+    const res = await server.post("/api/shares.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: share.id,
         urlId: null,
       },
@@ -1019,9 +950,8 @@ describe("#shares.update", () => {
       documentId: document.id,
       teamId: user.teamId,
     });
-    const res = await server.post("/api/shares.update", {
+    const res = await server.post("/api/shares.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: share.id,
         title: "Custom Title",
         iconUrl: "https://example.com/icon.png",
@@ -1045,9 +975,8 @@ describe("#shares.update", () => {
       title: "Custom Title",
       iconUrl: "https://example.com/icon.png",
     });
-    const res = await server.post("/api/shares.update", {
+    const res = await server.post("/api/shares.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: share.id,
         title: null,
         iconUrl: null,
@@ -1070,9 +999,8 @@ describe("#shares.update", () => {
       teamId: user.teamId,
       title: "Custom Title",
     });
-    const res = await server.post("/api/shares.update", {
+    const res = await server.post("/api/shares.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: share.id,
         title: "",
       },
@@ -1092,9 +1020,8 @@ describe("#shares.update", () => {
       documentId: document.id,
       teamId: user.teamId,
     });
-    const res = await server.post("/api/shares.update", {
+    const res = await server.post("/api/shares.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: share.id,
         iconUrl: "/uploads/icon.png",
       },
@@ -1114,9 +1041,8 @@ describe("#shares.update", () => {
       documentId: document.id,
       teamId: user.teamId,
     });
-    const res = await server.post("/api/shares.update", {
+    const res = await server.post("/api/shares.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: share.id,
         iconUrl: "not a url",
       },
@@ -1134,9 +1060,8 @@ describe("#shares.update", () => {
       documentId: document.id,
       teamId: user.teamId,
     });
-    const res = await server.post("/api/shares.update", {
+    const res = await server.post("/api/shares.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: share.id,
         iconUrl: "javascript:alert(1)",
       },
@@ -1154,9 +1079,8 @@ describe("#shares.update", () => {
       documentId: document.id,
       teamId: user.teamId,
     });
-    const res = await server.post("/api/shares.update", {
+    const res = await server.post("/api/shares.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: share.id,
         published: true,
       },
@@ -1178,9 +1102,8 @@ describe("#shares.update", () => {
       teamId: user.teamId,
       userId: user.id,
     });
-    const res = await server.post("/api/shares.update", {
+    const res = await server.post("/api/shares.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: share.id,
         published: true,
       },
@@ -1201,9 +1124,8 @@ describe("#shares.update", () => {
       teamId: user.teamId,
       userId: user.id,
     });
-    const res = await server.post("/api/shares.update", {
+    const res = await server.post("/api/shares.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: share.id,
         published: true,
       },
@@ -1246,9 +1168,8 @@ describe("#shares.update", () => {
       teamId: admin.teamId,
       userId: admin.id,
     });
-    const res = await server.post("/api/shares.update", {
+    const res = await server.post("/api/shares.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: share.id,
         published: true,
       },
@@ -1260,11 +1181,7 @@ describe("#shares.update", () => {
 describe("#shares.revoke", () => {
   it("should fail with status 400 bad request when id is missing", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/shares.revoke", {
+    const res = await server.post("/api/shares.revoke", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(400);
     expect(body.message).toEqual(
@@ -1283,9 +1200,8 @@ describe("#shares.revoke", () => {
       teamId: user.teamId,
       userId: user.id,
     });
-    const res = await server.post("/api/shares.revoke", {
+    const res = await server.post("/api/shares.revoke", user, {
       body: {
-        token: user.getJwtToken(),
         id: share.id,
       },
     });
@@ -1303,9 +1219,8 @@ describe("#shares.revoke", () => {
       teamId: user.teamId,
       userId: user.id,
     });
-    const res = await server.post("/api/shares.revoke", {
+    const res = await server.post("/api/shares.revoke", user, {
       body: {
-        token: user.getJwtToken(),
         id: share.id,
       },
     });
@@ -1324,9 +1239,8 @@ describe("#shares.revoke", () => {
       userId: user.id,
     });
     await withAPIContext(user, (ctx) => document.destroyWithCtx(ctx));
-    const res = await server.post("/api/shares.revoke", {
+    const res = await server.post("/api/shares.revoke", user, {
       body: {
-        token: user.getJwtToken(),
         id: share.id,
       },
     });
@@ -1343,9 +1257,8 @@ describe("#shares.revoke", () => {
       teamId: user.teamId,
       userId: user.id,
     });
-    const res = await server.post("/api/shares.revoke", {
+    const res = await server.post("/api/shares.revoke", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: share.id,
       },
     });
@@ -1383,9 +1296,8 @@ describe("#shares.revoke", () => {
       teamId: admin.teamId,
       userId: admin.id,
     });
-    const res = await server.post("/api/shares.revoke", {
+    const res = await server.post("/api/shares.revoke", user, {
       body: {
-        token: user.getJwtToken(),
         id: share.id,
       },
     });

server/routes/api/stars/stars.test.ts

@@ -7,11 +7,7 @@ describe("#stars.create", () => {
   it("should fail with status 400 bad request when both documentId and collectionId are missing", async () => {
     const user = await buildUser();
 
-    const res = await server.post("/api/stars.create", {
+    const res = await server.post("/api/stars.create", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
 
     const body = await res.json();
     expect(res.status).toEqual(400);
@@ -27,9 +23,8 @@ describe("#stars.create", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/stars.create", {
+    const res = await server.post("/api/stars.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -55,11 +50,7 @@ describe("#stars.list", () => {
       userId: user.id,
     });
 
-    const res = await server.post("/api/stars.list", {
+    const res = await server.post("/api/stars.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
 
     const body = await res.json();
     expect(res.status).toEqual(200);
@@ -76,11 +67,7 @@ describe("#stars.list", () => {
 describe("#stars.update", () => {
   it("should fail with status 400 bad request when id is missing", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/stars.update", {
+    const res = await server.post("/api/stars.update", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(400);
     expect(body.message).toEqual(
@@ -93,9 +80,8 @@ describe("#stars.update", () => {
     const star = await buildStar({
       userId: user.id,
     });
-    const res = await server.post("/api/stars.update", {
+    const res = await server.post("/api/stars.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: star.id,
         index: "i",
       },
@@ -111,11 +97,7 @@ describe("#stars.update", () => {
 describe("#stars.delete", () => {
   it("should fail with status 400 bad request when id is missing", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/stars.delete", {
+    const res = await server.post("/api/stars.delete", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(400);
     expect(body.message).toEqual(
@@ -129,10 +111,9 @@ describe("#stars.delete", () => {
       userId: user.id,
     });
 
-    const res = await server.post("/api/stars.delete", {
+    const res = await server.post("/api/stars.delete", user, {
       body: {
         id: star.id,
-        token: user.getJwtToken(),
       },
     });
 

server/routes/api/subscriptions/subscriptions.test.ts

@@ -22,9 +22,8 @@ describe("#subscriptions.create", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/subscriptions.create", {
+    const res = await server.post("/api/subscriptions.create", user, {
       body: {
-        token: user.getJwtToken(),
         collectionId: collection.id,
         event: SubscriptionType.Document,
       },
@@ -46,9 +45,8 @@ describe("#subscriptions.create", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/subscriptions.create", {
+    const res = await server.post("/api/subscriptions.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         event: SubscriptionType.Document,
       },
@@ -70,9 +68,8 @@ describe("#subscriptions.create", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/subscriptions.create", {
+    const res = await server.post("/api/subscriptions.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         event: SubscriptionType.Document,
       },
@@ -104,36 +101,32 @@ describe("#subscriptions.create", () => {
     });
 
     // First `subscriptions.create` request.
-    await server.post("/api/subscriptions.create", {
+    await server.post("/api/subscriptions.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         event: SubscriptionType.Document,
       },
     });
 
     // Second `subscriptions.create` request.
-    await server.post("/api/subscriptions.create", {
+    await server.post("/api/subscriptions.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         event: SubscriptionType.Document,
       },
     });
 
     // Third `subscriptions.create` request.
-    await server.post("/api/subscriptions.create", {
+    await server.post("/api/subscriptions.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         event: SubscriptionType.Document,
       },
     });
 
     // List subscriptions associated with `document.id`
-    const res = await server.post("/api/subscriptions.list", {
+    const res = await server.post("/api/subscriptions.list", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         event: SubscriptionType.Document,
       },
@@ -156,9 +149,8 @@ describe("#subscriptions.create", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/subscriptions.create", {
+    const res = await server.post("/api/subscriptions.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         // Subscription on event that cannot be subscribed to.
         event: "documents.publish",
@@ -178,9 +170,8 @@ describe("#subscriptions.create", () => {
   it("should throw 400 when neither documentId nor collectionId is provided", async () => {
     const user = await buildUser();
 
-    const res = await server.post("/api/subscriptions.create", {
+    const res = await server.post("/api/subscriptions.create", user, {
       body: {
-        token: user.getJwtToken(),
         event: SubscriptionType.Document,
       },
     });
@@ -205,9 +196,8 @@ describe("#subscriptions.create", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/subscriptions.create", {
+    const res = await server.post("/api/subscriptions.create", user, {
       body: {
-        token: user.getJwtToken(),
         collectionId: collection.id,
         documentId: document.id,
         event: SubscriptionType.Document,
@@ -236,9 +226,8 @@ describe("#subscriptions.create", () => {
       teamId: otherUser.teamId,
     });
 
-    const res = await server.post("/api/subscriptions.create", {
+    const res = await server.post("/api/subscriptions.create", user, {
       body: {
-        token: user.getJwtToken(),
         collectionId: collection.id,
         documentId: otherDocument.id,
         event: SubscriptionType.Document,
@@ -265,17 +254,15 @@ describe("#subscriptions.info", () => {
       teamId: user.teamId,
     });
 
-    await server.post("/api/subscriptions.create", {
+    await server.post("/api/subscriptions.create", subscriber, {
       body: {
-        token: subscriber.getJwtToken(),
         collectionId: collection.id,
         event: SubscriptionType.Document,
       },
     });
 
-    const res = await server.post("/api/subscriptions.info", {
+    const res = await server.post("/api/subscriptions.info", subscriber, {
       body: {
-        token: subscriber.getJwtToken(),
         collectionId: collection.id,
         event: SubscriptionType.Document,
       },
@@ -305,18 +292,16 @@ describe("#subscriptions.info", () => {
     });
 
     // `subscriber` subscribes to `document0`.
-    await server.post("/api/subscriptions.create", {
+    await server.post("/api/subscriptions.create", subscriber, {
       body: {
-        token: subscriber.getJwtToken(),
         documentId: document0.id,
         event: SubscriptionType.Document,
       },
     });
 
     // `subscriber` subscribes to `document1`.
-    await server.post("/api/subscriptions.create", {
+    await server.post("/api/subscriptions.create", subscriber, {
       body: {
-        token: subscriber.getJwtToken(),
         documentId: document1.id,
         event: SubscriptionType.Document,
       },
@@ -324,13 +309,16 @@ describe("#subscriptions.info", () => {
 
     // `subscriber` wants info about
     // their subscription on `document0`.
-    const subscription0 = await server.post("/api/subscriptions.info", {
+    const subscription0 = await server.post(
-      body: {
+      "/api/subscriptions.info",
-        token: subscriber.getJwtToken(),
+      subscriber,
-        documentId: document0.id,
+      {
-        event: SubscriptionType.Document,
+        body: {
-      },
+          documentId: document0.id,
-    });
+          event: SubscriptionType.Document,
+        },
+      }
+    );
 
     const response0 = await subscription0.json();
 
@@ -343,9 +331,8 @@ describe("#subscriptions.info", () => {
   it("should throw 400 when neither documentId nor collectionId is provided", async () => {
     const user = await buildUser();
 
-    const res = await server.post("/api/subscriptions.info", {
+    const res = await server.post("/api/subscriptions.info", user, {
       body: {
-        token: user.getJwtToken(),
         event: SubscriptionType.Document,
       },
     });
@@ -367,9 +354,8 @@ describe("#subscriptions.info", () => {
       teamId: author.teamId,
     });
 
-    const res = await server.post("/api/subscriptions.info", {
+    const res = await server.post("/api/subscriptions.info", subscriber, {
       body: {
-        token: subscriber.getJwtToken(),
         documentId: document.id,
         event: SubscriptionType.Document,
       },
@@ -396,27 +382,24 @@ describe("#subscriptions.info", () => {
     });
 
     // `subscriber` subscribes to `document0`.
-    await server.post("/api/subscriptions.create", {
+    await server.post("/api/subscriptions.create", subscriber, {
       body: {
-        token: subscriber.getJwtToken(),
         documentId: document0.id,
         event: SubscriptionType.Document,
       },
     });
 
     // `subscriber` subscribes to `document1`.
-    await server.post("/api/subscriptions.create", {
+    await server.post("/api/subscriptions.create", subscriber, {
       body: {
-        token: subscriber.getJwtToken(),
         documentId: document1.id,
         event: SubscriptionType.Document,
       },
     });
 
     // `viewer` wants info about `subscriber`'s subscription on `document0`.
-    const subscription0 = await server.post("/api/subscriptions.info", {
+    const subscription0 = await server.post("/api/subscriptions.info", viewer, {
       body: {
-        token: viewer.getJwtToken(),
         documentId: document0.id,
         event: SubscriptionType.Document,
       },
@@ -431,9 +414,8 @@ describe("#subscriptions.info", () => {
     expect(response0.message).toEqual("Authorization error");
 
     // `viewer` wants info about `subscriber`'s subscription on `document0`.
-    const subscription1 = await server.post("/api/subscriptions.info", {
+    const subscription1 = await server.post("/api/subscriptions.info", viewer, {
       body: {
-        token: viewer.getJwtToken(),
         documentId: document1.id,
         event: SubscriptionType.Document,
       },
@@ -467,27 +449,24 @@ describe("#subscriptions.info", () => {
     });
 
     // `subscriber` subscribes to `document0`.
-    await server.post("/api/subscriptions.create", {
+    await server.post("/api/subscriptions.create", subscriber, {
       body: {
-        token: subscriber.getJwtToken(),
         documentId: document0.id,
         event: SubscriptionType.Document,
       },
     });
 
     // `subscriber` subscribes to `document1`.
-    await server.post("/api/subscriptions.create", {
+    await server.post("/api/subscriptions.create", subscriber, {
       body: {
-        token: subscriber.getJwtToken(),
         documentId: document1.id,
         event: SubscriptionType.Document,
       },
     });
 
     // `viewer` wants info about `subscriber`'s subscription on `document0` - they have requested an invalid event.
-    const subscription0 = await server.post("/api/subscriptions.info", {
+    const subscription0 = await server.post("/api/subscriptions.info", viewer, {
       body: {
-        token: viewer.getJwtToken(),
         documentId: document0.id,
         event: "documents.changed",
       },
@@ -505,9 +484,8 @@ describe("#subscriptions.info", () => {
     // `viewer` wants info about `subscriber`'s
     // subscription on `document0`.
     // They have requested an invalid event.
-    const subscription1 = await server.post("/api/subscriptions.info", {
+    const subscription1 = await server.post("/api/subscriptions.info", viewer, {
       body: {
-        token: viewer.getJwtToken(),
         documentId: document1.id,
         event: "doc.affected",
       },
@@ -538,9 +516,8 @@ describe("#subscriptions.list", () => {
       documentId: document.id,
     });
 
-    const res = await server.post("/api/subscriptions.list", {
+    const res = await server.post("/api/subscriptions.list", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
         event: SubscriptionType.Document,
       },
@@ -570,9 +547,8 @@ describe("#subscriptions.list", () => {
 
     // `subscriber0` wants to be notified about
     // changes on this document.
-    await server.post("/api/subscriptions.create", {
+    await server.post("/api/subscriptions.create", subscriber0, {
       body: {
-        token: subscriber0.getJwtToken(),
         documentId: document.id,
         event: "documents.update",
       },
@@ -580,9 +556,8 @@ describe("#subscriptions.list", () => {
 
     // `subscriber1` wants to be notified about
     // changes on this document.
-    await server.post("/api/subscriptions.create", {
+    await server.post("/api/subscriptions.create", subscriber1, {
       body: {
-        token: subscriber1.getJwtToken(),
         documentId: document.id,
         event: "documents.update",
       },
@@ -590,9 +565,8 @@ describe("#subscriptions.list", () => {
 
     // `viewer` just wants to know the subscribers
     // for this document.
-    const res = await server.post("/api/subscriptions.list", {
+    const res = await server.post("/api/subscriptions.list", viewer, {
       body: {
-        token: viewer.getJwtToken(),
         documentId: document.id,
         event: "documents.update",
       },
@@ -606,9 +580,8 @@ describe("#subscriptions.list", () => {
 
     // `subscriber0` wants to know the subscribers
     // for this document.
-    const res0 = await server.post("/api/subscriptions.list", {
+    const res0 = await server.post("/api/subscriptions.list", subscriber0, {
       body: {
-        token: subscriber0.getJwtToken(),
         documentId: document.id,
         event: "documents.update",
       },
@@ -623,9 +596,8 @@ describe("#subscriptions.list", () => {
 
     // `subscriber1` wants to know the subscribers
     // for this document.
-    const res1 = await server.post("/api/subscriptions.list", {
+    const res1 = await server.post("/api/subscriptions.list", subscriber1, {
       body: {
-        token: subscriber1.getJwtToken(),
         documentId: document.id,
         event: "documents.update",
       },
@@ -654,9 +626,8 @@ describe("#subscriptions.list", () => {
 
     // `subscriber0` wants to be notified about
     // changes on this document.
-    await server.post("/api/subscriptions.create", {
+    await server.post("/api/subscriptions.create", subscriber0, {
       body: {
-        token: subscriber0.getJwtToken(),
         documentId: document.id,
         event: "documents.update",
       },
@@ -664,9 +635,8 @@ describe("#subscriptions.list", () => {
 
     // `subscriber1` wants to be notified about
     // changes on this document.
-    await server.post("/api/subscriptions.create", {
+    await server.post("/api/subscriptions.create", subscriber1, {
       body: {
-        token: subscriber1.getJwtToken(),
         documentId: document.id,
         event: "documents.update",
       },
@@ -674,9 +644,8 @@ describe("#subscriptions.list", () => {
 
     // `viewer` just wants to know the subscribers
     // for this document.
-    const res = await server.post("/api/subscriptions.list", {
+    const res = await server.post("/api/subscriptions.list", viewer, {
       body: {
-        token: viewer.getJwtToken(),
         documentId: document.id,
         event: "changes.on.documents",
       },
@@ -707,9 +676,8 @@ describe("#subscriptions.list", () => {
 
     // `subscriber0` wants to be notified about
     // changes on this document.
-    await server.post("/api/subscriptions.create", {
+    await server.post("/api/subscriptions.create", subscriber0, {
       body: {
-        token: subscriber0.getJwtToken(),
         documentId: document.id,
         event: "documents.update",
       },
@@ -717,9 +685,8 @@ describe("#subscriptions.list", () => {
 
     // `subscriber1` wants to be notified about
     // changes on this document.
-    await server.post("/api/subscriptions.create", {
+    await server.post("/api/subscriptions.create", subscriber1, {
       body: {
-        token: subscriber1.getJwtToken(),
         documentId: document.id,
         event: "documents.update",
       },
@@ -727,9 +694,8 @@ describe("#subscriptions.list", () => {
 
     // `viewer` wants to know the subscribers
     // for this internal document.
-    const res = await server.post("/api/subscriptions.info", {
+    const res = await server.post("/api/subscriptions.info", viewer, {
       body: {
-        token: viewer.getJwtToken(),
         documentId: document.id,
         event: "documents.update",
       },
@@ -748,9 +714,8 @@ describe("#subscriptions.list", () => {
   it("should throw 400 when neither documentId nor collectionId is provided", async () => {
     const user = await buildUser();
 
-    const res = await server.post("/api/subscriptions.list", {
+    const res = await server.post("/api/subscriptions.list", user, {
       body: {
-        token: user.getJwtToken(),
         event: SubscriptionType.Document,
       },
     });
@@ -870,10 +835,9 @@ describe("#subscriptions.delete", () => {
         documentId: document.id,
       });
 
-      const res = await server.post("/api/subscriptions.delete", {
+      const res = await server.post("/api/subscriptions.delete", user, {
         body: {
           id: subscription.id,
-          token: user.getJwtToken(),
         },
       });
 
@@ -904,10 +868,9 @@ describe("#subscriptions.delete", () => {
         collectionId: collection.id,
       });
 
-      const res = await server.post("/api/subscriptions.delete", {
+      const res = await server.post("/api/subscriptions.delete", user, {
         body: {
           id: subscription.id,
-          token: user.getJwtToken(),
         },
       });
 
@@ -943,9 +906,8 @@ describe("#subscriptions.delete", () => {
 
       // `subscriber0` wants to be notified about
       // changes on this document.
-      await server.post("/api/subscriptions.create", {
+      await server.post("/api/subscriptions.create", subscriber0, {
         body: {
-          token: subscriber0.getJwtToken(),
           documentId: document.id,
           event: "documents.update",
         },
@@ -953,9 +915,8 @@ describe("#subscriptions.delete", () => {
 
       // `subscriber1` wants to be notified about
       // changes on this document.
-      const resp = await server.post("/api/subscriptions.create", {
+      const resp = await server.post("/api/subscriptions.create", subscriber1, {
         body: {
-          token: subscriber1.getJwtToken(),
           documentId: document.id,
           event: "documents.update",
         },
@@ -966,10 +927,9 @@ describe("#subscriptions.delete", () => {
 
       // `subscriber0` wants to change `subscriber1`'s
       // subscription for this document.
-      const res = await server.post("/api/subscriptions.delete", {
+      const res = await server.post("/api/subscriptions.delete", subscriber0, {
         body: {
           id: subscription1Id,
-          token: subscriber0.getJwtToken(),
         },
       });
 

server/routes/api/teams/teams.test.ts

@@ -15,9 +15,8 @@ describe("teams.create", () => {
     const team = await buildTeam();
     const user = await buildAdmin({ teamId: team.id });
     const name = faker.company.name();
-    const res = await server.post("/api/teams.create", {
+    const res = await server.post("/api/teams.create", user, {
       body: {
-        token: user.getJwtToken(),
         name,
       },
     });
@@ -31,9 +30,8 @@ describe("teams.create", () => {
 
     const team = await buildTeam();
     const user = await buildAdmin({ teamId: team.id });
-    const res = await server.post("/api/teams.create", {
+    const res = await server.post("/api/teams.create", user, {
       body: {
-        token: user.getJwtToken(),
         name: faker.company.name(),
       },
     });
@@ -45,9 +43,8 @@ describe("#team.update", () => {
   it("should update team details", async () => {
     const admin = await buildAdmin();
     const name = faker.company.name();
-    const res = await server.post("/api/team.update", {
+    const res = await server.post("/api/team.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         name,
       },
     });
@@ -59,9 +56,8 @@ describe("#team.update", () => {
   it("should add avatar", async () => {
     const team = await buildTeam();
     const admin = await buildAdmin({ teamId: team.id });
-    const res = await server.post("/api/team.update", {
+    const res = await server.post("/api/team.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         avatarUrl: "https://random-url.com",
       },
     });
@@ -73,9 +69,8 @@ describe("#team.update", () => {
   it("should remove avatar", async () => {
     const team = await buildTeam({ avatarUrl: "https://random-url.com" });
     const admin = await buildAdmin({ teamId: team.id });
-    const res = await server.post("/api/team.update", {
+    const res = await server.post("/api/team.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         avatarUrl: null,
       },
     });
@@ -86,9 +81,8 @@ describe("#team.update", () => {
 
   it("should not invalidate request if subdomain is sent as null", async () => {
     const admin = await buildAdmin();
-    const res = await server.post("/api/team.update", {
+    const res = await server.post("/api/team.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         subdomain: null,
       },
     });
@@ -100,9 +94,8 @@ describe("#team.update", () => {
     const admin = await buildAdmin({ teamId: team.id });
     const domain1 = faker.internet.domainName();
     const domain2 = faker.internet.domainName();
-    const res = await server.post("/api/team.update", {
+    const res = await server.post("/api/team.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         allowedDomains: [domain1, "", domain2, "", ""],
       },
     });
@@ -127,9 +120,8 @@ describe("#team.update", () => {
       createdById: admin.id,
     });
 
-    const res = await server.post("/api/team.update", {
+    const res = await server.post("/api/team.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         allowedDomains: [],
       },
     });
@@ -156,9 +148,8 @@ describe("#team.update", () => {
     const domain1 = faker.internet.domainName();
     const domain2 = faker.internet.domainName();
 
-    const res = await server.post("/api/team.update", {
+    const res = await server.post("/api/team.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         allowedDomains: [domain1, domain2],
       },
     });
@@ -177,16 +168,14 @@ describe("#team.update", () => {
 
   it("should only allow member,viewer or admin as default role", async () => {
     const admin = await buildAdmin();
-    const res = await server.post("/api/team.update", {
+    const res = await server.post("/api/team.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         defaultUserRole: "New name",
       },
     });
     expect(res.status).toEqual(400);
-    const successRes = await server.post("/api/team.update", {
+    const successRes = await server.post("/api/team.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         defaultUserRole: "viewer",
       },
     });
@@ -198,9 +187,8 @@ describe("#team.update", () => {
   it("should allow identical team details", async () => {
     const team = await buildTeam();
     const admin = await buildAdmin({ teamId: team.id });
-    const res = await server.post("/api/team.update", {
+    const res = await server.post("/api/team.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         name: team.name,
       },
     });
@@ -211,9 +199,8 @@ describe("#team.update", () => {
 
   it("should require admin", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/team.update", {
+    const res = await server.post("/api/team.update", user, {
       body: {
-        token: user.getJwtToken(),
         name: faker.company.name(),
       },
     });
@@ -227,9 +214,8 @@ describe("#team.update", () => {
 
   it("should not allow setting team name to null", async () => {
     const admin = await buildAdmin();
-    const res = await server.post("/api/team.update", {
+    const res = await server.post("/api/team.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         name: null,
       },
     });
@@ -244,9 +230,8 @@ describe("#team.update", () => {
       userId: admin.id,
     });
 
-    const res = await server.post("/api/team.update", {
+    const res = await server.post("/api/team.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         defaultCollectionId: collection.id,
       },
     });
@@ -268,9 +253,8 @@ describe("#team.update", () => {
       userId: admin.id,
     });
 
-    const res = await server.post("/api/team.update", {
+    const res = await server.post("/api/team.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         defaultCollectionId: collection.id,
       },
     });
@@ -279,9 +263,8 @@ describe("#team.update", () => {
     expect(res.status).toEqual(200);
     expect(body.data.defaultCollectionId).toEqual(collection.id);
 
-    const updateRes = await server.post("/api/collections.update", {
+    const updateRes = await server.post("/api/collections.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: collection.id,
         permission: null,
       },
@@ -289,11 +272,7 @@ describe("#team.update", () => {
 
     expect(updateRes.status).toEqual(200);
 
-    const res3 = await server.post("/api/auth.info", {
+    const res3 = await server.post("/api/auth.info", admin);
-      body: {
-        token: admin.getJwtToken(),
-      },
-    });
     const body3 = await res3.json();
     expect(res3.status).toEqual(200);
     expect(body3.data.team.defaultCollectionId).toEqual(null);

server/routes/api/templates/templates.test.ts

@@ -20,11 +20,7 @@ describe("#templates.list", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/templates.list", {
+    const res = await server.post("/api/templates.list", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
 
     const body = await res.json();
     expect(res.status).toEqual(200);
@@ -45,9 +41,8 @@ describe("#templates.list", () => {
       collectionId: collection.id,
     });
 
-    const res = await server.post("/api/templates.list", {
+    const res = await server.post("/api/templates.list", user, {
       body: {
-        token: user.getJwtToken(),
         collectionId: collection.id,
       },
     });
@@ -72,9 +67,8 @@ describe("#templates.info", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/templates.info", {
+    const res = await server.post("/api/templates.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: template.id,
       },
     });
@@ -92,9 +86,8 @@ describe("#templates.info", () => {
 
   it("should fail for invalid template id", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/templates.info", {
+    const res = await server.post("/api/templates.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: "invalid",
       },
     });
@@ -112,9 +105,8 @@ describe("#templates.update", () => {
       title: "Original title",
     });
 
-    const res = await server.post("/api/templates.update", {
+    const res = await server.post("/api/templates.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: template.id,
         title: "New title",
       },
@@ -148,9 +140,8 @@ describe("#templates.update", () => {
       ],
     };
 
-    const res = await server.post("/api/templates.update", {
+    const res = await server.post("/api/templates.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: template.id,
         data,
       },
@@ -173,9 +164,8 @@ describe("#templates.update", () => {
       teamId: admin.teamId,
     });
 
-    const res = await server.post("/api/templates.update", {
+    const res = await server.post("/api/templates.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: template.id,
         collectionId: targetCollection.id,
       },
@@ -199,9 +189,8 @@ describe("#templates.update", () => {
       permission: null,
     });
 
-    const res = await server.post("/api/templates.update", {
+    const res = await server.post("/api/templates.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: template.id,
         collectionId: inaccessibleCollection.id,
       },
@@ -222,9 +211,8 @@ describe("#templates.update", () => {
     // but is not a team admin
     const user = await buildUser({ teamId: admin.teamId });
 
-    const res = await server.post("/api/templates.update", {
+    const res = await server.post("/api/templates.update", user, {
       body: {
-        token: user.getJwtToken(),
         id: template.id,
         collectionId: null,
       },
@@ -240,9 +228,8 @@ describe("#templates.update", () => {
       teamId: admin.teamId,
     });
 
-    const res = await server.post("/api/templates.update", {
+    const res = await server.post("/api/templates.update", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: template.id,
         collectionId: null,
       },
@@ -255,9 +242,8 @@ describe("#templates.update", () => {
 
   it("should fail with status 400 bad request when id is missing", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/templates.update", {
+    const res = await server.post("/api/templates.update", user, {
       body: {
-        token: user.getJwtToken(),
         title: "New title",
       },
     });
@@ -281,9 +267,8 @@ describe("#templates.duplicate", () => {
       title: "test",
     });
 
-    const res = await server.post("/api/templates.duplicate", {
+    const res = await server.post("/api/templates.duplicate", user, {
       body: {
-        token: user.getJwtToken(),
         id: template.id,
       },
     });
@@ -302,9 +287,8 @@ describe("#templates.duplicate", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/templates.duplicate", {
+    const res = await server.post("/api/templates.duplicate", user, {
       body: {
-        token: user.getJwtToken(),
         id: template.id,
         title: "New title",
       },
@@ -329,9 +313,8 @@ describe("#templates.duplicate", () => {
       teamId: admin.teamId,
     });
 
-    const res = await server.post("/api/templates.duplicate", {
+    const res = await server.post("/api/templates.duplicate", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: template.id,
         collectionId: targetCollection.id,
       },
@@ -355,9 +338,8 @@ describe("#templates.duplicate", () => {
       permission: null,
     });
 
-    const res = await server.post("/api/templates.duplicate", {
+    const res = await server.post("/api/templates.duplicate", user, {
       body: {
-        token: user.getJwtToken(),
         id: template.id,
         collectionId: inaccessibleCollection.id,
       },
@@ -376,9 +358,8 @@ describe("#templates.duplicate", () => {
     // Non-admin member on the same team
     const user = await buildUser({ teamId: admin.teamId });
 
-    const res = await server.post("/api/templates.duplicate", {
+    const res = await server.post("/api/templates.duplicate", user, {
       body: {
-        token: user.getJwtToken(),
         id: template.id,
         collectionId: null,
       },
@@ -394,9 +375,8 @@ describe("#templates.duplicate", () => {
       teamId: admin.teamId,
     });
 
-    const res = await server.post("/api/templates.duplicate", {
+    const res = await server.post("/api/templates.duplicate", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: template.id,
         collectionId: null,
       },
@@ -414,9 +394,8 @@ describe("#templates.duplicate", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/templates.duplicate", {
+    const res = await server.post("/api/templates.duplicate", user, {
       body: {
-        token: user.getJwtToken(),
         id: template.id,
       },
     });
@@ -433,9 +412,8 @@ describe("#templates.duplicate", () => {
 
   it("should fail for invalid template id", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/templates.duplicate", {
+    const res = await server.post("/api/templates.duplicate", user, {
       body: {
-        token: user.getJwtToken(),
         id: "invalid",
       },
     });
@@ -452,9 +430,8 @@ describe("#templates.delete", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/templates.delete", {
+    const res = await server.post("/api/templates.delete", user, {
       body: {
-        token: user.getJwtToken(),
         id: template.id,
       },
     });
@@ -466,11 +443,7 @@ describe("#templates.delete", () => {
 
   it("should fail with status 400 bad request when id is missing", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/templates.delete", {
+    const res = await server.post("/api/templates.delete", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(400);
     expect(body.message).toEqual("id: Must be a valid UUID or slug");
@@ -494,9 +467,8 @@ describe("templateManagement", () => {
 
       const member = await buildUser({ teamId: admin.teamId });
 
-      const res = await server.post("/api/templates.create", {
+      const res = await server.post("/api/templates.create", member, {
         body: {
-          token: member.getJwtToken(),
           collectionId: collection.id,
           title: "Member template",
           data: {
@@ -527,9 +499,8 @@ describe("templateManagement", () => {
 
       const member = await buildUser({ teamId: admin.teamId });
 
-      const res = await server.post("/api/templates.create", {
+      const res = await server.post("/api/templates.create", member, {
         body: {
-          token: member.getJwtToken(),
           collectionId: collection.id,
           title: "Member template",
           data: {
@@ -564,9 +535,8 @@ describe("templateManagement", () => {
         permission: CollectionPermission.ReadWrite,
       });
 
-      const res = await server.post("/api/templates.create", {
+      const res = await server.post("/api/templates.create", member, {
         body: {
-          token: member.getJwtToken(),
           collectionId: collection.id,
           title: "Member template",
           data: {
@@ -603,9 +573,8 @@ describe("templateManagement", () => {
         permission: CollectionPermission.Read,
       });
 
-      const res = await server.post("/api/templates.create", {
+      const res = await server.post("/api/templates.create", member, {
         body: {
-          token: member.getJwtToken(),
           collectionId: collection.id,
           title: "Member template",
           data: {
@@ -640,9 +609,8 @@ describe("templateManagement", () => {
         collectionId: collection.id,
       });
 
-      const res = await server.post("/api/templates.update", {
+      const res = await server.post("/api/templates.update", member, {
         body: {
-          token: member.getJwtToken(),
           id: template.id,
           title: "Updated by member",
         },
@@ -668,9 +636,8 @@ describe("templateManagement", () => {
         collectionId: collection.id,
       });
 
-      const res = await server.post("/api/templates.update", {
+      const res = await server.post("/api/templates.update", member, {
         body: {
-          token: member.getJwtToken(),
           id: template.id,
           title: "Updated by member",
         },
@@ -696,9 +663,8 @@ describe("templateManagement", () => {
         collectionId: collection.id,
       });
 
-      const res = await server.post("/api/templates.duplicate", {
+      const res = await server.post("/api/templates.duplicate", member, {
         body: {
-          token: member.getJwtToken(),
           id: template.id,
         },
       });
@@ -723,9 +689,8 @@ describe("templateManagement", () => {
         collectionId: collection.id,
       });
 
-      const res = await server.post("/api/templates.duplicate", {
+      const res = await server.post("/api/templates.duplicate", member, {
         body: {
-          token: member.getJwtToken(),
           id: template.id,
         },
       });
@@ -751,9 +716,8 @@ describe("templateManagement", () => {
       });
       await template.destroy();
 
-      const res = await server.post("/api/templates.restore", {
+      const res = await server.post("/api/templates.restore", member, {
         body: {
-          token: member.getJwtToken(),
           id: template.id,
         },
       });
@@ -779,9 +743,8 @@ describe("templateManagement", () => {
       });
       await template.destroy();
 
-      const res = await server.post("/api/templates.restore", {
+      const res = await server.post("/api/templates.restore", member, {
         body: {
-          token: member.getJwtToken(),
           id: template.id,
         },
       });
@@ -806,9 +769,8 @@ describe("templateManagement", () => {
         collectionId: collection.id,
       });
 
-      const res = await server.post("/api/templates.delete", {
+      const res = await server.post("/api/templates.delete", member, {
         body: {
-          token: member.getJwtToken(),
           id: template.id,
         },
       });
@@ -833,9 +795,8 @@ describe("templateManagement", () => {
         collectionId: collection.id,
       });
 
-      const res = await server.post("/api/templates.delete", {
+      const res = await server.post("/api/templates.delete", member, {
         body: {
-          token: member.getJwtToken(),
           id: template.id,
         },
       });

server/routes/api/urls/urls.test.ts

@@ -53,9 +53,8 @@ describe("#urls.unfurl", () => {
   });
 
   it("should fail with status 400 bad request when url is invalid", async () => {
-    const res = await server.post("/api/urls.unfurl", {
+    const res = await server.post("/api/urls.unfurl", user, {
       body: {
-        token: user.getJwtToken(),
         url: "/doc/foo-bar",
       },
     });
@@ -66,9 +65,8 @@ describe("#urls.unfurl", () => {
   });
 
   it("should fail with status 400 bad request when mention url is invalid", async () => {
-    const res = await server.post("/api/urls.unfurl", {
+    const res = await server.post("/api/urls.unfurl", user, {
       body: {
-        token: user.getJwtToken(),
         url: "mention://1/foo/1",
       },
     });
@@ -79,9 +77,8 @@ describe("#urls.unfurl", () => {
   });
 
   it("should fail with status 400 bad request when mention url is supplied without documentId", async () => {
-    const res = await server.post("/api/urls.unfurl", {
+    const res = await server.post("/api/urls.unfurl", user, {
       body: {
-        token: user.getJwtToken(),
         url: "mention://2767ba0e-ac5c-4533-b9cf-4f5fc456600e/user/34095ac1-c808-45c0-8c6e-6c554497de64",
       },
     });
@@ -92,9 +89,8 @@ describe("#urls.unfurl", () => {
   });
 
   it("should fail with status 404 not found when mention user does not exist", async () => {
-    const res = await server.post("/api/urls.unfurl", {
+    const res = await server.post("/api/urls.unfurl", user, {
       body: {
-        token: user.getJwtToken(),
         url: "mention://2767ba0e-ac5c-4533-b9cf-4f5fc456600e/user/34095ac1-c808-45c0-8c6e-6c554497de64",
         documentId: "2767ba0e-ac5c-4533-b9cf-4f5fc456600e",
       },
@@ -110,9 +106,8 @@ describe("#urls.unfurl", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/urls.unfurl", {
+    const res = await server.post("/api/urls.unfurl", user, {
       body: {
-        token: user.getJwtToken(),
         url: `mention://2767ba0e-ac5c-4533-b9cf-4f5fc456600e/user/${mentionedUser.id}`,
         documentId: "2767ba0e-ac5c-4533-b9cf-4f5fc456600e",
       },
@@ -129,9 +124,8 @@ describe("#urls.unfurl", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/urls.unfurl", {
+    const res = await server.post("/api/urls.unfurl", user, {
       body: {
-        token: user.getJwtToken(),
         url: `mention://2767ba0e-ac5c-4533-b9cf-4f5fc456600e/user/${mentionedUser.id}`,
         documentId: document.id,
       },
@@ -147,9 +141,8 @@ describe("#urls.unfurl", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/urls.unfurl", {
+    const res = await server.post("/api/urls.unfurl", user, {
       body: {
-        token: user.getJwtToken(),
         url: `mention://2767ba0e-ac5c-4533-b9cf-4f5fc456600e/user/${mentionedUser.id}`,
         documentId: document.id,
       },
@@ -161,9 +154,8 @@ describe("#urls.unfurl", () => {
   });
 
   it("should return 204 when internal document url points to non-existent document", async () => {
-    const res = await server.post("/api/urls.unfurl", {
+    const res = await server.post("/api/urls.unfurl", user, {
       body: {
-        token: user.getJwtToken(),
         url: `${env.URL}/doc/non-existent-doc-abc123`,
       },
     });
@@ -175,9 +167,8 @@ describe("#urls.unfurl", () => {
       teamId: user.teamId,
     });
 
-    const res = await server.post("/api/urls.unfurl", {
+    const res = await server.post("/api/urls.unfurl", user, {
       body: {
-        token: user.getJwtToken(),
         url: `${env.URL}/${document.url}`,
         documentId: document.id,
       },
@@ -200,9 +191,8 @@ describe("#urls.unfurl", () => {
       published: true,
     });
 
-    const res = await server.post("/api/urls.unfurl", {
+    const res = await server.post("/api/urls.unfurl", user, {
       body: {
-        token: user.getJwtToken(),
         url: `${env.URL}/s/${share.id}/doc/${document.urlId}`,
       },
     });
@@ -225,9 +215,8 @@ describe("#urls.unfurl", () => {
       published: true,
     });
 
-    const res = await server.post("/api/urls.unfurl", {
+    const res = await server.post("/api/urls.unfurl", user, {
       body: {
-        token: user.getJwtToken(),
         url: `${env.URL}/s/${share.urlId}/doc/${document.urlId}`,
       },
     });
@@ -272,9 +261,8 @@ describe("#urls.unfurl", () => {
       published: true,
     });
 
-    const res = await server.post("/api/urls.unfurl", {
+    const res = await server.post("/api/urls.unfurl", user, {
       body: {
-        token: user.getJwtToken(),
         url: `${env.URL}/s/${share.id}/doc/${document.urlId}`,
       },
     });
@@ -294,9 +282,8 @@ describe("#urls.unfurl", () => {
       published: true,
     });
 
-    const res = await server.post("/api/urls.unfurl", {
+    const res = await server.post("/api/urls.unfurl", user, {
       body: {
-        token: user.getJwtToken(),
         url: `${env.URL}/s/${share.id}`,
       },
     });
@@ -337,9 +324,8 @@ describe("#urls.unfurl", () => {
       })
     );
 
-    const res = await server.post("/api/urls.unfurl", {
+    const res = await server.post("/api/urls.unfurl", user, {
       body: {
-        token: user.getJwtToken(),
         url: "https://www.flickr.com",
       },
     });
@@ -368,9 +354,8 @@ describe("#urls.unfurl", () => {
       })
     );
 
-    const res = await server.post("/api/urls.unfurl", {
+    const res = await server.post("/api/urls.unfurl", user, {
       body: {
-        token: user.getJwtToken(),
         url: "https://random.url",
       },
     });
@@ -386,19 +371,14 @@ describe("#urls.checkEmbed", () => {
   });
 
   it("should fail with status 400 bad request when url is missing", async () => {
-    const res = await server.post("/api/urls.checkEmbed", {
+    const res = await server.post("/api/urls.checkEmbed", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
 
     expect(res.status).toEqual(400);
   });
 
   it("should fail with status 400 bad request when url is not a valid URL", async () => {
-    const res = await server.post("/api/urls.checkEmbed", {
+    const res = await server.post("/api/urls.checkEmbed", user, {
       body: {
-        token: user.getJwtToken(),
         url: "not-a-url",
       },
     });
@@ -408,9 +388,8 @@ describe("#urls.checkEmbed", () => {
 
   it("should return a result for valid URLs", async () => {
     // Use a YouTube URL which matches a known embed pattern
-    const res = await server.post("/api/urls.checkEmbed", {
+    const res = await server.post("/api/urls.checkEmbed", user, {
       body: {
-        token: user.getJwtToken(),
         url: "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
       },
     });
@@ -425,9 +404,8 @@ describe("#urls.checkEmbed", () => {
 describe("#urls.validateCustomDomain", () => {
   it("should succeed with custom domain pointing at server", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/urls.validateCustomDomain", {
+    const res = await server.post("/api/urls.validateCustomDomain", user, {
       body: {
-        token: user.getJwtToken(),
         hostname: "valid.custom.domain",
       },
     });
@@ -436,9 +414,8 @@ describe("#urls.validateCustomDomain", () => {
 
   it("should fail with another domain", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/urls.validateCustomDomain", {
+    const res = await server.post("/api/urls.validateCustomDomain", user, {
       body: {
-        token: user.getJwtToken(),
         hostname: "google.com",
       },
     });

server/routes/api/userMemberships/userMemberships.test.ts

@@ -30,20 +30,15 @@ describe("#userMemberships.list", () => {
     const member = await buildUser({
       teamId: user.teamId,
     });
-    await server.post("/api/documents.add_user", {
+    await server.post("/api/documents.add_user", user, {
       body: {
-        token: user.getJwtToken(),
         id: document.id,
         userId: member.id,
       },
     });
     const users = await document.$get("users");
     expect(users.length).toEqual(1);
-    const res = await server.post("/api/userMemberships.list", {
+    const res = await server.post("/api/userMemberships.list", member);
-      body: {
-        token: member.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data).not.toBeFalsy();
@@ -79,9 +74,8 @@ describe("#userMemberships.update", () => {
     const member = await buildUser({
       teamId: user.teamId,
     });
-    const resp = await server.post("/api/documents.add_user", {
+    const resp = await server.post("/api/documents.add_user", user, {
       body: {
-        token: user.getJwtToken(),
         id: document.id,
         userId: member.id,
       },
@@ -93,9 +87,8 @@ describe("#userMemberships.update", () => {
 
     const users = await document.$get("users");
     expect(users.length).toEqual(1);
-    const res = await server.post("/api/userMemberships.update", {
+    const res = await server.post("/api/userMemberships.update", member, {
       body: {
-        token: member.getJwtToken(),
         id: respBody.data.memberships[0].id,
         index: "V",
       },

server/routes/api/users/users.test.ts

@@ -27,10 +27,9 @@ describe("#users.list", () => {
       email: "john.doe@example.com",
     });
 
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", user, {
       body: {
         query: "john.doe@e",
-        token: user.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -49,10 +48,9 @@ describe("#users.list", () => {
       teamId: user.teamId,
       suspendedAt: new Date(),
     });
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", user, {
       body: {
         query: "test",
-        token: user.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -69,10 +67,9 @@ describe("#users.list", () => {
       name: "Admin",
       teamId: user.teamId,
     });
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", user, {
       body: {
         role: UserRole.Admin,
-        token: user.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -88,11 +85,10 @@ describe("#users.list", () => {
       teamId: admin.teamId,
       suspendedAt: new Date(),
     });
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", admin, {
       body: {
         query: "test",
         filter: "suspended",
-        token: admin.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -107,10 +103,9 @@ describe("#users.list", () => {
       teamId: user.teamId,
       suspendedAt: new Date(),
     });
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", user, {
       body: {
         query: "test",
-        token: user.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -126,11 +121,10 @@ describe("#users.list", () => {
       name: "Tester",
       teamId: user.teamId,
     });
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", user, {
       body: {
         query: "test",
         filter: "active",
-        token: user.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -147,11 +141,10 @@ describe("#users.list", () => {
       teamId: user.teamId,
       lastActiveAt: null,
     });
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", user, {
       body: {
         query: "test",
         filter: "invited",
-        token: user.getJwtToken(),
       },
     });
     const body = await res.json();
@@ -164,9 +157,8 @@ describe("#users.list", () => {
     const admin = await buildAdmin({ teamId: team.id });
     await buildUser({ teamId: team.id });
 
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         sort: "createdAt",
         direction: "DESC",
       },
@@ -181,9 +173,8 @@ describe("#users.list", () => {
     const admin = await buildAdmin({ teamId: team.id });
     const user = await buildUser({ teamId: team.id });
 
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         ids: [user.id],
       },
     });
@@ -198,9 +189,8 @@ describe("#users.list", () => {
     const admin = await buildAdmin({ teamId: team.id });
     const user = await buildUser({ teamId: team.id });
 
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         emails: [user.email],
       },
     });
@@ -216,9 +206,8 @@ describe("#users.list", () => {
     const user = await buildUser({ teamId: team.id });
 
     // Test with uppercase email
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         emails: [user.email!.toUpperCase()],
       },
     });
@@ -235,9 +224,8 @@ describe("#users.list", () => {
       )
       .join("@");
 
-    const res2 = await server.post("/api/users.list", {
+    const res2 = await server.post("/api/users.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         emails: [mixedCaseEmail],
       },
     });
@@ -251,11 +239,7 @@ describe("#users.list", () => {
     const team = await buildTeam();
     await buildUser({ teamId: team.id });
     const guest = await buildUser({ teamId: team.id, role: UserRole.Guest });
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", guest);
-      body: {
-        token: guest.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data).toHaveLength(2);
@@ -267,11 +251,7 @@ describe("#users.list", () => {
     const team = await buildTeam();
     await buildUser({ teamId: team.id });
     const viewer = await buildUser({ teamId: team.id, role: UserRole.Viewer });
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", viewer);
-      body: {
-        token: viewer.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data).toHaveLength(2);
@@ -283,11 +263,7 @@ describe("#users.list", () => {
     const team = await buildTeam();
     const user = await buildUser({ teamId: team.id });
     const member = await buildUser({ teamId: team.id, role: UserRole.Member });
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", member);
-      body: {
-        token: member.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data).toHaveLength(2);
@@ -299,11 +275,7 @@ describe("#users.list", () => {
     const team = await buildTeam();
     await buildUser({ teamId: team.id });
     const guest = await buildUser({ teamId: team.id, role: UserRole.Guest });
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", guest);
-      body: {
-        token: guest.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data).toHaveLength(2);
@@ -321,11 +293,7 @@ describe("#users.list", () => {
     const team = await buildTeam();
     await buildUser({ teamId: team.id });
     const viewer = await buildUser({ teamId: team.id, role: UserRole.Viewer });
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", viewer);
-      body: {
-        token: viewer.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data).toHaveLength(2);
@@ -343,11 +311,7 @@ describe("#users.list", () => {
     const team = await buildTeam();
     await buildUser({ teamId: team.id });
     const member = await buildUser({ teamId: team.id, role: UserRole.Member });
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", member);
-      body: {
-        token: member.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data).toHaveLength(2);
@@ -365,11 +329,7 @@ describe("#users.list", () => {
     const team = await buildTeam();
     const admin = await buildAdmin({ teamId: team.id });
     const user = await buildUser({ teamId: team.id });
-    const res = await server.post("/api/users.list", {
+    const res = await server.post("/api/users.list", admin);
-      body: {
-        token: admin.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data).toHaveLength(2);
@@ -389,11 +349,7 @@ describe("#users.list", () => {
 describe("#users.info", () => {
   it("should return current user with no id", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/users.info", {
+    const res = await server.post("/api/users.info", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     const body = await res.json();
     expect(res.status).toEqual(200);
     expect(body.data.id).toEqual(user.id);
@@ -406,9 +362,8 @@ describe("#users.info", () => {
     const another = await buildUser({
       teamId: user.teamId,
     });
-    const res = await server.post("/api/users.info", {
+    const res = await server.post("/api/users.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: another.id,
       },
     });
@@ -423,9 +378,8 @@ describe("#users.info", () => {
   it("should now return user without permission", async () => {
     const user = await buildUser();
     const another = await buildUser();
-    const res = await server.post("/api/users.info", {
+    const res = await server.post("/api/users.info", user, {
       body: {
-        token: user.getJwtToken(),
         id: another.id,
       },
     });
@@ -441,9 +395,8 @@ describe("#users.info", () => {
 describe("#users.invite", () => {
   it("should return sent invites", async () => {
     const user = await buildAdmin();
-    const res = await server.post("/api/users.invite", {
+    const res = await server.post("/api/users.invite", user, {
       body: {
-        token: user.getJwtToken(),
         invites: [
           {
             email: "test@example.com",
@@ -460,9 +413,8 @@ describe("#users.invite", () => {
 
   it("should require invites to be an array", async () => {
     const admin = await buildAdmin();
-    const res = await server.post("/api/users.invite", {
+    const res = await server.post("/api/users.invite", admin, {
       body: {
-        token: admin.getJwtToken(),
         invites: {
           email: "test@example.com",
           name: "Test",
@@ -475,9 +427,8 @@ describe("#users.invite", () => {
 
   it("should allow members to invite members", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/users.invite", {
+    const res = await server.post("/api/users.invite", user, {
       body: {
-        token: user.getJwtToken(),
         invites: [
           {
             email: "test@example.com",
@@ -494,9 +445,8 @@ describe("#users.invite", () => {
 
   it("should now allow viewers to invite", async () => {
     const user = await buildViewer();
-    const res = await server.post("/api/users.invite", {
+    const res = await server.post("/api/users.invite", user, {
       body: {
-        token: user.getJwtToken(),
         invites: [
           {
             email: "test@example.com",
@@ -515,9 +465,8 @@ describe("#users.invite", () => {
     await team.save();
 
     const user = await buildUser({ teamId: team.id });
-    const res = await server.post("/api/users.invite", {
+    const res = await server.post("/api/users.invite", user, {
       body: {
-        token: user.getJwtToken(),
         invites: [
           {
             email: "test@example.com",
@@ -532,9 +481,8 @@ describe("#users.invite", () => {
 
   it("should invite user as an admin", async () => {
     const admin = await buildAdmin();
-    const res = await server.post("/api/users.invite", {
+    const res = await server.post("/api/users.invite", admin, {
       body: {
-        token: admin.getJwtToken(),
         invites: [
           {
             email: "test@example.com",
@@ -552,9 +500,8 @@ describe("#users.invite", () => {
 
   it("should invite user as a viewer", async () => {
     const admin = await buildAdmin();
-    const res = await server.post("/api/users.invite", {
+    const res = await server.post("/api/users.invite", admin, {
       body: {
-        token: admin.getJwtToken(),
         invites: [
           {
             email: "test@example.com",
@@ -572,9 +519,8 @@ describe("#users.invite", () => {
 
   it("should limit number of invites", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/users.invite", {
+    const res = await server.post("/api/users.invite", user, {
       body: {
-        token: user.getJwtToken(),
         invites: new Array(21).fill({
           email: "test@example.com",
           name: "Test",
@@ -597,11 +543,7 @@ describe("#users.delete", () => {
     await buildUser({
       teamId: user.teamId,
     });
-    const res = await server.post("/api/users.delete", {
+    const res = await server.post("/api/users.delete", user);
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
     expect(res.status).toEqual(400);
   });
 
@@ -610,10 +552,9 @@ describe("#users.delete", () => {
     await buildUser({
       teamId: user.teamId,
     });
-    const res = await server.post("/api/users.delete", {
+    const res = await server.post("/api/users.delete", user, {
       body: {
         code: "123",
-        token: user.getJwtToken(),
       },
     });
     expect(res.status).toEqual(400);
@@ -624,10 +565,9 @@ describe("#users.delete", () => {
     await buildUser({
       teamId: user.teamId,
     });
-    const res = await server.post("/api/users.delete", {
+    const res = await server.post("/api/users.delete", user, {
       body: {
         code: user.deleteConfirmationCode,
-        token: user.getJwtToken(),
       },
     });
     expect(res.status).toEqual(200);
@@ -638,10 +578,9 @@ describe("#users.delete", () => {
     const user = await buildUser({
       teamId: admin.teamId,
     });
-    const res = await server.post("/api/users.delete", {
+    const res = await server.post("/api/users.delete", admin, {
       body: {
         id: user.id,
-        token: admin.getJwtToken(),
       },
     });
     expect(res.status).toEqual(200);
@@ -658,9 +597,8 @@ describe("#users.delete", () => {
 describe("#users.update", () => {
   it("should update user profile information", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/users.update", {
+    const res = await server.post("/api/users.update", user, {
       body: {
-        token: user.getJwtToken(),
         name: "New name",
       },
     });
@@ -674,10 +612,9 @@ describe("#users.update", () => {
     const user = await buildUser({
       teamId: admin.teamId,
     });
-    const res = await server.post("/api/users.update", {
+    const res = await server.post("/api/users.update", admin, {
       body: {
         id: user.id,
-        token: admin.getJwtToken(),
         name: "New name",
       },
     });
@@ -692,10 +629,9 @@ describe("#users.update", () => {
     const user = await buildUser({
       teamId: actor.teamId,
     });
-    const res = await server.post("/api/users.update", {
+    const res = await server.post("/api/users.update", actor, {
       body: {
         id: user.id,
-        token: actor.getJwtToken(),
         name: "New name",
       },
     });
@@ -704,9 +640,8 @@ describe("#users.update", () => {
 
   it("should fail upon sending invalid user preference", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/users.update", {
+    const res = await server.post("/api/users.update", user, {
       body: {
-        token: user.getJwtToken(),
         name: "New name",
         preferences: { invalidPreference: "invalidValue" },
       },
@@ -716,9 +651,8 @@ describe("#users.update", () => {
 
   it("should fail upon sending invalid user preference value", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/users.update", {
+    const res = await server.post("/api/users.update", user, {
       body: {
-        token: user.getJwtToken(),
         name: "New name",
         preferences: { rememberLastPath: "invalidValue" },
       },
@@ -728,9 +662,8 @@ describe("#users.update", () => {
 
   it("should update rememberLastPath user preference", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/users.update", {
+    const res = await server.post("/api/users.update", user, {
       body: {
-        token: user.getJwtToken(),
         name: "New name",
         preferences: {
           rememberLastPath: true,
@@ -744,9 +677,8 @@ describe("#users.update", () => {
 
   it("should update user timezone", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/users.update", {
+    const res = await server.post("/api/users.update", user, {
       body: {
-        token: user.getJwtToken(),
         timezone: "Asia/Calcutta",
       },
     });
@@ -768,9 +700,8 @@ describe("#users.updateEmail", () => {
     it("should trigger verification email", async () => {
       const spy = vi.spyOn(ConfirmUpdateEmail.prototype, "schedule");
       const user = await buildUser();
-      const res = await server.post("/api/users.updateEmail", {
+      const res = await server.post("/api/users.updateEmail", user, {
         body: {
-          token: user.getJwtToken(),
           email: faker.internet.email(),
         },
       });
@@ -791,9 +722,8 @@ describe("#users.updateEmail", () => {
         createdById: user.id,
       });
 
-      const res = await server.post("/api/users.updateEmail", {
+      const res = await server.post("/api/users.updateEmail", user, {
         body: {
-          token: user.getJwtToken(),
           email: faker.internet.email(),
         },
       });
@@ -807,9 +737,8 @@ describe("#users.updateEmail", () => {
       const email = faker.internet.email().toLowerCase();
       await buildUser({ teamId: user.teamId, email });
 
-      const res = await server.post("/api/users.updateEmail", {
+      const res = await server.post("/api/users.updateEmail", user, {
         body: {
-          token: user.getJwtToken(),
           email,
         },
       });
@@ -831,7 +760,7 @@ describe("#users.updateEmail", () => {
       const user = await buildUser();
       const email = faker.internet.email();
       await server.get(
-        `/api/users.updateEmail?token=${user.getJwtToken()}&code=${user.getEmailUpdateToken(
+        `/api/users.updateEmail?token=${user.getSessionToken()}&code=${user.getEmailUpdateToken(
           email
         )}&follow=true`
       );
@@ -848,9 +777,8 @@ describe("#users.update_role", () => {
     const admin = await buildAdmin({ teamId: team.id });
     const user = await buildUser({ teamId: team.id });
 
-    const res = await server.post("/api/users.update_role", {
+    const res = await server.post("/api/users.update_role", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: user.id,
         role: UserRole.Admin,
       },
@@ -864,9 +792,8 @@ describe("#users.update_role", () => {
     const admin = await buildAdmin({ teamId: team.id });
     const user = await buildAdmin({ teamId: team.id });
 
-    const res = await server.post("/api/users.update_role", {
+    const res = await server.post("/api/users.update_role", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: user.id,
         role: UserRole.Viewer,
       },
@@ -880,9 +807,8 @@ describe("#users.update_role", () => {
     const admin = await buildAdmin({ teamId: team.id });
     const user = await buildAdmin({ teamId: team.id });
 
-    const res = await server.post("/api/users.update_role", {
+    const res = await server.post("/api/users.update_role", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: user.id,
         role: UserRole.Admin,
       },
@@ -897,9 +823,8 @@ describe("#users.promote", () => {
     const admin = await buildAdmin({ teamId: team.id });
     const user = await buildUser({ teamId: team.id });
 
-    const res = await server.post("/api/users.promote", {
+    const res = await server.post("/api/users.promote", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: user.id,
       },
     });
@@ -908,9 +833,8 @@ describe("#users.promote", () => {
 
   it("should require admin", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/users.promote", {
+    const res = await server.post("/api/users.promote", user, {
       body: {
-        token: user.getJwtToken(),
         id: user.id,
       },
     });
@@ -926,9 +850,8 @@ describe("#users.demote", () => {
     const admin = await buildAdmin({ teamId: team.id });
     const user = await buildAdmin({ teamId: team.id });
 
-    const res = await server.post("/api/users.demote", {
+    const res = await server.post("/api/users.demote", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: user.id,
       },
     });
@@ -940,9 +863,8 @@ describe("#users.demote", () => {
     const admin = await buildAdmin({ teamId: team.id });
     const user = await buildAdmin({ teamId: team.id });
 
-    const res = await server.post("/api/users.demote", {
+    const res = await server.post("/api/users.demote", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: user.id,
         to: "viewer",
       },
@@ -955,9 +877,8 @@ describe("#users.demote", () => {
     const admin = await buildAdmin({ teamId: team.id });
     const user = await buildAdmin({ teamId: team.id });
 
-    const res = await server.post("/api/users.demote", {
+    const res = await server.post("/api/users.demote", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: user.id,
         to: "member",
       },
@@ -968,9 +889,8 @@ describe("#users.demote", () => {
   it("should not allow demoting self", async () => {
     const admin = await buildAdmin();
     await buildAdmin({ teamId: admin.teamId });
-    const res = await server.post("/api/users.demote", {
+    const res = await server.post("/api/users.demote", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: admin.id,
       },
     });
@@ -981,9 +901,8 @@ describe("#users.demote", () => {
 
   it("should require admin", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/users.promote", {
+    const res = await server.post("/api/users.promote", user, {
       body: {
-        token: user.getJwtToken(),
         id: user.id,
       },
     });
@@ -999,9 +918,8 @@ describe("#users.suspend", () => {
     const admin = await buildAdmin({ teamId: team.id });
     const user = await buildUser({ teamId: team.id });
 
-    const res = await server.post("/api/users.suspend", {
+    const res = await server.post("/api/users.suspend", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: user.id,
       },
     });
@@ -1010,9 +928,8 @@ describe("#users.suspend", () => {
 
   it("should not allow suspending self", async () => {
     const admin = await buildAdmin();
-    const res = await server.post("/api/users.suspend", {
+    const res = await server.post("/api/users.suspend", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: admin.id,
       },
     });
@@ -1023,9 +940,8 @@ describe("#users.suspend", () => {
 
   it("should require admin", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/users.suspend", {
+    const res = await server.post("/api/users.suspend", user, {
       body: {
-        token: user.getJwtToken(),
         id: user.id,
       },
     });
@@ -1046,9 +962,8 @@ describe("#users.activate", () => {
       suspendedAt: new Date(),
     });
     expect(user.isSuspended).toBe(true);
-    const res = await server.post("/api/users.activate", {
+    const res = await server.post("/api/users.activate", admin, {
       body: {
-        token: admin.getJwtToken(),
         id: user.id,
       },
     });
@@ -1057,9 +972,8 @@ describe("#users.activate", () => {
 
   it("should require admin", async () => {
     const user = await buildUser();
-    const res = await server.post("/api/users.activate", {
+    const res = await server.post("/api/users.activate", user, {
       body: {
-        token: user.getJwtToken(),
         id: user.id,
       },
     });

server/routes/api/views/views.test.ts

@@ -23,9 +23,8 @@ describe("#views.list", () => {
       documentId: document.id,
       userId: user.id,
     });
-    const res = await server.post("/api/views.list", {
+    const res = await server.post("/api/views.list", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -47,9 +46,8 @@ describe("#views.list", () => {
 
     await user.update({ suspendedAt: new Date() });
 
-    const res = await server.post("/api/views.list", {
+    const res = await server.post("/api/views.list", admin, {
       body: {
-        token: admin.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -82,9 +80,8 @@ describe("#views.list", () => {
       documentId: document.id,
       userId: user.id,
     });
-    const res = await server.post("/api/views.list", {
+    const res = await server.post("/api/views.list", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -109,9 +106,8 @@ describe("#views.list", () => {
   it("should require authorization", async () => {
     const document = await buildDocument();
     const user = await buildUser();
-    const res = await server.post("/api/views.list", {
+    const res = await server.post("/api/views.list", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -126,9 +122,8 @@ describe("#views.create", () => {
       userId: user.id,
       teamId: user.teamId,
     });
-    const res = await server.post("/api/views.create", {
+    const res = await server.post("/api/views.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -157,9 +152,8 @@ describe("#views.create", () => {
       userId: user.id,
       permission: CollectionPermission.Read,
     });
-    const res = await server.post("/api/views.create", {
+    const res = await server.post("/api/views.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });
@@ -183,9 +177,8 @@ describe("#views.create", () => {
   it("should require authorization", async () => {
     const document = await buildDocument();
     const user = await buildUser();
-    const res = await server.post("/api/views.create", {
+    const res = await server.post("/api/views.create", user, {
       body: {
-        token: user.getJwtToken(),
         documentId: document.id,
       },
     });

server/routes/auth/index.test.ts

@@ -1,5 +1,7 @@
+import { addMonths } from "date-fns";
 import { buildUser, buildCollection } from "@server/test/factories";
 import { getTestServer } from "@server/test/support";
+import { getJWTPayload } from "@server/utils/jwt";
 
 const server = getTestServer();
 
@@ -33,9 +35,36 @@ describe("auth/redirect", () => {
     expect(res.headers.get("location")!.includes(collection.path)).toBeTruthy();
   });
 
+  it("should issue a session token with an expiry", async () => {
+    const user = await buildUser();
+    const before = Date.now();
+    const res = await server.get(
+      `/auth/redirect?token=${user.getTransferToken()}`,
+      {
+        redirect: "manual",
+      }
+    );
+    expect(res.status).toEqual(302);
+
+    const cookie = res.headers.get("set-cookie");
+    expect(cookie).not.toBeNull();
+    const match = cookie!.match(/accessToken=([^;]+)/);
+    expect(match).not.toBeNull();
+
+    const payload = getJWTPayload(match![1]);
+    expect(payload.type).toEqual("session");
+    expect(payload.expiresAt).toBeDefined();
+
+    const expiresAt = new Date(payload.expiresAt as string).getTime();
+    const expectedMin = addMonths(before, 3).getTime() - 1000;
+    const expectedMax = addMonths(Date.now(), 3).getTime() + 1000;
+    expect(expiresAt).toBeGreaterThanOrEqual(expectedMin);
+    expect(expiresAt).toBeLessThanOrEqual(expectedMax);
+  });
+
   it("should prevent token extension by rejecting JWT tokens", async () => {
     const user = await buildUser();
-    const jwtToken = user.getJwtToken();
+    const jwtToken = user.getSessionToken();
 
     const res = await server.get(`/auth/redirect?token=${jwtToken}`, {
       redirect: "manual",

server/routes/auth/index.ts

@@ -43,14 +43,15 @@ router.get(
       throw AuthenticationError("Cannot extend token");
     }
 
-    const jwtToken = user.getJwtToken(undefined, service);
+    const expires = addMonths(new Date(), 3);
+    const jwtToken = user.getSessionToken(expires, service);
 
     // ensure that the lastActiveAt on user is updated to prevent replay requests
     await user.updateActiveAt(ctx, true);
 
     ctx.cookies.set("accessToken", jwtToken, {
       sameSite: "lax",
-      expires: addMonths(new Date(), 3),
+      expires,
     });
     const [team, collection, view] = await Promise.all([
       Team.findByPk(user.teamId),

server/routes/mcp/index.test.ts

@@ -34,7 +34,7 @@ describe("POST /mcp/", () => {
       const { body } = mcpRequest("tools/list");
       const res = await server.post("/mcp/", {
         headers: {
-          Authorization: `Bearer ${user.getJwtToken()}`,
+          Authorization: `Bearer ${user.getSessionToken()}`,
           Accept: "application/json, text/event-stream",
         },
         body,

server/test/TestServer.ts

@@ -11,6 +11,34 @@ type TestRequestOptions = Omit<RequestInit, "body" | "headers"> & {
   headers?: Record<string, string>;
 };
 
+interface Authable {
+  getSessionToken(): string;
+}
+
+const tokenCache = new WeakMap<Authable, string>();
+
+function getCachedSessionToken(user: Authable): string {
+  let token = tokenCache.get(user);
+  if (!token) {
+    token = user.getSessionToken();
+    tokenCache.set(user, token);
+  }
+  return token;
+}
+
+function normalizeArgs(
+  userOrOpts?: Authable | TestRequestOptions,
+  maybeOpts?: TestRequestOptions
+): { user?: Authable; opts: TestRequestOptions } {
+  if (
+    userOrOpts &&
+    typeof (userOrOpts as Authable).getSessionToken === "function"
+  ) {
+    return { user: userOrOpts as Authable, opts: maybeOpts ?? {} };
+  }
+  return { opts: (userOrOpts as TestRequestOptions) ?? {} };
+}
+
 class TestServer {
   private server: http.Server;
   private listener?: Promise<void> | null;
@@ -36,10 +64,24 @@ class TestServer {
     return this.listener;
   }
 
-  fetch(path: string, opts: TestRequestOptions) {
+  fetch(path: string, opts?: TestRequestOptions): ReturnType<typeof nodeFetch>;
+  fetch(
+    path: string,
+    user: Authable,
+    opts?: TestRequestOptions
+  ): ReturnType<typeof nodeFetch>;
+  fetch(
+    path: string,
+    userOrOpts?: Authable | TestRequestOptions,
+    maybeOpts?: TestRequestOptions
+  ) {
+    const { user, opts } = normalizeArgs(userOrOpts, maybeOpts);
     return this.listen().then(() => {
       const url = `${this.address}${path}`;
       const headers: Record<string, string> = { ...opts.headers };
+      if (user && !headers.Authorization && !headers.authorization) {
+        headers.Authorization = `Bearer ${getCachedSessionToken(user)}`;
+      }
       let body = opts.body;
       const contentType = headers["Content-Type"] ?? headers["content-type"];
       // automatic JSON encoding
@@ -62,32 +104,126 @@ class TestServer {
     this.server.close();
   }
 
-  delete(path: string, options?: TestRequestOptions) {
+  delete(path: string, opts?: TestRequestOptions): ReturnType<typeof nodeFetch>;
-    return this.fetch(path, { ...options, method: "DELETE" });
+  delete(
+    path: string,
+    user: Authable,
+    opts?: TestRequestOptions
+  ): ReturnType<typeof nodeFetch>;
+  delete(
+    path: string,
+    userOrOpts?: Authable | TestRequestOptions,
+    maybeOpts?: TestRequestOptions
+  ) {
+    const { user, opts } = normalizeArgs(userOrOpts, maybeOpts);
+    return user
+      ? this.fetch(path, user, { ...opts, method: "DELETE" })
+      : this.fetch(path, { ...opts, method: "DELETE" });
   }
 
-  get(path: string, options?: TestRequestOptions) {
+  get(path: string, opts?: TestRequestOptions): ReturnType<typeof nodeFetch>;
-    return this.fetch(path, { ...options, method: "GET" });
+  get(
+    path: string,
+    user: Authable,
+    opts?: TestRequestOptions
+  ): ReturnType<typeof nodeFetch>;
+  get(
+    path: string,
+    userOrOpts?: Authable | TestRequestOptions,
+    maybeOpts?: TestRequestOptions
+  ) {
+    const { user, opts } = normalizeArgs(userOrOpts, maybeOpts);
+    return user
+      ? this.fetch(path, user, { ...opts, method: "GET" })
+      : this.fetch(path, { ...opts, method: "GET" });
   }
 
-  head(path: string, options?: TestRequestOptions) {
+  head(path: string, opts?: TestRequestOptions): ReturnType<typeof nodeFetch>;
-    return this.fetch(path, { ...options, method: "HEAD" });
+  head(
+    path: string,
+    user: Authable,
+    opts?: TestRequestOptions
+  ): ReturnType<typeof nodeFetch>;
+  head(
+    path: string,
+    userOrOpts?: Authable | TestRequestOptions,
+    maybeOpts?: TestRequestOptions
+  ) {
+    const { user, opts } = normalizeArgs(userOrOpts, maybeOpts);
+    return user
+      ? this.fetch(path, user, { ...opts, method: "HEAD" })
+      : this.fetch(path, { ...opts, method: "HEAD" });
   }
 
-  options(path: string, options?: TestRequestOptions) {
+  options(
-    return this.fetch(path, { ...options, method: "OPTIONS" });
+    path: string,
+    opts?: TestRequestOptions
+  ): ReturnType<typeof nodeFetch>;
+  options(
+    path: string,
+    user: Authable,
+    opts?: TestRequestOptions
+  ): ReturnType<typeof nodeFetch>;
+  options(
+    path: string,
+    userOrOpts?: Authable | TestRequestOptions,
+    maybeOpts?: TestRequestOptions
+  ) {
+    const { user, opts } = normalizeArgs(userOrOpts, maybeOpts);
+    return user
+      ? this.fetch(path, user, { ...opts, method: "OPTIONS" })
+      : this.fetch(path, { ...opts, method: "OPTIONS" });
   }
 
-  patch(path: string, options?: TestRequestOptions) {
+  patch(path: string, opts?: TestRequestOptions): ReturnType<typeof nodeFetch>;
-    return this.fetch(path, { ...options, method: "PATCH" });
+  patch(
+    path: string,
+    user: Authable,
+    opts?: TestRequestOptions
+  ): ReturnType<typeof nodeFetch>;
+  patch(
+    path: string,
+    userOrOpts?: Authable | TestRequestOptions,
+    maybeOpts?: TestRequestOptions
+  ) {
+    const { user, opts } = normalizeArgs(userOrOpts, maybeOpts);
+    return user
+      ? this.fetch(path, user, { ...opts, method: "PATCH" })
+      : this.fetch(path, { ...opts, method: "PATCH" });
   }
 
-  post(path: string, options?: TestRequestOptions) {
+  post(path: string, opts?: TestRequestOptions): ReturnType<typeof nodeFetch>;
-    return this.fetch(path, { ...options, method: "POST" });
+  post(
+    path: string,
+    user: Authable,
+    opts?: TestRequestOptions
+  ): ReturnType<typeof nodeFetch>;
+  post(
+    path: string,
+    userOrOpts?: Authable | TestRequestOptions,
+    maybeOpts?: TestRequestOptions
+  ) {
+    const { user, opts } = normalizeArgs(userOrOpts, maybeOpts);
+    return user
+      ? this.fetch(path, user, { ...opts, method: "POST" })
+      : this.fetch(path, { ...opts, method: "POST" });
   }
 
-  put(path: string, options?: TestRequestOptions) {
+  put(path: string, opts?: TestRequestOptions): ReturnType<typeof nodeFetch>;
-    return this.fetch(path, { ...options, method: "PUT" });
+  put(
+    path: string,
+    user: Authable,
+    opts?: TestRequestOptions
+  ): ReturnType<typeof nodeFetch>;
+  put(
+    path: string,
+    userOrOpts?: Authable | TestRequestOptions,
+    maybeOpts?: TestRequestOptions
+  ) {
+    const { user, opts } = normalizeArgs(userOrOpts, maybeOpts);
+    return user
+      ? this.fetch(path, user, { ...opts, method: "PUT" })
+      : this.fetch(path, { ...opts, method: "PUT" });
   }
 }
 

server/test/support.ts

@@ -64,7 +64,7 @@ export function withAPIContext<T>(
       auth: {
         user,
         type: AuthenticationType.APP,
-        token: user.getJwtToken(),
+        token: user.getSessionToken(),
       },
       transaction,
     };

server/utils/authentication.ts

@@ -134,7 +134,7 @@ export async function signIn(
       );
     }
   } else {
-    ctx.cookies.set("accessToken", user.getJwtToken(expires, service), {
+    ctx.cookies.set("accessToken", user.getSessionToken(expires, service), {
       sameSite: "lax",
       expires,
     });