GitHub/outline
1
0
Fork 0
mirror of https://github.com/outline/outline.git synced 2026-06-13 11:25:03 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
77cee2806c8639113cc6677f33fee41470a1fe1f
outline/server/routes/api/shares/shares.test.ts
T
Tom Moor 77cee2806c chore: getJWTToken -> getSessionToken (#12371) 
* getJWTToken -> getSessionToken

Ensure expiry is included in payload

* Refactor test harness to avoid direct usage of getSessionToken
2026-05-17 16:58:52 -04:00

1584 lines
46 KiB
TypeScript
Raw Blame History

import queryString from "query-string";
import { randomString } from "@shared/random";
import { CollectionPermission } from "@shared/types";
import { createContext } from "@server/context";
import { UserMembership, Share, ShareSubscription } from "@server/models";
import {
buildUser,
buildDocument,
buildShare,
buildAdmin,
buildCollection,
buildTeam,
} from "@server/test/factories";
import { getTestServer, withAPIContext } from "@server/test/support";
const server = getTestServer();
describe("#shares.list", () => {
it("should fail with status 400 bad request when an invalid sort value is suppled", async () => {
const user = await buildUser();
const res = await server.post("/api/shares.list", user, {
body: {
sort: "foo",
},
});
const body = await res.json();
expect(res.status).toEqual(400);
expect(body.message).toEqual(
`sort: must be one of ${Object.keys(Share.getAttributes()).join(", ")}`
);
});
it("should only return shares created by user", async () => {
const team = await buildTeam();
const admin = await buildAdmin({ teamId: team.id });
const user = await buildUser({ teamId: team.id });
const document = await buildDocument({ userId: user.id, teamId: team.id });
await buildShare({
documentId: document.id,
teamId: user.teamId,
userId: admin.id,
});
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
userId: user.id,
});
const res = await server.post("/api/shares.list", user);
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.length).toEqual(1);
expect(body.data[0].id).toEqual(share.id);
expect(body.data[0].documentTitle).toBe(document.title);
});
it("should allow filtering by document title", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
title: "hardcoded",
});
await buildShare({
documentId: document.id,
teamId: user.teamId,
userId: user.id,
});
const res = await server.post("/api/shares.list", user, {
body: {
query: "test",
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.length).toEqual(0);
});
it("should allow filtering by document title and return matching shares", async () => {
const user = await buildUser();
await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
title: "test",
});
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
userId: user.id,
});
const res = await server.post("/api/shares.list", user, {
body: {
query: "test",
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.length).toEqual(1);
expect(body.data[0].id).toEqual(share.id);
expect(body.data[0].documentTitle).toBe("test");
});
it("should not return revoked shares", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
userId: user.id,
});
await share.revoke(createContext({ user }));
const res = await server.post("/api/shares.list", user);
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.length).toEqual(0);
});
it("should not return unpublished shares", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
await buildShare({
published: false,
documentId: document.id,
teamId: user.teamId,
userId: user.id,
});
const res = await server.post("/api/shares.list", user);
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.length).toEqual(0);
});
it("should not return shares to deleted documents", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
await buildShare({
documentId: document.id,
teamId: user.teamId,
userId: user.id,
});
await withAPIContext(user, (ctx) => document.destroyWithCtx(ctx));
const res = await server.post("/api/shares.list", user);
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.length).toEqual(0);
});
it("admins should return shares created by all users", async () => {
const team = await buildTeam();
const admin = await buildAdmin({ teamId: team.id });
const user = await buildUser({ teamId: team.id });
const document = await buildDocument({ userId: user.id, teamId: team.id });
const share = await buildShare({
documentId: document.id,
teamId: admin.teamId,
userId: user.id,
});
const res = await server.post("/api/shares.list", admin);
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.length).toEqual(1);
expect(body.data[0].id).toEqual(share.id);
expect(body.data[0].documentTitle).toBe(document.title);
});
it("admins should not return shares in collection not a member of", async () => {
const team = await buildTeam();
const user = await buildUser({ teamId: team.id });
const admin = await buildAdmin({ teamId: team.id });
const collection = await buildCollection({
userId: user.id,
teamId: team.id,
});
const document = await buildDocument({
userId: user.id,
collectionId: collection.id,
teamId: team.id,
});
await buildShare({
documentId: document.id,
teamId: admin.teamId,
userId: admin.id,
});
collection.permission = null;
await collection.save();
const res = await server.post("/api/shares.list", admin);
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.length).toEqual(0);
});
it("should require authentication", async () => {
const res = await server.post("/api/shares.list");
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
});
describe("#shares.create", () => {
it("should fail with status 400 bad request when both documentId and collectionId are missing", async () => {
const user = await buildUser();
const res = await server.post("/api/shares.create", user);
const body = await res.json();
expect(res.status).toEqual(400);
expect(body.message).toEqual(
"body: one of collectionId or documentId is required"
);
});
it("should fail with status 400 bad request when documentId is invalid", async () => {
const user = await buildUser();
const res = await server.post("/api/shares.create", user, {
body: {
documentId: "foo",
},
});
const body = await res.json();
expect(res.status).toEqual(400);
expect(body.message).toEqual("documentId: Must be a valid UUID or slug");
});
it("should allow creating a share record for collection", async () => {
const user = await buildUser();
const collection = await buildCollection({
userId: user.id,
teamId: user.teamId,
});
const res = await server.post("/api/shares.create", user, {
body: {
collectionId: collection.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.published).toBe(false);
expect(body.data.sourceTitle).toBe(collection.name);
});
it("should allow creating a share record for document", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const res = await server.post("/api/shares.create", user, {
body: {
documentId: document.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.published).toBe(false);
expect(body.data.documentTitle).toBe(document.title);
});
it("should allow creating a published share record for document", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const res = await server.post("/api/shares.create", user, {
body: {
documentId: document.id,
includeChildDocuments: true,
published: true,
urlId: "test",
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.published).toBe(true);
expect(body.data.includeChildDocuments).toBe(true);
expect(body.data.urlId).toBe("test");
expect(body.data.documentTitle).toBe(document.title);
});
it("should set includeChildDocuments when creating a published share", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const res = await server.post("/api/shares.create", user, {
body: {
documentId: document.id,
published: true,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.published).toBe(true);
expect(body.data.includeChildDocuments).toBe(true);
});
it("should accept allowIndexing and showLastUpdated parameters", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const res = await server.post("/api/shares.create", user, {
body: {
documentId: document.id,
published: true,
allowIndexing: false,
showLastUpdated: true,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.published).toBe(true);
expect(body.data.allowIndexing).toBe(false);
expect(body.data.showLastUpdated).toBe(true);
expect(body.data.documentTitle).toBe(document.title);
});
it("should fail creating a share record with read-only permissions and publishing", async () => {
const team = await buildTeam();
const user = await buildUser({ teamId: team.id });
const collection = await buildCollection({
userId: user.id,
teamId: team.id,
});
const document = await buildDocument({
userId: user.id,
collectionId: collection.id,
teamId: team.id,
});
collection.permission = null;
await collection.save();
await UserMembership.update(
{
userId: user.id,
permission: CollectionPermission.Read,
},
{
where: {
createdById: user.id,
collectionId: collection.id,
},
}
);
const res = await server.post("/api/shares.create", user, {
body: {
documentId: document.id,
published: true,
},
});
expect(res.status).toEqual(403);
});
it("should allow creating a share record with read-only permissions but not publishing", async () => {
const team = await buildTeam();
const user = await buildUser({ teamId: team.id });
const collection = await buildCollection({
userId: user.id,
teamId: team.id,
});
const document = await buildDocument({
userId: user.id,
collectionId: collection.id,
teamId: team.id,
});
collection.permission = null;
await collection.save();
await UserMembership.update(
{
userId: user.id,
permission: CollectionPermission.Read,
},
{
where: {
createdById: user.id,
collectionId: collection.id,
},
}
);
const res = await server.post("/api/shares.create", user, {
body: {
documentId: document.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
const response = await server.post("/api/shares.update", user, {
body: {
id: body.data.id,
published: true,
},
});
expect(response.status).toEqual(403);
});
it("should allow creating a share record if link previously revoked", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
userId: user.id,
});
await share.revoke(createContext({ user }));
const res = await server.post("/api/shares.create", user, {
body: {
documentId: document.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.id).not.toEqual(share.id);
expect(body.data.documentTitle).toBe(document.title);
});
it("should return existing share link for document and user", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
userId: user.id,
});
const res = await server.post("/api/shares.create", user, {
body: {
documentId: document.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.id).toBe(share.id);
});
it("should allow creating a share record if team sharing disabled but not publishing", async () => {
const team = await buildTeam({ sharing: false });
const user = await buildUser({ teamId: team.id });
const document = await buildDocument({
teamId: user.teamId,
userId: user.id,
});
const res = await server.post("/api/shares.create", user, {
body: {
documentId: document.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
const response = await server.post("/api/shares.update", user, {
body: {
id: body.data.id,
published: true,
},
});
expect(response.status).toEqual(403);
});
it("should allow creating a share record if collection sharing disabled but not publishing", async () => {
const user = await buildUser();
const collection = await buildCollection({
userId: user.id,
teamId: user.teamId,
sharing: false,
});
const document = await buildDocument({
userId: user.id,
collectionId: collection.id,
teamId: user.teamId,
});
const res = await server.post("/api/shares.create", user, {
body: {
documentId: document.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
const response = await server.post("/api/shares.update", user, {
body: {
id: body.data.id,
published: true,
},
});
expect(response.status).toEqual(403);
});
it("should require authentication", async () => {
const document = await buildDocument();
const res = await server.post("/api/shares.create", {
body: {
documentId: document.id,
},
});
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
it("should require authorization", async () => {
const document = await buildDocument();
const user = await buildUser();
const res = await server.post("/api/shares.create", user, {
body: {
documentId: document.id,
},
});
expect(res.status).toEqual(403);
});
it("should not allow creating a share for a document in another team", async () => {
const user = await buildUser();
const otherDocument = await buildDocument();
const res = await server.post("/api/shares.create", user, {
body: {
documentId: otherDocument.id,
},
});
expect(res.status).toEqual(403);
});
it("should not allow creating a published share for a document in another team", async () => {
const user = await buildUser();
const otherDocument = await buildDocument();
const res = await server.post("/api/shares.create", user, {
body: {
documentId: otherDocument.id,
published: true,
},
});
expect(res.status).toEqual(403);
});
it("should not allow creating a share for a collection in another team", async () => {
const user = await buildUser();
const otherCollection = await buildCollection();
const res = await server.post("/api/shares.create", user, {
body: {
collectionId: otherCollection.id,
},
});
expect(res.status).toEqual(403);
});
it("should not allow creating a share with both a collectionId and documentId", async () => {
const user = await buildUser();
const collection = await buildCollection({
userId: user.id,
teamId: user.teamId,
});
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const res = await server.post("/api/shares.create", user, {
body: {
collectionId: collection.id,
documentId: document.id,
},
});
expect(res.status).toEqual(400);
});
it("should not allow creating a published share with both a collectionId and documentId", async () => {
const user = await buildUser();
const collection = await buildCollection({
userId: user.id,
teamId: user.teamId,
});
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const res = await server.post("/api/shares.create", user, {
body: {
collectionId: collection.id,
documentId: document.id,
published: true,
},
});
expect(res.status).toEqual(400);
});
});
describe("#shares.info", () => {
it("should fail with status 400 bad request when id, collectionId and documentId are missing", async () => {
const user = await buildUser();
const res = await server.post("/api/shares.info", user);
const body = await res.json();
expect(res.status).toEqual(400);
expect(body.message).toEqual(
"body: one of id, collectionId, or documentId is required"
);
});
it("should fail with status 400 bad request when documentId is invalid", async () => {
const user = await buildUser();
const res = await server.post("/api/shares.info", user, {
body: {
documentId: "foo",
},
});
const body = await res.json();
expect(res.status).toEqual(400);
expect(body.message).toEqual("documentId: Must be a valid UUID or slug");
});
it("should not find share by documentId in private collection", async () => {
const admin = await buildAdmin();
const collection = await buildCollection({
permission: null,
teamId: admin.teamId,
});
const document = await buildDocument({
collectionId: collection.id,
userId: admin.id,
teamId: admin.teamId,
});
const user = await buildUser({
teamId: admin.teamId,
});
await buildShare({
documentId: document.id,
teamId: admin.teamId,
userId: admin.id,
});
const res = await server.post("/api/shares.info", user, {
body: {
documentId: document.id,
},
});
expect(res.status).toEqual(403);
});
it("should succeed with status 200 ok", async () => {
const user = await buildUser();
const document = await buildDocument({
createdById: user.id,
teamId: user.teamId,
});
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
userId: user.id,
});
const res = await server.post("/api/shares.info", user, {
body: {
id: share.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data).toBeTruthy();
expect(body.data.shares).toBeTruthy();
expect(body.data.shares).toHaveLength(1);
expect(body.data.shares[0].id).toEqual(share.id);
});
it("should allow reading share by documentId", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
userId: user.id,
});
const res = await server.post("/api/shares.info", user, {
body: {
documentId: document.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.shares.length).toBe(1);
expect(body.data.shares[0].id).toBe(share.id);
expect(body.data.shares[0].published).toBe(true);
});
it("should allow reading share by documentId", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const res = await server.post("/api/shares.info", user, {
body: {
documentId: document.id,
},
});
expect(res.status).toEqual(204);
});
it("should return share for parent document with includeChildDocuments=true", async () => {
const user = await buildUser();
const collection = await buildCollection({
userId: user.id,
teamId: user.teamId,
});
const document = await buildDocument({
userId: user.id,
collectionId: collection.id,
teamId: user.teamId,
});
const childDocument = await buildDocument({
userId: user.id,
teamId: document.teamId,
parentDocumentId: document.id,
collectionId: collection.id,
});
const share = await buildShare({
documentId: document.id,
teamId: document.teamId,
userId: user.id,
includeChildDocuments: true,
});
const childShare = await buildShare({
documentId: childDocument.id,
teamId: childDocument.teamId,
userId: user.id,
});
await collection.reload();
await collection.addDocumentToStructure(childDocument, 0);
const res = await server.post("/api/shares.info", user, {
body: {
documentId: childDocument.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.shares.length).toBe(2);
expect(body.data.shares[0].id).toBe(childShare.id);
expect(body.data.shares[0].documentId).toBe(childDocument.id);
expect(body.data.shares[0].published).toBe(true);
expect(body.data.shares[1].id).toBe(share.id);
expect(body.data.shares[1].documentId).toBe(document.id);
expect(body.data.shares[1].published).toBe(true);
expect(body.data.shares[1].includeChildDocuments).toBe(true);
expect(body.policies.length).toBe(2);
expect(body.policies[0].abilities.update).toBeTruthy();
expect(body.policies[1].abilities.update).toBeTruthy();
});
it("should not return share for parent document with includeChildDocuments=false", async () => {
const team = await buildTeam();
const user = await buildUser({ teamId: team.id });
const collection = await buildCollection({
userId: user.id,
teamId: team.id,
});
const document = await buildDocument({
userId: user.id,
collectionId: collection.id,
teamId: team.id,
});
const childDocument = await buildDocument({
teamId: document.teamId,
parentDocumentId: document.id,
collectionId: collection.id,
});
await buildShare({
documentId: document.id,
teamId: document.teamId,
userId: user.id,
includeChildDocuments: false,
});
const share = await buildShare({
documentId: childDocument.id,
teamId: childDocument.teamId,
userId: user.id,
});
await collection.addDocumentToStructure(childDocument, 0);
const res = await server.post("/api/shares.info", user, {
body: {
documentId: childDocument.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.shares.length).toBe(1);
expect(body.data.shares[0].id).toBe(share.id);
expect(body.data.shares[0].documentId).toBe(childDocument.id);
expect(body.data.shares[0].published).toBe(true);
expect(body.policies.length).toBe(1);
expect(body.policies[0].abilities.update).toBeTruthy();
});
it("should return shares for parent document and current document", async () => {
const user = await buildUser();
const collection = await buildCollection({
userId: user.id,
teamId: user.teamId,
});
const document = await buildDocument({
userId: user.id,
collectionId: collection.id,
teamId: user.teamId,
});
const childDocument = await buildDocument({
teamId: document.teamId,
parentDocumentId: document.id,
collectionId: collection.id,
});
const share = await buildShare({
documentId: childDocument.id,
teamId: user.teamId,
userId: user.id,
includeChildDocuments: false,
});
const share2 = await buildShare({
documentId: document.id,
teamId: document.teamId,
userId: user.id,
includeChildDocuments: true,
});
await collection.reload();
await collection.addDocumentToStructure(childDocument, 0);
const res = await server.post("/api/shares.info", user, {
body: {
documentId: childDocument.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.shares.length).toBe(2);
expect(body.data.shares[0].id).toBe(share.id);
expect(body.data.shares[0].includeChildDocuments).toBe(false);
expect(body.data.shares[0].documentId).toBe(childDocument.id);
expect(body.data.shares[0].published).toBe(true);
expect(body.data.shares[1].id).toBe(share2.id);
expect(body.data.shares[1].documentId).toBe(document.id);
expect(body.data.shares[1].published).toBe(true);
expect(body.data.shares[1].includeChildDocuments).toBe(true);
});
});
describe("#shares.update", () => {
it("should fail for invalid urlId", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
});
const res = await server.post("/api/shares.update", user, {
body: {
id: share.id,
urlId: "url_id",
},
});
const body = await res.json();
expect(res.status).toEqual(400);
expect(body.message).toEqual(
"urlId: must contain only alphanumeric and dashes"
);
});
it("should fail with status 400 bad request when id is missing", async () => {
const user = await buildUser();
const res = await server.post("/api/shares.update", user, {
body: {
urlId: "url-id",
},
});
const body = await res.json();
expect(res.status).toEqual(400);
expect(body.message).toEqual(
"id: Invalid input: expected string, received undefined"
);
});
it("should update urlId", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
});
const res = await server.post("/api/shares.update", user, {
body: {
id: share.id,
urlId: "url-id",
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.urlId).toEqual("url-id");
});
it("should allow clearing urlId", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
});
await server.post("/api/shares.update", user, {
body: {
id: share.id,
urlId: "url-id",
},
});
const res = await server.post("/api/shares.update", user, {
body: {
id: share.id,
urlId: null,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.urlId).toBeNull();
});
it("should update title and iconUrl", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
});
const res = await server.post("/api/shares.update", user, {
body: {
id: share.id,
title: "Custom Title",
iconUrl: "https://example.com/icon.png",
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.title).toEqual("Custom Title");
expect(body.data.iconUrl).toEqual("https://example.com/icon.png");
});
it("should allow clearing title and iconUrl with null", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
title: "Custom Title",
iconUrl: "https://example.com/icon.png",
});
const res = await server.post("/api/shares.update", user, {
body: {
id: share.id,
title: null,
iconUrl: null,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.title).toBeNull();
expect(body.data.iconUrl).toBeNull();
});
it("should normalize empty title to null", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
title: "Custom Title",
});
const res = await server.post("/api/shares.update", user, {
body: {
id: share.id,
title: "",
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.title).toBeNull();
});
it("should accept a relative iconUrl", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
});
const res = await server.post("/api/shares.update", user, {
body: {
id: share.id,
iconUrl: "/uploads/icon.png",
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.iconUrl).toEqual("/uploads/icon.png");
});
it("should reject malformed iconUrl", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
});
const res = await server.post("/api/shares.update", user, {
body: {
id: share.id,
iconUrl: "not a url",
},
});
expect(res.status).toEqual(400);
});
it("should reject iconUrl with disallowed protocol", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
});
const res = await server.post("/api/shares.update", user, {
body: {
id: share.id,
iconUrl: "javascript:alert(1)",
},
});
expect(res.status).toEqual(400);
});
it("should allow user to update a share", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
});
const res = await server.post("/api/shares.update", user, {
body: {
id: share.id,
published: true,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.id).toBe(share.id);
expect(body.data.published).toBe(true);
});
it("should allow author to update a share", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
userId: user.id,
});
const res = await server.post("/api/shares.update", user, {
body: {
id: share.id,
published: true,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.id).toBe(share.id);
expect(body.data.published).toBe(true);
});
it("should allow admin to update a share", async () => {
const team = await buildTeam();
const admin = await buildAdmin({ teamId: team.id });
const user = await buildUser({ teamId: team.id });
const document = await buildDocument({ userId: user.id, teamId: team.id });
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
userId: user.id,
});
const res = await server.post("/api/shares.update", admin, {
body: {
id: share.id,
published: true,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.id).toBe(share.id);
expect(body.data.published).toBe(true);
});
it("should require authentication", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
userId: user.id,
});
const res = await server.post("/api/shares.update", {
body: {
id: share.id,
published: true,
},
});
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
it("should require authorization", async () => {
const team = await buildTeam();
const admin = await buildAdmin({ teamId: team.id });
const document = await buildDocument({ teamId: team.id });
const user = await buildUser();
const share = await buildShare({
documentId: document.id,
teamId: admin.teamId,
userId: admin.id,
});
const res = await server.post("/api/shares.update", user, {
body: {
id: share.id,
published: true,
},
});
expect(res.status).toEqual(403);
});
});
describe("#shares.revoke", () => {
it("should fail with status 400 bad request when id is missing", async () => {
const user = await buildUser();
const res = await server.post("/api/shares.revoke", user);
const body = await res.json();
expect(res.status).toEqual(400);
expect(body.message).toEqual(
"id: Invalid input: expected string, received undefined"
);
});
it("should allow author to revoke a share", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
userId: user.id,
});
const res = await server.post("/api/shares.revoke", user, {
body: {
id: share.id,
},
});
expect(res.status).toEqual(200);
});
it("should allow author to revoke collection share", async () => {
const user = await buildUser();
const collection = await buildCollection({
userId: user.id,
teamId: user.teamId,
});
const share = await buildShare({
collectionId: collection.id,
teamId: user.teamId,
userId: user.id,
});
const res = await server.post("/api/shares.revoke", user, {
body: {
id: share.id,
},
});
expect(res.status).toEqual(200);
});
it("should 404 if shares document is deleted", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
userId: user.id,
});
await withAPIContext(user, (ctx) => document.destroyWithCtx(ctx));
const res = await server.post("/api/shares.revoke", user, {
body: {
id: share.id,
},
});
expect(res.status).toEqual(404);
});
it("should allow admin to revoke a share", async () => {
const team = await buildTeam();
const admin = await buildAdmin({ teamId: team.id });
const user = await buildUser({ teamId: team.id });
const document = await buildDocument({ userId: user.id, teamId: team.id });
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
userId: user.id,
});
const res = await server.post("/api/shares.revoke", admin, {
body: {
id: share.id,
},
});
expect(res.status).toEqual(200);
});
it("should require authentication", async () => {
const user = await buildUser();
const document = await buildDocument({
userId: user.id,
teamId: user.teamId,
});
const share = await buildShare({
documentId: document.id,
teamId: user.teamId,
userId: user.id,
});
const res = await server.post("/api/shares.revoke", {
body: {
id: share.id,
},
});
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
it("should require authorization", async () => {
const team = await buildTeam();
const admin = await buildAdmin({ teamId: team.id });
const document = await buildDocument({ teamId: team.id });
const user = await buildUser();
const share = await buildShare({
documentId: document.id,
teamId: admin.teamId,
userId: admin.id,
});
const res = await server.post("/api/shares.revoke", user, {
body: {
id: share.id,
},
});
expect(res.status).toEqual(403);
});
});
describe("#shares.subscribe", () => {
it("should create a subscription for a published share", async () => {
const share = await buildShare();
const res = await server.post("/api/shares.subscribe", {
body: {
shareId: share.id,
documentId: share.documentId!,
email: "subscriber@example.com",
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.success).toBe(true);
const subscription = await ShareSubscription.findOne({
where: { shareId: share.id },
});
expect(subscription).not.toBeNull();
expect(subscription!.email).toBe("subscriber@example.com");
expect(subscription!.confirmedAt).toBeNull();
});
it("should normalize email fingerprint on create", async () => {
const share = await buildShare();
await server.post("/api/shares.subscribe", {
body: {
shareId: share.id,
documentId: share.documentId!,
email: "First.Last+tag@Example.com",
},
});
const subscription = await ShareSubscription.findOne({
where: { shareId: share.id },
});
expect(subscription!.emailFingerprint).toBe(
ShareSubscription.normalizeEmailFingerprint("First.Last+tag@Example.com")
);
});
it("should not create duplicate subscriptions for same fingerprint", async () => {
const share = await buildShare();
await server.post("/api/shares.subscribe", {
body: {
shareId: share.id,
documentId: share.documentId!,
email: "user@gmail.com",
},
});
await server.post("/api/shares.subscribe", {
body: {
shareId: share.id,
documentId: share.documentId!,
email: "u.s.e.r@gmail.com",
},
});
const count = await ShareSubscription.count({
where: { shareId: share.id },
});
expect(count).toBe(1);
});
it("should silently succeed for already confirmed subscription", async () => {
const share = await buildShare();
await ShareSubscription.create({
shareId: share.id,
documentId: share.documentId!,
email: "user@example.com",
emailFingerprint:
ShareSubscription.normalizeEmailFingerprint("user@example.com"),
secret: randomString(32),
confirmedAt: new Date(),
});
const res = await server.post("/api/shares.subscribe", {
body: {
shareId: share.id,
documentId: share.documentId!,
email: "user@example.com",
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.success).toBe(true);
});
it("should allow re-subscribing after unsubscribe", async () => {
const share = await buildShare();
const subscription = await ShareSubscription.create({
shareId: share.id,
documentId: share.documentId!,
email: "user@example.com",
emailFingerprint:
ShareSubscription.normalizeEmailFingerprint("user@example.com"),
secret: randomString(32),
confirmedAt: new Date(),
unsubscribedAt: new Date(),
});
const res = await server.post("/api/shares.subscribe", {
body: {
shareId: share.id,
documentId: share.documentId!,
email: "user@example.com",
},
});
expect(res.status).toEqual(200);
await subscription.reload();
expect(subscription.unsubscribedAt).toBeNull();
expect(subscription.confirmedAt).toBeNull();
});
it("should fail for unpublished share", async () => {
const share = await buildShare({ published: false });
const res = await server.post("/api/shares.subscribe", {
body: {
shareId: share.id,
documentId: share.documentId!,
email: "user@example.com",
},
});
expect(res.status).toEqual(404);
});
it("should fail with invalid email", async () => {
const share = await buildShare();
const res = await server.post("/api/shares.subscribe", {
body: {
shareId: share.id,
documentId: share.documentId!,
email: "not-an-email",
},
});
expect(res.status).toEqual(400);
});
});
describe("#shares.confirmSubscription", () => {
it("should confirm a subscription with valid token", async () => {
const share = await buildShare();
const subscription = await ShareSubscription.create({
shareId: share.id,
documentId: share.documentId!,
email: "user@example.com",
emailFingerprint: "user@example.com",
secret: randomString(32),
});
const token = ShareSubscription.generateConfirmToken(subscription);
const res = await server.get(
`/api/shares.confirmSubscription?${queryString.stringify({
id: subscription.id,
token,
follow: "true",
})}`,
{ redirect: "manual" }
);
expect(res.status).toEqual(302);
expect(res.headers.get("location")).toContain("notice=subscribed");
await subscription.reload();
expect(subscription.confirmedAt).not.toBeNull();
});
it("should reject an invalid token", async () => {
const share = await buildShare();
const subscription = await ShareSubscription.create({
shareId: share.id,
documentId: share.documentId!,
email: "user@example.com",
emailFingerprint: "user@example.com",
secret: randomString(32),
});
const res = await server.get(
`/api/shares.confirmSubscription?${queryString.stringify({
id: subscription.id,
token: "invalid-token",
follow: "true",
})}`,
{ redirect: "manual" }
);
expect(res.status).toEqual(302);
expect(res.headers.get("location")).toContain("notice=invalid-auth");
await subscription.reload();
expect(subscription.confirmedAt).toBeNull();
});
it("should reject an expired token", async () => {
const share = await buildShare();
const subscription = await ShareSubscription.create({
shareId: share.id,
documentId: share.documentId!,
email: "user@example.com",
emailFingerprint: "user@example.com",
secret: randomString(32),
});
// Force updatedAt to 25 hours ago so the token is expired
const expiredDate = new Date(Date.now() - 25 * 60 * 60 * 1000);
await ShareSubscription.update(
{ createdAt: expiredDate, updatedAt: expiredDate },
{ where: { id: subscription.id }, silent: true }
);
await subscription.reload();
const token = ShareSubscription.generateConfirmToken(subscription);
const res = await server.get(
`/api/shares.confirmSubscription?${queryString.stringify({
id: subscription.id,
token,
follow: "true",
})}`,
{ redirect: "manual" }
);
expect(res.status).toEqual(302);
expect(res.headers.get("location")).toContain("notice=expired-token");
});
});
describe("#shares.unsubscribe", () => {
it("should unsubscribe with valid token", async () => {
const share = await buildShare();
const subscription = await ShareSubscription.create({
shareId: share.id,
documentId: share.documentId!,
email: "user@example.com",
emailFingerprint: "user@example.com",
secret: randomString(32),
confirmedAt: new Date(),
});
const token = ShareSubscription.generateUnsubscribeToken(subscription);
const res = await server.get(
`/api/shares.unsubscribe?${queryString.stringify({
id: subscription.id,
token,
follow: "true",
})}`,
{ redirect: "manual" }
);
expect(res.status).toEqual(302);
expect(res.headers.get("location")).toContain("notice=unsubscribed");
await subscription.reload();
expect(subscription.unsubscribedAt).not.toBeNull();
});
it("should reject an invalid token", async () => {
const share = await buildShare();
const subscription = await ShareSubscription.create({
shareId: share.id,
documentId: share.documentId!,
email: "user@example.com",
emailFingerprint: "user@example.com",
secret: randomString(32),
confirmedAt: new Date(),
});
const res = await server.get(
`/api/shares.unsubscribe?${queryString.stringify({
id: subscription.id,
token: "invalid-token",
follow: "true",
})}`,
{ redirect: "manual" }
);
expect(res.status).toEqual(302);
expect(res.headers.get("location")).toContain("notice=invalid-auth");
await subscription.reload();
expect(subscription.unsubscribedAt).toBeNull();
});
});
Reference in New Issue View Git Blame Copy Permalink