photoprism/internal/api/auth_session_test.go

177 lines
6.4 KiB
Go
Raw Normal View History

package api
import (
"net/http"
"testing"
"github.com/stretchr/testify/assert"
"github.com/tidwall/gjson"
"github.com/photoprism/photoprism/internal/i18n"
"github.com/photoprism/photoprism/internal/session"
)
func TestSessionID(t *testing.T) {
t.Run("NoContext", func(t *testing.T) {
result := SessionID(nil)
assert.Equal(t, "", result)
})
}
func TestSession(t *testing.T) {
t.Run("Public", func(t *testing.T) {
assert.Equal(t, session.Public, Session(""))
assert.Equal(t, session.Public, Session("638bffc9b86a8fda0d908ebee84a43930cb8d1e3507f4aa0"))
})
}
func TestCreateSession(t *testing.T) {
t.Run("Success", func(t *testing.T) {
app, router, _ := NewApiTest()
CreateSession(router)
r := PerformRequestWithBody(app, http.MethodPost, "/api/v1/session", `{"name": "admin", "password": "photoprism"}`)
log.Debugf("BODY: %s", r.Body.String())
val2 := gjson.Get(r.Body.String(), "user.Name")
assert.Equal(t, "admin", val2.String())
assert.Equal(t, http.StatusOK, r.Code)
})
t.Run("BadRequest", func(t *testing.T) {
app, router, _ := NewApiTest()
CreateSession(router)
r := PerformRequestWithBody(app, http.MethodPost, "/api/v1/session", `{"name": 123, "password": "xxx"}`)
assert.Equal(t, http.StatusBadRequest, r.Code)
})
t.Run("PublicInvalidToken", func(t *testing.T) {
app, router, _ := NewApiTest()
CreateSession(router)
r := PerformRequestWithBody(app, http.MethodPost, "/api/v1/session", `{"name": "admin", "password": "photoprism", "token": "xxx"}`)
assert.Equal(t, http.StatusNotFound, r.Code)
})
t.Run("AdminInvalidToken", func(t *testing.T) {
app, router, _ := NewApiTest()
// CreateSession(router)
sessId := AuthenticateUser(app, router, "alice", "Alice123!")
r := AuthenticatedRequestWithBody(app, http.MethodPost, "/api/v1/session", `{"token": "xxx"}`, sessId)
assert.Equal(t, http.StatusNotFound, r.Code)
})
t.Run("VisitorInvalidToken", func(t *testing.T) {
app, router, _ := NewApiTest()
CreateSession(router)
r := AuthenticatedRequestWithBody(app, http.MethodPost, "/api/v1/session", `{"token": "xxx"}`, "345346")
assert.Equal(t, http.StatusNotFound, r.Code)
})
t.Run("AdminValidToken", func(t *testing.T) {
app, router, _ := NewApiTest()
sessId := AuthenticateUser(app, router, "alice", "Alice123!")
r := AuthenticatedRequestWithBody(app, http.MethodPost, "/api/v1/session", `{"token": "1jxf3jfn2k"}`, sessId)
assert.Equal(t, http.StatusOK, r.Code)
})
t.Run("PublicValidToken", func(t *testing.T) {
app, router, _ := NewApiTest()
CreateSession(router)
r := PerformRequestWithBody(app, http.MethodPost, "/api/v1/session", `{"name": "admin", "password": "photoprism", "token": "1jxf3jfn2k"}`)
assert.Equal(t, http.StatusOK, r.Code)
})
t.Run("AdminInvalidPassword", func(t *testing.T) {
app, router, _ := NewApiTest()
CreateSession(router)
r := PerformRequestWithBody(app, http.MethodPost, "/api/v1/session", `{"name": "admin", "password": "xxx"}`)
val := gjson.Get(r.Body.String(), "error")
assert.Equal(t, i18n.Msg(i18n.ErrInvalidCredentials), val.String())
assert.Equal(t, http.StatusUnauthorized, r.Code)
})
t.Run("AliceSuccess", func(t *testing.T) {
app, router, _ := NewApiTest()
CreateSession(router)
r := PerformRequestWithBody(app, http.MethodPost, "/api/v1/session", `{"name": "alice", "password": "Alice123!"}`)
userEmail := gjson.Get(r.Body.String(), "user.Email")
userName := gjson.Get(r.Body.String(), "user.Name")
assert.Equal(t, "alice@example.com", userEmail.String())
assert.Equal(t, "alice", userName.String())
assert.Equal(t, http.StatusOK, r.Code)
})
t.Run("BobSuccess", func(t *testing.T) {
app, router, _ := NewApiTest()
CreateSession(router)
r := PerformRequestWithBody(app, http.MethodPost, "/api/v1/session", `{"name": "bob", "password": "Bobbob123!"}`)
userEmail := gjson.Get(r.Body.String(), "user.Email")
userName := gjson.Get(r.Body.String(), "user.Name")
assert.Equal(t, "bob@example.com", userEmail.String())
assert.Equal(t, "bob", userName.String())
assert.Equal(t, http.StatusOK, r.Code)
})
t.Run("BobInvalidPassword", func(t *testing.T) {
app, router, _ := NewApiTest()
CreateSession(router)
r := PerformRequestWithBody(app, http.MethodPost, "/api/v1/session", `{"name": "bob", "password": "helloworld"}`)
val := gjson.Get(r.Body.String(), "error")
assert.Equal(t, i18n.Msg(i18n.ErrInvalidCredentials), val.String())
assert.Equal(t, http.StatusUnauthorized, r.Code)
})
}
func TestGetSession(t *testing.T) {
t.Run("AdminWithoutAuthentication", func(t *testing.T) {
app, router, _ := NewApiTest()
GetSession(router)
sessId := AuthenticateAdmin(app, router)
r := PerformRequest(app, http.MethodGet, "/api/v1/session/"+sessId)
assert.Equal(t, http.StatusForbidden, r.Code)
})
t.Run("AdminAuthenticatedRequest", func(t *testing.T) {
app, router, _ := NewApiTest()
GetSession(router)
sessId := AuthenticateAdmin(app, router)
r := AuthenticatedRequest(app, http.MethodGet, "/api/v1/session/"+sessId, sessId)
assert.Equal(t, http.StatusOK, r.Code)
})
}
func TestDeleteSession(t *testing.T) {
t.Run("AdminWithoutAuthentication", func(t *testing.T) {
app, router, _ := NewApiTest()
DeleteSession(router)
sessId := AuthenticateAdmin(app, router)
r := PerformRequest(app, http.MethodDelete, "/api/v1/session/"+sessId)
assert.Equal(t, http.StatusOK, r.Code)
})
t.Run("AdminAuthenticatedRequest", func(t *testing.T) {
app, router, _ := NewApiTest()
DeleteSession(router)
sessId := AuthenticateAdmin(app, router)
r := AuthenticatedRequest(app, http.MethodDelete, "/api/v1/session/"+sessId, sessId)
assert.Equal(t, http.StatusOK, r.Code)
})
t.Run("UserWithoutAuthentication", func(t *testing.T) {
app, router, _ := NewApiTest()
DeleteSession(router)
sessId := AuthenticateUser(app, router, "alice", "Alice123!")
r := PerformRequest(app, http.MethodDelete, "/api/v1/session/"+sessId)
assert.Equal(t, http.StatusOK, r.Code)
})
t.Run("UserAuthenticatedRequest", func(t *testing.T) {
app, router, _ := NewApiTest()
DeleteSession(router)
sessId := AuthenticateUser(app, router, "alice", "Alice123!")
r := AuthenticatedRequest(app, http.MethodDelete, "/api/v1/session/"+sessId, sessId)
assert.Equal(t, http.StatusOK, r.Code)
})
t.Run("InvalidSession", func(t *testing.T) {
sessId := "638bffc9b86a8fda0d908ebee84a43930cb8d1e3507f4aa0"
app, router, _ := NewApiTest()
DeleteSession(router)
r := PerformRequest(app, http.MethodDelete, "/api/v1/session/"+sessId)
assert.Equal(t, http.StatusOK, r.Code)
})
}