added /user DELETE route

2020-04-27 15:10:14 +02:00
parent 1eff39bb16
commit 5a911a455b
6 changed files with 239 additions and 73 deletions
--- a/src/routes/user.spec.ts
+++ b/src/routes/user.spec.ts
@ -236,6 +236,16 @@ describe('/user', () => {
          });
        });
    });
+    it('rejects a username which is in the special names', done => {
+      TestHelper.request(server, done, {
+        method: 'post',
+        url: '/user/new',
+        auth: {basic: 'admin'},
+        httpStatus: 400, default: false,
+        req: {email: 'j.doe@bosch.com', name: 'passreset', pass: 'Abc123!#', level: 'read', location: 'Rng', device_name: 'Alpha II'},
+        res: {status: 'Username already taken'}
+      });
+    });
    it('rejects invalid user details', done => {
      TestHelper.request(server, done, {
        method: 'put',
@ -304,6 +314,73 @@ describe('/user', () => {
    });
  });

+  describe('DELETE /user/{name}', () => {
+    it('deletes own user details', done => {
+      TestHelper.request(server, done, {
+        method: 'delete',
+        url: '/user',
+        auth: {basic: 'janedoe'},
+        httpStatus: 200
+      }).end((err, res) => {
+        if (err) return done (err);
+        should(res.body).be.eql({status: 'OK'});
+        UserModel.find({name: 'janedoe'}).lean().exec( 'find', (err, data) => {
+          if (err) return done(err);
+          should(data).have.lengthOf(0);
+          done();
+        });
+      });
+    });
+    it('deletes other user details for admin', done => {
+      TestHelper.request(server, done, {
+        method: 'delete',
+        url: '/user/janedoe',
+        auth: {basic: 'admin'},
+        httpStatus: 200
+      }).end((err, res) => {
+        if (err) return done (err);
+        should(res.body).be.eql({status: 'OK'});
+        UserModel.find({name: 'janedoe'}).lean().exec( 'find', (err, data) => {
+          if (err) return done(err);
+          should(data).have.lengthOf(0);
+          done();
+        });
+      });
+    });
+    it('rejects requests from non-admins for another user', done => {
+      TestHelper.request(server, done, {
+        method: 'delete',
+        url: '/user/admin',
+        auth: {basic: 'janedoe'},
+        httpStatus: 403
+      });
+    });
+    it('rejects requests from a user API key', done => {
+      TestHelper.request(server, done, {
+        method: 'delete',
+        url: '/user',
+        auth: {key: 'janedoe'},
+        httpStatus: 401
+      });
+    });
+    it('rejects requests from an admin API key', done => {
+      TestHelper.request(server, done, {
+        method: 'delete',
+        url: '/user/janedoe',
+        auth: {key: 'admin'},
+        httpStatus: 401
+      });
+    });
+    it('returns 404 for an unknown user', done => {
+      TestHelper.request(server, done, {
+        method: 'delete',
+        url: '/user/unknown',
+        auth: {basic: 'admin'},
+        httpStatus: 404
+      });
+    });
+  });
+
  describe('POST /user/new', () => {
    it('returns the added user data', done => {
      TestHelper.request(server, done, {
@ -365,6 +442,16 @@ describe('/user', () => {
          });
        });
    });
+    it('rejects a username which is in the special names', done => {
+      TestHelper.request(server, done, {
+        method: 'post',
+        url: '/user/new',
+        auth: {basic: 'admin'},
+        httpStatus: 400, default: false,
+        req: {email: 'j.doe@bosch.com', name: 'passreset', pass: 'Abc123!#', level: 'read', location: 'Rng', device_name: 'Alpha II'},
+        res: {status: 'Username already taken'}
+      });
+    });
    it('rejects invalid user details', done => {
      TestHelper.request(server, done, {
        method: 'post',
--- a/src/routes/user.ts
+++ b/src/routes/user.ts
@ -36,7 +36,7 @@ router.get('/user:username([/](?!key|new).?*|/?)', (req, res, next) => {  // thi
 });

 router.put('/user:username([/](?!key|new).?*|/?)', (req, res, next) => {  // this path matches /user, /user/ and /user/xxx, but not /user/key or user/new
-  console.log(req.authDetails);
+  req.params.username = req.params[0];
  if (!req.auth(res, ['read', 'write', 'maintain', 'dev', 'admin'], 'basic')) return;
  let username = req.authDetails.username;
  if (req.params.username !== undefined) {
@ -44,8 +44,6 @@ router.put('/user:username([/](?!key|new).?*|/?)', (req, res, next) => {  // thi
    username = req.params.username;
  }
  const {error, value: user} = UserValidate.input(req.body, 'change' + (req.authDetails.level === 'admin'? 'admin' : ''));
-  console.log(error);
-  console.log(user);
  if(error !== undefined) {
    res.status(400).json({status: 'Invalid body format'});
    return;
@ -59,7 +57,7 @@ router.put('/user:username([/](?!key|new).?*|/?)', (req, res, next) => {  // thi
  if (user.hasOwnProperty('name') && user.name !== username) {
    UserModel.find({name: user.name}).lean().exec(  (err, data:any) => {
      if (err) next(err);
-      if (data.length > 0) {
+      if (data.length > 0 || UserValidate.isSpecialName(user.name)) {
        res.status(400).json({status: 'Username already taken'});
        return;
      }
@ -88,6 +86,26 @@ router.put('/user:username([/](?!key|new).?*|/?)', (req, res, next) => {  // thi
  }
 });

+router.delete('/user:username([/](?!key|new).?*|/?)', (req, res, next) => {  // this path matches /user, /user/ and /user/xxx, but not /user/key or user/new. See https://forbeslindesay.github.io/express-route-tester/ for the generated regex
+  req.params.username = req.params[0];
+  if (!req.auth(res, ['read', 'write', 'maintain', 'dev', 'admin'], 'basic')) return;
+  let username = req.authDetails.username;
+  if (req.params.username !== undefined) {
+    if (!req.auth(res, ['admin'], 'basic')) return;
+    username = req.params.username;
+  }
+
+  UserModel.findOneAndDelete({name: username}).lean().exec(  (err, data:any) => {
+    if (err) next(err);
+    if (data) {
+      res.json({status: 'OK'})
+    }
+    else {
+      res.status(404).json({status: 'Not found'});
+    }
+  });
+});
+
 router.get('/user/key', (req, res, next) => {
  console.log('hmm');
  if (!req.auth(res, ['read', 'write', 'maintain', 'dev', 'admin'], 'basic')) return;
@ -111,7 +129,7 @@ router.post('/user/new', (req, res, next) => {
  // check that user does not already exist
  UserModel.find({name: user.name}).lean().exec(  (err, data:any) => {
    if (err) next(err);
-    if (data.length > 0) {
+    if (data.length > 0  || UserValidate.isSpecialName(user.name)) {
      res.status(400).json({status: 'Username already taken'});
      return;
    }
--- a/src/routes/validate/user.ts
+++ b/src/routes/validate/user.ts
@ -25,6 +25,8 @@ export default class UserValidate {  // validate input for user
      .allow('')
  };

+  private static specialUsernames = ['admin', 'user', 'key', 'new', 'passreset'];  // names a user cannot take
+
  static input (data, param) {
    if (param === 'new') {
      return joi.object({
@ -71,4 +73,8 @@ export default class UserValidate {  // validate input for user
    }).validate(data, {stripUnknown: true})
    return error !== undefined? null : value;
  }
+
+  static isSpecialName (name) {  // true if name belongs to special names
+    return this.specialUsernames.indexOf(name) > -1;
+  }
 }