added PUT /user route
This commit is contained in:
parent
a64229d1dc
commit
7a917c1f6b
@ -23,7 +23,7 @@ info:
|
||||
<li>at least one digit</li>
|
||||
<li>at least one lower case letter</li>
|
||||
<li>at least one upper case letter</li>
|
||||
<li>at least one of the following special characters: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~</li>
|
||||
<li>at least one of the following special characters: !"#%&'()*+,-./:;<=>?@[\]^_`{|}~</li>
|
||||
<li>no whitespace</li>
|
||||
<li>at least 8 characters</li>
|
||||
</ul>
|
||||
|
@ -36,14 +36,10 @@
|
||||
application/json:
|
||||
schema:
|
||||
$ref: 'oas.yaml#/components/schemas/User'
|
||||
400:
|
||||
$ref: 'oas.yaml#/components/responses/400'
|
||||
401:
|
||||
$ref: 'oas.yaml#/components/responses/401'
|
||||
403:
|
||||
$ref: 'oas.yaml#/components/responses/403'
|
||||
404:
|
||||
$ref: 'oas.yaml#/components/responses/404'
|
||||
500:
|
||||
$ref: 'oas.yaml#/components/responses/500'
|
||||
put:
|
||||
@ -86,8 +82,6 @@
|
||||
$ref: 'oas.yaml#/components/responses/401'
|
||||
403:
|
||||
$ref: 'oas.yaml#/components/responses/403'
|
||||
404:
|
||||
$ref: 'oas.yaml#/components/responses/404'
|
||||
500:
|
||||
$ref: 'oas.yaml#/components/responses/500'
|
||||
delete:
|
||||
@ -106,8 +100,6 @@
|
||||
$ref: 'oas.yaml#/components/responses/401'
|
||||
403:
|
||||
$ref: 'oas.yaml#/components/responses/403'
|
||||
404:
|
||||
$ref: 'oas.yaml#/components/responses/404'
|
||||
500:
|
||||
$ref: 'oas.yaml#/components/responses/500'
|
||||
/user/{name}:
|
||||
@ -127,8 +119,6 @@
|
||||
application/json:
|
||||
schema:
|
||||
$ref: 'oas.yaml#/components/schemas/User'
|
||||
400:
|
||||
$ref: 'oas.yaml#/components/responses/400'
|
||||
401:
|
||||
$ref: 'oas.yaml#/components/responses/401'
|
||||
403:
|
||||
|
@ -160,6 +160,18 @@ describe('GET /user/{name}', () => {
|
||||
done();
|
||||
});
|
||||
});
|
||||
it('returns 404 for an unknown user', done => {
|
||||
supertest(server)
|
||||
.get('/user/unknown')
|
||||
.auth('admin', 'Abc123!#')
|
||||
.expect('Content-type', /json/)
|
||||
.expect(404)
|
||||
.end((err, res) => {
|
||||
if (err) done (err);
|
||||
should(res.body).be.eql({status: 'Not found'});
|
||||
done();
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
|
||||
@ -184,7 +196,8 @@ describe('PUT /user/{name}', () => {
|
||||
});
|
||||
it('returns own user details', done => {
|
||||
supertest(server)
|
||||
.get('/user')
|
||||
.put('/user')
|
||||
.send({})
|
||||
.auth('janedoe', 'Xyz890*)')
|
||||
.expect('Content-type', /json/)
|
||||
.expect(200)
|
||||
@ -202,7 +215,8 @@ describe('PUT /user/{name}', () => {
|
||||
});
|
||||
it('returns other user details for admin', done => {
|
||||
supertest(server)
|
||||
.get('/user/janedoe')
|
||||
.put('/user/janedoe')
|
||||
.send({})
|
||||
.auth('admin', 'Abc123!#')
|
||||
.expect('Content-type', /json/)
|
||||
.expect(200)
|
||||
@ -218,9 +232,118 @@ describe('PUT /user/{name}', () => {
|
||||
done();
|
||||
});
|
||||
});
|
||||
it('changes user details as given', done => {
|
||||
supertest(server)
|
||||
.put('/user')
|
||||
.auth('admin', 'Abc123!#')
|
||||
.send({name: 'adminnew', email: 'adminnew@bosch.com', pass: 'Abc123##', location: 'Abt', device_name: 'test'})
|
||||
.expect(200)
|
||||
.end(err => {
|
||||
if (err) done (err);
|
||||
UserModel.find({name: 'adminnew'}).lean().exec( 'find', (err, data) => {
|
||||
if (err) return done(err);
|
||||
should(data).have.lengthOf(1);
|
||||
should(data[0]).have.only.keys('_id', 'name', 'pass', 'email', 'level', 'location', 'device_name', 'key', '__v');
|
||||
should(data[0]).have.property('_id');
|
||||
should(data[0]).have.property('name', 'adminnew');
|
||||
should(data[0]).have.property('email', 'adminnew@bosch.com');
|
||||
should(data[0]).have.property('pass').not.eql('Abc123##');
|
||||
should(data[0]).have.property('level', 'admin');
|
||||
should(data[0]).have.property('location', 'Abt');
|
||||
should(data[0]).have.property('device_name', 'test');
|
||||
done();
|
||||
});
|
||||
});
|
||||
});
|
||||
it('lets the admin change a user level', done => {
|
||||
supertest(server)
|
||||
.put('/user/janedoe')
|
||||
.auth('admin', 'Abc123!#')
|
||||
.send({level: 'read'})
|
||||
.expect(200)
|
||||
.end(err => {
|
||||
if (err) done (err);
|
||||
UserModel.find({name: 'janedoe'}).lean().exec( 'find', (err, data) => {
|
||||
if (err) return done(err);
|
||||
should(data).have.lengthOf(1);
|
||||
should(data[0]).have.property('level', 'read');
|
||||
done();
|
||||
});
|
||||
});
|
||||
});
|
||||
it('does not change the level', done => {
|
||||
supertest(server)
|
||||
.put('/user')
|
||||
.auth('janedoe', 'Xyz890*)')
|
||||
.send({level: 'read'})
|
||||
.expect(400)
|
||||
.end((err, res) => {
|
||||
if (err) done (err);
|
||||
should(res.body).be.eql({status: 'Invalid body format'});
|
||||
UserModel.find({name: 'janedoe'}).lean().exec( 'find', (err, data) => {
|
||||
if (err) return done(err);
|
||||
should(data).have.lengthOf(1);
|
||||
should(data[0]).have.property('level', 'write');
|
||||
done();
|
||||
});
|
||||
});
|
||||
});
|
||||
it('rejects a username already in use', done => {
|
||||
supertest(server)
|
||||
.put('/user')
|
||||
.auth('admin', 'Abc123!#')
|
||||
.send({name: 'janedoe'})
|
||||
.expect(400)
|
||||
.end((err, res) => {
|
||||
if (err) done (err);
|
||||
should(res.body).be.eql({status: 'Username already taken'});
|
||||
UserModel.find({name: 'janedoe'}).lean().exec( 'find', (err, data) => {
|
||||
if (err) return done(err);
|
||||
should(data).have.lengthOf(1);
|
||||
done();
|
||||
});
|
||||
});
|
||||
});
|
||||
it('rejects invalid user details', done => {
|
||||
supertest(server)
|
||||
.put('/user')
|
||||
.auth('admin', 'Abc123!#')
|
||||
.send({email: 'john.doe@bosch.com', name: 'johndoe', pass: 'Abc123!#', location: 44, device_name: 'Alpha II'})
|
||||
.expect(400)
|
||||
.end((err, res) => {
|
||||
if (err) done (err);
|
||||
should(res.body).be.eql({status: 'Invalid body format'});
|
||||
done();
|
||||
});
|
||||
});
|
||||
it('rejects an invalid email address', done => {
|
||||
supertest(server)
|
||||
.put('/user')
|
||||
.auth('admin', 'Abc123!#')
|
||||
.send({email: 'john.doe'})
|
||||
.expect(400)
|
||||
.end((err, res) => {
|
||||
if (err) done (err);
|
||||
should(res.body).be.eql({status: 'Invalid body format'});
|
||||
done();
|
||||
});
|
||||
});
|
||||
it('rejects an invalid password', done => {
|
||||
supertest(server)
|
||||
.put('/user')
|
||||
.auth('admin', 'Abc123!#')
|
||||
.send({pass: 'password'})
|
||||
.expect(400)
|
||||
.end((err, res) => {
|
||||
if (err) done (err);
|
||||
should(res.body).be.eql({status: 'Invalid body format'});
|
||||
done();
|
||||
});
|
||||
});
|
||||
it('rejects requests from non-admins for another user', done => {
|
||||
supertest(server)
|
||||
.get('/user/admin')
|
||||
.put('/user/admin')
|
||||
.send({})
|
||||
.auth('janedoe', 'Xyz890*)')
|
||||
.expect('Content-type', /json/)
|
||||
.expect(403)
|
||||
@ -232,7 +355,8 @@ describe('PUT /user/{name}', () => {
|
||||
});
|
||||
it('rejects requests from a user API key', done => {
|
||||
supertest(server)
|
||||
.get('/user?key=5ea0450ed851c30a90e70899')
|
||||
.put('/user?key=5ea0450ed851c30a90e70899')
|
||||
.send({})
|
||||
.expect('Content-type', /json/)
|
||||
.expect(401)
|
||||
.end((err, res) => {
|
||||
@ -243,7 +367,8 @@ describe('PUT /user/{name}', () => {
|
||||
});
|
||||
it('rejects requests from an admin API key', done => {
|
||||
supertest(server)
|
||||
.get('/user/janedoe?key=5ea131671feb9c2ee0aafc9a')
|
||||
.put('/user/janedoe?key=5ea131671feb9c2ee0aafc9a')
|
||||
.send({})
|
||||
.expect('Content-type', /json/)
|
||||
.expect(401)
|
||||
.end((err, res) => {
|
||||
@ -252,6 +377,18 @@ describe('PUT /user/{name}', () => {
|
||||
done();
|
||||
});
|
||||
});
|
||||
it('returns 404 for an unknown user', done => {
|
||||
supertest(server)
|
||||
.put('/user/unknown')
|
||||
.auth('admin', 'Abc123!#')
|
||||
.send({})
|
||||
.expect(404)
|
||||
.end((err, res) => {
|
||||
if (err) done (err);
|
||||
should(res.body).be.eql({status: 'Not found'});
|
||||
done();
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
|
||||
@ -332,6 +469,54 @@ describe('POST /user/new', () => {
|
||||
});
|
||||
});
|
||||
});
|
||||
it('rejects invalid user details', done => {
|
||||
supertest(server)
|
||||
.post('/user/new')
|
||||
.auth('admin', 'Abc123!#')
|
||||
.send({email: 'john.doe@bosch.com', name: 'johndoe', pass: 'Abc123!#', level: 'read', location: 44, device_name: 'Alpha II'})
|
||||
.expect(400)
|
||||
.end((err, res) => {
|
||||
if (err) done (err);
|
||||
should(res.body).be.eql({status: 'Invalid body format'});
|
||||
done();
|
||||
});
|
||||
});
|
||||
it('rejects an invalid user level', done => {
|
||||
supertest(server)
|
||||
.post('/user/new')
|
||||
.auth('admin', 'Abc123!#')
|
||||
.send({email: 'john.doe@bosch.com', name: 'johndoe', pass: 'Abc123!#', level: 'xxx', location: 'Rng', device_name: 'Alpha II'})
|
||||
.expect(400)
|
||||
.end((err, res) => {
|
||||
if (err) done (err);
|
||||
should(res.body).be.eql({status: 'Invalid body format'});
|
||||
done();
|
||||
});
|
||||
});
|
||||
it('rejects an invalid email address', done => {
|
||||
supertest(server)
|
||||
.post('/user/new')
|
||||
.auth('admin', 'Abc123!#')
|
||||
.send({email: 'john.doe', name: 'johndoe', pass: 'Abc123!#', level: 'read', location: 'Rng', device_name: 'Alpha II'})
|
||||
.expect(400)
|
||||
.end((err, res) => {
|
||||
if (err) done (err);
|
||||
should(res.body).be.eql({status: 'Invalid body format'});
|
||||
done();
|
||||
});
|
||||
});
|
||||
it('rejects an invalid password', done => {
|
||||
supertest(server)
|
||||
.post('/user/new')
|
||||
.auth('admin', 'Abc123!#')
|
||||
.send({email: 'john.doe@bosch.com', name: 'johndoe', pass: 'password', level: 'read', location: 'Rng', device_name: 'Alpha II'})
|
||||
.expect(400)
|
||||
.end((err, res) => {
|
||||
if (err) done (err);
|
||||
should(res.body).be.eql({status: 'Invalid body format'});
|
||||
done();
|
||||
});
|
||||
});
|
||||
it('rejects requests from non-admins', done => {
|
||||
supertest(server)
|
||||
.post('/user/new')
|
||||
|
@ -15,7 +15,7 @@ router.get('/users', (req, res) => {
|
||||
});
|
||||
});
|
||||
|
||||
router.get('/user/:username*?', (req, res) => {
|
||||
router.get('/user/:username*?', (req, res, next) => {
|
||||
if (!req.auth(res, ['read', 'write', 'maintain', 'dev', 'admin'], 'basic')) return;
|
||||
let username = req.authDetails.username;
|
||||
if (req.params.username !== undefined) {
|
||||
@ -24,15 +24,74 @@ router.get('/user/:username*?', (req, res) => {
|
||||
}
|
||||
|
||||
UserModel.findOne({name: username}).lean().exec( (err, data:any) => {
|
||||
if (err) next(err);
|
||||
if (data) {
|
||||
res.json(UserValidate.output(data)); // validate all and filter null values from validation errors
|
||||
}
|
||||
else {
|
||||
res.status(404).json({status: 'Not found'});
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
router.put('/user/:username*?', (req, res, next) => {
|
||||
console.log(req.authDetails);
|
||||
if (!req.auth(res, ['read', 'write', 'maintain', 'dev', 'admin'], 'basic')) return;
|
||||
let username = req.authDetails.username;
|
||||
if (req.params.username !== undefined) {
|
||||
if (!req.auth(res, ['admin'], 'basic')) return;
|
||||
username = req.params.username;
|
||||
}
|
||||
const {error, value: user} = UserValidate.input(req.body, 'change' + (req.authDetails.level === 'admin'? 'admin' : ''));
|
||||
console.log(error);
|
||||
console.log(user);
|
||||
if(error !== undefined) {
|
||||
res.status(400).json({status: 'Invalid body format'});
|
||||
return;
|
||||
}
|
||||
|
||||
if (user.hasOwnProperty('pass')) {
|
||||
user.pass = bcrypt.hashSync(user.pass, 10);
|
||||
}
|
||||
|
||||
// check that user does not already exist if new name was specified
|
||||
if (user.hasOwnProperty('name') && user.name !== username) {
|
||||
UserModel.find({name: user.name}).lean().exec( (err, data:any) => {
|
||||
if (err) next(err);
|
||||
if (data.length > 0) {
|
||||
res.status(400).json({status: 'Username already taken'});
|
||||
return;
|
||||
}
|
||||
|
||||
UserModel.findOneAndUpdate({name: username}, user, {new: true}).lean().exec( (err, data:any) => {
|
||||
if (err) next(err);
|
||||
if (data) {
|
||||
res.json(UserValidate.output(data)); // validate all and filter null values from validation errors
|
||||
}
|
||||
else {
|
||||
res.status(404).json({status: 'Not found'});
|
||||
}
|
||||
});
|
||||
});
|
||||
}
|
||||
else {
|
||||
UserModel.findOneAndUpdate({name: username}, user, {new: true}).lean().exec( (err, data:any) => {
|
||||
if (err) next(err);
|
||||
if (data) {
|
||||
res.json(UserValidate.output(data)); // validate all and filter null values from validation errors
|
||||
}
|
||||
else {
|
||||
res.status(404).json({status: 'Not found'});
|
||||
}
|
||||
});
|
||||
}
|
||||
});
|
||||
|
||||
router.post('/user/new', (req, res, next) => {
|
||||
if (!req.auth(res, ['admin'], 'basic')) return;
|
||||
|
||||
// validate input
|
||||
const {error, value: user} = UserValidate.input(req.body);
|
||||
const {error, value: user} = UserValidate.input(req.body, 'new');
|
||||
if(error !== undefined) {
|
||||
res.status(400).json({status: 'Invalid body format'});
|
||||
return;
|
||||
|
@ -2,35 +2,63 @@ import joi from '@hapi/joi';
|
||||
import globals from '../../globals';
|
||||
|
||||
export default class UserValidate { // validate input for user
|
||||
static input (data) {
|
||||
return joi.object({
|
||||
private static user = {
|
||||
_id: joi.any(),
|
||||
name: joi.string()
|
||||
.alphanum()
|
||||
.lowercase()
|
||||
.required(),
|
||||
.lowercase(),
|
||||
|
||||
email: joi.string()
|
||||
.email({minDomainSegments: 2})
|
||||
.lowercase()
|
||||
.required(),
|
||||
.lowercase(),
|
||||
|
||||
pass: joi.string()
|
||||
.pattern(new RegExp('^(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[!"#$%&\'()*+,-.\\/:;<=>?@[\\]^_`{|}~])(?=\\S+$).{8,}$'))
|
||||
.required(),
|
||||
.pattern(new RegExp('^(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[!"#%&\'()*+,-.\\/:;<=>?@[\\]^_`{|}~])(?=\\S+$).{8,}$')),
|
||||
|
||||
level: joi.string()
|
||||
.valid(...globals.levels)
|
||||
.required(),
|
||||
.valid(...globals.levels),
|
||||
|
||||
location: joi.string()
|
||||
.alphanum()
|
||||
.required(),
|
||||
.alphanum(),
|
||||
|
||||
device_name: joi.string()
|
||||
.allow('')
|
||||
.required()
|
||||
};
|
||||
|
||||
static input (data, param) {
|
||||
if (param === 'new') {
|
||||
return joi.object({
|
||||
name: this.user.name.required(),
|
||||
email: this.user.email.required(),
|
||||
pass: this.user.pass.required(),
|
||||
level: this.user.level.required(),
|
||||
location: this.user.location.required(),
|
||||
device_name: this.user.device_name.required()
|
||||
}).validate(data);
|
||||
}
|
||||
else if (param === 'change') {
|
||||
return joi.object({
|
||||
name: this.user.name,
|
||||
email: this.user.email,
|
||||
pass: this.user.pass,
|
||||
location: this.user.location,
|
||||
device_name: this.user.device_name
|
||||
}).validate(data);
|
||||
}
|
||||
else if (param === 'changeadmin') {
|
||||
return joi.object({
|
||||
name: this.user.name,
|
||||
email: this.user.email,
|
||||
pass: this.user.pass,
|
||||
level: this.user.level,
|
||||
location: this.user.location,
|
||||
device_name: this.user.device_name
|
||||
}).validate(data);
|
||||
}
|
||||
else {
|
||||
return{error: 'No parameter specified!', value: {}};
|
||||
}
|
||||
}
|
||||
|
||||
static output (data) { // validate output from database for needed properties, strip everything else
|
||||
const {value, error} = joi.object({
|
||||
|
Reference in New Issue
Block a user