budibase/packages/core/test/authApi.createUser.spec.js

import {setupApphierarchy, 
    basicAppHierarchyCreator_WithFields} from "./specHelpers";
import { userAuthFile,
    USERS_LOCK_FILE} from "../src/authApi/authCommon";
import {getLock} from "../src/common/lock";
import {getNewUserAuth} from "../src/authApi/getNewUser";
import {permission} from "../src/authApi/permissions";

describe("getNewUser", () => {
    it("should create correct fields", async () => {
        const {authApi} = await setupApphierarchy(basicAppHierarchyCreator_WithFields);
        const user = authApi.getNewUser();
        expect(user.name).toBe("");
        expect(user.accessLevels).toEqual([]);
        expect(user.enabled).toBe(true);
        expect(user.temporaryAccessId).toBe("");
    });
})

describe("getNewUser", () => {
    it("should create correct fields", async () => {
        const {app} = await setupApphierarchy(basicAppHierarchyCreator_WithFields);
        const userAuth = getNewUserAuth(app)();
        expect(userAuth.passwordHash).toBe("");
        expect(userAuth.temporaryAccessHash).toEqual("");
        expect(userAuth.temporaryAccessExpiryEpoch).toBe(0);
    });
});

describe("validateUsers", () => {

    it("should not return errors for valid user", async () => {
        const {authApi, app} = await setupApphierarchy(basicAppHierarchyCreator_WithFields);
        const user = validUser(app, authApi);
        const errs = authApi.validateUser([user], user);
        expect(errs).toEqual([]);
    });

    it("should have error when username is not set", async () => {
        const {authApi, app} = await setupApphierarchy(basicAppHierarchyCreator_WithFields);
        const user = validUser(app, authApi);
        user.name = "";
        const errs = authApi.validateUser([user], user);
        expect(errs.length).toBe(1);
        expect(errs[0].field).toBe("name");
    });

    it("should have error when duplicate usernames", async () => {
        const {authApi, app} = await setupApphierarchy(basicAppHierarchyCreator_WithFields);
        const user1 = validUser(app, authApi);
        const user2 = validUser(app, authApi);
        const errs = authApi.validateUser([user1, user2], user1);
        expect(errs.length).toBe(1);
        expect(errs[0].field).toBe("name");
    });

    it("should have error when no access levels", async () => {
        const {authApi, app} = await setupApphierarchy(basicAppHierarchyCreator_WithFields);
        const user = validUser(app, authApi);
        user.accessLevels = [];
        const errs = authApi.validateUser([user], user);
        expect(errs.length).toBe(1);
        expect(errs[0].field).toBe("accessLevels");
    });
    
});

describe("create and list users", () => {

    it("should create and load a valid user", async () => {
        const {authApi, app} = await setupApphierarchy(basicAppHierarchyCreator_WithFields);
        const user = validUser(app, authApi);
        await authApi.createUser(user);
        const users = await authApi.getUsers();
        expect(users.length).toBe(1);
        expect(users[0].name).toBe(user.name);
    });

    it("should not save an invalid user", async () => {
        const {authApi, app} = await setupApphierarchy(basicAppHierarchyCreator_WithFields);
        const user = validUser(app, authApi);
        user.name = "";
        let e;
        try {
            await authApi.createUser(user);
        } catch(ex) {
            e=ex;
        }
        expect(e).toBeDefined();
        const users = await authApi.getUsers();
        expect(users.length).toBe(0);
    });

    it("should not save when users file is locked", async () => {
        const {authApi, app} = await setupApphierarchy(basicAppHierarchyCreator_WithFields);
        const user = validUser(app, authApi);
        await getLock(
            app, USERS_LOCK_FILE, 10000,
            0,0);
        let e;
        try {
            await authApi.createUser(user);
        } catch(ex) {
            e=ex;
        }
        expect(e).toBeDefined();
        const users = await authApi.getUsers();
        expect(users.length).toBe(0);
    });

    it("should create temporary access when no password supplied", async () => {
        const {authApi, app} = await setupApphierarchy(basicAppHierarchyCreator_WithFields);
        const user = validUser(app, authApi);
        const returnedUser = await authApi.createUser(user);
        expect(returnedUser.tempCode.length).toBeGreaterThan(0);
        expect(returnedUser.temporaryAccessId.length).toBeGreaterThan(0);
    });

    it("should not store tempCode when temp access created", async () => {
        const {authApi, app} = await setupApphierarchy(basicAppHierarchyCreator_WithFields);
        const user = validUser(app, authApi);
        await authApi.createUser(user);
        const storedUser = (await authApi.getUsers())[0];
        expect(storedUser.tempCode).toBeUndefined();
    });

    it("should create user auth file with password hash, when password supplied", async () => {
        const {authApi, app} = await setupApphierarchy(basicAppHierarchyCreator_WithFields);
        const user = validUser(app, authApi);
        const returnedUser = await authApi.createUser(user, "password");
        expect(returnedUser.tempCode).toBeUndefined();
        expect(returnedUser.temporaryAccessId).toBeUndefined();

        const userAuth = await app.datastore.loadJson(
            userAuthFile(user.name)
        );
        expect(userAuth.passwordHash.length).toBeGreaterThan(0);
    });

    it("should not create user when user with same name already exists", async () => {
        const {authApi, app} = await setupApphierarchy(basicAppHierarchyCreator_WithFields);
        const user = validUser(app, authApi);
        await authApi.createUser(user);

        let e;
        try {
            await authApi.createUser(user);
        } catch(ex) {
            e=ex;
        }
        expect(e).toBeDefined();
        const users = await authApi.getUsers();
        expect(users.length).toBe(1);
    });

    it("create should throw error when user user does not have permission", async () => {
        const {authApi, app} = await setupApphierarchy(basicAppHierarchyCreator_WithFields);
        const user = validUser(app, authApi);
        app.removePermission(permission.createUser.get());
        expect(authApi.createUser(user)).rejects.toThrow(/Unauthorized/);
    });

    it("create should not depend on having any other permissions", async () => {
        const {authApi, app} = await setupApphierarchy(basicAppHierarchyCreator_WithFields);
        const user = validUser(app, authApi);
        app.withOnlyThisPermission(permission.createUser.get());
        await authApi.createUser(user);
    });

    it("list should throw error when user user does not have permission", async () => {
        const {authApi, app} = await setupApphierarchy(basicAppHierarchyCreator_WithFields);
        app.removePermission(permission.listUsers.get());
        expect(authApi.getUsers()).rejects.toThrow(/Unauthorized/);
    });

    it("list should not depend on having any other permissions", async () => {
        const {authApi, app} = await setupApphierarchy(basicAppHierarchyCreator_WithFields);
        app.withOnlyThisPermission(permission.listUsers.get());
        await authApi.getUsers();
    });

});

const validUser = (app, authApi) => {
    const u = authApi.getNewUser(app);
    u.name = "bob";
    u.accessLevels = ["admin"];
    u.enabled = true;
    return u;
};