You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
489 lines
17 KiB
489 lines
17 KiB
5 years ago
'use strict';
const assert = require('assert');
const path = require('path');
4 years ago
const fs = require('fs');
5 years ago
const SwaggerParser = require('@apidevtools/swagger-parser');
5 years ago
const request = require('request-promise-native');
const nconf = require('nconf');
5 years ago
const util = require('util');
const wait = util.promisify(setTimeout);
5 years ago
5 years ago
const db = require('./mocks/databasemock');
const helpers = require('./helpers');
4 years ago
const meta = require('../src/meta');
5 years ago
const user = require('../src/user');
const groups = require('../src/groups');
const categories = require('../src/categories');
const topics = require('../src/topics');
const plugins = require('../src/plugins');
const flags = require('../src/flags');
const messaging = require('../src/messaging');
4 years ago
const utils = require('../src/utils');
5 years ago
4 years ago
describe('API', async () => {
5 years ago
let readApi = false;
4 years ago
let writeApi = false;
const readApiPath = path.resolve(__dirname, '../public/openapi/read.yaml');
const writeApiPath = path.resolve(__dirname, '../public/openapi/write.yaml');
5 years ago
let jar;
4 years ago
let csrfToken;
5 years ago
let setup = false;
const unauthenticatedRoutes = ['/api/login', '/api/register']; // Everything else will be called with the admin user
4 years ago
const mocks = {
4 years ago
head: {},
4 years ago
get: {},
post: {},
put: {},
delete: {
'/users/{uid}/tokens/{token}': [
in: 'path',
name: 'uid',
example: 1,
in: 'path',
name: 'token',
example: utils.generateUUID(),
4 years ago
'/users/{uid}/sessions/{uuid}': [
in: 'path',
name: 'uid',
example: 1,
in: 'path',
name: 'uuid',
example: '', // to be defined below...
4 years ago
5 years ago
async function dummySearchHook(data) {
return [1];
after(async function () {
plugins.unregisterHook('core', 'filter:search.query', dummySearchHook);
async function setupData() {
if (setup) {
// Create sample users
const adminUid = await user.create({ username: 'admin', password: '123456', email: '[email protected]' });
const unprivUid = await user.create({ username: 'unpriv', password: '123456', email: '[email protected]' });
4 years ago
for (let x = 0; x < 4; x++) {
4 years ago
// eslint-disable-next-line no-await-in-loop
4 years ago
await user.create({ username: 'deleteme', password: '123456' }); // for testing of DELETE /users (uids 5, 6) and DELETE /user/:uid/account (uid 7)
4 years ago
5 years ago
await groups.join('administrators', adminUid);
4 years ago
// Create sample group
await groups.create({
name: 'Test Group',
await meta.settings.set('core.api', {
tokens: [{
token: mocks.delete['/users/{uid}/tokens/{token}'][1].example,
uid: 1,
4 years ago
description: 'for testing of token deletion route',
4 years ago
4 years ago
meta.config.allowTopicsThumbnail = 1;
4 years ago
5 years ago
// Create a category
const testCategory = await categories.create({ name: 'test' });
// Post a new topic
const testTopic = await{
uid: adminUid,
cid: testCategory.cid,
title: 'Test Topic',
content: 'Test topic content',
4 years ago
const unprivTopic = await{
uid: unprivUid,
cid: testCategory.cid,
title: 'Test Topic 2',
content: 'Test topic 2 content',
5 years ago
// Create a sample flag
await flags.create('post', 1, unprivUid, 'sample reasons',;
// Create a new chat room
await messaging.newRoom(1, [2]);
4 years ago
// Create an empty file to test DELETE /files and thumb deletion
4 years ago
fs.closeSync(fs.openSync(path.resolve(nconf.get('upload_path'), 'files/test.txt'), 'w'));
4 years ago
fs.closeSync(fs.openSync(path.resolve(nconf.get('upload_path'), 'files/test.png'), 'w'));
4 years ago
4 years ago
const socketUser = require('../src/');
4 years ago
const socketAdmin = require('../src/');
5 years ago
// export data for admin user
await socketUser.exportProfile({ uid: adminUid }, { uid: adminUid });
await socketUser.exportPosts({ uid: adminUid }, { uid: adminUid });
await socketUser.exportUploads({ uid: adminUid }, { uid: adminUid });
4 years ago
await socketAdmin.user.exportUsersCSV({ uid: adminUid }, {});
5 years ago
// wait for export child process to complete
4 years ago
await wait(5000);
5 years ago
5 years ago
// Attach a search hook so /api/search is enabled
plugins.registerHook('core', {
hook: 'filter:search.query',
method: dummySearchHook,
jar = await helpers.loginUser('admin', '123456');
4 years ago
// Retrieve CSRF token using cookie, to test Write API
const config = await request({
url: nconf.get('url') + '/api/config',
json: true,
jar: jar,
csrfToken = config.csrf_token;
5 years ago
setup = true;
5 years ago
it('should pass OpenAPI v3 validation', async () => {
try {
4 years ago
await SwaggerParser.validate(readApiPath);
await SwaggerParser.validate(writeApiPath);
5 years ago
} catch (e) {
5 years ago
4 years ago
readApi = await SwaggerParser.dereference(readApiPath);
writeApi = await SwaggerParser.dereference(writeApiPath);
5 years ago
4 years ago
it('should grab all mounted routes and ensure a schema exists', async () => {
const webserver = require('../src/webserver');
const buildPaths = function (stack, prefix) {
4 years ago
const paths = => {
if (dispatch.route && dispatch.route.path && typeof dispatch.route.path === 'string') {
if (!prefix && !dispatch.route.path.startsWith('/api/')) {
return null;
return {
method: Object.keys(dispatch.route.methods)[0],
path: (prefix || '') + dispatch.route.path,
} else if ( === 'router') {
const prefix = dispatch.regexp.toString().replace('/^', '').replace('\\/?(?=\\/|$)/i', '').replace(/\\\//g, '/');
return buildPaths(dispatch.handle.stack, prefix);
4 years ago
4 years ago
// Drop any that aren't actual routes (middlewares, error handlers, etc.)
return null;
return paths.flat();
4 years ago
4 years ago
let paths = buildPaths( normalize(pathObj) {
4 years ago
pathObj.path = pathObj.path.replace(/\/:([^\\/]+)/g, '/{$1}');
return pathObj;
4 years ago
const exclusionPrefixes = ['/api/admin/plugins', '/api/compose'];
4 years ago
paths = paths.filter(function filterExclusions(path) {
4 years ago
return path.method !== '_all' && !exclusionPrefixes.some(prefix => path.path.startsWith(prefix));
4 years ago
4 years ago
// For each express path, query for existence in read and write api schemas
paths.forEach((pathObj) => {
describe(`${pathObj.method.toUpperCase()} ${pathObj.path}`, () => {
it('should be defined in schema docs', () => {
4 years ago
let schema = readApi;
if (pathObj.path.startsWith('/api/v3')) {
schema = writeApi;
pathObj.path = pathObj.path.replace('/api/v3', '');
4 years ago
// Don't check non-GET routes in Read API
if (schema === readApi && pathObj.method !== 'get') {
4 years ago
const normalizedPath = pathObj.path.replace(/\/:([^\\/]+)/g, '/{$1}').replace(/\?/g, '');
// generateTests(readApi, Object.keys(readApi.paths));
// generateTests(writeApi, Object.keys(writeApi.paths), writeApi.servers[0].url);
4 years ago
function generateTests(api, paths, prefix) {
// Iterate through all documented paths, make a call to it, and compare the result body with what is defined in the spec
4 years ago
const pathLib = path; // for calling path module from inside this forEach
4 years ago
paths.forEach((path) => {
const context = api.paths[path];
let schema;
let response;
let url;
let method;
const headers = {};
const qs = {};
Object.keys(context).forEach((_method) => {
4 years ago
// Only test GET routes in the Read API
4 years ago
if ( === 'NodeBB Read API' && _method !== 'get') {
4 years ago
4 years ago
it('should have each path parameter defined in its context', () => {
4 years ago
method = _method;
4 years ago
if (!context[method].parameters) {
4 years ago
const names = (path.match(/{[\w\-_*]+}?/g) || []).map(match => match.slice(1, -1));
4 years ago
assert(context[method] => ( === 'path' ? : null)).filter(Boolean).every(name => names.includes(name)), `${method.toUpperCase()} ${path} has parameter(s) in path that are not defined in schema`);
it('should have examples when parameters are present', () => {
4 years ago
let parameters = context[method].parameters;
let testPath = path;
if (parameters) {
// Use mock data if provided
parameters = mocks[method][path] || parameters;
parameters.forEach((param) => {
assert(param.example !== null && param.example !== undefined, `${method.toUpperCase()} ${path} has parameters without examples`);
switch ( {
case 'path':
testPath = testPath.replace('{' + + '}', param.example);
case 'header':
headers[] = param.example;
case 'query':
qs[] = param.example;
4 years ago
url = nconf.get('url') + (prefix || '') + testPath;
4 years ago
4 years ago
it('should contain a valid request body (if present) with application/json or multipart/form-data type if POST/PUT/DELETE', () => {
4 years ago
if (['post', 'put', 'delete'].includes(method) && context[method].hasOwnProperty('requestBody')) {
4 years ago
const failMessage = `${method.toUpperCase()} ${path} has a malformed request body`;
assert(context[method].requestBody, failMessage);
assert(context[method].requestBody.content, failMessage);
4 years ago
if (context[method].requestBody.content.hasOwnProperty('application/json')) {
4 years ago
assert(context[method].requestBody.content['application/json'], failMessage);
assert(context[method].requestBody.content['application/json'].schema, failMessage);
assert(context[method].requestBody.content['application/json'], failMessage);
4 years ago
} else if (context[method].requestBody.content.hasOwnProperty('multipart/form-data')) {
4 years ago
assert(context[method].requestBody.content['multipart/form-data'], failMessage);
assert(context[method].requestBody.content['multipart/form-data'].schema, failMessage);
assert(context[method].requestBody.content['multipart/form-data'], failMessage);
4 years ago
4 years ago
it('should resolve with a 200 when called', async () => {
await setupData();
if (csrfToken) {
headers['x-csrf-token'] = csrfToken;
let body = {};
4 years ago
let type = 'json';
if (context[method].hasOwnProperty('requestBody') && context[method].requestBody.content['application/json']) {
4 years ago
body = buildBody(context[method].requestBody.content['application/json'];
4 years ago
} else if (context[method].hasOwnProperty('requestBody') && context[method].requestBody.content['multipart/form-data']) {
type = 'form';
4 years ago
try {
4 years ago
if (type === 'json') {
// console.log(`calling ${method} ${url} with`, body);
response = await request(url, {
method: method,
jar: !unauthenticatedRoutes.includes(path) ? jar : undefined,
json: true,
4 years ago
followRedirect: false, // all responses are significant (e.g. 302)
simple: false, // don't throw on non-200 (e.g. 302)
resolveWithFullResponse: true, // send full request back (to check statusCode)
4 years ago
headers: headers,
qs: qs,
body: body,
} else if (type === 'form') {
response = await new Promise((resolve, reject) => {
helpers.uploadFile(url, pathLib.join(__dirname, './files/test.png'), {}, jar, csrfToken, function (err, res, body) {
if (err) {
return reject(err);
4 years ago
} catch (e) {
assert(!e, `${method.toUpperCase()} ${path} resolved with ${e.message}`);
4 years ago
it('response status code should match one of the schema defined responses', () => {
// HACK: allow HTTP 418 I am a teapot, for now 👇
assert(context[method].responses.hasOwnProperty('418') || Object.keys(context[method].responses).includes(String(response.statusCode)), `${method.toUpperCase()} ${path} sent back unexpected HTTP status code: ${response.statusCode}`);
4 years ago
// Recursively iterate through schema properties, comparing type
4 years ago
it('response body should match schema definition', () => {
const http302 = context[method].responses['302'];
if (http302 && response.statusCode === 302) {
// Compare headers instead
const expectedHeaders = Object.keys(http302.headers).reduce((memo, name) => {
memo[name] = http302.headers[name].schema.example;
return memo;
}, {});
for (const header in expectedHeaders) {
if (expectedHeaders.hasOwnProperty(header)) {
assert(response.headers[header.toLowerCase()] === expectedHeaders[header]);
const http200 = context[method].responses['200'];
if (!http200) {
4 years ago
4 years ago
const hasJSON = http200.content && http200.content['application/json'];
4 years ago
if (hasJSON) {
schema = context[method].responses['200'].content['application/json'].schema;
4 years ago
compare(schema, response.body, method.toUpperCase(), path, 'root');
4 years ago
// TODO someday: text/csv, binary file type checking?
it('should successfully re-login if needed', async () => {
4 years ago
const reloginPaths = ['PUT /users/{uid}/password', 'DELETE /users/{uid}/sessions/{uuid}'];
if (reloginPaths.includes(`${method.toUpperCase()} ${path}`)) {
4 years ago
jar = await helpers.loginUser('admin', '123456');
4 years ago
const sessionUUIDs = await db.getObject('uid:1:sessionUUID:sessionId');
mocks.delete['/users/{uid}/sessions/{uuid}'][1].example = Object.keys(sessionUUIDs).pop();
4 years ago
// Retrieve CSRF token using cookie, to test Write API
const config = await request({
url: nconf.get('url') + '/api/config',
json: true,
jar: jar,
csrfToken = config.csrf_token;
4 years ago
5 years ago
4 years ago
function buildBody(schema) {
return Object.keys(schema).reduce((memo, cur) => {
memo[cur] = schema[cur].example;
return memo;
}, {});
5 years ago
4 years ago
function compare(schema, response, method, path, context) {
4 years ago
let required = [];
const additionalProperties = schema.hasOwnProperty('additionalProperties');
if (schema.allOf) {
schema = schema.allOf.reduce((memo, obj) => {
required = required.concat(obj.required ? obj.required : Object.keys(;
memo = { ...memo, };
return memo;
}, {});
} else if ( {
required = schema.required || Object.keys(;
schema =;
} else {
// If schema contains no properties, check passes
5 years ago
5 years ago
4 years ago
// Compare the schema to the response
required.forEach((prop) => {
if (schema.hasOwnProperty(prop)) {
4 years ago
assert(response.hasOwnProperty(prop), '"' + prop + '" is a required property (path: ' + method + ' ' + path + ', context: ' + context + ')');
4 years ago
// Don't proceed with type-check if the value could possibly be unset (nullable: true, in spec)
if (response[prop] === null && schema[prop].nullable === true) {
// Therefore, if the value is actually null, that's a problem (nullable is probably missing)
4 years ago
assert(response[prop] !== null, '"' + prop + '" was null, but schema does not specify it to be a nullable property (path: ' + method + ' ' + path + ', context: ' + context + ')');
4 years ago
switch (schema[prop].type) {
case 'string':
4 years ago
assert.strictEqual(typeof response[prop], 'string', '"' + prop + '" was expected to be a string, but was ' + typeof response[prop] + ' instead (path: ' + method + ' ' + path + ', context: ' + context + ')');
4 years ago
case 'boolean':
4 years ago
assert.strictEqual(typeof response[prop], 'boolean', '"' + prop + '" was expected to be a boolean, but was ' + typeof response[prop] + ' instead (path: ' + method + ' ' + path + ', context: ' + context + ')');
4 years ago
case 'object':
4 years ago
assert.strictEqual(typeof response[prop], 'object', '"' + prop + '" was expected to be an object, but was ' + typeof response[prop] + ' instead (path: ' + method + ' ' + path + ', context: ' + context + ')');
compare(schema[prop], response[prop], method, path, context ? [context, prop].join('.') : prop);
4 years ago
case 'array':
4 years ago
assert.strictEqual(Array.isArray(response[prop]), true, '"' + prop + '" was expected to be an array, but was ' + typeof response[prop] + ' instead (path: ' + method + ' ' + path + ', context: ' + context + ')');
4 years ago
if (schema[prop].items) {
4 years ago
// Ensure the array items have a schema defined
4 years ago
assert(schema[prop].items.type || schema[prop].items.allOf, '"' + prop + '" is defined to be an array, but its items have no schema defined (path: ' + method + ' ' + path + ', context: ' + context + ')');
4 years ago
// Compare types
if (schema[prop].items.type === 'object' || Array.isArray(schema[prop].items.allOf)) {
response[prop].forEach((res) => {
4 years ago
compare(schema[prop].items, res, method, path, context ? [context, prop].join('.') : prop);
4 years ago
} else if (response[prop].length) { // for now
response[prop].forEach((item) => {
4 years ago
assert.strictEqual(typeof item, schema[prop].items.type, '"' + prop + '" should have ' + schema[prop].items.type + ' items, but found ' + typeof items + ' instead (path: ' + method + ' ' + path + ', context: ' + context + ')');
4 years ago
// Compare the response to the schema
Object.keys(response).forEach((prop) => {
if (additionalProperties) { // All bets are off
4 years ago
assert(schema[prop], '"' + prop + '" was found in response, but is not defined in schema (path: ' + method + ' ' + path + ', context: ' + context + ')');
4 years ago
5 years ago