From 7434cbf66f5fe815e1883f90880ab708100c8214 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Fri, 26 Nov 2021 18:59:29 -0500
Subject: [PATCH] test: add api token tests
---
 src/middleware/user.js | 2 +-
 test/authentication.js | 82 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 83 insertions(+), 1 deletion(-)
diff --git a/src/middleware/user.js b/src/middleware/user.js
index c70d4f21d9..6b4377fb51 100644
--- a/src/middleware/user.js
+++ b/src/middleware/user.js
@@ -44,7 +44,6 @@ module.exports = function (middleware) {
 const user = await passportAuthenticateAsync(req, res);
 if (!user) { return true; }
- // If the token received was a master token, a _uid must also be present for all calls
 if (user.hasOwnProperty('uid')) {
 await loginAsync(user);
 await controllers.authentication.onSuccessfulLogin(req, user.uid);
@@ -52,6 +51,7 @@ module.exports = function (middleware) {
 req.loggedIn = req.uid > 0;
 return true;
 } else if (user.hasOwnProperty('master') && user.master === true) {
+ // If the token received was a master token, a _uid must also be present for all calls
 if (req.body.hasOwnProperty('_uid') || req.query.hasOwnProperty('_uid')) {
 user.uid = req.body._uid || req.query._uid;
 delete user.master;
diff --git a/test/authentication.js b/test/authentication.js
index a152c2239c..7e69e04b8f 100644
--- a/test/authentication.js
+++ b/test/authentication.js
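Review bot: In the master-token branch that the moved comment now documents, `_uid` is taken straight from `req.body`/`req.query` and assigned to `user.uid` without being coerced to an integer or checked against an existing account, so a master-token request can presumably carry a non-numeric or unknown `_uid` into whatever login step follows the hunk; the new tests only cover a valid `_uid` and a missing one. A guard along the lines of `const uid = parseInt(req.body._uid ?? req.query._uid, 10);` followed by rejecting `!Number.isInteger(uid) || uid <= 0` through the same error path that yields `[[error:api.master-token-no-uid]]` would close that gap. The `req.body.hasOwnProperty(...)` and `req.query.hasOwnProperty(...)` calls also dispatch through a client-controlled object, so `Object.prototype.hasOwnProperty.call(req.body, '_uid')` is the safer form — a request body that shadows `hasOwnProperty` otherwise turns into a TypeError rather than a clean rejection. The enclosing middleware function starts and ends outside this hunk, and the master branch itself continues past the hunk's last line.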
@@ -529,4 +529,86 @@ describe('authentication', () => {
 const valid = await user.reset.validate(code);
 assert.strictEqual(valid, false);
 });
+
+ describe('api tokens', () => {
+ let newUid;
+ let userToken;
+ let masterToken;
+ before(async () => {
+ newUid = await user.create({ username: 'apiUserTarget' });
+ const settings = await meta.settings.get('core.api');
+ settings.tokens = settings.tokens || [];
+ userToken = {
+ token: utils.generateUUID(),
+ uid: newUid,
+ description: `api token for uid ${newUid}`,
+ timestamp: Date.now(),
+ };
+ settings.tokens.push(userToken);
+ masterToken = {
+ token: utils.generateUUID(),
+ uid: 0,
+ description: 'api master token',
+ timestamp: Date.now(),
+ };
+ settings.tokens.push(masterToken);
+
+ await meta.settings.set('core.api', settings);
+ });
+
+ it('should fail with invalid token', async () => {
+ const { res, body } = await helpers.request('get', `/api/self`, {
+ form: {
+ _uid: newUid,
+ },
+ json: true,
+ jar: jar,
+ headers: {
+ Authorization: `Bearer sdfhaskfdja-jahfdaksdf`,
+ },
+ });
+ assert.strictEqual(res.statusCode, 401);
+ assert.strictEqual(body, 'not-authorized');
+ });
+
+ it('should use a token tied to an uid', async () => {
+ const { res, body } = await helpers.request('get', `/api/self`, {
+ json: true,
+ headers: {
+ Authorization: `Bearer ${userToken.token}`,
+ },
+ });
+
+ assert.strictEqual(res.statusCode, 200);
+ assert.strictEqual(body.username, 'apiUserTarget');
+ });
+
+ it('should fail if _uid is not passed in with master token', async () => {
+ const { res, body } = await helpers.request('get', `/api/self`, {
+ form: {},
+ json: true,
+ headers: {
+ Authorization: `Bearer ${masterToken.token}`,
+ },
+ });
+
+ assert.strictEqual(res.statusCode, 500);
+ assert.strictEqual(body.error, '[[error:api.master-token-no-uid]]');
+ });
+
+ it('should use master api token and _uid', async () => {
+ const { res, body } = await helpers.request('get', `/api/self`, {
+ form: {
+ _uid: newUid,
+ },
+ json: 
true,
+ headers: {
+ Authorization: `Bearer ${masterToken.token}`,
+ },
+ });
+
+ assert.strictEqual(res.statusCode, 200);
+ assert.strictEqual(body.username, 'apiUserTarget');
+ });
+ });
 });
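Review bot: The new `api tokens` suite never pins the security-relevant case that a token tied to an uid cannot escalate by also sending `_uid`: in the middleware hunk the `user.hasOwnProperty('uid')` branch is taken before the master branch, so `_uid` should be ignored for uid-bound tokens, and a regression there would slip past these four tests. The invalid-token test also passes `jar: jar` while the other three requests do not; if `jar` (defined outside the hunk) carries a logged-in session, the 401 assertion mixes a session cookie into what is meant to be a bearer-only check, so dropping `jar: jar` keeps the four requests comparable. There is no `after` hook removing the two tokens pushed into `core.api`, so they remain in settings for the rest of the run — harmless if the suite resets the database between files, otherwise worth a cleanup. A test for the uid-bound case could look like this:
```javascript
it('should ignore _uid when the token is tied to an uid', async () => {
	// constructed second account so _uid points at someone other than the token owner
	const otherUid = await user.create({ username: 'apiUserOther' });
	const { res, body } = await helpers.request('get', `/api/self`, {
		form: {
			_uid: otherUid,
		},
		json: true,
		headers: {
			Authorization: `Bearer ${userToken.token}`,
		},
	});

	assert.strictEqual(res.statusCode, 200);
	assert.strictEqual(body.username, 'apiUserTarget');
});
```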