From 25b4ef6c1d5c5a5c1bef4641c1257461c54f911e Mon Sep 17 00:00:00 2001
From: juancarmore
Date: Sun, 11 May 2025 19:23:24 +0200
Subject: [PATCH] tests: Add global preferences API security tests

---
 .../api/security/preferences-security.test.ts | 184 ++++++++++++++++++
 1 file changed, 184 insertions(+)
 create mode 100644 backend/tests/integration/api/security/preferences-security.test.ts

diff --git a/backend/tests/integration/api/security/preferences-security.test.ts b/backend/tests/integration/api/security/preferences-security.test.ts
new file mode 100644
index 0000000..d920d03
--- /dev/null
+++ b/backend/tests/integration/api/security/preferences-security.test.ts
@@ -0,0 +1,184 @@
+import { beforeAll, describe, expect, it } from '@jest/globals';
+import { Express } from 'express';
+import request from 'supertest';
+import INTERNAL_CONFIG from '../../../../src/config/internal-config.js';
+import { MEET_API_KEY } from '../../../../src/environment.js';
+import { UserRole } from '../../../../src/typings/ce/index.js';
+import { loginUserAsRole, startTestServer } from '../../../helpers/request-helpers.js';
+
+const PREFERENCES_PATH = `${INTERNAL_CONFIG.INTERNAL_API_BASE_PATH_V1}/preferences`;
+
+describe('Global Preferences API Security Tests', () => {
+	let app: Express;
+
+	let userCookie: string;
+	let adminCookie: string;
+
+	beforeAll(async () => {
+		app = startTestServer();
+
+		// Get cookies for admin and user
+		userCookie = await loginUserAsRole(UserRole.USER);
+		adminCookie = await loginUserAsRole(UserRole.ADMIN);
+	});
+
+	describe('Update Webhook Preferences Tests', () => {
+		const webhookPreferences = {
+			enabled: true,
+			url: 'https://example.com/webhook'
+		};
+
+		it('should fail when request includes API key', async () => {
+			const response = await request(app)
+				.put(`${PREFERENCES_PATH}/webhooks`)
+				.set(INTERNAL_CONFIG.API_KEY_HEADER, MEET_API_KEY)
+				.send(webhookPreferences);
+			expect(response.status).toBe(401);
+		});
+
+		it('should succeed when user is authenticated as admin', async () => {
+			const response = await request(app)
+				.put(`${PREFERENCES_PATH}/webhooks`)
+				.set('Cookie', adminCookie)
+				.send(webhookPreferences);
+			expect(response.status).toBe(200);
+		});
+
+		it('should fail when user is authenticated as user', async () => {
+			const response = await request(app)
+				.put(`${PREFERENCES_PATH}/webhooks`)
+				.set('Cookie', userCookie)
+				.send(webhookPreferences);
+			expect(response.status).toBe(403);
+		});
+
+		it('should fail when user is not authenticated', async () => {
+			const response = await request(app).put(`${PREFERENCES_PATH}/webhooks`).send(webhookPreferences);
+			expect(response.status).toBe(401);
+		});
+	});
+
+	describe('Get Webhook Preferences Tests', () => {
+		it('should fail when request includes API key', async () => {
+			const response = await request(app)
+				.get(`${PREFERENCES_PATH}/webhooks`)
+				.set(INTERNAL_CONFIG.API_KEY_HEADER, MEET_API_KEY);
+			expect(response.status).toBe(401);
+		});
+
+		it('should succeed when user is authenticated as admin', async () => {
+			const response = await request(app).get(`${PREFERENCES_PATH}/webhooks`).set('Cookie', adminCookie);
+			expect(response.status).toBe(200);
+		});
+
+		it('should fail when user is authenticated as user', async () => {
+			const response = await request(app).get(`${PREFERENCES_PATH}/webhooks`).set('Cookie', userCookie);
+			expect(response.status).toBe(403);
+		});
+
+		it('should fail when user is not authenticated', async () => {
+			const response = await request(app).get(`${PREFERENCES_PATH}/webhooks`);
+			expect(response.status).toBe(401);
+		});
+	});
+
+	describe('Update Security Preferences Tests', () => {
+		const securityPreferences = {
+			roomCreationPolicy: {
+				allowRoomCreation: true,
+				requireAuthentication: true
+			}
+		};
+
+		it('should fail when request includes API key', async () => {
+			const response = await request(app)
+				.put(`${PREFERENCES_PATH}/security`)
+				.set(INTERNAL_CONFIG.API_KEY_HEADER, MEET_API_KEY)
+				.send(securityPreferences);
+			expect(response.status).toBe(401);
+		});
+
+		it('should succeed when user is authenticated as admin', async () => {
+			const response = await request(app)
+				.put(`${PREFERENCES_PATH}/security`)
+				.set('Cookie', adminCookie)
+				.send(securityPreferences);
+			expect(response.status).toBe(200);
+		});
+
+		it('should fail when user is authenticated as user', async () => {
+			const response = await request(app)
+				.put(`${PREFERENCES_PATH}/security`)
+				.set('Cookie', userCookie)
+				.send(securityPreferences);
+			expect(response.status).toBe(403);
+		});
+
+		it('should fail when user is not authenticated', async () => {
+			const response = await request(app).put(`${PREFERENCES_PATH}/security`).send(securityPreferences);
+			expect(response.status).toBe(401);
+		});
+	});
+
+	describe('Get Security Preferences Tests', () => {
+		it('should succeed when user is not authenticated', async () => {
+			const response = await request(app).get(`${PREFERENCES_PATH}/security`);
+			expect(response.status).toBe(200);
+		});
+	});
+
+	describe('Update Appearance Preferences Tests', () => {
+		it('should fail when request includes API key', async () => {
+			const response = await request(app)
+				.put(`${PREFERENCES_PATH}/appearance`)
+				.set(INTERNAL_CONFIG.API_KEY_HEADER, MEET_API_KEY)
+				.send({});
+			expect(response.status).toBe(401);
+		});
+
+		it('should succeed when user is authenticated as admin', async () => {
+			const response = await request(app)
+				.put(`${PREFERENCES_PATH}/appearance`)
+				.set('Cookie', adminCookie)
+				.send({});
+			expect(response.status).toBe(402); // Assuming 402 is the expected status code for this case
+		});
+
+		it('should fail when user is authenticated as user', async () => {
+			const response = await request(app)
+				.put(`${PREFERENCES_PATH}/appearance`)
+				.set('Cookie', userCookie)
+				.send({});
+			expect(response.status).toBe(403);
+		});
+
+		it('should fail when user is not authenticated', async () => {
+			const response = await request(app).put(`${PREFERENCES_PATH}/appearance`).send({});
+			expect(response.status).toBe(401);
+		});
+	});
+
+	describe('Get Appearance Preferences Tests', () => {
+		it('should fail when request includes API key', async () => {
+			const response = await request(app)
+				.get(`${PREFERENCES_PATH}/appearance`)
+				.set(INTERNAL_CONFIG.API_KEY_HEADER, MEET_API_KEY);
+			expect(response.status).toBe(401);
+		});
+
+		it('should succeed when user is authenticated as admin', async () => {
+			const response = await request(app).get(`${PREFERENCES_PATH}/appearance`).set('Cookie', adminCookie);
+			expect(response.status).toBe(402); // Assuming 402 is the expected status code for this case
+		});
+
+		it('should fail when user is authenticated as user', async () => {
+			const response = await request(app).get(`${PREFERENCES_PATH}/appearance`).set('Cookie', userCookie);
+			expect(response.status).toBe(403);
+		});
+
+		it('should fail when user is not authenticated', async () => {
+			const response = await request(app).get(`${PREFERENCES_PATH}/appearance`);
+			expect(response.status).toBe(401);
+		});
+	});
+});
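Review bot: The two admin cases in 'Update Appearance Preferences Tests' and 'Get Appearance Preferences Tests' are titled "should succeed" but assert `toBe(402)` with a trailing comment that the value is only assumed, so the suite pins a guessed status rather than the authorization outcome it claims to verify. Either assert the real success response and drop the guess, `expect(response.status).toBe(200);`, or, if 402 is the deliberate reply for an admin on the appearance endpoints, rename both tests to state that (e.g. `it('should return 402 when user is authenticated as admin', …)`) and replace the "Assuming" comment with the actual reason. Separately, the admin PUT in 'Update Security Preferences Tests' writes `requireAuthentication: true` into the global security policy and nothing restores the previous value afterwards; whether this leaks into other suites depends on how startTestServer scopes state, which is not visible here, but an `afterAll` that reads the policy in `beforeAll` and PUTs it back would make the suite self-contained.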