neoris/openvidu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix tests (#6)

Browse Source 
* Adds TODO for API key rejection

Adds a TODO comment in the recording routes to reject requests that include an API key.

Adds FIXME comments to recording security tests, indicating that the tests do not need to start a recording to check the fail case.

* backend: remove TODO comments for API key rejection in recording routes

* test: enhace recording security tests by only creating necessary recordings

---------

Co-authored-by: Carlos Santos <4a.santos@gmail.com>
This commit is contained in:
Juan Carlos Moreno García 2025-07-17 16:28:14 +02:00 committed by GitHub
parent 4d13eb94a8
commit 7464ef3c6f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 621 additions and 544 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

277
backend/tests/integration/api/security/recording-security.test.ts
View File

@ -1,4 +1,4 @@
import { afterAll, afterEach, beforeAll, beforeEach, describe, expect, it } from '@jest/globals';
import { afterAll, beforeAll, describe, expect, it } from '@jest/globals';
import { Express } from 'express';
import request from 'supertest';
import INTERNAL_CONFIG from '../../../../src/config/internal-config.js';
@ -97,11 +97,11 @@ describe('Recording API Security Tests', () => {
describe('Stop Recording Tests', () => {
let roomData: RoomData;
beforeEach(async () => {
beforeAll(async () => {
roomData = await setupSingleRoomWithRecording();
});
afterEach(async () => {
afterAll(async () => {
await stopAllRecordings(roomData.moderatorCookie);
});
@ -109,6 +109,7 @@ describe('Recording API Security Tests', () => {
const response = await request(app)
.post(`${INTERNAL_RECORDINGS_PATH}/${roomData.recordingId}/stop`)
.set(INTERNAL_CONFIG.API_KEY_HEADER, MEET_API_KEY);
expect(response.status).toBe(401);
});
@ -146,15 +147,20 @@ describe('Recording API Security Tests', () => {
});
});
describe('Get Recordings Tests', () => {
describe('Recording Resource Operations', () => {
let roomData: RoomData;
let recordingId: string;
beforeAll(async () => {
roomData = await setupSingleRoomWithRecording(true);
recordingId = roomData.recordingId!;
});
describe('Get Recordings Tests', () => {
it('should succeed when request includes API key', async () => {
const response = await request(app).get(RECORDINGS_PATH).set(INTERNAL_CONFIG.API_KEY_HEADER, MEET_API_KEY);
const response = await request(app)
.get(RECORDINGS_PATH)
.set(INTERNAL_CONFIG.API_KEY_HEADER, MEET_API_KEY);
expect(response.status).toBe(200);
});
@ -168,7 +174,10 @@ describe('Recording API Security Tests', () => {
roomData.room.roomId,
MeetRecordingAccess.ADMIN_MODERATOR_PUBLISHER
);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.publisherSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.publisherSecret
);
const response = await request(app).get(RECORDINGS_PATH).set('Cookie', recordingCookie);
expect(response.status).toBe(200);
@ -179,7 +188,10 @@ describe('Recording API Security Tests', () => {
roomData.room.roomId,
MeetRecordingAccess.ADMIN_MODERATOR_PUBLISHER
);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.moderatorSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.moderatorSecret
);
const response = await request(app).get(RECORDINGS_PATH).set('Cookie', recordingCookie);
expect(response.status).toBe(200);
@ -187,7 +199,10 @@ describe('Recording API Security Tests', () => {
it('should fail when recording access is admin-moderator and participant is publisher', async () => {
await updateRecordingAccessPreferencesInRoom(roomData.room.roomId, MeetRecordingAccess.ADMIN_MODERATOR);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.publisherSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.publisherSecret
);
const response = await request(app).get(RECORDINGS_PATH).set('Cookie', recordingCookie);
expect(response.status).toBe(403);
@ -195,7 +210,10 @@ describe('Recording API Security Tests', () => {
it('should succeed when recording access is admin-moderator and participant is moderator', async () => {
await updateRecordingAccessPreferencesInRoom(roomData.room.roomId, MeetRecordingAccess.ADMIN_MODERATOR);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.moderatorSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.moderatorSecret
);
const response = await request(app).get(RECORDINGS_PATH).set('Cookie', recordingCookie);
expect(response.status).toBe(200);
@ -203,14 +221,6 @@ describe('Recording API Security Tests', () => {
});
describe('Get Recording Tests', () => {
let roomData: RoomData;
let recordingId: string;
beforeAll(async () => {
roomData = await setupSingleRoomWithRecording(true);
recordingId = roomData.recordingId!;
});
it('should succeed when request includes API key', async () => {
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}`)
@ -228,9 +238,14 @@ describe('Recording API Security Tests', () => {
roomData.room.roomId,
MeetRecordingAccess.ADMIN_MODERATOR_PUBLISHER
);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.publisherSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.publisherSecret
);
const response = await request(app).get(`${RECORDINGS_PATH}/${recordingId}`).set('Cookie', recordingCookie);
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}`)
.set('Cookie', recordingCookie);
expect(response.status).toBe(200);
});
@ -239,25 +254,40 @@ describe('Recording API Security Tests', () => {
roomData.room.roomId,
MeetRecordingAccess.ADMIN_MODERATOR_PUBLISHER
);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.moderatorSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.moderatorSecret
);
const response = await request(app).get(`${RECORDINGS_PATH}/${recordingId}`).set('Cookie', recordingCookie);
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}`)
.set('Cookie', recordingCookie);
expect(response.status).toBe(200);
});
it('should fail when recording access is admin-moderator and participant is publisher', async () => {
await updateRecordingAccessPreferencesInRoom(roomData.room.roomId, MeetRecordingAccess.ADMIN_MODERATOR);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.publisherSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.publisherSecret
);
const response = await request(app).get(`${RECORDINGS_PATH}/${recordingId}`).set('Cookie', recordingCookie);
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}`)
.set('Cookie', recordingCookie);
expect(response.status).toBe(403);
});
it('should succeed when recording access is admin-moderator and participant is moderator', async () => {
await updateRecordingAccessPreferencesInRoom(roomData.room.roomId, MeetRecordingAccess.ADMIN_MODERATOR);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.moderatorSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.moderatorSecret
);
const response = await request(app).get(`${RECORDINGS_PATH}/${recordingId}`).set('Cookie', recordingCookie);
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}`)
.set('Cookie', recordingCookie);
expect(response.status).toBe(200);
});
@ -307,24 +337,29 @@ describe('Recording API Security Tests', () => {
});
describe('Delete Recording Tests', () => {
let roomData: RoomData;
let recordingId: string;
let fakeRecordingId: string;
beforeEach(async () => {
roomData = await setupSingleRoomWithRecording(true);
recordingId = roomData.recordingId!;
beforeAll(async () => {
/*
Use a simulated recording ID matching the API's expected format.
This allows testing the delete endpoint logic without deleting a real recording.
As a result, all successful delete tests will expect a 404 Not Found response.
*/
fakeRecordingId = `${roomData.room.roomId}--EG_xxx--uid`;
});
it('should succeed when request includes API key', async () => {
const response = await request(app)
.delete(`${RECORDINGS_PATH}/${recordingId}`)
.delete(`${RECORDINGS_PATH}/${fakeRecordingId}`)
.set(INTERNAL_CONFIG.API_KEY_HEADER, MEET_API_KEY);
expect(response.status).toBe(204);
expect(response.status).toBe(404);
});
it('should succeed when user is authenticated as admin', async () => {
const response = await request(app).delete(`${RECORDINGS_PATH}/${recordingId}`).set('Cookie', adminCookie);
expect(response.status).toBe(204);
const response = await request(app)
.delete(`${RECORDINGS_PATH}/${fakeRecordingId}`)
.set('Cookie', adminCookie);
expect(response.status).toBe(404);
});
it('should fail when recording access is admin-moderator-publisher and participant is publisher', async () => {
@ -332,10 +367,13 @@ describe('Recording API Security Tests', () => {
roomData.room.roomId,
MeetRecordingAccess.ADMIN_MODERATOR_PUBLISHER
);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.publisherSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.publisherSecret
);
const response = await request(app)
.delete(`${RECORDINGS_PATH}/${recordingId}`)
.delete(`${RECORDINGS_PATH}/${fakeRecordingId}`)
.set('Cookie', recordingCookie);
expect(response.status).toBe(403);
});
@ -345,58 +383,70 @@ describe('Recording API Security Tests', () => {
roomData.room.roomId,
MeetRecordingAccess.ADMIN_MODERATOR_PUBLISHER
);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.moderatorSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.moderatorSecret
);
const response = await request(app)
.delete(`${RECORDINGS_PATH}/${recordingId}`)
.delete(`${RECORDINGS_PATH}/${fakeRecordingId}`)
.set('Cookie', recordingCookie);
expect(response.status).toBe(204);
expect(response.status).toBe(404);
});
it('should fail when recording access is admin-moderator and participant is publisher', async () => {
await updateRecordingAccessPreferencesInRoom(roomData.room.roomId, MeetRecordingAccess.ADMIN_MODERATOR);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.publisherSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.publisherSecret
);
const response = await request(app)
.delete(`${RECORDINGS_PATH}/${recordingId}`)
.delete(`${RECORDINGS_PATH}/${fakeRecordingId}`)
.set('Cookie', recordingCookie);
expect(response.status).toBe(403);
});
it('should succeed when recording access is admin-moderator and participant is moderator', async () => {
await updateRecordingAccessPreferencesInRoom(roomData.room.roomId, MeetRecordingAccess.ADMIN_MODERATOR);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.moderatorSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.moderatorSecret
);
const response = await request(app)
.delete(`${RECORDINGS_PATH}/${recordingId}`)
.delete(`${RECORDINGS_PATH}/${fakeRecordingId}`)
.set('Cookie', recordingCookie);
expect(response.status).toBe(204);
expect(response.status).toBe(404);
});
});
describe('Bulk Delete Recordings Tests', () => {
let roomData: RoomData;
let recordingId: string;
let fakeRecordingId: string;
beforeEach(async () => {
roomData = await setupSingleRoomWithRecording(true);
recordingId = roomData.recordingId!;
beforeAll(async () => {
/*
Use a simulated recording ID matching the API's expected format.
This allows testing the delete endpoint logic without deleting a real recording.
As a result, all successful delete tests will expect a 404 Not Found response.
*/
fakeRecordingId = `${roomData.room.roomId}--EG_xxx--uid`;
});
it('should succeed when request includes API key', async () => {
const response = await request(app)
.delete(RECORDINGS_PATH)
.query({ recordingIds: recordingId })
.query({ recordingIds: fakeRecordingId })
.set(INTERNAL_CONFIG.API_KEY_HEADER, MEET_API_KEY);
expect(response.status).toBe(204);
expect(response.status).toBe(200);
});
it('should succeed when user is authenticated as admin', async () => {
const response = await request(app)
.delete(RECORDINGS_PATH)
.query({ recordingIds: recordingId })
.query({ recordingIds: fakeRecordingId })
.set('Cookie', adminCookie);
expect(response.status).toBe(204);
expect(response.status).toBe(200);
});
it('should fail when recording access is admin-moderator-publisher and participant is publisher', async () => {
@ -404,11 +454,14 @@ describe('Recording API Security Tests', () => {
roomData.room.roomId,
MeetRecordingAccess.ADMIN_MODERATOR_PUBLISHER
);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.publisherSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.publisherSecret
);
const response = await request(app)
.delete(RECORDINGS_PATH)
.query({ recordingIds: recordingId })
.query({ recordingIds: fakeRecordingId })
.set('Cookie', recordingCookie);
expect(response.status).toBe(403);
});
@ -418,47 +471,48 @@ describe('Recording API Security Tests', () => {
roomData.room.roomId,
MeetRecordingAccess.ADMIN_MODERATOR_PUBLISHER
);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.moderatorSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.moderatorSecret
);
const response = await request(app)
.delete(RECORDINGS_PATH)
.query({ recordingIds: recordingId })
.query({ recordingIds: fakeRecordingId })
.set('Cookie', recordingCookie);
expect(response.status).toBe(204);
expect(response.status).toBe(200);
});
it('should fail when recording access is admin-moderator and participant is publisher', async () => {
await updateRecordingAccessPreferencesInRoom(roomData.room.roomId, MeetRecordingAccess.ADMIN_MODERATOR);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.publisherSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.publisherSecret
);
const response = await request(app)
.delete(RECORDINGS_PATH)
.query({ recordingIds: recordingId })
.query({ recordingIds: fakeRecordingId })
.set('Cookie', recordingCookie);
expect(response.status).toBe(403);
});
it('should succeed when recording access is admin-moderator and participant is moderator', async () => {
await updateRecordingAccessPreferencesInRoom(roomData.room.roomId, MeetRecordingAccess.ADMIN_MODERATOR);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.moderatorSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.moderatorSecret
);
const response = await request(app)
.delete(RECORDINGS_PATH)
.query({ recordingIds: recordingId })
.query({ recordingIds: fakeRecordingId })
.set('Cookie', recordingCookie);
expect(response.status).toBe(204);
expect(response.status).toBe(200);
});
});
describe('Get Recording Media Tests', () => {
let roomData: RoomData;
let recordingId: string;
beforeAll(async () => {
roomData = await setupSingleRoomWithRecording(true);
recordingId = roomData.recordingId!;
});
it('should succeed when request includes API key', async () => {
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}/media`)
@ -478,7 +532,10 @@ describe('Recording API Security Tests', () => {
roomData.room.roomId,
MeetRecordingAccess.ADMIN_MODERATOR_PUBLISHER
);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.publisherSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.publisherSecret
);
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}/media`)
@ -491,7 +548,10 @@ describe('Recording API Security Tests', () => {
roomData.room.roomId,
MeetRecordingAccess.ADMIN_MODERATOR_PUBLISHER
);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.moderatorSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.moderatorSecret
);
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}/media`)
@ -501,7 +561,10 @@ describe('Recording API Security Tests', () => {
it('should fail when recording access is admin-moderator and participant is publisher', async () => {
await updateRecordingAccessPreferencesInRoom(roomData.room.roomId, MeetRecordingAccess.ADMIN_MODERATOR);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.publisherSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.publisherSecret
);
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}/media`)
@ -511,7 +574,10 @@ describe('Recording API Security Tests', () => {
it('should succeed when recording access is admin-moderator and participant is moderator', async () => {
await updateRecordingAccessPreferencesInRoom(roomData.room.roomId, MeetRecordingAccess.ADMIN_MODERATOR);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.moderatorSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.moderatorSecret
);
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}/media`)
@ -571,14 +637,6 @@ describe('Recording API Security Tests', () => {
});
describe('Get Recording URL Tests', () => {
let roomData: RoomData;
let recordingId: string;
beforeAll(async () => {
roomData = await setupSingleRoomWithRecording(true);
recordingId = roomData.recordingId!;
});
it('should succeed when request includes API key', async () => {
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}/url`)
@ -587,7 +645,9 @@ describe('Recording API Security Tests', () => {
});
it('should succeed when user is authenticated as admin', async () => {
const response = await request(app).get(`${RECORDINGS_PATH}/${recordingId}/url`).set('Cookie', adminCookie);
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}/url`)
.set('Cookie', adminCookie);
expect(response.status).toBe(200);
});
@ -596,7 +656,10 @@ describe('Recording API Security Tests', () => {
roomData.room.roomId,
MeetRecordingAccess.ADMIN_MODERATOR_PUBLISHER
);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.publisherSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.publisherSecret
);
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}/url`)
@ -609,7 +672,10 @@ describe('Recording API Security Tests', () => {
roomData.room.roomId,
MeetRecordingAccess.ADMIN_MODERATOR_PUBLISHER
);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.moderatorSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.moderatorSecret
);
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}/url`)
@ -619,7 +685,10 @@ describe('Recording API Security Tests', () => {
it('should fail when recording access is admin-moderator and participant is publisher', async () => {
await updateRecordingAccessPreferencesInRoom(roomData.room.roomId, MeetRecordingAccess.ADMIN_MODERATOR);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.publisherSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.publisherSecret
);
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}/url`)
@ -629,7 +698,10 @@ describe('Recording API Security Tests', () => {
it('should succeed when recording access is admin-moderator and participant is moderator', async () => {
await updateRecordingAccessPreferencesInRoom(roomData.room.roomId, MeetRecordingAccess.ADMIN_MODERATOR);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.moderatorSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.moderatorSecret
);
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}/url`)
@ -639,14 +711,6 @@ describe('Recording API Security Tests', () => {
});
describe('Download Recordings as ZIP Tests', () => {
let roomData: RoomData;
let recordingId: string;
beforeAll(async () => {
roomData = await setupSingleRoomWithRecording(true);
recordingId = roomData.recordingId!;
});
it('should succeed when request includes API key', async () => {
const response = await request(app)
.get(`${RECORDINGS_PATH}/download`)
@ -668,7 +732,10 @@ describe('Recording API Security Tests', () => {
roomData.room.roomId,
MeetRecordingAccess.ADMIN_MODERATOR_PUBLISHER
);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.publisherSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.publisherSecret
);
const response = await request(app)
.get(`${RECORDINGS_PATH}/download`)
@ -682,7 +749,10 @@ describe('Recording API Security Tests', () => {
roomData.room.roomId,
MeetRecordingAccess.ADMIN_MODERATOR_PUBLISHER
);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.moderatorSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.moderatorSecret
);
const response = await request(app)
.get(`${RECORDINGS_PATH}/download`)
@ -693,7 +763,10 @@ describe('Recording API Security Tests', () => {
it('should fail when recording access is admin-moderator and participant is publisher', async () => {
await updateRecordingAccessPreferencesInRoom(roomData.room.roomId, MeetRecordingAccess.ADMIN_MODERATOR);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.publisherSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.publisherSecret
);
const response = await request(app)
.get(`${RECORDINGS_PATH}/download`)
@ -704,7 +777,10 @@ describe('Recording API Security Tests', () => {
it('should succeed when recording access is admin-moderator and participant is moderator', async () => {
await updateRecordingAccessPreferencesInRoom(roomData.room.roomId, MeetRecordingAccess.ADMIN_MODERATOR);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.moderatorSecret);
const recordingCookie = await generateRecordingTokenCookie(
roomData.room.roomId,
roomData.moderatorSecret
);
const response = await request(app)
.get(`${RECORDINGS_PATH}/download`)
@ -713,4 +789,5 @@ describe('Recording API Security Tests', () => {
expect(response.status).toBe(200);
});
});
});
});