From 8f7624eecdb882937bc6c34f6db84f1e02eda0b2 Mon Sep 17 00:00:00 2001 From: juancarmore Date: Thu, 10 Apr 2025 18:51:39 +0200 Subject: [PATCH] tests: Refactor room security tests to use updated helper functions and improve API integration --- .../api/security/room-security.test.ts | 322 ++++++++---------- 1 file changed, 134 insertions(+), 188 deletions(-) diff --git a/backend/tests/integration/api/security/room-security.test.ts b/backend/tests/integration/api/security/room-security.test.ts index da84599..5ed4775 100644 --- a/backend/tests/integration/api/security/room-security.test.ts +++ b/backend/tests/integration/api/security/room-security.test.ts @@ -1,188 +1,154 @@ import request from 'supertest'; import { describe, it, expect, beforeAll, beforeEach, afterAll } from '@jest/globals'; import { Express } from 'express'; -import { startTestServer, stopTestServer } from '../../../utils/helpers.js'; -import { AuthMode, AuthType } from '../../../../src/typings/ce/index.js'; +import { createRoom, generateParticipantToken, startTestServer, stopTestServer } from '../../../utils/helpers.js'; +import { AuthMode, UserRole } from '../../../../src/typings/ce/index.js'; +import { MEET_API_BASE_PATH_V1, MEET_INTERNAL_API_BASE_PATH_V1, MEET_API_KEY } from '../../../../src/environment.js'; +import { MeetRoomHelper } from '../../../../src/helpers/room.helper.js'; +import { API_KEY_HEADER, changeSecurityPreferences, deleteAllRooms, loginUserAsRole } from '../../../utils/helpers.js'; -const BASE_URL = '/meet/api/v1'; -const INTERNAL_BASE_URL = '/meet/internal-api/v1'; -const ROOMS_URL = `${BASE_URL}/rooms`; - -const API_KEY_HEADER = 'X-API-Key'; -const API_KEY = 'meet-api-key'; - -const EXPIRATION_DATE = 1772129829000; +const ROOMS_PATH = `${MEET_API_BASE_PATH_V1}/rooms`; describe('Room API Security Tests', () => { let app: Express; - let userCookie: string; let adminCookie: string; - const changeSecurityPreferences = async ({ - usersCanCreateRooms = true, - authRequired = true, - authMode = AuthMode.NONE - }) => { - await request(app) - .put(`${BASE_URL}/preferences/security`) - .set(API_KEY_HEADER, API_KEY) - .send({ - roomCreationPolicy: { - allowRoomCreation: usersCanCreateRooms, - requireAuthentication: authRequired - }, - authentication: { - authMode: authMode, - method: { - type: AuthType.SINGLE_USER - } - } - }); - }; - - const loginUser = async (username: string, password: string): Promise => { - const response = await request(app) - .post(`${INTERNAL_BASE_URL}/auth/login`) - .send({ - username, - password - }) - .expect(200); - - const cookies = response.headers['set-cookie'] as unknown as string[]; - const accessTokenCookie = cookies.find((cookie) => cookie.startsWith('OvMeetAccessToken=')) as string; - return accessTokenCookie; - }; - - const extractSecretByRoomUrl = (urlString: string, type: string): string => { - const url = new URL(urlString); - const secret = url.searchParams.get('secret'); - - if (!secret) throw new Error(`${type} secret not found`); - - return secret; - }; - beforeAll(async () => { app = await startTestServer(); // Get cookies for admin and user - userCookie = await loginUser('user', 'user'); - adminCookie = await loginUser('admin', 'admin'); + userCookie = await loginUserAsRole(UserRole.USER); + adminCookie = await loginUserAsRole(UserRole.ADMIN); }); afterAll(async () => { - // Clean up created rooms - const roomsResponse = await request(app).get(ROOMS_URL).set(API_KEY_HEADER, API_KEY); - - for (const room of roomsResponse.body) { - await request(app).delete(`${ROOMS_URL}/${room.roomId}`).set(API_KEY_HEADER, API_KEY); - } - + await deleteAllRooms(); await stopTestServer(); }, 20000); describe('Create Room Tests', () => { it('should succeed when users cannot create rooms, and request includes API key', async () => { - await changeSecurityPreferences({ + await changeSecurityPreferences(adminCookie, { usersCanCreateRooms: false }); - const response = await request(app).post(ROOMS_URL).set(API_KEY_HEADER, API_KEY).send({ - autoDeletionDate: EXPIRATION_DATE - }); + const response = await request(app).post(ROOMS_PATH).set(API_KEY_HEADER, MEET_API_KEY).send({}); expect(response.status).toBe(200); }); it('should succeed when users cannot create rooms, and user is authenticated as admin', async () => { - await changeSecurityPreferences({ + await changeSecurityPreferences(adminCookie, { usersCanCreateRooms: false }); - const response = await request(app).post(ROOMS_URL).set('Cookie', adminCookie).send({ - autoDeletionDate: EXPIRATION_DATE - }); + const response = await request(app).post(ROOMS_PATH).set('Cookie', adminCookie).send({}); expect(response.status).toBe(200); }); it('should fail when users cannot create rooms, and user is authenticated as user', async () => { - await changeSecurityPreferences({ + await changeSecurityPreferences(adminCookie, { usersCanCreateRooms: false }); - const response = await request(app).post(ROOMS_URL).set('Cookie', userCookie).send({ - autoDeletionDate: EXPIRATION_DATE - }); + const response = await request(app).post(ROOMS_PATH).set('Cookie', userCookie).send({}); expect(response.status).toBe(403); }); it('should fail when users cannot create rooms, and user is not authenticated', async () => { - await changeSecurityPreferences({ + await changeSecurityPreferences(adminCookie, { usersCanCreateRooms: false }); - const response = await request(app).post(ROOMS_URL).send({ - autoDeletionDate: EXPIRATION_DATE - }); + const response = await request(app).post(ROOMS_PATH).send({}); expect(response.status).toBe(401); }); it('should succeed when users can create rooms and auth is not required, and user is not authenticated', async () => { - await changeSecurityPreferences({ + await changeSecurityPreferences(adminCookie, { usersCanCreateRooms: true, authRequired: false }); - const response = await request(app).post(ROOMS_URL).send({ - autoDeletionDate: EXPIRATION_DATE - }); + const response = await request(app).post(ROOMS_PATH).send({}); expect(response.status).toBe(200); }); it('should succeed when users can create rooms and auth is required, and user is authenticated', async () => { - await changeSecurityPreferences({ + await changeSecurityPreferences(adminCookie, { usersCanCreateRooms: true, authRequired: true }); - const response = await request(app).post(ROOMS_URL).set('Cookie', userCookie).send({ - autoDeletionDate: EXPIRATION_DATE - }); + const response = await request(app).post(ROOMS_PATH).set('Cookie', userCookie).send({}); expect(response.status).toBe(200); }); it('should fail when users can create rooms and auth is required, and user is not authenticated', async () => { - await changeSecurityPreferences({ + await changeSecurityPreferences(adminCookie, { usersCanCreateRooms: true, authRequired: true }); - const response = await request(app).post(ROOMS_URL).send({ - autoDeletionDate: EXPIRATION_DATE - }); + const response = await request(app).post(ROOMS_PATH).send({}); expect(response.status).toBe(401); }); }); describe('Get Rooms Tests', () => { it('should succeed when request includes API key', async () => { - const response = await request(app).get(ROOMS_URL).set(API_KEY_HEADER, API_KEY); + const response = await request(app).get(ROOMS_PATH).set(API_KEY_HEADER, MEET_API_KEY); expect(response.status).toBe(200); }); it('should succeed when user is authenticated as admin', async () => { - const response = await request(app).get(ROOMS_URL).set('Cookie', adminCookie); + const response = await request(app).get(ROOMS_PATH).set('Cookie', adminCookie); expect(response.status).toBe(200); }); it('should fail when user is authenticated as user', async () => { - const response = await request(app).get(ROOMS_URL).set('Cookie', userCookie); + const response = await request(app).get(ROOMS_PATH).set('Cookie', userCookie); expect(response.status).toBe(403); }); it('should fail when user is not authenticated', async () => { - const response = await request(app).get(ROOMS_URL); + const response = await request(app).get(ROOMS_PATH); + expect(response.status).toBe(401); + }); + }); + + describe('Bulk Delete Rooms Tests', () => { + let roomId: string; + + beforeEach(async () => { + // Create a room and extract the roomId + const response = await request(app).post(ROOMS_PATH).set(API_KEY_HEADER, MEET_API_KEY).send({}); + roomId = response.body.roomId; + }); + + it('should succeed when request includes API key', async () => { + const response = await request(app) + .delete(ROOMS_PATH) + .query({ roomIds: roomId }) + .set(API_KEY_HEADER, MEET_API_KEY); + expect(response.status).toBe(204); + }); + + it('should succeed when user is authenticated as admin', async () => { + const response = await request(app) + .delete(ROOMS_PATH) + .query({ roomIds: roomId }) + .set('Cookie', adminCookie); + expect(response.status).toBe(204); + }); + + it('should fail when user is authenticated as user', async () => { + const response = await request(app).delete(ROOMS_PATH).query({ roomIds: roomId }).set('Cookie', userCookie); + expect(response.status).toBe(403); + }); + + it('should fail when user is not authenticated', async () => { + const response = await request(app).delete(ROOMS_PATH).query({ roomIds: roomId }); expect(response.status).toBe(401); }); }); @@ -192,137 +158,105 @@ describe('Room API Security Tests', () => { let moderatorCookie: string; let publisherCookie: string; - const generateParticipantToken = async ( - roomId: string, - participantName: string, - secret: string - ): Promise => { - // Disable authentication to generate the token - await changeSecurityPreferences({ - authMode: AuthMode.NONE - }); - - // Generate the participant token - const response = await request(app) - .post(`${INTERNAL_BASE_URL}/participants/token`) - .send({ - roomId, - participantName, - secret - }) - .expect(200); - - // Return the participant token cookie - const cookies = response.headers['set-cookie'] as unknown as string[]; - const participantTokenCookie = cookies.find((cookie) => - cookie.startsWith('OvMeetParticipantToken=') - ) as string; - return participantTokenCookie; - }; - beforeAll(async () => { - // Create a room and extract the roomId to test the get room endpoint - const response = await request(app).post(ROOMS_URL).set(API_KEY_HEADER, API_KEY).send({ - autoDeletionDate: EXPIRATION_DATE - }); - roomId = response.body.roomId; + const room = await createRoom(); + roomId = room.roomId; - // Extract the moderator and publisher secrets from the room URL - const { moderatorRoomUrl, publisherRoomUrl } = response.body; - const moderatorSecret = extractSecretByRoomUrl(moderatorRoomUrl, 'Moderator'); - const publisherSecret = extractSecretByRoomUrl(publisherRoomUrl, 'Publisher'); - - // Generate participant tokens for the room and extract the cookies - moderatorCookie = await generateParticipantToken(roomId, 'Moderator', moderatorSecret); - publisherCookie = await generateParticipantToken(roomId, 'Publisher', publisherSecret); + // Extract the room secrets and generate participant tokens, saved as cookies + const { moderatorSecret, publisherSecret } = MeetRoomHelper.extractSecretsFromRoom(room); + moderatorCookie = await generateParticipantToken(adminCookie, roomId, 'Moderator', moderatorSecret); + publisherCookie = await generateParticipantToken(adminCookie, roomId, 'Publisher', publisherSecret); }); it('should succeed when request includes API key', async () => { - const response = await request(app).get(`${ROOMS_URL}/${roomId}`).set(API_KEY_HEADER, API_KEY); + const response = await request(app).get(`${ROOMS_PATH}/${roomId}`).set(API_KEY_HEADER, MEET_API_KEY); expect(response.status).toBe(200); }); it('should succeed when user is authenticated as admin', async () => { - const response = await request(app).get(`${ROOMS_URL}/${roomId}`).set('Cookie', adminCookie); + const response = await request(app).get(`${ROOMS_PATH}/${roomId}`).set('Cookie', adminCookie); expect(response.status).toBe(200); }); it('should fail when user is authenticated as user', async () => { - const response = await request(app).get(`${ROOMS_URL}/${roomId}`).set('Cookie', userCookie); + const response = await request(app).get(`${ROOMS_PATH}/${roomId}`).set('Cookie', userCookie); expect(response.status).toBe(401); }); it('should fail when user is not authenticated', async () => { - const response = await request(app).get(`${ROOMS_URL}/${roomId}`); + const response = await request(app).get(`${ROOMS_PATH}/${roomId}`); expect(response.status).toBe(401); }); it('should fail when participant is publisher', async () => { - const response = await request(app).get(`${ROOMS_URL}/${roomId}`).set('Cookie', publisherCookie); + const response = await request(app).get(`${ROOMS_PATH}/${roomId}`).set('Cookie', publisherCookie); expect(response.status).toBe(403); }); it('should fail when participant is moderator of a different room', async () => { // Create a new room to get a different roomId - const roomResponse = await request(app).post(ROOMS_URL).set(API_KEY_HEADER, API_KEY).send({ - autoDeletionDate: EXPIRATION_DATE - }); - const newRoomId = roomResponse.body.roomId; + const newRoom = await createRoom(); + const newRoomId = newRoom.roomId; // Extract the moderator secret and generate a participant token for the new room - const newModeratorSecret = extractSecretByRoomUrl(roomResponse.body.moderatorRoomUrl, 'Moderator'); - const newModeratorCookie = await generateParticipantToken(newRoomId, 'Moderator', newModeratorSecret); + const { moderatorSecret } = MeetRoomHelper.extractSecretsFromRoom(newRoom); + const newModeratorCookie = await generateParticipantToken( + adminCookie, + newRoomId, + 'Moderator', + moderatorSecret + ); - const response = await request(app).get(`${ROOMS_URL}/${roomId}`).set('Cookie', newModeratorCookie); + const response = await request(app).get(`${ROOMS_PATH}/${roomId}`).set('Cookie', newModeratorCookie); expect(response.status).toBe(403); }); it('should succeed when no authentication is required and participant is moderator', async () => { - await changeSecurityPreferences({ + await changeSecurityPreferences(adminCookie, { authMode: AuthMode.NONE }); - const response = await request(app).get(`${ROOMS_URL}/${roomId}`).set('Cookie', moderatorCookie); + const response = await request(app).get(`${ROOMS_PATH}/${roomId}`).set('Cookie', moderatorCookie); expect(response.status).toBe(200); }); it('should succeed when authentication is required for moderators, participant is moderator and user is authenticated', async () => { - await changeSecurityPreferences({ + await changeSecurityPreferences(adminCookie, { authMode: AuthMode.MODERATORS_ONLY }); const response = await request(app) - .get(`${ROOMS_URL}/${roomId}`) + .get(`${ROOMS_PATH}/${roomId}`) .set('Cookie', [moderatorCookie, userCookie]); expect(response.status).toBe(200); }); it('should fail when authentication is required for moderators, participant is moderator and user is not authenticated', async () => { - await changeSecurityPreferences({ + await changeSecurityPreferences(adminCookie, { authMode: AuthMode.MODERATORS_ONLY }); - const response = await request(app).get(`${ROOMS_URL}/${roomId}`).set('Cookie', moderatorCookie); + const response = await request(app).get(`${ROOMS_PATH}/${roomId}`).set('Cookie', moderatorCookie); expect(response.status).toBe(401); }); it('should succeed when authentication is required for all participants, participant is moderator and user is authenticated', async () => { - await changeSecurityPreferences({ + await changeSecurityPreferences(adminCookie, { authMode: AuthMode.ALL_USERS }); const response = await request(app) - .get(`${ROOMS_URL}/${roomId}`) + .get(`${ROOMS_PATH}/${roomId}`) .set('Cookie', [moderatorCookie, userCookie]); expect(response.status).toBe(200); }); it('should fail when authentication is required for all participants, participant is moderator and user is not authenticated', async () => { - await changeSecurityPreferences({ + await changeSecurityPreferences(adminCookie, { authMode: AuthMode.ALL_USERS }); - const response = await request(app).get(`${ROOMS_URL}/${roomId}`).set('Cookie', moderatorCookie); + const response = await request(app).get(`${ROOMS_PATH}/${roomId}`).set('Cookie', moderatorCookie); expect(response.status).toBe(401); }); }); @@ -331,52 +265,65 @@ describe('Room API Security Tests', () => { let roomId: string; beforeEach(async () => { - // Create a room and extract the roomId to test the delete room endpoint - const response = await request(app).post(ROOMS_URL).set(API_KEY_HEADER, API_KEY).send({ - autoDeletionDate: EXPIRATION_DATE - }); - roomId = response.body.roomId; + const room = await createRoom(); + roomId = room.roomId; }); it('should succeed when request includes API key', async () => { - const response = await request(app).delete(`${ROOMS_URL}/${roomId}`).set(API_KEY_HEADER, API_KEY); - expect(response.status).toBe(200); + const response = await request(app).delete(`${ROOMS_PATH}/${roomId}`).set(API_KEY_HEADER, MEET_API_KEY); + expect(response.status).toBe(204); }); it('should succeed when user is authenticated as admin', async () => { - const response = await request(app).delete(`${ROOMS_URL}/${roomId}`).set('Cookie', adminCookie); - expect(response.status).toBe(200); + const response = await request(app).delete(`${ROOMS_PATH}/${roomId}`).set('Cookie', adminCookie); + expect(response.status).toBe(204); }); it('should fail when user is authenticated as user', async () => { - const response = await request(app).delete(`${ROOMS_URL}/${roomId}`).set('Cookie', userCookie); + const response = await request(app).delete(`${ROOMS_PATH}/${roomId}`).set('Cookie', userCookie); expect(response.status).toBe(403); }); it('should fail when user is not authenticated', async () => { - const response = await request(app).delete(`${ROOMS_URL}/${roomId}`); + const response = await request(app).delete(`${ROOMS_PATH}/${roomId}`); expect(response.status).toBe(401); }); }); - describe.skip('Update Room Preferences Tests', () => { - it('should succeed when request includes API key', async () => { - const response = await request(app).put(ROOMS_URL).set(API_KEY_HEADER, API_KEY).send({}); - expect(response.status).toBe(200); + describe('Update Room Preferences Tests', () => { + const roomPreferences = { + recordingPreferences: { enabled: true }, + chatPreferences: { enabled: true }, + virtualBackgroundPreferences: { enabled: true } + }; + + let roomId: string; + + beforeAll(async () => { + const room = await createRoom(); + roomId = room.roomId; }); it('should succeed when user is authenticated as admin', async () => { - const response = await request(app).put(ROOMS_URL).set('Cookie', adminCookie).send({}); + const response = await request(app) + .put(`${MEET_INTERNAL_API_BASE_PATH_V1}/rooms/${roomId}`) + .set('Cookie', adminCookie) + .send(roomPreferences); expect(response.status).toBe(200); }); it('should fail when user is authenticated as user', async () => { - const response = await request(app).put(ROOMS_URL).set('Cookie', userCookie).send({}); + const response = await request(app) + .put(`${MEET_INTERNAL_API_BASE_PATH_V1}/rooms/${roomId}`) + .set('Cookie', userCookie) + .send(roomPreferences); expect(response.status).toBe(403); }); it('should fail when user is not authenticated', async () => { - const response = await request(app).put(ROOMS_URL).send({}); + const response = await request(app) + .put(`${MEET_INTERNAL_API_BASE_PATH_V1}/rooms/${roomId}`) + .send(roomPreferences); expect(response.status).toBe(401); }); }); @@ -386,20 +333,19 @@ describe('Room API Security Tests', () => { let moderatorSecret: string; beforeAll(async () => { - // Create a room and extract the roomId to test the get participant role endpoint - const response = await request(app).post(ROOMS_URL).set(API_KEY_HEADER, API_KEY).send({ - autoDeletionDate: EXPIRATION_DATE - }); - roomId = response.body.roomId; + const room = await createRoom(); + roomId = room.roomId; - // Extract the moderator secret from the room URL - moderatorSecret = extractSecretByRoomUrl(response.body.moderatorRoomUrl, 'Moderator'); + // Extract the moderator secret + ({ moderatorSecret } = MeetRoomHelper.extractSecretsFromRoom(room)); }); it('should succeed if user is not authenticated', async () => { - const response = await request(app).get(`${INTERNAL_BASE_URL}/rooms/${roomId}/participant-role`).query({ - secret: moderatorSecret - }); + const response = await request(app) + .get(`${MEET_INTERNAL_API_BASE_PATH_V1}/rooms/${roomId}/participant-role`) + .query({ + secret: moderatorSecret + }); expect(response.status).toBe(200); }); });