neoris/openvidu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

tests: Refactor room security tests to use updated helper functions and improve API integration

Browse Source
This commit is contained in:
juancarmore 2025-04-10 18:51:39 +02:00
parent 7182870625
commit 8f7624eecd
1 changed files with 134 additions and 188 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

322
backend/tests/integration/api/security/room-security.test.ts
View File

@ -1,188 +1,154 @@
import request from 'supertest'; import request from 'supertest';
import { describe, it, expect, beforeAll, beforeEach, afterAll } from '@jest/globals'; import { describe, it, expect, beforeAll, beforeEach, afterAll } from '@jest/globals';
import { Express } from 'express'; import { Express } from 'express';
import { startTestServer, stopTestServer } from '../../../utils/helpers.js'; import { createRoom, generateParticipantToken, startTestServer, stopTestServer } from '../../../utils/helpers.js';
import { AuthMode, AuthType } from '../../../../src/typings/ce/index.js'; import { AuthMode, UserRole } from '../../../../src/typings/ce/index.js';
import { MEET_API_BASE_PATH_V1, MEET_INTERNAL_API_BASE_PATH_V1, MEET_API_KEY } from '../../../../src/environment.js';
import { MeetRoomHelper } from '../../../../src/helpers/room.helper.js';
import { API_KEY_HEADER, changeSecurityPreferences, deleteAllRooms, loginUserAsRole } from '../../../utils/helpers.js';
const BASE_URL = '/meet/api/v1'; const ROOMS_PATH = `${MEET_API_BASE_PATH_V1}/rooms`;
const INTERNAL_BASE_URL = '/meet/internal-api/v1';
const ROOMS_URL = `${BASE_URL}/rooms`;
const API_KEY_HEADER = 'X-API-Key';
const API_KEY = 'meet-api-key';
const EXPIRATION_DATE = 1772129829000;
describe('Room API Security Tests', () => { describe('Room API Security Tests', () => {
let app: Express; let app: Express;
let userCookie: string; let userCookie: string;
let adminCookie: string; let adminCookie: string;
const changeSecurityPreferences = async ({
usersCanCreateRooms = true,
authRequired = true,
authMode = AuthMode.NONE
}) => {
await request(app)
.put(`${BASE_URL}/preferences/security`)
.set(API_KEY_HEADER, API_KEY)
.send({
roomCreationPolicy: {
allowRoomCreation: usersCanCreateRooms,
requireAuthentication: authRequired
},
authentication: {
authMode: authMode,
method: {
type: AuthType.SINGLE_USER
}
}
});
};
const loginUser = async (username: string, password: string): Promise<string> => {
const response = await request(app)
.post(`${INTERNAL_BASE_URL}/auth/login`)
.send({
username,
password
})
.expect(200);
const cookies = response.headers['set-cookie'] as unknown as string[];
const accessTokenCookie = cookies.find((cookie) => cookie.startsWith('OvMeetAccessToken=')) as string;
return accessTokenCookie;
};
const extractSecretByRoomUrl = (urlString: string, type: string): string => {
const url = new URL(urlString);
const secret = url.searchParams.get('secret');
if (!secret) throw new Error(`${type} secret not found`);
return secret;
};
beforeAll(async () => { beforeAll(async () => {
app = await startTestServer(); app = await startTestServer();
// Get cookies for admin and user // Get cookies for admin and user
userCookie = await loginUser('user', 'user'); userCookie = await loginUserAsRole(UserRole.USER);
adminCookie = await loginUser('admin', 'admin'); adminCookie = await loginUserAsRole(UserRole.ADMIN);
}); });
afterAll(async () => { afterAll(async () => {
// Clean up created rooms await deleteAllRooms();
const roomsResponse = await request(app).get(ROOMS_URL).set(API_KEY_HEADER, API_KEY);
for (const room of roomsResponse.body) {
await request(app).delete(`${ROOMS_URL}/${room.roomId}`).set(API_KEY_HEADER, API_KEY);
}
await stopTestServer(); await stopTestServer();
}, 20000); }, 20000);
describe('Create Room Tests', () => { describe('Create Room Tests', () => {
it('should succeed when users cannot create rooms, and request includes API key', async () => { it('should succeed when users cannot create rooms, and request includes API key', async () => {
await changeSecurityPreferences({ await changeSecurityPreferences(adminCookie, {
usersCanCreateRooms: false usersCanCreateRooms: false
}); });
const response = await request(app).post(ROOMS_URL).set(API_KEY_HEADER, API_KEY).send({ const response = await request(app).post(ROOMS_PATH).set(API_KEY_HEADER, MEET_API_KEY).send({});
autoDeletionDate: EXPIRATION_DATE
});
expect(response.status).toBe(200); expect(response.status).toBe(200);
}); });
it('should succeed when users cannot create rooms, and user is authenticated as admin', async () => { it('should succeed when users cannot create rooms, and user is authenticated as admin', async () => {
await changeSecurityPreferences({ await changeSecurityPreferences(adminCookie, {
usersCanCreateRooms: false usersCanCreateRooms: false
}); });
const response = await request(app).post(ROOMS_URL).set('Cookie', adminCookie).send({ const response = await request(app).post(ROOMS_PATH).set('Cookie', adminCookie).send({});
autoDeletionDate: EXPIRATION_DATE
});
expect(response.status).toBe(200); expect(response.status).toBe(200);
}); });
it('should fail when users cannot create rooms, and user is authenticated as user', async () => { it('should fail when users cannot create rooms, and user is authenticated as user', async () => {
await changeSecurityPreferences({ await changeSecurityPreferences(adminCookie, {
usersCanCreateRooms: false usersCanCreateRooms: false
}); });
const response = await request(app).post(ROOMS_URL).set('Cookie', userCookie).send({ const response = await request(app).post(ROOMS_PATH).set('Cookie', userCookie).send({});
autoDeletionDate: EXPIRATION_DATE
});
expect(response.status).toBe(403); expect(response.status).toBe(403);
}); });
it('should fail when users cannot create rooms, and user is not authenticated', async () => { it('should fail when users cannot create rooms, and user is not authenticated', async () => {
await changeSecurityPreferences({ await changeSecurityPreferences(adminCookie, {
usersCanCreateRooms: false usersCanCreateRooms: false
}); });
const response = await request(app).post(ROOMS_URL).send({ const response = await request(app).post(ROOMS_PATH).send({});
autoDeletionDate: EXPIRATION_DATE
});
expect(response.status).toBe(401); expect(response.status).toBe(401);
}); });
it('should succeed when users can create rooms and auth is not required, and user is not authenticated', async () => { it('should succeed when users can create rooms and auth is not required, and user is not authenticated', async () => {
await changeSecurityPreferences({ await changeSecurityPreferences(adminCookie, {
usersCanCreateRooms: true, usersCanCreateRooms: true,
authRequired: false authRequired: false
}); });
const response = await request(app).post(ROOMS_URL).send({ const response = await request(app).post(ROOMS_PATH).send({});
autoDeletionDate: EXPIRATION_DATE
});
expect(response.status).toBe(200); expect(response.status).toBe(200);
}); });
it('should succeed when users can create rooms and auth is required, and user is authenticated', async () => { it('should succeed when users can create rooms and auth is required, and user is authenticated', async () => {
await changeSecurityPreferences({ await changeSecurityPreferences(adminCookie, {
usersCanCreateRooms: true, usersCanCreateRooms: true,
authRequired: true authRequired: true
}); });
const response = await request(app).post(ROOMS_URL).set('Cookie', userCookie).send({ const response = await request(app).post(ROOMS_PATH).set('Cookie', userCookie).send({});
autoDeletionDate: EXPIRATION_DATE
});
expect(response.status).toBe(200); expect(response.status).toBe(200);
}); });
it('should fail when users can create rooms and auth is required, and user is not authenticated', async () => { it('should fail when users can create rooms and auth is required, and user is not authenticated', async () => {
await changeSecurityPreferences({ await changeSecurityPreferences(adminCookie, {
usersCanCreateRooms: true, usersCanCreateRooms: true,
authRequired: true authRequired: true
}); });
const response = await request(app).post(ROOMS_URL).send({ const response = await request(app).post(ROOMS_PATH).send({});
autoDeletionDate: EXPIRATION_DATE
});
expect(response.status).toBe(401); expect(response.status).toBe(401);
}); });
}); });
describe('Get Rooms Tests', () => { describe('Get Rooms Tests', () => {
it('should succeed when request includes API key', async () => { it('should succeed when request includes API key', async () => {
const response = await request(app).get(ROOMS_URL).set(API_KEY_HEADER, API_KEY); const response = await request(app).get(ROOMS_PATH).set(API_KEY_HEADER, MEET_API_KEY);
expect(response.status).toBe(200); expect(response.status).toBe(200);
}); });
it('should succeed when user is authenticated as admin', async () => { it('should succeed when user is authenticated as admin', async () => {
const response = await request(app).get(ROOMS_URL).set('Cookie', adminCookie); const response = await request(app).get(ROOMS_PATH).set('Cookie', adminCookie);
expect(response.status).toBe(200); expect(response.status).toBe(200);
}); });
it('should fail when user is authenticated as user', async () => { it('should fail when user is authenticated as user', async () => {
const response = await request(app).get(ROOMS_URL).set('Cookie', userCookie); const response = await request(app).get(ROOMS_PATH).set('Cookie', userCookie);
expect(response.status).toBe(403); expect(response.status).toBe(403);
}); });
it('should fail when user is not authenticated', async () => { it('should fail when user is not authenticated', async () => {
const response = await request(app).get(ROOMS_URL); const response = await request(app).get(ROOMS_PATH);
expect(response.status).toBe(401);
});
});
describe('Bulk Delete Rooms Tests', () => {
let roomId: string;
beforeEach(async () => {
// Create a room and extract the roomId
const response = await request(app).post(ROOMS_PATH).set(API_KEY_HEADER, MEET_API_KEY).send({});
roomId = response.body.roomId;
});
it('should succeed when request includes API key', async () => {
const response = await request(app)
.delete(ROOMS_PATH)
.query({ roomIds: roomId })
.set(API_KEY_HEADER, MEET_API_KEY);
expect(response.status).toBe(204);
});
it('should succeed when user is authenticated as admin', async () => {
const response = await request(app)
.delete(ROOMS_PATH)
.query({ roomIds: roomId })
.set('Cookie', adminCookie);
expect(response.status).toBe(204);
});
it('should fail when user is authenticated as user', async () => {
const response = await request(app).delete(ROOMS_PATH).query({ roomIds: roomId }).set('Cookie', userCookie);
expect(response.status).toBe(403);
});
it('should fail when user is not authenticated', async () => {
const response = await request(app).delete(ROOMS_PATH).query({ roomIds: roomId });
expect(response.status).toBe(401); expect(response.status).toBe(401);
}); });
}); });
@ -192,137 +158,105 @@ describe('Room API Security Tests', () => {
let moderatorCookie: string; let moderatorCookie: string;
let publisherCookie: string; let publisherCookie: string;
const generateParticipantToken = async (
roomId: string,
participantName: string,
secret: string
): Promise<string> => {
// Disable authentication to generate the token
await changeSecurityPreferences({
authMode: AuthMode.NONE
});
// Generate the participant token
const response = await request(app)
.post(`${INTERNAL_BASE_URL}/participants/token`)
.send({
roomId,
participantName,
secret
})
.expect(200);
// Return the participant token cookie
const cookies = response.headers['set-cookie'] as unknown as string[];
const participantTokenCookie = cookies.find((cookie) =>
cookie.startsWith('OvMeetParticipantToken=')
) as string;
return participantTokenCookie;
};
beforeAll(async () => { beforeAll(async () => {
// Create a room and extract the roomId to test the get room endpoint const room = await createRoom();
const response = await request(app).post(ROOMS_URL).set(API_KEY_HEADER, API_KEY).send({ roomId = room.roomId;
autoDeletionDate: EXPIRATION_DATE
});
roomId = response.body.roomId;
// Extract the moderator and publisher secrets from the room URL // Extract the room secrets and generate participant tokens, saved as cookies
const { moderatorRoomUrl, publisherRoomUrl } = response.body; const { moderatorSecret, publisherSecret } = MeetRoomHelper.extractSecretsFromRoom(room);
const moderatorSecret = extractSecretByRoomUrl(moderatorRoomUrl, 'Moderator'); moderatorCookie = await generateParticipantToken(adminCookie, roomId, 'Moderator', moderatorSecret);
const publisherSecret = extractSecretByRoomUrl(publisherRoomUrl, 'Publisher'); publisherCookie = await generateParticipantToken(adminCookie, roomId, 'Publisher', publisherSecret);
// Generate participant tokens for the room and extract the cookies
moderatorCookie = await generateParticipantToken(roomId, 'Moderator', moderatorSecret);
publisherCookie = await generateParticipantToken(roomId, 'Publisher', publisherSecret);
}); });
it('should succeed when request includes API key', async () => { it('should succeed when request includes API key', async () => {
const response = await request(app).get(`${ROOMS_URL}/${roomId}`).set(API_KEY_HEADER, API_KEY); const response = await request(app).get(`${ROOMS_PATH}/${roomId}`).set(API_KEY_HEADER, MEET_API_KEY);
expect(response.status).toBe(200); expect(response.status).toBe(200);
}); });
it('should succeed when user is authenticated as admin', async () => { it('should succeed when user is authenticated as admin', async () => {
const response = await request(app).get(`${ROOMS_URL}/${roomId}`).set('Cookie', adminCookie); const response = await request(app).get(`${ROOMS_PATH}/${roomId}`).set('Cookie', adminCookie);
expect(response.status).toBe(200); expect(response.status).toBe(200);
}); });
it('should fail when user is authenticated as user', async () => { it('should fail when user is authenticated as user', async () => {
const response = await request(app).get(`${ROOMS_URL}/${roomId}`).set('Cookie', userCookie); const response = await request(app).get(`${ROOMS_PATH}/${roomId}`).set('Cookie', userCookie);
expect(response.status).toBe(401); expect(response.status).toBe(401);
}); });
it('should fail when user is not authenticated', async () => { it('should fail when user is not authenticated', async () => {
const response = await request(app).get(`${ROOMS_URL}/${roomId}`); const response = await request(app).get(`${ROOMS_PATH}/${roomId}`);
expect(response.status).toBe(401); expect(response.status).toBe(401);
}); });
it('should fail when participant is publisher', async () => { it('should fail when participant is publisher', async () => {
const response = await request(app).get(`${ROOMS_URL}/${roomId}`).set('Cookie', publisherCookie); const response = await request(app).get(`${ROOMS_PATH}/${roomId}`).set('Cookie', publisherCookie);
expect(response.status).toBe(403); expect(response.status).toBe(403);
}); });
it('should fail when participant is moderator of a different room', async () => { it('should fail when participant is moderator of a different room', async () => {
// Create a new room to get a different roomId // Create a new room to get a different roomId
const roomResponse = await request(app).post(ROOMS_URL).set(API_KEY_HEADER, API_KEY).send({ const newRoom = await createRoom();
autoDeletionDate: EXPIRATION_DATE const newRoomId = newRoom.roomId;
});
const newRoomId = roomResponse.body.roomId;
// Extract the moderator secret and generate a participant token for the new room // Extract the moderator secret and generate a participant token for the new room
const newModeratorSecret = extractSecretByRoomUrl(roomResponse.body.moderatorRoomUrl, 'Moderator'); const { moderatorSecret } = MeetRoomHelper.extractSecretsFromRoom(newRoom);
const newModeratorCookie = await generateParticipantToken(newRoomId, 'Moderator', newModeratorSecret); const newModeratorCookie = await generateParticipantToken(
adminCookie,
newRoomId,
'Moderator',
moderatorSecret
);
const response = await request(app).get(`${ROOMS_URL}/${roomId}`).set('Cookie', newModeratorCookie); const response = await request(app).get(`${ROOMS_PATH}/${roomId}`).set('Cookie', newModeratorCookie);
expect(response.status).toBe(403); expect(response.status).toBe(403);
}); });
it('should succeed when no authentication is required and participant is moderator', async () => { it('should succeed when no authentication is required and participant is moderator', async () => {
await changeSecurityPreferences({ await changeSecurityPreferences(adminCookie, {
authMode: AuthMode.NONE authMode: AuthMode.NONE
}); });
const response = await request(app).get(`${ROOMS_URL}/${roomId}`).set('Cookie', moderatorCookie); const response = await request(app).get(`${ROOMS_PATH}/${roomId}`).set('Cookie', moderatorCookie);
expect(response.status).toBe(200); expect(response.status).toBe(200);
}); });
it('should succeed when authentication is required for moderators, participant is moderator and user is authenticated', async () => { it('should succeed when authentication is required for moderators, participant is moderator and user is authenticated', async () => {
await changeSecurityPreferences({ await changeSecurityPreferences(adminCookie, {
authMode: AuthMode.MODERATORS_ONLY authMode: AuthMode.MODERATORS_ONLY
}); });
const response = await request(app) const response = await request(app)
.get(`${ROOMS_URL}/${roomId}`) .get(`${ROOMS_PATH}/${roomId}`)
.set('Cookie', [moderatorCookie, userCookie]); .set('Cookie', [moderatorCookie, userCookie]);
expect(response.status).toBe(200); expect(response.status).toBe(200);
}); });
it('should fail when authentication is required for moderators, participant is moderator and user is not authenticated', async () => { it('should fail when authentication is required for moderators, participant is moderator and user is not authenticated', async () => {
await changeSecurityPreferences({ await changeSecurityPreferences(adminCookie, {
authMode: AuthMode.MODERATORS_ONLY authMode: AuthMode.MODERATORS_ONLY
}); });
const response = await request(app).get(`${ROOMS_URL}/${roomId}`).set('Cookie', moderatorCookie); const response = await request(app).get(`${ROOMS_PATH}/${roomId}`).set('Cookie', moderatorCookie);
expect(response.status).toBe(401); expect(response.status).toBe(401);
}); });
it('should succeed when authentication is required for all participants, participant is moderator and user is authenticated', async () => { it('should succeed when authentication is required for all participants, participant is moderator and user is authenticated', async () => {
await changeSecurityPreferences({ await changeSecurityPreferences(adminCookie, {
authMode: AuthMode.ALL_USERS authMode: AuthMode.ALL_USERS
}); });
const response = await request(app) const response = await request(app)
.get(`${ROOMS_URL}/${roomId}`) .get(`${ROOMS_PATH}/${roomId}`)
.set('Cookie', [moderatorCookie, userCookie]); .set('Cookie', [moderatorCookie, userCookie]);
expect(response.status).toBe(200); expect(response.status).toBe(200);
}); });
it('should fail when authentication is required for all participants, participant is moderator and user is not authenticated', async () => { it('should fail when authentication is required for all participants, participant is moderator and user is not authenticated', async () => {
await changeSecurityPreferences({ await changeSecurityPreferences(adminCookie, {
authMode: AuthMode.ALL_USERS authMode: AuthMode.ALL_USERS
}); });
const response = await request(app).get(`${ROOMS_URL}/${roomId}`).set('Cookie', moderatorCookie); const response = await request(app).get(`${ROOMS_PATH}/${roomId}`).set('Cookie', moderatorCookie);
expect(response.status).toBe(401); expect(response.status).toBe(401);
}); });
}); });
@ -331,52 +265,65 @@ describe('Room API Security Tests', () => {
let roomId: string; let roomId: string;
beforeEach(async () => { beforeEach(async () => {
// Create a room and extract the roomId to test the delete room endpoint const room = await createRoom();
const response = await request(app).post(ROOMS_URL).set(API_KEY_HEADER, API_KEY).send({ roomId = room.roomId;
autoDeletionDate: EXPIRATION_DATE
});
roomId = response.body.roomId;
}); });
it('should succeed when request includes API key', async () => { it('should succeed when request includes API key', async () => {
const response = await request(app).delete(`${ROOMS_URL}/${roomId}`).set(API_KEY_HEADER, API_KEY); const response = await request(app).delete(`${ROOMS_PATH}/${roomId}`).set(API_KEY_HEADER, MEET_API_KEY);
expect(response.status).toBe(200); expect(response.status).toBe(204);
}); });
it('should succeed when user is authenticated as admin', async () => { it('should succeed when user is authenticated as admin', async () => {
const response = await request(app).delete(`${ROOMS_URL}/${roomId}`).set('Cookie', adminCookie); const response = await request(app).delete(`${ROOMS_PATH}/${roomId}`).set('Cookie', adminCookie);
expect(response.status).toBe(200); expect(response.status).toBe(204);
}); });
it('should fail when user is authenticated as user', async () => { it('should fail when user is authenticated as user', async () => {
const response = await request(app).delete(`${ROOMS_URL}/${roomId}`).set('Cookie', userCookie); const response = await request(app).delete(`${ROOMS_PATH}/${roomId}`).set('Cookie', userCookie);
expect(response.status).toBe(403); expect(response.status).toBe(403);
}); });
it('should fail when user is not authenticated', async () => { it('should fail when user is not authenticated', async () => {
const response = await request(app).delete(`${ROOMS_URL}/${roomId}`); const response = await request(app).delete(`${ROOMS_PATH}/${roomId}`);
expect(response.status).toBe(401); expect(response.status).toBe(401);
}); });
}); });
describe.skip('Update Room Preferences Tests', () => { describe('Update Room Preferences Tests', () => {
it('should succeed when request includes API key', async () => { const roomPreferences = {
const response = await request(app).put(ROOMS_URL).set(API_KEY_HEADER, API_KEY).send({}); recordingPreferences: { enabled: true },
expect(response.status).toBe(200); chatPreferences: { enabled: true },
virtualBackgroundPreferences: { enabled: true }
};
let roomId: string;
beforeAll(async () => {
const room = await createRoom();
roomId = room.roomId;
}); });
it('should succeed when user is authenticated as admin', async () => { it('should succeed when user is authenticated as admin', async () => {
const response = await request(app).put(ROOMS_URL).set('Cookie', adminCookie).send({}); const response = await request(app)
.put(`${MEET_INTERNAL_API_BASE_PATH_V1}/rooms/${roomId}`)
.set('Cookie', adminCookie)
.send(roomPreferences);
expect(response.status).toBe(200); expect(response.status).toBe(200);
}); });
it('should fail when user is authenticated as user', async () => { it('should fail when user is authenticated as user', async () => {
const response = await request(app).put(ROOMS_URL).set('Cookie', userCookie).send({}); const response = await request(app)
.put(`${MEET_INTERNAL_API_BASE_PATH_V1}/rooms/${roomId}`)
.set('Cookie', userCookie)
.send(roomPreferences);
expect(response.status).toBe(403); expect(response.status).toBe(403);
}); });
it('should fail when user is not authenticated', async () => { it('should fail when user is not authenticated', async () => {
const response = await request(app).put(ROOMS_URL).send({}); const response = await request(app)
.put(`${MEET_INTERNAL_API_BASE_PATH_V1}/rooms/${roomId}`)
.send(roomPreferences);
expect(response.status).toBe(401); expect(response.status).toBe(401);
}); });
}); });
@ -386,20 +333,19 @@ describe('Room API Security Tests', () => {
let moderatorSecret: string; let moderatorSecret: string;
beforeAll(async () => { beforeAll(async () => {
// Create a room and extract the roomId to test the get participant role endpoint const room = await createRoom();
const response = await request(app).post(ROOMS_URL).set(API_KEY_HEADER, API_KEY).send({ roomId = room.roomId;
autoDeletionDate: EXPIRATION_DATE
});
roomId = response.body.roomId;
// Extract the moderator secret from the room URL // Extract the moderator secret
moderatorSecret = extractSecretByRoomUrl(response.body.moderatorRoomUrl, 'Moderator'); ({ moderatorSecret } = MeetRoomHelper.extractSecretsFromRoom(room));
}); });
it('should succeed if user is not authenticated', async () => { it('should succeed if user is not authenticated', async () => {
const response = await request(app).get(`${INTERNAL_BASE_URL}/rooms/${roomId}/participant-role`).query({ const response = await request(app)
secret: moderatorSecret .get(`${MEET_INTERNAL_API_BASE_PATH_V1}/rooms/${roomId}/participant-role`)
}); .query({
secret: moderatorSecret
});
expect(response.status).toBe(200); expect(response.status).toBe(200);
}); });
}); });