neoris/openvidu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

test: add new security test cases for getRecordingMedia endpoint and implement security tests for getRecordingUrl endpoint

Browse Source
This commit is contained in:
juancarmore 2025-06-09 21:05:30 +02:00
parent 7efe31f8f4
commit 979396aedd
2 changed files with 141 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
backend/tests/helpers/request-helpers.ts
View File

@ -471,6 +471,15 @@ export const getRecordingMedia = async (recordingId: string, range?: string) =>
return await req; return await req;
}; };
export const getRecordingUrl = async (recordingId: string, privateAccess = false) => {
checkAppIsRunning();
return await request(app)
.get(`${INTERNAL_CONFIG.API_BASE_PATH_V1}/recordings/${recordingId}/url`)
.query({ privateAccess })
.set(INTERNAL_CONFIG.API_KEY_HEADER, MEET_API_KEY);
};
export const deleteRecording = async (recordingId: string) => { export const deleteRecording = async (recordingId: string) => {
checkAppIsRunning(); checkAppIsRunning();

132
backend/tests/integration/api/security/recording-security.test.ts
View File

@ -10,6 +10,7 @@ import {
deleteAllRooms, deleteAllRooms,
disconnectFakeParticipants, disconnectFakeParticipants,
generateRecordingTokenCookie, generateRecordingTokenCookie,
getRecordingUrl,
loginUser, loginUser,
startTestServer, startTestServer,
stopAllRecordings, stopAllRecordings,
@ -517,5 +518,136 @@ describe('Recording API Security Tests', () => {
.set('Cookie', recordingCookie); .set('Cookie', recordingCookie);
expect(response.status).toBe(200); expect(response.status).toBe(200);
}); });
it('should succeed when using public access secret and user is not authenticated', async () => {
const recordingUrlResponse = await getRecordingUrl(recordingId);
expect(recordingUrlResponse.status).toBe(200);
const recordingUrl = recordingUrlResponse.body.url;
expect(recordingUrl).toBeDefined();
const response = await request(app).get(recordingUrl);
expect(response.status).toBe(200);
});
it('should fail when using private access secret and user is not authenticated', async () => {
const recordingUrlResponse = await getRecordingUrl(recordingId, true);
expect(recordingUrlResponse.status).toBe(200);
const recordingUrl = recordingUrlResponse.body.url;
expect(recordingUrl).toBeDefined();
const response = await request(app).get(recordingUrl);
expect(response.status).toBe(401);
});
it('should succeed when using private access secret and user is authenticated', async () => {
const recordingUrlResponse = await getRecordingUrl(recordingId, true);
expect(recordingUrlResponse.status).toBe(200);
const recordingUrl = recordingUrlResponse.body.url;
expect(recordingUrl).toBeDefined();
const response = await request(app).get(recordingUrl).set('Cookie', adminCookie);
expect(response.status).toBe(200);
});
it('should fail when using invalid access secret', async () => {
const invalidRecordingUrl = `${RECORDINGS_PATH}/${recordingId}/media?secret=invalidSecret`;
const response = await request(app).get(invalidRecordingUrl);
expect(response.status).toBe(400);
});
});
describe('Get Recording URL Tests', () => {
let roomData: RoomData;
let recordingId: string;
beforeAll(async () => {
roomData = await setupSingleRoomWithRecording(true);
recordingId = roomData.recordingId!;
});
it('should succeed when request includes API key', async () => {
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}/url`)
.set(INTERNAL_CONFIG.API_KEY_HEADER, MEET_API_KEY);
expect(response.status).toBe(200);
});
it('should succeed when user is authenticated as admin', async () => {
const response = await request(app).get(`${RECORDINGS_PATH}/${recordingId}/url`).set('Cookie', adminCookie);
expect(response.status).toBe(200);
});
it('should succeed when recording access is public and participant is publisher', async () => {
await updateRecordingAccessPreferencesInRoom(roomData.room.roomId, MeetRecordingAccess.PUBLIC);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.publisherSecret);
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}/url`)
.set('Cookie', recordingCookie);
expect(response.status).toBe(200);
});
it('should succeed when recording access is public and participant is moderator', async () => {
await updateRecordingAccessPreferencesInRoom(roomData.room.roomId, MeetRecordingAccess.PUBLIC);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.moderatorSecret);
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}/url`)
.set('Cookie', recordingCookie);
expect(response.status).toBe(200);
});
it('should fail when recording access is public and user is not authenticated', async () => {
await updateRecordingAccessPreferencesInRoom(roomData.room.roomId, MeetRecordingAccess.PUBLIC);
const response = await request(app).get(`${RECORDINGS_PATH}/${recordingId}/url`);
expect(response.status).toBe(401);
});
it('should succeed when recording access is admin-moderator-publisher and participant is publisher', async () => {
await updateRecordingAccessPreferencesInRoom(
roomData.room.roomId,
MeetRecordingAccess.ADMIN_MODERATOR_PUBLISHER
);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.publisherSecret);
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}/url`)
.set('Cookie', recordingCookie);
expect(response.status).toBe(200);
});
it('should succeed when recording access is admin-moderator-publisher and participant is moderator', async () => {
await updateRecordingAccessPreferencesInRoom(
roomData.room.roomId,
MeetRecordingAccess.ADMIN_MODERATOR_PUBLISHER
);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.moderatorSecret);
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}/url`)
.set('Cookie', recordingCookie);
expect(response.status).toBe(200);
});
it('should fail when recording access is admin-moderator and participant is publisher', async () => {
await updateRecordingAccessPreferencesInRoom(roomData.room.roomId, MeetRecordingAccess.ADMIN_MODERATOR);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.publisherSecret);
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}/url`)
.set('Cookie', recordingCookie);
expect(response.status).toBe(403);
});
it('should succeed when recording access is admin-moderator and participant is moderator', async () => {
await updateRecordingAccessPreferencesInRoom(roomData.room.roomId, MeetRecordingAccess.ADMIN_MODERATOR);
const recordingCookie = await generateRecordingTokenCookie(roomData.room.roomId, roomData.moderatorSecret);
const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}/url`)
.set('Cookie', recordingCookie);
expect(response.status).toBe(200);
});
}); });
}); });