neoris/openvidu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

tests: Refactor recording security tests to use helper functions

Browse Source
This commit is contained in:
juancarmore 2025-04-11 11:19:54 +02:00
parent b31a53e6d9
commit e0d155b8c2
1 changed files with 83 additions and 139 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

222
backend/tests/integration/api/security/recording-security.test.ts
View File

@ -1,17 +1,21 @@
import request from 'supertest'; import request from 'supertest';
import { describe, it, expect, beforeAll, afterAll } from '@jest/globals'; import { describe, it, expect, beforeAll, afterAll } from '@jest/globals';
import { Express } from 'express'; import { Express } from 'express';
import { startTestServer, stopTestServer } from '../../../utils/helpers.js'; import {
import { AuthMode, AuthType } from '../../../../src/typings/ce/index.js'; API_KEY_HEADER,
createRoom,
deleteAllRooms,
generateParticipantToken,
loginUserAsRole,
startTestServer,
stopTestServer
} from '../../../utils/helpers.js';
import { MEET_API_BASE_PATH_V1, MEET_INTERNAL_API_BASE_PATH_V1, MEET_API_KEY } from '../../../../src/environment.js';
import { UserRole } from '../../../../src/typings/ce/index.js';
import { MeetRoomHelper } from '../../../../src/helpers/room.helper.js';
const BASE_URL = '/meet/api/v1'; const RECORDINGS_PATH = `${MEET_API_BASE_PATH_V1}/recordings`;
const INTERNAL_BASE_URL = '/meet/internal-api/v1'; const INTERNAL_RECORDINGS_PATH = `${MEET_INTERNAL_API_BASE_PATH_V1}/recordings`;
const RECORDINGS_URL = `${BASE_URL}/recordings`;
const API_KEY_HEADER = 'X-API-Key';
const API_KEY = 'meet-api-key';
const EXPIRATION_DATE = 1772129829000;
describe('Room API Security Tests', () => { describe('Room API Security Tests', () => {
let app: Express; let app: Express;
@ -25,128 +29,57 @@ describe('Room API Security Tests', () => {
let moderatorCookie: string; let moderatorCookie: string;
let publisherCookie: string; let publisherCookie: string;
const loginUser = async (username: string, password: string): Promise<string> => {
const response = await request(app)
.post(`${INTERNAL_BASE_URL}/auth/login`)
.send({
username,
password
})
.expect(200);
const cookies = response.headers['set-cookie'] as unknown as string[];
const accessTokenCookie = cookies.find((cookie) => cookie.startsWith('OvMeetAccessToken=')) as string;
return accessTokenCookie;
};
const extractSecretByRoomUrl = (urlString: string, type: string): string => {
const url = new URL(urlString);
const secret = url.searchParams.get('secret');
if (!secret) throw new Error(`${type} secret not found`);
return secret;
};
const changeSecurityPreferences = async (authMode: AuthMode) => {
await request(app)
.put(`${BASE_URL}/preferences/security`)
.set(API_KEY_HEADER, API_KEY)
.send({
authentication: {
authMode: authMode,
method: {
type: AuthType.SINGLE_USER
}
}
});
};
const generateParticipantToken = async (
roomId: string,
participantName: string,
secret: string
): Promise<string> => {
// Disable authentication to generate the token
await changeSecurityPreferences(AuthMode.NONE);
// Generate the participant token
const response = await request(app)
.post(`${INTERNAL_BASE_URL}/participants/token`)
.send({
roomId,
participantName,
secret
})
.expect(200);
// Return the participant token cookie
const cookies = response.headers['set-cookie'] as unknown as string[];
const participantTokenCookie = cookies.find((cookie) => cookie.startsWith('OvMeetParticipantToken=')) as string;
return participantTokenCookie;
};
beforeAll(async () => { beforeAll(async () => {
app = await startTestServer(); app = await startTestServer();
// Get cookies for admin and user // Get cookies for admin and user
userCookie = await loginUser('user', 'user'); userCookie = await loginUserAsRole(UserRole.USER);
adminCookie = await loginUser('admin', 'admin'); adminCookie = await loginUserAsRole(UserRole.ADMIN);
// Create a room and extract the roomId // Create a room and extract the roomId
const response = await request(app).post(`${BASE_URL}/rooms`).set(API_KEY_HEADER, API_KEY).send({ const room = await createRoom();
autoDeletionDate: EXPIRATION_DATE roomId = room.roomId;
});
roomId = response.body.roomId;
recordingId = `${roomId}--recordingId--uid`; recordingId = `${roomId}--recordingId--uid`;
// Extract the moderator and publisher secrets from the room URL // Extract the room secrets and generate participant tokens, saved as cookies
const { moderatorRoomUrl, publisherRoomUrl } = response.body; const { moderatorSecret, publisherSecret } = MeetRoomHelper.extractSecretsFromRoom(room);
const moderatorSecret = extractSecretByRoomUrl(moderatorRoomUrl, 'Moderator'); moderatorCookie = await generateParticipantToken(adminCookie, roomId, 'Moderator', moderatorSecret);
const publisherSecret = extractSecretByRoomUrl(publisherRoomUrl, 'Publisher'); publisherCookie = await generateParticipantToken(adminCookie, roomId, 'Publisher', publisherSecret);
// Generate participant tokens for the room and extract the cookies
moderatorCookie = await generateParticipantToken(roomId, 'Moderator', moderatorSecret);
publisherCookie = await generateParticipantToken(roomId, 'Publisher', publisherSecret);
}); });
afterAll(async () => { afterAll(async () => {
// Clean up created rooms await deleteAllRooms();
const roomsResponse = await request(app).get(`${BASE_URL}/rooms`).set(API_KEY_HEADER, API_KEY);
for (const room of roomsResponse.body) {
await request(app).delete(`${BASE_URL}/rooms/${room.roomId}`).set(API_KEY_HEADER, API_KEY);
}
await stopTestServer(); await stopTestServer();
}, 20000); }, 20000);
describe('Start Recording Tests', () => { describe('Start Recording Tests', () => {
it('should succeed when participant is moderator', async () => { it('should succeed when participant is moderator', async () => {
const response = await request(app) const response = await request(app)
.post(`${RECORDINGS_URL}`) .post(INTERNAL_RECORDINGS_PATH)
.send({ roomId }) .send({ roomId })
.set('Cookie', moderatorCookie); .set('Cookie', moderatorCookie);
// The response code should be 500 to consider a success // The response code should be 409 to consider a success
// This is because there is no real participant inside the room and the recording will fail // This is because there is no real participant inside the room and the recording will fail
expect(response.status).toBe(500); expect(response.status).toBe(409);
expect(response.body).toHaveProperty('message', 'Failed to start recording'); });
}, 40000); // Increase timeout for this test because of the timeout until the recording fails to start
it('should fail when participant is moderator of a different room', async () => { it('should fail when participant is moderator of a different room', async () => {
// Create a new room to get a different roomId // Create a new room to get a different roomId
const roomResponse = await request(app).post(`${BASE_URL}/rooms`).set(API_KEY_HEADER, API_KEY).send({ const newRoom = await createRoom();
autoDeletionDate: EXPIRATION_DATE const newRoomId = newRoom.roomId;
});
const newRoomId = roomResponse.body.roomId;
// Extract the moderator secret and generate a participant token for the new room // Extract the moderator secret and generate a participant token for the new room
const newModeratorSecret = extractSecretByRoomUrl(roomResponse.body.moderatorRoomUrl, 'Moderator'); const { moderatorSecret } = MeetRoomHelper.extractSecretsFromRoom(newRoom);
const newModeratorCookie = await generateParticipantToken(newRoomId, 'Moderator', newModeratorSecret); const newModeratorCookie = await generateParticipantToken(
adminCookie,
newRoomId,
'Moderator',
moderatorSecret
);
const response = await request(app) const response = await request(app)
.post(`${RECORDINGS_URL}`) .post(INTERNAL_RECORDINGS_PATH)
.send({ roomId }) .send({ roomId })
.set('Cookie', newModeratorCookie); .set('Cookie', newModeratorCookie);
expect(response.status).toBe(403); expect(response.status).toBe(403);
@ -154,7 +87,7 @@ describe('Room API Security Tests', () => {
it('should fail when participant is publisher', async () => { it('should fail when participant is publisher', async () => {
const response = await request(app) const response = await request(app)
.post(`${RECORDINGS_URL}`) .post(INTERNAL_RECORDINGS_PATH)
.send({ roomId }) .send({ roomId })
.set('Cookie', publisherCookie); .set('Cookie', publisherCookie);
expect(response.status).toBe(403); expect(response.status).toBe(403);
@ -163,100 +96,111 @@ describe('Room API Security Tests', () => {
describe('Stop Recording Tests', () => { describe('Stop Recording Tests', () => {
it('should succeed when participant is moderator', async () => { it('should succeed when participant is moderator', async () => {
const response = await request(app).put(`${RECORDINGS_URL}/${recordingId}`).set('Cookie', moderatorCookie); const response = await request(app)
.post(`${INTERNAL_RECORDINGS_PATH}/${recordingId}/stop`)
.set('Cookie', moderatorCookie);
// The response code should be 404 to consider a success because the recording does not exist // The response code should be 404 to consider a success because the recording does not exist
expect(response.status).toBe(404); expect(response.status).toBe(404);
}); });
it('should fail when participant is moderator of a different room', async () => { it('should fail when participant is moderator of a different room', async () => {
// Create a new room to get a different roomId // Create a new room to get a different roomId
const roomResponse = await request(app).post(`${BASE_URL}/rooms`).set(API_KEY_HEADER, API_KEY).send({ const newRoom = await createRoom();
autoDeletionDate: EXPIRATION_DATE const newRoomId = newRoom.roomId;
});
const newRoomId = roomResponse.body.roomId;
// Extract the moderator secret and generate a participant token for the new room // Extract the moderator secret and generate a participant token for the new room
const newModeratorSecret = extractSecretByRoomUrl(roomResponse.body.moderatorRoomUrl, 'Moderator'); const { moderatorSecret } = MeetRoomHelper.extractSecretsFromRoom(newRoom);
const newModeratorCookie = await generateParticipantToken(newRoomId, 'Moderator', newModeratorSecret); const newModeratorCookie = await generateParticipantToken(
adminCookie,
newRoomId,
'Moderator',
moderatorSecret
);
const response = await request(app) const response = await request(app)
.put(`${RECORDINGS_URL}/${recordingId}`) .post(`${INTERNAL_RECORDINGS_PATH}/${recordingId}/stop`)
.set('Cookie', newModeratorCookie); .set('Cookie', newModeratorCookie);
expect(response.status).toBe(403); expect(response.status).toBe(403);
}); });
it('should fail when participant is publisher', async () => { it('should fail when participant is publisher', async () => {
const response = await request(app).put(`${RECORDINGS_URL}/${recordingId}`).set('Cookie', publisherCookie); const response = await request(app)
.post(`${INTERNAL_RECORDINGS_PATH}/${recordingId}/stop`)
.set('Cookie', publisherCookie);
expect(response.status).toBe(403); expect(response.status).toBe(403);
}); });
}); });
describe('Get Recordings Tests', () => { describe('Get Recordings Tests', () => {
it('should succeed when request includes API key', async () => { it('should succeed when request includes API key', async () => {
const response = await request(app).get(RECORDINGS_URL).set(API_KEY_HEADER, API_KEY); const response = await request(app).get(RECORDINGS_PATH).set(API_KEY_HEADER, MEET_API_KEY);
expect(response.status).toBe(200); expect(response.status).toBe(200);
}); });
it('should succeed when user is authenticated as admin', async () => { it('should succeed when user is authenticated as admin', async () => {
const response = await request(app).get(RECORDINGS_URL).set('Cookie', adminCookie); const response = await request(app).get(RECORDINGS_PATH).set('Cookie', adminCookie);
expect(response.status).toBe(200); expect(response.status).toBe(200);
}); });
it('should fail when user is authenticated as user', async () => { it('should fail when user is authenticated as user', async () => {
const response = await request(app).get(RECORDINGS_URL).set('Cookie', userCookie); const response = await request(app).get(RECORDINGS_PATH).set('Cookie', userCookie);
expect(response.status).toBe(403); expect(response.status).toBe(403);
}); });
it('should fail when user is not authenticated', async () => { it('should fail when user is not authenticated', async () => {
const response = await request(app).get(RECORDINGS_URL); const response = await request(app).get(RECORDINGS_PATH);
expect(response.status).toBe(401); expect(response.status).toBe(401);
}); });
}); });
describe('Get Recording Tests', () => { describe('Get Recording Tests', () => {
it('should succeed when request includes API key', async () => { it('should succeed when request includes API key', async () => {
const response = await request(app).get(`${RECORDINGS_URL}/${recordingId}`).set(API_KEY_HEADER, API_KEY); const response = await request(app)
.get(`${RECORDINGS_PATH}/${recordingId}`)
.set(API_KEY_HEADER, MEET_API_KEY);
// The response code should be 404 to consider a success because the recording does not exist // The response code should be 404 to consider a success because the recording does not exist
expect(response.status).toBe(404); expect(response.status).toBe(404);
}); });
it('should succeed when user is authenticated as admin', async () => { it('should succeed when user is authenticated as admin', async () => {
const response = await request(app).get(`${RECORDINGS_URL}/${recordingId}`).set('Cookie', adminCookie); const response = await request(app).get(`${RECORDINGS_PATH}/${recordingId}`).set('Cookie', adminCookie);
// The response code should be 404 to consider a success because the recording does not exist // The response code should be 404 to consider a success because the recording does not exist
expect(response.status).toBe(404); expect(response.status).toBe(404);
}); });
it('should fail when user is authenticated as user', async () => { it('should fail when user is authenticated as user', async () => {
const response = await request(app).get(`${RECORDINGS_URL}/${recordingId}`).set('Cookie', userCookie); const response = await request(app).get(`${RECORDINGS_PATH}/${recordingId}`).set('Cookie', userCookie);
expect(response.status).toBe(403); expect(response.status).toBe(403);
}); });
it('should fail when user is not authenticated', async () => { it('should fail when user is not authenticated', async () => {
const response = await request(app).get(`${RECORDINGS_URL}/${recordingId}`); const response = await request(app).get(`${RECORDINGS_PATH}/${recordingId}`);
expect(response.status).toBe(401); expect(response.status).toBe(401);
}); });
}); });
describe('Delete Recording Tests', () => { describe('Delete Recording Tests', () => {
it('should succeed when request includes API key', async () => { it('should succeed when request includes API key', async () => {
const response = await request(app).delete(`${RECORDINGS_URL}/${recordingId}`).set(API_KEY_HEADER, API_KEY); const response = await request(app)
.delete(`${RECORDINGS_PATH}/${recordingId}`)
.set(API_KEY_HEADER, MEET_API_KEY);
// The response code should be 404 to consider a success because the recording does not exist // The response code should be 404 to consider a success because the recording does not exist
expect(response.status).toBe(404); expect(response.status).toBe(404);
}); });
it('should succeed when user is authenticated as admin', async () => { it('should succeed when user is authenticated as admin', async () => {
const response = await request(app).delete(`${RECORDINGS_URL}/${recordingId}`).set('Cookie', adminCookie); const response = await request(app).delete(`${RECORDINGS_PATH}/${recordingId}`).set('Cookie', adminCookie);
// The response code should be 404 to consider a success because the recording does not exist // The response code should be 404 to consider a success because the recording does not exist
expect(response.status).toBe(404); expect(response.status).toBe(404);
}); });
it('should fail when user is authenticated as user', async () => { it('should fail when user is authenticated as user', async () => {
const response = await request(app).delete(`${RECORDINGS_URL}/${recordingId}`).set('Cookie', userCookie); const response = await request(app).delete(`${RECORDINGS_PATH}/${recordingId}`).set('Cookie', userCookie);
expect(response.status).toBe(403); expect(response.status).toBe(403);
}); });
it('should fail when user is not authenticated', async () => { it('should fail when user is not authenticated', async () => {
const response = await request(app).delete(`${RECORDINGS_URL}/${recordingId}`); const response = await request(app).delete(`${RECORDINGS_PATH}/${recordingId}`);
expect(response.status).toBe(401); expect(response.status).toBe(401);
}); });
}); });
@ -264,31 +208,31 @@ describe('Room API Security Tests', () => {
describe('Bulk Delete Recordings Tests', () => { describe('Bulk Delete Recordings Tests', () => {
it('should succeed when request includes API key', async () => { it('should succeed when request includes API key', async () => {
const response = await request(app) const response = await request(app)
.delete(RECORDINGS_URL) .delete(RECORDINGS_PATH)
.set(API_KEY_HEADER, API_KEY) .query({ recordingIds: [recordingId] })
.query({ recordingIds: [recordingId] }); .set(API_KEY_HEADER, MEET_API_KEY);
expect(response.status).toBe(200); expect(response.status).toBe(200);
}); });
it('should succeed when user is authenticated as admin', async () => { it('should succeed when user is authenticated as admin', async () => {
const response = await request(app) const response = await request(app)
.delete(RECORDINGS_URL) .delete(RECORDINGS_PATH)
.set('Cookie', adminCookie) .query({ recordingIds: [recordingId] })
.query({ recordingIds: [recordingId] }); .set('Cookie', adminCookie);
expect(response.status).toBe(200); expect(response.status).toBe(200);
}); });
it('should fail when user is authenticated as user', async () => { it('should fail when user is authenticated as user', async () => {
const response = await request(app) const response = await request(app)
.delete(RECORDINGS_URL) .delete(RECORDINGS_PATH)
.set('Cookie', userCookie) .query({ recordingIds: [recordingId] })
.query({ recordingIds: [recordingId] }); .set('Cookie', userCookie);
expect(response.status).toBe(403); expect(response.status).toBe(403);
}); });
it('should fail when user is not authenticated', async () => { it('should fail when user is not authenticated', async () => {
const response = await request(app) const response = await request(app)
.delete(RECORDINGS_URL) .delete(RECORDINGS_PATH)
.query({ recordingIds: [recordingId] }); .query({ recordingIds: [recordingId] });
expect(response.status).toBe(401); expect(response.status).toBe(401);
}); });
@ -297,7 +241,7 @@ describe('Room API Security Tests', () => {
describe('Stream Recording Tests', () => { describe('Stream Recording Tests', () => {
it('should succeed when user is authenticated as admin', async () => { it('should succeed when user is authenticated as admin', async () => {
const response = await request(app) const response = await request(app)
.get(`${INTERNAL_BASE_URL}/recordings/${recordingId}/stream`) .get(`${RECORDINGS_PATH}/${recordingId}/media`)
.set('Cookie', adminCookie); .set('Cookie', adminCookie);
// The response code should be 404 to consider a success because the recording does not exist // The response code should be 404 to consider a success because the recording does not exist
expect(response.status).toBe(404); expect(response.status).toBe(404);
@ -305,13 +249,13 @@ describe('Room API Security Tests', () => {
it('should fail when user is authenticated as user', async () => { it('should fail when user is authenticated as user', async () => {
const response = await request(app) const response = await request(app)
.get(`${INTERNAL_BASE_URL}/recordings/${recordingId}/stream`) .get(`${RECORDINGS_PATH}/${recordingId}/media`)
.set('Cookie', userCookie); .set('Cookie', userCookie);
expect(response.status).toBe(403); expect(response.status).toBe(403);
}); });
it('should fail when user is not authenticated', async () => { it('should fail when user is not authenticated', async () => {
const response = await request(app).get(`${INTERNAL_BASE_URL}/recordings/${recordingId}/stream`); const response = await request(app).get(`${RECORDINGS_PATH}/${recordingId}/media`);
expect(response.status).toBe(401); expect(response.status).toBe(401);
}); });
}); });