

fix: reading a listing shouldn't be protected (#4085)
* fix: reading a listing shouldn't be protected

* fix: test updates

* fix: update to test
YazeedLoonat authored May 14, 2024
1 parent 2fcb5a6 commit d5ab5cb
Showing 2 changed files with 37 additions and 6 deletions.
9 changes: 6 additions & 3 deletions api/src/controllers/listing.controller.ts
Expand Up @@ -64,7 +64,7 @@ import { ApiKeyGuard } from '../guards/api-key.guard';
PaginationAllowsAllQueryParams,
IdDTO,
)
@UseGuards(ApiKeyGuard, OptionalAuthGuard)
@UseGuards(OptionalAuthGuard)
@PermissionTypeDecorator('listing')
@ActivityLogMetadata([{ targetPropertyName: 'status', propertyPath: 'status' }])
@UseInterceptors(ActivityLogInterceptor)
Expand Down Expand Up @@ -92,7 +92,7 @@ export class ListingController {
operationId: 'listAsCsv',
})
@Header('Content-Type', 'application/zip')
@UseGuards(OptionalAuthGuard, PermissionGuard)
@UseGuards(ApiKeyGuard, OptionalAuthGuard, PermissionGuard)
@UseInterceptors(ExportLogInterceptor)
async listAsCsv(
@Request() req: ExpressRequest,
Expand Down Expand Up @@ -145,6 +145,7 @@ export class ListingController {
@UseInterceptors(ClassSerializerInterceptor)
@UsePipes(new ListingCreateUpdateValidationPipe(defaultValidationPipeOptions))
@ApiOkResponse({ type: Listing })
@UseGuards(ApiKeyGuard)
async create(
@Request() req: ExpressRequest,
@Body() listingDto: ListingCreate,
Expand All @@ -158,6 +159,7 @@ export class ListingController {
@Delete()
@ApiOperation({ summary: 'Delete listing by id', operationId: 'delete' })
@UsePipes(new ValidationPipe(defaultValidationPipeOptions))
@UseGuards(ApiKeyGuard)
async delete(
@Body() dto: IdDTO,
@Request() req: ExpressRequest,
Expand All @@ -173,14 +175,15 @@ export class ListingController {
@ApiOkResponse({ type: SuccessDTO })
@PermissionAction(permissionActions.submit)
@UseInterceptors(ActivityLogInterceptor)
@UseGuards(OptionalAuthGuard, AdminOrJurisdictionalAdminGuard)
@UseGuards(ApiKeyGuard, OptionalAuthGuard, AdminOrJurisdictionalAdminGuard)
async process(): Promise<SuccessDTO> {
return await this.listingService.process();
}

@Put(':id')
@ApiOperation({ summary: 'Update listing by id', operationId: 'update' })
@UsePipes(new ListingCreateUpdateValidationPipe(defaultValidationPipeOptions))
@UseGuards(ApiKeyGuard)
async update(
@Request() req: ExpressRequest,
@Param('id') listingId: string,
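Review bot: Dropping `ApiKeyGuard` from the class-level `@UseGuards` (the `-64,7 +64,7` hunk) flips this controller from deny-by-default to allow-by-default: any handler of `ListingController` that is not shown in these hunks (the class body extends beyond them) now runs without the API-key check unless it declares `@UseGuards(ApiKeyGuard)` itself, and the same holds for every handler added later. Since the intent is that only reads are public, I'd record that convention next to the class decorator so it survives the next edit, e.g. `// ApiKeyGuard is applied per handler: read endpoints are public, every mutating handler must declare it`. Note also that Nest evaluates controller-level guards before route-level ones, so on `create`, `delete` and `update` the class-level `OptionalAuthGuard` now resolves the session before the per-route `ApiKeyGuard` rejects unknown traffic; the outcome is the same, but the cheap reject no longer runs first.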
34 changes: 31 additions & 3 deletions api/test/integration/api-key-guard.e2e-spec.ts
@@ -1,12 +1,16 @@
import { Test, TestingModule } from '@nestjs/testing';
import { INestApplication } from '@nestjs/common';
import request from 'supertest';
import cookieParser from 'cookie-parser';
import { AppModule } from '../../src/modules/app.module';
import { PrismaService } from '../../src/services/prisma.service';
import { Login } from '../../src/dtos/auth/login.dto';
import { userFactory } from '../../prisma/seed-helpers/user-factory';

describe('API Key Guard Tests', () => {
let app: INestApplication;
let prisma: PrismaService;
let cookies = '';

beforeAll(async () => {
const moduleFixture: TestingModule = await Test.createTestingModule({
Expand All @@ -15,7 +19,26 @@ describe('API Key Guard Tests', () => {

app = moduleFixture.createNestApplication();
prisma = moduleFixture.get<PrismaService>(PrismaService);
app.use(cookieParser());
await app.init();

const storedUser = await prisma.userAccounts.create({
data: await userFactory({
roles: { isAdmin: true },
mfaEnabled: false,
confirmedAt: new Date(),
}),
});
const resLogIn = await request(app.getHttpServer())
.post('/auth/login')
.set({ passkey: process.env.API_PASS_KEY || '' })
.send({
email: storedUser.email,
password: 'abcdef',
} as Login)
.expect(201);

cookies = resLogIn.headers['set-cookie'];
});

afterAll(async () => {
Expand All @@ -25,21 +48,26 @@ describe('API Key Guard Tests', () => {

it('should succeed when correct header is present', async () => {
await request(app.getHttpServer())
.get('/jurisdictions')
.get('/reservedCommunityTypes')
.set('Cookie', cookies)
.set({ passkey: process.env.API_PASS_KEY || '' })
.expect(200);
});

it('should error when incorrect header is present', async () => {
const res = await request(app.getHttpServer())
.get('/listings')
.get('/reservedCommunityTypes')
.set({ passkey: 'the wrong key' })
.set('Cookie', cookies)
.expect(401);
expect(res.body.message).toBe('Traffic not from a known source');
});

it('should error when no header is present', async () => {
const res = await request(app.getHttpServer()).get('/listings').expect(401);
const res = await request(app.getHttpServer())
.get('/reservedCommunityTypes')
.set('Cookie', cookies)
.expect(401);
expect(res.body.message).toBe('Traffic not from a known source');
});
});
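Review bot: Retargeting the three cases in the `-25,21 +48,26` hunk from `/listings` to `/reservedCommunityTypes` means this spec no longer touches the controller whose guard layout the commit changes: nothing now asserts that a listing read succeeds without the passkey, nor that the listing handlers that declare `ApiKeyGuard` individually still reject a missing or wrong key. I'd keep one case on the listing routes alongside the moved ones, e.g. `await request(app.getHttpServer()).get('/listings').set('Cookie', cookies).expect(200);` for the now-public read, plus a companion against one of the guarded listing routes (verb and path not visible here) expecting 401 with the same `'Traffic not from a known source'` body. Separately, `cookies` is declared as a string at the top of the describe block but receives the `set-cookie` header, which node exposes as an array; `let cookies: string[] = [];` would make the declared type honest without changing how `.set('Cookie', cookies)` behaves.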
