authelia/server/test/routes/secondfactor/u2f/register_request/get.test.ts


import sinon = require("sinon");
import BluebirdPromise = require("bluebird");
import Assert = require("assert");
import U2FRegisterRequestGet = require("../../../../../src/lib/routes/secondfactor/u2f/register_request/get");
import ExpressMock = require("../../../../mocks/express");
import { UserDataStoreStub } from "../../../../mocks/storage/UserDataStoreStub";
import { ServerVariablesMockBuilder, ServerVariablesMock } from "../../../../mocks/ServerVariablesMockBuilder";
import { ServerVariables } from "../../../../../src/lib/ServerVariables";

describe("test u2f routes: register_request", function () {
  let req: ExpressMock.RequestMock;
  let res: ExpressMock.ResponseMock;
  let mocks: ServerVariablesMock;
  let vars: ServerVariables;

  beforeEach(function () {
    req = ExpressMock.RequestMock();
    req.originalUrl = "/api/xxxx";
    req.app = {};
    req.session = {
      auth: {
        userid: "user",
        first_factor: true,
        second_factor: false,
        identity_check: {
          challenge: "u2f-register",
          userid: "user"
        }
      }
    };
    req.headers = {};
    req.headers.host = "localhost";

    const s = ServerVariablesMockBuilder.build();
    mocks = s.mocks;
    vars = s.variables;

    const options = {
      inMemoryOnly: true
    };

    mocks.userDataStore.saveU2FRegistrationStub.returns(BluebirdPromise.resolve({}));
    mocks.userDataStore.retrieveU2FRegistrationStub.returns(BluebirdPromise.resolve({}));

    res = ExpressMock.ResponseMock();
    res.send = sinon.spy();
    res.json = sinon.spy();
    res.status = sinon.spy();
  });

  describe("test registration request", () => {
    it("should send back the registration request and save it in the session", function () {
      const expectedRequest = {
        test: "abc"
      };
      mocks.u2f.requestStub.returns(BluebirdPromise.resolve(expectedRequest));
      return U2FRegisterRequestGet.default(vars)(req as any, res as any)
        .then(function () {
          Assert.deepEqual(expectedRequest, res.json.getCall(0).args[0]);
        });
    });

    it("should return internal error on registration request", function () {
      res.send = sinon.spy();
      const user_key_container = {};
      mocks.u2f.requestStub.returns(BluebirdPromise.reject("Internal error"));
      return U2FRegisterRequestGet.default(vars)(req as any, res as any)
        .then(function () {
          Assert.equal(res.status.getCall(0).args[0], 200);
          Assert.deepEqual(res.send.getCall(0).args[0], {
            error: "Operation failed."
          });
        });
    });

    it("should return forbidden if identity has not been verified", function () {
      req.session.auth.identity_check = undefined;
      return U2FRegisterRequestGet.default(vars)(req as any, res as any)
        .then(function () {
          Assert.equal(403, res.status.getCall(0).args[0]);
        });
    });
  });
});
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00
			`import sinon = require("sinon");`
			`import BluebirdPromise = require("bluebird");`
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats. 2017-10-11 04:03:30 +07:00			`import Assert = require("assert");`
Split client and server Client and server now have their own tsconfig so that the transpilation is only done on the part that is being modified. It also allows faster transpilation since tests are now excluded from tsconfig. They are compiled by ts-node during unit tests execution. 2017-10-07 05:09:42 +07:00			`import U2FRegisterRequestGet = require("../../../../../src/lib/routes/secondfactor/u2f/register_request/get");`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00			`import ExpressMock = require("../../../../mocks/express");`
Add Mongo as scalable and resilient storage backend 2017-07-20 02:06:12 +07:00			`import { UserDataStoreStub } from "../../../../mocks/storage/UserDataStoreStub";`
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated. 2017-10-18 04:24:02 +07:00			`import { ServerVariablesMockBuilder, ServerVariablesMock } from "../../../../mocks/ServerVariablesMockBuilder";`
			`import { ServerVariables } from "../../../../../src/lib/ServerVariables";`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00
			`describe("test u2f routes: register_request", function () {`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-22 03:07:34 +07:00			`let req: ExpressMock.RequestMock;`
			`let res: ExpressMock.ResponseMock;`
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated. 2017-10-18 04:24:02 +07:00			`let mocks: ServerVariablesMock;`
			`let vars: ServerVariables;`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-22 03:07:34 +07:00
			`beforeEach(function () {`
			`req = ExpressMock.RequestMock();`
Fix endpoints redirection on errors From this commit on, api endpoints reply with a 401 error code and non api endpoints redirect to /error/40X. This commit also fixes missing restrictions on /loggedin (the "already logged in page). This was not a security issue, though. The change also makes error pages automatically redirect the user after few seconds based on the referrer or the default_redirection_url if provided in the configuration. Warning: The old /verify endpoint of the REST API has moved to /api/verify. You will need to update your nginx configuration to take this change into account. 2017-11-01 20:24:18 +07:00			`req.originalUrl = "/api/xxxx";`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-22 03:07:34 +07:00			`req.app = {};`
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated. 2017-10-18 04:24:02 +07:00			`req.session = {`
			`auth: {`
			`userid: "user",`
			`first_factor: true,`
			`second_factor: false,`
			`identity_check: {`
			`challenge: "u2f-register",`
			`userid: "user"`
			`}`
			`}`
			`};`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-22 03:07:34 +07:00			`req.headers = {};`
			`req.headers.host = "localhost";`

Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated. 2017-10-18 04:24:02 +07:00			`const s = ServerVariablesMockBuilder.build();`
			`mocks = s.mocks;`
			`vars = s.variables;`

Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-22 03:07:34 +07:00			`const options = {`
			`inMemoryOnly: true`
			`};`

			`mocks.userDataStore.saveU2FRegistrationStub.returns(BluebirdPromise.resolve({}));`
			`mocks.userDataStore.retrieveU2FRegistrationStub.returns(BluebirdPromise.resolve({}));`

			`res = ExpressMock.ResponseMock();`
			`res.send = sinon.spy();`
			`res.json = sinon.spy();`
			`res.status = sinon.spy();`
			`});`

			`describe("test registration request", () => {`
			`it("should send back the registration request and save it in the session", function () {`
			`const expectedRequest = {`
			`test: "abc"`
			`};`
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated. 2017-10-18 04:24:02 +07:00			`mocks.u2f.requestStub.returns(BluebirdPromise.resolve(expectedRequest));`
			`return U2FRegisterRequestGet.default(vars)(req as any, res as any)`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-22 03:07:34 +07:00			`.then(function () {`
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats. 2017-10-11 04:03:30 +07:00			`Assert.deepEqual(expectedRequest, res.json.getCall(0).args[0]);`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00			`});`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-22 03:07:34 +07:00			`});`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats. 2017-10-11 04:03:30 +07:00			`it("should return internal error on registration request", function () {`
			`res.send = sinon.spy();`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-22 03:07:34 +07:00			`const user_key_container = {};`
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated. 2017-10-18 04:24:02 +07:00			`mocks.u2f.requestStub.returns(BluebirdPromise.reject("Internal error"));`
			`return U2FRegisterRequestGet.default(vars)(req as any, res as any)`
			`.then(function () {`
			`Assert.equal(res.status.getCall(0).args[0], 200);`
			`Assert.deepEqual(res.send.getCall(0).args[0], {`
			`error: "Operation failed."`
			`});`
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats. 2017-10-11 04:03:30 +07:00			`});`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-22 03:07:34 +07:00			`});`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-22 03:07:34 +07:00			`it("should return forbidden if identity has not been verified", function () {`
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated. 2017-10-18 04:24:02 +07:00			`req.session.auth.identity_check = undefined;`
			`return U2FRegisterRequestGet.default(vars)(req as any, res as any)`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-22 03:07:34 +07:00			`.then(function () {`
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats. 2017-10-11 04:03:30 +07:00			`Assert.equal(403, res.status.getCall(0).args[0]);`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00			`});`
			`});`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-22 03:07:34 +07:00			`});`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00			`});`