
Commit 2720e75

committed
tests
1 parent 3b03955 commit 2720e75


1 file changed

+184
-0
lines changed

1 file changed

+184
-0
lines changed

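--- a/spec/RouteAllowList.spec.js
+++ b/spec/RouteAllowList.spec.js
@@ -600,5 +600,189 @@ describe('routeAllowList', () => {
 expect(e.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
 }
 });
+it_id('60466f80-27af-456c-a05d-8f5ceaf95451')(it)('should allow read-only master key requests to bypass', async () => {
+await reconfigureServer({ routeAllowList: [] });
+const request = require('../lib/request');
+const res = await request({
+headers: {
+'X-Parse-Application-Id': 'test',
+'X-Parse-Master-Key': 'read-only-test',
+},
+method: 'GET',
+url: 'http://localhost:8378/1/classes/GameScore',
+});
+expect(res.data.results).toEqual([]);
+});
+
+it_id('4fe57cc2-f104-491c-843b-64afc11c6fa3')(it)('should block all routes when routeAllowList is empty array and no key provided', async () => {
+await reconfigureServer({ routeAllowList: [] });
+const request = require('../lib/request');
+try {
+await request({
+headers: {
+'X-Parse-Application-Id': 'test',
+'X-Parse-REST-API-Key': 'rest',
+},
+method: 'GET',
+url: 'http://localhost:8378/1/classes/GameScore',
+});
+fail('should have thrown');
+} catch (e) {
+expect(e.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+}
+});
+
+it_id('f3dd5622-036c-45bf-ab76-c31b59028642')(it)('should block health endpoint even when routeAllowList is empty array', async () => {
+await reconfigureServer({ routeAllowList: [] });
+const request = require('../lib/request');
+try {
+await request({
+method: 'GET',
+url: 'http://localhost:8378/1/health',
+});
+fail('should have thrown');
+} catch (e) {
+expect(e.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+}
+});
+
+it_id('ed3797f6-38ee-4bf0-806f-a7242ae14b5c')(it)('should block logout route', async () => {
+await reconfigureServer({ routeAllowList: ['classes/GameScore'] });
+const request = require('../lib/request');
+try {
+await request({
+headers: {
+'Content-Type': 'application/json',
+'X-Parse-Application-Id': 'test',
+'X-Parse-REST-API-Key': 'rest',
+},
+method: 'POST',
+url: 'http://localhost:8378/1/logout',
+});
+fail('should have thrown');
+} catch (e) {
+expect(e.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+}
+});
+
+it_id('2d7ce7cd-7d61-418f-8255-451304e18f11')(it)('should block loginAs route', async () => {
+await reconfigureServer({ routeAllowList: ['classes/GameScore'] });
+const request = require('../lib/request');
+try {
+await request({
+headers: {
+'Content-Type': 'application/json',
+'X-Parse-Application-Id': 'test',
+'X-Parse-REST-API-Key': 'rest',
+},
+method: 'POST',
+url: 'http://localhost:8378/1/loginAs',
+body: JSON.stringify({}),
+});
+fail('should have thrown');
+} catch (e) {
+expect(e.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+}
+});
+
+it_id('808c7f7e-3918-4851-915c-205b1f807965')(it)('should block upgradeToRevocableSession route', async () => {
+await reconfigureServer({ routeAllowList: ['classes/GameScore'] });
+const request = require('../lib/request');
+try {
+await request({
+headers: {
+'Content-Type': 'application/json',
+'X-Parse-Application-Id': 'test',
+'X-Parse-REST-API-Key': 'rest',
+},
+method: 'POST',
+url: 'http://localhost:8378/1/upgradeToRevocableSession',
+body: JSON.stringify({}),
+});
+fail('should have thrown');
+} catch (e) {
+expect(e.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+}
+});
+
+it_id('ad06367e-b220-4f9f-9ee6-8756bea36937')(it)('should block verificationEmailRequest route', async () => {
+await reconfigureServer({ routeAllowList: ['classes/GameScore'] });
+const request = require('../lib/request');
+try {
+await request({
+headers: {
+'Content-Type': 'application/json',
+'X-Parse-Application-Id': 'test',
+'X-Parse-REST-API-Key': 'rest',
+},
+method: 'POST',
+url: 'http://localhost:8378/1/verificationEmailRequest',
+body: JSON.stringify({}),
+});
+fail('should have thrown');
+} catch (e) {
+expect(e.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+}
+});
+
+it_id('a14df8c8-a09a-47fa-a208-74f8e429f060')(it)('should block verifyPassword route', async () => {
+await reconfigureServer({ routeAllowList: ['classes/GameScore'] });
+const request = require('../lib/request');
+try {
+await request({
+headers: {
+'Content-Type': 'application/json',
+'X-Parse-Application-Id': 'test',
+'X-Parse-REST-API-Key': 'rest',
+},
+method: 'POST',
+url: 'http://localhost:8378/1/verifyPassword',
+body: JSON.stringify({}),
+});
+fail('should have thrown');
+} catch (e) {
+expect(e.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+}
+});
+
+it_id('acb37217-ab57-42f5-86b3-f81c61b28003')(it)('should block requestPasswordReset route', async () => {
+await reconfigureServer({ routeAllowList: ['classes/GameScore'] });
+const request = require('../lib/request');
+try {
+await request({
+headers: {
+'Content-Type': 'application/json',
+'X-Parse-Application-Id': 'test',
+'X-Parse-REST-API-Key': 'rest',
+},
+method: 'POST',
+url: 'http://localhost:8378/1/requestPasswordReset',
+body: JSON.stringify({}),
+});
+fail('should have thrown');
+} catch (e) {
+expect(e.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+}
+});
+
+it_id('4b67e9cc-8068-4848-a536-229818d0c0ed')(it)('should block challenge route', async () => {
+await reconfigureServer({ routeAllowList: ['classes/GameScore'] });
+const request = require('../lib/request');
+try {
+await request({
+headers: {
+'Content-Type': 'application/json',
+'X-Parse-Application-Id': 'test',
+'X-Parse-REST-API-Key': 'rest',
+},
+method: 'POST',
+url: 'http://localhost:8378/1/challenge',
+body: JSON.stringify({}),
+});
+fail('should have thrown');
+} catch (e) {
+expect(e.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+}
+});
 });
 });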
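Review bot: The `should block loginAs route` case cannot tell an allow-list denial from the handler's own refusal: the request carries only the REST key, and as far as I recall Parse Server's loginAs handler itself answers `OPERATION_FORBIDDEN` when the master key is missing, so this spec would probably still pass if the route were never filtered. The other blocked-route specs assert the same error code only, which is sound only as long as none of those handlers returns that code for an empty body. Pinning the denial text as well would close the gap, e.g. `expect(e.data.error).toBe('<ALLOW_LIST_DENIAL_MESSAGE>');` (placeholder; use the message the allow-list check actually emits). The enclosing `describe('routeAllowList', ...)` starts outside the hunk.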
