more auth tests

Dave Horton
2019-12-05 15:33:18 -05:00
parent c95a9ebaf7
commit 37cec3a133
2 changed files with 85 additions and 3 deletions
+18 -2
@@ -1,6 +1,7 @@
const router = require('express').Router();
const {DbErrorBadRequest} = require('../../utils/errors');
const ApiKey = require('../../models/api-key');
const Account = require('../../models/account');
const decorate = require('./decorate');
const uuidv4 = require('uuid/v4');
const assert = require('assert');
@@ -10,17 +11,32 @@ const preconditions = {
'delete': validateDeleteToken
};
function validateAddToken(req) {
async function validateAddToken(req) {
req.body.token = uuidv4();
if (req.user.hasAdminAuth) return;
if (req.user.hasServiceProviderAuth) {
if (!req.body.service_provider_sid && !req.body.account_sid) {
throw new DbErrorBadRequest('service provider token may not be used to create admin token');
}
else if (req.body.service_provider_sid && req.body.service_provider_sid !== req.user.service_provider_sid) {
throw new DbErrorBadRequest(
'a service provider token can only be used to create tokens for the same service provider');
}
else if (req.body.account_sid) {
const result = await Account.retrieve(req.body.account_sid);
if (result.length === 1 && result[0].service_provider_sid != req.user.service_provider_sid) {
throw new DbErrorBadRequest(
'a service provider token can only be used to create tokens for the same service provider');
}
}
if (req.body.account_sid) delete req.body.service_provider_sid;
else req.body.service_provider_sid = req.user.service_provider_sid;
}
if (req.user.hasAccountAuth) {
if (req.body.account_sid !== req.user.account_sid) {
throw new DbErrorBadRequest('an account level token may not be used to create a token for a different account');
throw new DbErrorBadRequest(
'an account level token can only be used to create account level tokens for the same account');
}
delete req.body['service_provider_sid'];
req.body['account_sid'] = req.user.account_sid;