Added session tests.

Author: adsnaider

src/controllers/user/session.rs

@@ -16,7 +16,7 @@ use crate::Env;
 
 pub const SESSION_COOKIE_NAME: &str = "crates_auth";
 
-fn session_cookie(token: &NewSecureToken, secure: bool) -> Cookie<'static> {
+pub fn session_cookie(token: &NewSecureToken, secure: bool) -> Cookie<'static> {
     Cookie::build(SESSION_COOKIE_NAME, token.plaintext().to_string())
         .http_only(true)
         .secure(secure)

src/tests/authentication.rs

@@ -2,13 +2,51 @@ use crate::util::{RequestHelper, Response};
 use crate::TestApp;
 
 use crate::util::encode_session_header;
+use cargo_registry::controllers::user::session::session_cookie;
+use cargo_registry::util::token::SecureToken;
+use cargo_registry::util::token::SecureTokenKind;
 use conduit::{header, Body, Method, StatusCode};
 
 static URL: &str = "/api/v1/me/updates";
 static MUST_LOGIN: &[u8] = br#"{"errors":[{"detail":"must be logged in to perform that action"}]}"#;
 static INTERNAL_ERROR_NO_USER: &str =
     "user_id from cookie not found in database caused by NotFound";
 
+#[test]
+fn persistent_session_user() {
+    let (app, _) = TestApp::init().empty();
+    let user = app.db_new_user("user1").with_session();
+    let request = user.request_builder(Method::GET, URL);
+    let response: Response<Body> = user.run(request);
+    assert_eq!(response.status(), StatusCode::OK);
+}
+
+#[test]
+fn incorrect_session_is_forbidden() {
+    let (_, anon) = TestApp::init().empty();
+
+    let token = SecureToken::generate(SecureTokenKind::Session);
+    // Create a cookie that isn't in the database.
+    let cookie = session_cookie(&token, false).to_string();
+    let mut request = anon.request_builder(Method::GET, URL);
+    request.header(header::COOKIE, &cookie);
+    let response: Response<Body> = anon.run(request);
+    assert_eq!(response.status(), StatusCode::FORBIDDEN);
+    assert_eq!(
+        response.into_json(),
+        json!({"errors": [{"detail": "must be logged in to perform that action"}]})
+    );
+}
+
+#[test]
+fn cookie_user() {
+    let (_, _, cookie_user) = TestApp::init().with_user();
+    let request = cookie_user.request_builder(Method::GET, URL);
+
+    let response: Response<Body> = cookie_user.run(request);
+    assert_eq!(response.status(), StatusCode::OK);
+}
+
 #[test]
 fn anonymous_user_unauthorized() {
     let (_, anon) = TestApp::init().empty();

src/tests/util.rs

@@ -23,7 +23,12 @@ use crate::{
     builders::PublishBuilder, CategoryListResponse, CategoryResponse, CrateList, CrateResponse,
     GoodCrate, OkBool, OwnersResponse, VersionResponse,
 };
+use cargo_registry::controllers::user::session::session_cookie;
+use cargo_registry::models::PersistentSession;
 use cargo_registry::models::{ApiToken, CreatedApiToken, User};
+use cargo_registry::util::token::NewSecureToken;
+use cargo_registry::util::token::SecureToken;
+use cargo_registry::util::token::SecureTokenKind;
 
 use conduit::{BoxError, Handler, Method};
 use conduit_cookie::SessionMiddleware;
@@ -270,6 +275,43 @@ impl MockCookieUser {
             token,
         }
     }
+
+    pub fn with_session(&self) -> MockSessionUser {
+        let ip_addr = "192.168.0.42";
+        let user_agent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36";
+
+        let token = SecureToken::generate(SecureTokenKind::Session);
+
+        self.app.db(|conn| {
+            PersistentSession::create(self.user.id, &token, ip_addr.parse().unwrap(), user_agent)
+                .insert(&conn)
+                .unwrap()
+        });
+
+        MockSessionUser {
+            app: self.app.clone(),
+            token,
+        }
+    }
+}
+
+pub struct MockSessionUser {
+    app: TestApp,
+    token: NewSecureToken,
+}
+
+impl RequestHelper for MockSessionUser {
+    fn request_builder(&self, method: Method, path: &str) -> MockRequest {
+        let cookie = session_cookie(&self.token, false).to_string();
+
+        let mut request = req(method, path);
+        request.header(header::COOKIE, &cookie);
+        request
+    }
+
+    fn app(&self) -> &TestApp {
+        &self.app
+    }
 }
 
 /// A type that can generate token authenticated requests

src/util.rs

@@ -12,7 +12,7 @@ mod io_util;
 mod request_helpers;
 mod request_proxy;
 pub mod rfc3339;
-pub(crate) mod token;
+pub mod token;
 
 pub type AppResponse = Response<conduit::Body>;
 pub type EndpointResult = Result<AppResponse, Box<dyn errors::AppError>>;

src/util/token.rs

@@ -12,7 +12,7 @@ pub struct SecureToken {
 }
 
 impl SecureToken {
-    pub(crate) fn generate(kind: SecureTokenKind) -> NewSecureToken {
+    pub fn generate(kind: SecureTokenKind) -> NewSecureToken {
         let plaintext = format!(
             "{}{}",
             kind.prefix(),
@@ -26,7 +26,7 @@ impl SecureToken {
         }
     }
 
-    pub(crate) fn parse(kind: SecureTokenKind, plaintext: &str) -> Option<Self> {
+    pub fn parse(kind: SecureTokenKind, plaintext: &str) -> Option<Self> {
         // This will both reject tokens without a prefix and tokens of the wrong kind.
         if SecureTokenKind::from_token(plaintext) != Some(kind) {
             return None;
@@ -60,18 +60,18 @@ impl FromSql<Bytea, Pg> for SecureToken {
     }
 }
 
-pub(crate) struct NewSecureToken {
+pub struct NewSecureToken {
     plaintext: String,
     inner: SecureToken,
 }
 
 impl NewSecureToken {
-    pub(crate) fn plaintext(&self) -> &str {
+    pub fn plaintext(&self) -> &str {
         &self.plaintext
     }
 
     #[cfg(test)]
-    pub(crate) fn into_inner(self) -> SecureToken {
+    pub fn into_inner(self) -> SecureToken {
         self.inner
     }
 }
@@ -120,7 +120,7 @@ secure_token_kind! {
     /// NEVER CHANGE THE PREFIX OF EXISTING TOKEN TYPES!!! Doing so will implicitly revoke all the
     /// tokens of that kind, distrupting production users.
     #[derive(Debug, Copy, Clone, Eq, PartialEq, Hash)]
-    pub(crate) enum SecureTokenKind {
+    pub enum SecureTokenKind {
         Api => "cio", // Crates.IO
         Session => "ses", // Session tokens.
     }