/*
 * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
 * SPDX-License-Identifier: MIT
 */
6import frisby = require('frisby')
7import { expect } from '@jest/globals'
8import config from 'config'
// Base URLs of the locally running Juice Shop instance under test.
const SERVER_URL = 'http://localhost:3000'
const API_URL = `${SERVER_URL}/api`
const REST_URL = `${SERVER_URL}/rest`

// Header set used for unauthenticated JSON requests.
const jsonHeader = { 'content-type': 'application/json' }

// Filled in by beforeAll() once the login call has returned a token; every
// authenticated request in this file sends this header set.
let authHeader: { Authorization: string, 'content-type': string }
/**
 * Log in once before the suite runs and keep the returned bearer token so the
 * authenticated requests below can reuse it via `authHeader`.
 * The account ("jim" on the configured application domain) is a test fixture
 * of this deliberately vulnerable app, not a production secret.
 */
beforeAll(() => {
  const credentials = {
    email: `jim@${config.get<string>('application.domain')}`,
    password: 'ncc-1701'
  }
  return frisby.post(`${REST_URL}/user/login`, { headers: jsonHeader, body: credentials })
    .expect('status', 200)
    .then((response) => {
      const token: string = response.json.authentication.token
      authHeader = { Authorization: `Bearer ${token}`, 'content-type': 'application/json' }
    })
})
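describe('/api/BasketItems', () => {
  // Unauthenticated access: the collection endpoint must answer 401 for both
  // reads and writes. No bearer token is attached to these two requests.
  it('GET all basket items is forbidden via public API', () => {
    return frisby.get(API_URL + '/BasketItems')
      .expect('status', 401)
  })

  it('POST new basket item is forbidden via public API', () => {
    // The item is sent as a JSON body — the same request shape every
    // authenticated POST in this file uses — instead of as top-level frisby
    // request options, so the 401 is asserted against an otherwise valid
    // request and not against one whose payload was never formed.
    return frisby.post(API_URL + '/BasketItems', {
      headers: jsonHeader,
      body: {
        BasketId: 2,
        ProductId: 1,
        quantity: 1
      }
    })
      .expect('status', 401)
  })

  // Authenticated access as the user logged in during beforeAll().
  // Only the status is asserted here; whether the returned list is scoped to
  // the caller's own baskets is not checked by this test — TODO confirm.
  it('GET all basket items', () => {
    return frisby.get(API_URL + '/BasketItems', { headers: authHeader })
      .expect('status', 200)
  })

  // The write tests in this file add to basket 2 and never clean up, so that
  // basket's contents accumulate over the run and depend on the seed data.
  it('POST new basket item', () => {
    return frisby.post(API_URL + '/BasketItems', {
      headers: authHeader,
      body: {
        BasketId: 2,
        ProductId: 2,
        quantity: 1
      }
    })
      .expect('status', 200)
  })

  // Stock check: 101 units of product 2 is expected to exceed the seeded
  // stock, so the server must reject the request. Only the status is pinned.
  it('POST new basket item with more than available quantity is forbidden', () => {
    return frisby.post(API_URL + '/BasketItems', {
      headers: authHeader,
      body: {
        BasketId: 2,
        ProductId: 2,
        quantity: 101
      }
    })
      .expect('status', 400)
  })

  // Per-product order limit (5 for product 1) is enforced server-side and
  // reported in the `error` field; the message is asserted verbatim.
  it('POST new basket item with more than allowed quantity is forbidden', () => {
    return frisby.post(API_URL + '/BasketItems', {
      headers: authHeader,
      body: {
        BasketId: 2,
        ProductId: 1,
        quantity: 6
      }
    })
      .expect('status', 400)
      .expect('json', 'error', 'You can order only up to 5 items of this product.')
  })
})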
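describe('/api/BasketItems/:id', () => {
  // Unauthenticated access to a single item: read, update and delete must all
  // answer 401. No bearer token is attached to these three requests.
  it('GET basket item by id is forbidden via public API', () => {
    return frisby.get(API_URL + '/BasketItems/1')
      .expect('status', 401)
  })

  it('PUT update basket item is forbidden via public API', () => {
    // Uses the same `{ headers, body }` request shape as the authenticated
    // PUTs below. The previous `put(url, data, { json: true })` call form is
    // used nowhere else in this file and does not match how the other PUT
    // calls hand frisby their payload.
    return frisby.put(API_URL + '/BasketItems/1', {
      headers: jsonHeader,
      body: {
        quantity: 2
      }
    })
      .expect('status', 401)
  })

  it('DELETE basket item is forbidden via public API', () => {
    return frisby.del(API_URL + '/BasketItems/1')
      .expect('status', 401)
  })

  // Each authenticated test below first creates its own item in basket 2 and
  // then acts on the id the server returned, so the tests do not depend on
  // pre-existing item ids. Nothing is deleted afterwards except in the last
  // test, so basket 2 accumulates items over the run.
  it('GET newly created basket item by id', () => {
    return frisby.post(API_URL + '/BasketItems', {
      headers: authHeader,
      body: {
        BasketId: 2,
        ProductId: 6,
        quantity: 3
      }
    })
      .expect('status', 200)
      .then(({ json }) => {
        return frisby.get(API_URL + '/BasketItems/' + json.data.id, { headers: authHeader })
          .expect('status', 200)
      })
  })

  // Quantity is the one field a client is allowed to change after creation.
  it('PUT update newly created basket item', () => {
    return frisby.post(API_URL + '/BasketItems', {
      headers: authHeader,
      body: {
        BasketId: 2,
        ProductId: 3,
        quantity: 3
      }
    })
      .expect('status', 200)
      .then(({ json }) => {
        return frisby.put(API_URL + '/BasketItems/' + json.data.id, {
          headers: authHeader,
          body: {
            quantity: 20
          }
        })
          .expect('status', 200)
          .expect('json', 'data', { quantity: 20 })
      })
  })

  // Moving an item into another basket is blocked by a `noUpdate` constraint
  // on BasketId; the exact validation payload is asserted.
  it('PUT update basket ID of basket item is forbidden', () => {
    return frisby.post(API_URL + '/BasketItems', {
      headers: authHeader,
      body: {
        BasketId: 2,
        ProductId: 8,
        quantity: 8
      }
    })
      .expect('status', 200)
      .then(({ json }) => {
        return frisby.put(API_URL + '/BasketItems/' + json.data.id, {
          headers: authHeader,
          body: {
            BasketId: 42
          }
        })
          .expect('status', 400)
          .expect('json', { message: 'null: `BasketId` cannot be updated due `noUpdate` constraint', errors: [{ field: 'BasketId', message: '`BasketId` cannot be updated due `noUpdate` constraint' }] })
      })
  })

  // NOTE(review): this test pins a gap in the constraint above. An item
  // created with no BasketId at all is accepted (data.BasketId is undefined),
  // and a later PUT can attach it to a different basket (3 here) with 200.
  // Nothing in this test checks that basket 3 belongs to the logged-in user.
  // In this deliberately vulnerable app that is presumably intentional and
  // backed by a challenge — confirm before tightening the expectation.
  it('PUT update basket ID of basket item without basket ID', () => {
    return frisby.post(API_URL + '/BasketItems', {
      headers: authHeader,
      body: {
        ProductId: 8,
        quantity: 8
      }
    })
      .expect('status', 200)
      .then(({ json }) => {
        expect(json.data.BasketId).toBeUndefined()
        return frisby.put(API_URL + '/BasketItems/' + json.data.id, {
          headers: authHeader,
          body: {
            BasketId: 3
          }
        })
          .expect('status', 200)
          .expect('json', 'data', { BasketId: 3 })
      })
  })

  // ProductId carries the same `noUpdate` constraint as BasketId.
  it('PUT update product ID of basket item is forbidden', () => {
    return frisby.post(API_URL + '/BasketItems', {
      headers: authHeader,
      body: {
        BasketId: 2,
        ProductId: 9,
        quantity: 9
      }
    })
      .expect('status', 200)
      .then(({ json }) => {
        return frisby.put(API_URL + '/BasketItems/' + json.data.id, {
          headers: authHeader,
          body: {
            ProductId: 42
          }
        })
          .expect('status', 400)
          .expect('json',
            { message: 'null: `ProductId` cannot be updated due `noUpdate` constraint', errors: [{ field: 'ProductId', message: '`ProductId` cannot be updated due `noUpdate` constraint' }] })
      })
  })

  // Stock check on update: 100 units of product 12 is expected to exceed the
  // seeded stock, so the server must reject it. Only the status is pinned.
  it('PUT update newly created basket item with more than available quantity is forbidden', () => {
    return frisby.post(API_URL + '/BasketItems', {
      headers: authHeader,
      body: {
        BasketId: 2,
        ProductId: 12,
        quantity: 12
      }
    })
      .expect('status', 200)
      .then(({ json }) => {
        return frisby.put(API_URL + '/BasketItems/' + json.data.id, {
          headers: authHeader,
          body: {
            quantity: 100
          }
        })
          .expect('status', 400)
      })
  })

  // The per-product order limit (5 for product 1) is enforced on update as
  // well as on creation; the message is asserted verbatim.
  it('PUT update basket item with more than allowed quantity is forbidden', () => {
    return frisby.post(API_URL + '/BasketItems', {
      headers: authHeader,
      body: {
        BasketId: 2,
        ProductId: 1,
        quantity: 1
      }
    })
      .expect('status', 200)
      .then(({ json }) => {
        return frisby.put(API_URL + '/BasketItems/' + json.data.id, {
          headers: authHeader,
          body: {
            quantity: 6
          }
        })
          .expect('status', 400)
          .expect('json', 'error', 'You can order only up to 5 items of this product.')
      })
  })

  // Only the status is asserted; the test does not re-read the item to
  // confirm it is actually gone.
  it('DELETE newly created basket item', () => {
    return frisby.post(API_URL + '/BasketItems', {
      headers: authHeader,
      body: {
        BasketId: 2,
        ProductId: 10,
        quantity: 10
      }
    })
      .expect('status', 200)
      .then(({ json }) => {
        return frisby.del(API_URL + '/BasketItems/' + json.data.id, { headers: authHeader })
          .expect('status', 200)
      })
  })
})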