juice-shop

1
/*
2
 * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
3
 * SPDX-License-Identifier: MIT
4
 */
5

6
import frisby = require('frisby')
7
const Joi = frisby.Joi
8
const security = require('../../lib/insecurity')
9

10
const API_URL = 'http://localhost:3000/api'
11

12
const authHeader = { Authorization: 'Bearer ' + security.authorize(), 'content-type': 'application/json' }
13

14
describe('/api/Complaints', () => {
15
  it('POST new complaint', () => {
16
    return frisby.post(API_URL + '/Complaints', {
17
      headers: authHeader,
18
      body: {
19
        message: 'You have no clue what https://github.com/eslint/eslint-scope/issues/39 means, do you???'
20
      }
21
    })
22
      .expect('status', 201)
23
      .expect('header', 'content-type', /application\/json/)
24
      .expect('jsonTypes', 'data', {
25
        id: Joi.number(),
26
        createdAt: Joi.string(),
27
        updatedAt: Joi.string()
28
      })
29
  })
30

31
  it('GET all complaints is forbidden via public API', () => {
32
    return frisby.get(API_URL + '/Complaints')
33
      .expect('status', 401)
34
  })
35

36
  it('GET all complaints', () => {
37
    return frisby.get(API_URL + '/Complaints', { headers: authHeader })
38
      .expect('status', 200)
39
  })
40
})
41

42
describe('/api/Complaints/:id', () => {
43
  it('GET existing complaint by id is forbidden', () => {
44
    return frisby.get(API_URL + '/Complaints/1', { headers: authHeader })
45
      .expect('status', 401)
46
  })
47

48
  it('PUT update existing complaint is forbidden', () => {
49
    return frisby.put(API_URL + '/Complaints/1', {
50
      headers: authHeader,
51
      body: {
52
        message: 'Should not work...'
53
      }
54
    })
55
      .expect('status', 401)
56
  })
57

58
  it('DELETE existing complaint is forbidden', () => {
59
    return frisby.del(API_URL + '/Complaints/1', { headers: authHeader })
60
      .expect('status', 401)
61
  })
62
})
63