/*
 * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
 * SPDX-License-Identifier: MIT
 */
import frisby = require('frisby')
import { expect } from '@jest/globals'
import config from 'config'
// Base URL of the REST API under test (a locally running Juice Shop instance).
const REST_URL = 'http://localhost:3000/rest'

// Content-type header shared by every JSON request in this spec.
const jsonHeader = { 'content-type': 'application/json' }
describe('/rest/order-history', () => {
  // Authenticates as the given user and returns the parsed login response;
  // the JWT used for subsequent requests sits under authentication.token.
  const login = async (email: string, password: string) => {
    const { json } = await frisby.post(`${REST_URL}/user/login`, {
      headers: jsonHeader,
      body: { email, password }
    }).expect('status', 200)
    return json
  }

  it('GET own previous orders', async () => {
    const jsonLogin = await login(`admin@${config.get<string>('application.domain')}`, 'admin123')
    const { json } = await frisby.get(`${REST_URL}/order-history`, {
      headers: { Authorization: `Bearer ${jsonLogin.authentication.token}`, ...jsonHeader }
    }).expect('status', 200)

    // The concrete values below presumably reflect the demo data seeded for
    // the admin account; they must be updated together with that data.
    const [firstOrder, secondOrder] = json.data

    expect(firstOrder.totalPrice).toBe(8.96)
    expect(firstOrder.delivered).toBe(false)
    expect(firstOrder.products[0]).toMatchObject({
      quantity: 3,
      name: 'Apple Juice (1000ml)',
      price: 1.99,
      total: 5.97
    })
    expect(firstOrder.products[1]).toMatchObject({
      quantity: 1,
      name: 'Orange Juice (1000ml)',
      price: 2.99,
      total: 2.99
    })

    expect(secondOrder.totalPrice).toBe(26.97)
    expect(secondOrder.delivered).toBe(true)
    expect(secondOrder.products[0]).toMatchObject({
      quantity: 3,
      name: 'Eggfruit Juice (500ml)',
      price: 8.99,
      total: 26.97
    })
  })
})
describe('/rest/order-history/orders', () => {
  // Authorization check for the "list all orders" endpoint: logs in as the
  // given user, calls the endpoint with the obtained JWT and asserts that the
  // server answers with expectedStatus.
  const fetchAllOrdersAs = async (email: string, password: string, expectedStatus: number) => {
    const { json: jsonLogin } = await frisby.post(`${REST_URL}/user/login`, {
      headers: jsonHeader,
      body: { email, password }
    }).expect('status', 200)
    await frisby.get(`${REST_URL}/order-history/orders`, {
      headers: { Authorization: `Bearer ${jsonLogin.authentication.token}`, ...jsonHeader }
    }).expect('status', expectedStatus)
  }

  // A regular customer must not be able to list all orders (which would
  // presumably expose other users' data).
  it('GET all orders is forbidden for customers', () =>
    fetchAllOrdersAs(`jim@${config.get<string>('application.domain')}`, 'ncc-1701', 403))

  // The admin role is deliberately not treated as a superset of the accountant
  // role here: the endpoint is reserved for accountants, so an admin JWT is
  // rejected as well.
  it('GET all orders is forbidden for admin', () =>
    fetchAllOrdersAs(`admin@${config.get<string>('application.domain')}`, 'admin123', 403))

  // Only the status code is verified for the accountant; the payload is not inspected.
  it('GET all orders for accountant', () =>
    fetchAllOrdersAs(`accountant@${config.get<string>('application.domain')}`, 'i am an awesome accountant', 200))
})
describe('/rest/order-history/:id/delivery-status', () => {
  // Authorization check for updating an order's delivery status: logs in as
  // the given user, PUTs `delivered: false` for order 1 with the obtained JWT
  // and asserts that the server answers with expectedStatus.
  // NOTE: when the server accepts the request (the accountant case) this
  // really writes to order 1, so the spec is not free of side effects and
  // other tests relying on that order's delivery state may be affected.
  const setDeliveryStatusAs = async (email: string, password: string, expectedStatus: number) => {
    const { json: jsonLogin } = await frisby.post(`${REST_URL}/user/login`, {
      headers: jsonHeader,
      body: { email, password }
    }).expect('status', 200)
    await frisby.put(`${REST_URL}/order-history/1/delivery-status`, {
      headers: { Authorization: `Bearer ${jsonLogin.authentication.token}`, ...jsonHeader },
      body: { delivered: false }
    }).expect('status', expectedStatus)
  }

  // Neither admin nor customer may change delivery state; the admin case
  // confirms that 'admin' is not a superset of the accountant role.
  it('PUT delivery status is forbidden for admin', () =>
    setDeliveryStatusAs(`admin@${config.get<string>('application.domain')}`, 'admin123', 403))

  it('PUT delivery status is forbidden for customer', () =>
    setDeliveryStatusAs(`jim@${config.get<string>('application.domain')}`, 'ncc-1701', 403))

  // Only the accountant role is expected to be authorized for this write.
  it('PUT delivery status is allowed for accountant', () =>
    setDeliveryStatusAs(`accountant@${config.get<string>('application.domain')}`, 'i am an awesome accountant', 200))
})