Merge branch 'solution'

client.js

@@ -1,6 +1,7 @@
 const express = require("express")
 const bodyParser = require("body-parser")
 const axios = require("axios").default
+const { randomString, timeout } = require("./utils")
 
 const config = {
 	port: 9000,
@@ -18,6 +19,7 @@ let state = ""
 const app = express()
 app.set("view engine", "ejs")
 app.set("views", "assets/client")
+app.use(timeout)
 app.use(bodyParser.json())
 app.use(bodyParser.urlencoded({ extended: true }))
 
@@ -29,3 +31,16 @@ const server = app.listen(config.port, "localhost", function () {
 	var host = server.address().address
 	var port = server.address().port
 })
+
+// for testing purposes
+
+module.exports = {
+	app,
+	server,
+	getState() {
+		return state
+	},
+	setState(s) {
+		state = s
+	},
+}

package.json

@@ -24,6 +24,7 @@
 		"express": "^4.17.1",
 		"jsonwebtoken": "^8.5.1",
 		"mocha": "^7.1.2",
+		"moxios": "^0.4.0",
 		"sinon": "^9.0.2",
 		"supertest": "^4.0.2"
 	}

protected-resource.js

@@ -37,6 +37,8 @@ const server = app.listen(config.port, "localhost", function () {
 	var port = server.address().port
 })
 
+// for testing purposes
+
 module.exports = {
 	app,
 	server,

test/module3/01-create-authorization-route.js

@@ -0,0 +1,20 @@
+const assert = require("assert")
+const request = require("supertest")
+
+const { app, server } = require("../../client")
+
+it("serves an empty authorization route @client-create-authorization-route", () => {
+	return request(app)
+		.get("/authorize")
+		.then((res) => {
+			assert.notEqual(
+				res.status,
+				404,
+				"The `/authorize` route doesn't exist"
+			)
+		})
+})
+
+afterEach(() => {
+	server.close()
+})

test/module3/02-declare-state.js

@@ -0,0 +1,32 @@
+const assert = require("assert")
+const request = require("supertest")
+
+const { app, server, getState, setState } = require("../../client")
+
+it("assigns a random value to the state @client-declare-state", () => {
+	setState("")
+	return request(app)
+		.get("/authorize")
+		.then((res) => {
+			assert.equal(
+				[408, 302].indexOf(res.status) >= 0,
+				true,
+				"The `/user-info` route should not return an error status code"
+			)
+			const state = getState()
+			assert.strictEqual(
+				typeof state,
+				"string",
+				"/authorize should assign a random string to state"
+			)
+			assert.strictEqual(
+				state.length > 0,
+				true,
+				"/authorize should assign a non-empty string to state"
+			)
+		})
+})
+
+afterEach(() => {
+	server.close()
+})

test/module3/03-redirect-user.js

@@ -0,0 +1,55 @@
+const assert = require("assert")
+const request = require("supertest")
+const url = require("url")
+const querystring = require("querystring")
+
+const { app, server, getState, setState } = require("../../client")
+
+it("redirects user to authorization endpoint @client-redirect-user-to-authorization-endpoint", () => {
+	setState("")
+	return request(app)
+		.get("/authorize")
+		.then((res) => {
+			assert.equal(
+				res.status,
+				302,
+				"The `/user-info` route should return a redirect status code"
+			)
+			const redirectUrl = url.parse(res.headers.location)
+			const query = querystring.parse(redirectUrl.query)
+			assert.equal(
+				query.response_type,
+				"code",
+				'redirect URL response_type should be "code"'
+			)
+			assert.equal(
+				query.client_id,
+				"my-client",
+				"redirect URL should contain the correct client_id param"
+			)
+			assert.equal(
+				query.client_secret,
+				"zETqHgl0d7ThysUqPnaFuLOmG1E=",
+				"redirect URL should contain the correct client_secret param"
+			)
+			assert.equal(
+				query.redirect_uri,
+				"http://localhost:9000/callback",
+				"redirect URL should contain the correct redirect_uri param"
+			)
+			assert.equal(
+				query.scope,
+				"permission:name permission:date_of_birth",
+				"redirect URL should contain the correct scope param"
+			)
+			assert.equal(
+				query.state,
+				getState(),
+				"redirect URL should contain the correct state param"
+			)
+		})
+})
+
+afterEach(() => {
+	server.close()
+})

test/module3/04-create-callback-route.js

@@ -0,0 +1,20 @@
+const assert = require("assert")
+const request = require("supertest")
+
+const { app, server } = require("../../client")
+
+it("serves an empty callback route @client-create-callback-route", () => {
+	return request(app)
+		.get("/callback")
+		.then((res) => {
+			assert.notEqual(
+				res.status,
+				404,
+				"The `/callback` route doesn't exist"
+			)
+		})
+})
+
+afterEach(() => {
+	server.close()
+})

test/module3/05-verify-state.js

@@ -0,0 +1,65 @@
+const assert = require("assert")
+const request = require("supertest")
+const sinon = require("sinon")
+const axios = require("axios")
+const moxios = require("moxios")
+
+const { app, server, getState, setState } = require("../../client")
+
+before(function () {
+	moxios.install()
+})
+
+it("verifies state with current stored state @client-callback-verify-state", () => {
+	setState("mystate")
+
+	moxios.wait(() => {
+		moxios.wait(() => {
+			const req = moxios.requests.mostRecent()
+			if (!req) {
+				return
+			}
+			req.respondWith({
+				status: 200,
+				response: {
+					access_token: "mytoken",
+				},
+			})
+		})
+
+		const req = moxios.requests.mostRecent()
+		if (!req) {
+			return
+		}
+		req.respondWith({
+			status: 200,
+			response: {
+				access_token: "mytoken",
+			},
+		})
+	})
+
+	return request(app)
+		.get("/callback?code=mycode&state=mystate")
+		.then((res) => {
+			assert.equal(
+				[408, 200].indexOf(res.status) >= 0,
+				true,
+				"The `/callback` route should not return an error status code"
+			)
+
+			return request(app).get("/callback?code=mycode&state=fakestate")
+		})
+		.then((res) => {
+			assert.equal(
+				res.status,
+				403,
+				"/callback should return a 403 status if the states don't match"
+			)
+		})
+})
+
+after(() => {
+	moxios.uninstall()
+	server.close()
+})

test/module3/06-request-access-token.js

@@ -0,0 +1,82 @@
+const assert = require("assert")
+const request = require("supertest")
+const sinon = require("sinon")
+const axios = require("axios")
+const moxios = require("moxios")
+
+const { app, server, getState, setState } = require("../../client")
+
+before(function () {
+	moxios.install()
+})
+
+it("/callback requests access token from the token endpoint @client-callback-request-access-token", () => {
+	setState("mystate")
+	let called = false
+	moxios.wait(() => {
+		moxios.wait(() => {
+			const req = moxios.requests.mostRecent()
+			if (!req) {
+				return
+			}
+			req.respondWith({
+				status: 200,
+				response: {
+					access_token: "mytoken",
+				},
+			})
+		})
+
+		const req = moxios.requests.mostRecent()
+		if (!req) {
+			return
+		}
+		called = true
+		assert.equal(
+			req.config.url,
+			"http://localhost:9001/token",
+			"the request to the token endpoint should be made to the correct URL"
+		)
+		assert.equal(
+			req.config.data,
+			'{"code":"mycode"}',
+			"the request made to the token endpoint should contain the correct authorization code in the request body"
+		)
+		assert.equal(
+			req.config.method,
+			"post",
+			"the request made to the token endpoint should be a POST request"
+		)
+		assert.equal(
+			req.config.headers.Authorization,
+			"Basic bXktY2xpZW50OnpFVHFIZ2wwZDdUaHlzVXFQbmFGdUxPbUcxRT0=",
+			"the request made to the token endpoint should contain the correct auth credentials"
+		)
+		req.respondWith({
+			status: 200,
+			response: {
+				access_token: "mytoken",
+			},
+		})
+	})
+
+	return request(app)
+		.get("/callback?code=mycode&state=mystate")
+		.then((res) => {
+			assert.equal(
+				[408, 200].indexOf(res.status) >= 0,
+				true,
+				"The `/callback` route should not return an error status code"
+			)
+			assert.equal(
+				called,
+				true,
+				"/callback needs to make an HTTP call to request for the access token"
+			)
+		})
+})
+
+after(() => {
+	moxios.uninstall()
+	server.close()
+})