fix: allow _auth parameter to be passed through

florajs · Nov 17, 2022 · 06079fe · 06079fe
1 parent 7453c81
commit 06079fe
Show file tree

Hide file tree

Showing 4 changed files with 73 additions and 1 deletion.
diff --git a/lib/request.js b/lib/request.js
@@ -100,7 +100,7 @@ class Request {
          * @name Request#_auth
          * @readonly
          */
-        writable('_auth', null);
+        writable('_auth', options._auth || null);
 
         /**
          * HTTP request object (if available)

diff --git a/lib/url-parser.js b/lib/url-parser.js
@@ -30,6 +30,7 @@ function httpToFloraRequest(httpRequest, { postTimeout } = {}) {
          */
         const opts = {
             resource: matches[1],
+            _auth: null,
             _status: httpRequest.flora.status,
             _httpRequest: httpRequest
         };

diff --git a/test/api.spec.js b/test/api.spec.js
@@ -288,6 +288,40 @@ describe('Api', () => {
                 done();
             });
         });
+
+        it('should clone the Request', async () => {
+            const api = new Api();
+            await api.init({
+                log,
+                resourcesPath: path.join(__dirname, 'fixtures', 'extensions', 'resources'),
+                dataSources: {
+                    empty: {
+                        constructor: testDataSource
+                    }
+                }
+            });
+
+            const r = new Request({ resource: 'simple-js' });
+            const { request } = await api.execute(r);
+            expect(r).to.not.equal(request);
+        });
+
+        it('should pass through _auth property', async () => {
+            const api = new Api();
+            await api.init({
+                log,
+                resourcesPath: path.join(__dirname, 'fixtures', 'extensions', 'resources'),
+                dataSources: {
+                    empty: {
+                        constructor: testDataSource
+                    }
+                }
+            });
+
+            const r = new Request({ resource: 'simple-js', _auth: 'AUTH' });
+            const { request } = await api.execute(r);
+            expect(request._auth).to.equal('AUTH');
+        });
     });
 
     describe('formats', () => {

diff --git a/test/url-parser.spec.js b/test/url-parser.spec.js
@@ -233,5 +233,42 @@ describe('HTTP request parsing', () => {
                     done();
                 });
         });
+
+        it('should remove protected properties (GET)', (done) => {
+            httpRequest.url = 'http://api.example.com/user/1337.jpg?_auth=FOO';
+            parseRequest(httpRequest)
+                .then((request) => {
+                    expect(request._auth).to.equal(null);
+                    done();
+                })
+                .catch(done);
+        });
+
+        it('should remove protected properties (urlencoded)', (done) => {
+            httpRequest.url = 'http://api.example.com/user/';
+            httpRequest.headers['content-type'] = 'application/x-www-form-urlencoded';
+            httpRequest.payload = '_auth=FOO';
+            httpRequest.method = 'POST';
+            httpRequest.headers['content-length'] = httpRequest.payload.length;
+            parseRequest(httpRequest)
+                .then((request) => {
+                    expect(request._auth).to.equal(null);
+                    done();
+                })
+                .catch(done);
+        });
+
+        it('should remove protected properties (JSON)', (done) => {
+            httpRequest.url = 'http://api.example.com/user/';
+            httpRequest.payload = '{"_auth": "FOO"}';
+            httpRequest.method = 'POST';
+            httpRequest.headers['content-length'] = httpRequest.payload.length;
+            parseRequest(httpRequest)
+                .then((request) => {
+                    expect(request._auth).to.equal(null);
+                    done();
+                })
+                .catch(done);
+        });
     });
 });