diff --git a/lib/request.js b/lib/request.js
index a1d29e5..8c2e459 100644
--- a/lib/request.js
+++ b/lib/request.js
@@ -100,7 +100,7 @@ class Request {
 * @name Request#_auth
 * @readonly
 */
- writable('_auth', null);
+ writable('_auth', options._auth || null);
 
 /**
 * HTTP request object (if available)
diff --git a/lib/url-parser.js b/lib/url-parser.js
index 031712f..e594e5e 100644
--- a/lib/url-parser.js
+++ b/lib/url-parser.js
@@ -30,6 +30,7 @@ function httpToFloraRequest(httpRequest, { postTimeout } = {}) {
 */
 const opts = {
 resource: matches[1],
+ _auth: null,
 _status: httpRequest.flora.status,
 _httpRequest: httpRequest
 };
diff --git a/test/api.spec.js b/test/api.spec.js
index fc28411..bca80e3 100644
--- a/test/api.spec.js
+++ b/test/api.spec.js
@@ -288,6 +288,40 @@ describe('Api', () => {
 done();
 });
 });
+
+ it('should clone the Request', async () => {
+ const api = new Api();
+ await api.init({
+ log,
+ resourcesPath: path.join(__dirname, 'fixtures', 'extensions', 'resources'),
+ dataSources: {
+ empty: {
+ constructor: testDataSource
+ }
+ }
+ });
+
+ const r = new Request({ resource: 'simple-js' });
+ const { request } = await api.execute(r);
+ expect(r).to.not.equal(request);
+ });
+
+ it('should pass through _auth property', async () => {
+ const api = new Api();
+ await api.init({
+ log,
+ resourcesPath: path.join(__dirname, 'fixtures', 'extensions', 'resources'),
+ dataSources: {
+ empty: {
+ constructor: testDataSource
+ }
+ }
+ });
+
+ const r = new Request({ resource: 'simple-js', _auth: 'AUTH' });
+ const { request } = await api.execute(r);
+ expect(request._auth).to.equal('AUTH');
+ });
 });
 
 describe('formats', () => {
diff --git a/test/url-parser.spec.js b/test/url-parser.spec.js
index 61a2836..93fc9a5 100644
--- a/test/url-parser.spec.js
+++ b/test/url-parser.spec.js
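Review bot: `options._auth || null` collapses every falsy credential to null, so a caller that passes `0`, `''` or `false` as `_auth` silently loses it; if only the absent case should fall back, `options._auth !== undefined ? options._auth : null` (or `??`, if the project already targets ES2020) states that precisely. This line is also the only place `_auth` enters a Request, and nothing in it distinguishes a trusted internal caller from an options object assembled out of client input, so the guarantee now rests on every HTTP entry point nulling the key first, as lib/url-parser.js does in this same commit. The JSDoc above still reads `@readonly` although the property is declared via `writable()`; adding `Must never be populated from client-supplied parameters; HTTP entry points reset it to null before the Request is constructed.` to that comment would record the contract where the next maintainer will look. The Request constructor continues outside the hunk, so whether `options` is always an object is not visible here.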
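Review bot: Seeding `_auth: null` protects one key by name, while `_status` and `_httpRequest` on the next lines are server-set under the same underscore convention, so every future protected key has to be remembered in this literal; stripping all underscore-prefixed keys from the parsed query and body parameters before they are merged into `opts` would cover the whole family at once. Whether the null seed actually survives depends on how those parameters are merged into `opts` later in httpToFloraRequest, which lies outside the hunk: if the merge overwrites existing keys, the client's `_auth=FOO` wins. The spec tests in this commit suggest it does not, but a comment on the added line, `// protected: must not be overridable by client-supplied parameters`, would keep that dependency visible to whoever changes the merge.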
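Review bot: Both new tests repeat the identical eleven-line `api.init({...})` block; a `beforeEach` or a small `createApi()` helper in this describe block would leave each test with only the Request it builds and the assertion it makes. The `_auth` test also checks only the positive path; a companion assertion pinning the default this commit relies on, `expect((await api.execute(new Request({ resource: 'simple-js' }))).request._auth).to.equal(null);`, would catch a regression that starts copying `_auth` from somewhere else. The enclosing describe('Api') block starts before the hunk.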
@@ -233,5 +233,42 @@ describe('HTTP request parsing', () => {
 done();
 });
 });
+
+ it('should remove protected properties (GET)', (done) => {
+ httpRequest.url = 'http://api.example.com/user/1337.jpg?_auth=FOO';
+ parseRequest(httpRequest)
+ .then((request) => {
+ expect(request._auth).to.equal(null);
+ done();
+ })
+ .catch(done);
+ });
+
+ it('should remove protected properties (urlencoded)', (done) => {
+ httpRequest.url = 'http://api.example.com/user/';
+ httpRequest.headers['content-type'] = 'application/x-www-form-urlencoded';
+ httpRequest.payload = '_auth=FOO';
+ httpRequest.method = 'POST';
+ httpRequest.headers['content-length'] = httpRequest.payload.length;
+ parseRequest(httpRequest)
+ .then((request) => {
+ expect(request._auth).to.equal(null);
+ done();
+ })
+ .catch(done);
+ });
+
+ it('should remove protected properties (JSON)', (done) => {
+ httpRequest.url = 'http://api.example.com/user/';
+ httpRequest.payload = '{"_auth": "FOO"}';
+ httpRequest.method = 'POST';
+ httpRequest.headers['content-length'] = httpRequest.payload.length;
+ parseRequest(httpRequest)
+ .then((request) => {
+ expect(request._auth).to.equal(null);
+ done();
+ })
+ .catch(done);
+ });
 });
 });
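Review bot: The JSON test never sets `content-type`, whereas the urlencoded test just before it writes `application/x-www-form-urlencoded` into the shared `httpRequest.headers`; unless a `beforeEach` outside the hunk rebuilds `httpRequest`, the JSON payload is parsed as a form body and the assertion passes without ever exercising the JSON path. Adding `httpRequest.headers['content-type'] = 'application/json';` next to the other header lines makes the test self-contained either way. All three cases also cover only `_auth`; running the same three request shapes over every key the parser seeds (`_status` and `_httpRequest` are set the same way in lib/url-parser.js) would catch a regression in any of them rather than just this one.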