pinchflat/test/pinchflat_web/plugs_test.exs

defmodule PinchflatWeb.PlugsTest do
  use PinchflatWeb.ConnCase

  alias PinchflatWeb.Plugs
  alias Pinchflat.Settings

  describe "maybe_basic_auth/2" do
    setup do
      old_username = Application.get_env(:pinchflat, :basic_auth_username)
      old_password = Application.get_env(:pinchflat, :basic_auth_password)
      old_expose_feed_endpoints = Application.get_env(:pinchflat, :expose_feed_endpoints)

      on_exit(fn ->
        Application.put_env(:pinchflat, :basic_auth_username, old_username)
        Application.put_env(:pinchflat, :basic_auth_password, old_password)
        Application.put_env(:pinchflat, :expose_feed_endpoints, old_expose_feed_endpoints)
      end)

      :ok
    end

    test "uses basic auth when expose_feed_endpoints is false" do
      Application.put_env(:pinchflat, :basic_auth_username, "user")
      Application.put_env(:pinchflat, :basic_auth_password, "pass")
      Application.put_env(:pinchflat, :expose_feed_endpoints, false)

      conn = Plugs.maybe_basic_auth(build_conn(), [])

      assert conn.status == 401
      assert {"www-authenticate", "Basic realm=\"Pinchflat\""} in conn.resp_headers
    end

    test "supplying the correct username and password allows access" do
      Application.put_env(:pinchflat, :basic_auth_username, "user")
      Application.put_env(:pinchflat, :basic_auth_password, "pass")
      Application.put_env(:pinchflat, :expose_feed_endpoints, false)

      encoded_auth = Plug.BasicAuth.encode_basic_auth("user", "pass")

      conn =
        build_conn()
        |> put_req_header("authorization", encoded_auth)
        |> Plugs.maybe_basic_auth([])

      # nil here means the response is unset, but that's good. It just means we're moving to the next stage
      assert conn.status == nil
    end

    test "does not use basic auth when expose_feed_endpoints is true" do
      Application.put_env(:pinchflat, :basic_auth_username, "user")
      Application.put_env(:pinchflat, :basic_auth_password, "pass")
      Application.put_env(:pinchflat, :expose_feed_endpoints, true)

      conn = Plugs.maybe_basic_auth(build_conn(), [])

      assert conn.status == nil
    end

    test "does not use basic auth when username/password aren't set" do
      Application.put_env(:pinchflat, :basic_auth_username, nil)
      Application.put_env(:pinchflat, :basic_auth_password, nil)
      Application.put_env(:pinchflat, :expose_feed_endpoints, false)

      conn = Plugs.maybe_basic_auth(build_conn(), [])

      # nil here means the response is unset, but that's good. It just means we're moving to the next stage
      assert conn.status == nil
    end
  end

  describe "basic_auth/2" do
    setup do
      old_username = Application.get_env(:pinchflat, :basic_auth_username)
      old_password = Application.get_env(:pinchflat, :basic_auth_password)

      on_exit(fn ->
        Application.put_env(:pinchflat, :basic_auth_username, old_username)
        Application.put_env(:pinchflat, :basic_auth_password, old_password)
      end)

      :ok
    end

    test "uses basic auth when both username and password are set", %{conn: conn} do
      Application.put_env(:pinchflat, :basic_auth_username, "user")
      Application.put_env(:pinchflat, :basic_auth_password, "pass")

      conn = Plugs.basic_auth(conn, [])

      assert conn.status == 401
      assert {"www-authenticate", "Basic realm=\"Pinchflat\""} in conn.resp_headers
    end

    test "providing the username and password allows access", %{conn: conn} do
      Application.put_env(:pinchflat, :basic_auth_username, "user")
      Application.put_env(:pinchflat, :basic_auth_password, "pass")

      conn =
        conn
        |> put_req_header("authorization", Plug.BasicAuth.encode_basic_auth("user", "pass"))
        |> Plugs.basic_auth([])

      # nil here means the response is unset, but that's good. It just means we're moving to the next stage
      assert conn.status == nil
    end

    test "does not use basic auth when either username or password is not set", %{conn: conn} do
      Application.put_env(:pinchflat, :basic_auth_username, nil)
      Application.put_env(:pinchflat, :basic_auth_password, "pass")

      conn = Plugs.basic_auth(conn, [])

      assert conn.status == nil
    end

    test "treats empty strings as not being set when using basic auth", %{conn: conn} do
      Application.put_env(:pinchflat, :basic_auth_username, "")
      Application.put_env(:pinchflat, :basic_auth_password, "pass")

      conn = Plugs.basic_auth(conn, [])

      assert conn.status == nil
    end
  end

  describe "allow_iframe_embed/2" do
    test "deletes the x-frame-options header", %{conn: conn} do
      conn = put_resp_header(conn, "x-frame-options", "DENY")
      assert ["DENY"] = get_resp_header(conn, "x-frame-options")

      conn = Plugs.allow_iframe_embed(conn, [])

      assert [] = get_resp_header(conn, "x-frame-options")
    end
  end

  describe "token_protected_route/2" do
    test "allows access when the route token is correct", %{conn: conn} do
      route_token = Settings.get!(:route_token)
      conn = %{conn | query_params: %{"route_token" => route_token}}

      conn = Plugs.token_protected_route(conn, [])

      # nil here means the response is unset, but that's good. It just means we're moving to the next stage
      assert conn.status == nil
    end

    test "does not allow access when the route token is incorrect", %{conn: conn} do
      conn = %{conn | query_params: %{"route_token" => "incorrect"}}

      conn = Plugs.token_protected_route(conn, [])

      assert conn.status == 401
      assert conn.resp_body == "Unauthorized"
    end

    test "does not allow access when the route token is missing", %{conn: conn} do
      conn = %{conn | query_params: %{}}

      conn = Plugs.token_protected_route(conn, [])

      assert conn.status == 401
      assert conn.resp_body == "Unauthorized"
    end
  end
end