From f0db46bbcacb51df98824ca9f4cc3caece826eb7 Mon Sep 17 00:00:00 2001
From: izzy lyseggen
Date: Fri, 21 Aug 2020 15:36:49 +0100
Subject: [PATCH] test(subs): more auth tests for subs

confirm you can't receive updates if you're not authorised for stream

---
 modules/core/graph/resolvers/streams.js | 8 +---
 modules/core/tests/graphSubs.spec.js | 57 +++++++++++++++++++++++--
 2 files changed, 55 insertions(+), 10 deletions(-)

diff --git a/modules/core/graph/resolvers/streams.js b/modules/core/graph/resolvers/streams.js
index 5c22800a9..bdde82f18 100644
--- a/modules/core/graph/resolvers/streams.js
+++ b/modules/core/graph/resolvers/streams.js
@@ -169,17 +169,13 @@ module.exports = {
 },
 streamPermissionGranted: {
 subscribe: withFilter( () => pubsub.asyncIterator( [ STREAM_PERMISSION_GRANTED ] ),
- async ( payload, variables, context ) => {
- await authorizeResolver( context.userId, payload.streamId, 'stream:reviewer' )
-
+ ( payload, variables ) => {
 return payload.userId === variables.userId
 } )
 },
 streamPermissionRevoked: {
 subscribe: withFilter( () => pubsub.asyncIterator( [ STREAM_PERMISSION_REVOKED ] ),
- async ( payload, variables, context ) => {
- await authorizeResolver( context.userId, payload.streamId, 'stream:reviewer' )
-
+ ( payload, variables ) => {
 return payload.userId === variables.userId
 } )
 }
diff --git a/modules/core/tests/graphSubs.spec.js b/modules/core/tests/graphSubs.spec.js
index 5fb018703..3b2f5825a 100644
--- a/modules/core/tests/graphSubs.spec.js
+++ b/modules/core/tests/graphSubs.spec.js
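Review bot: The rewritten withFilter predicates for streamPermissionGranted and streamPermissionRevoked no longer look at the subscriber at all: once the authorizeResolver call is dropped, the only condition left is `payload.userId === variables.userId`, and variables.userId is supplied by the client, so any authenticated websocket client can subscribe with another user's id and be told which streams that user is being granted or revoked on. Dropping the 'stream:reviewer' check is understandable for the revoked case (the user has just lost that role), but the replacement should bind the subscription to the caller, e.g. `( payload, variables, context ) => payload.userId === variables.userId && context.userId === variables.userId`, with a test that a subscription for someone else's userId receives nothing. Whether context.userId is populated on the websocket connection is not visible here; the removed code relied on it being so. The enclosing module.exports object continues outside the hunk.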
@@ -200,7 +200,7 @@ describe( 'GraphQL API Subscriptions', ( ) => {
 const streamId = resSC.body.data.streamCreate
 let eventNum = 0
- const query = gql`subscription permissionRevoked { streamPermissionRevoked(userId: "${userB.id}") }`
+ const query = gql`subscription permissionRevoked { streamPermissionRevoked( userId: "${userB.id}" ) }`
 const client = createSubscriptionObservable( wsAddr, userB.token, query )
 const consumer = client.subscribe( eventData => {
 expect( eventData.data.streamPermissionRevoked ).to.exist
@@ -213,11 +213,10 @@ describe( 'GraphQL API Subscriptions', ( ) => {
 query: `mutation { streamGrantPermission( streamId: "${streamId}", userId: "${userB.id}", role: "stream:contributor" ) }`
 } )
 expect( sg.body.errors ).to.not.exist
-
 let sr = await sendRequest( userA.token, {
- query: `mutation { streamRevokePermission( streamId: "${streamId}", userId: "${userB.id}" ) } `
+ query: `mutation { streamRevokePermission( streamId: "${streamId}", userId: "${userB.id}" ) }`
 } )
- expect( sr.body.errors ).to.not.exist
+ expect( sr.body.error ).to.not.exist
 await sleep( 1000 ) // we need to wait up a second here
 expect( eventNum ).to.equal( 1 )
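Review bot: `expect( sr.body.error ).to.not.exist` in the second hunk can no longer fail: GraphQL responses report failures under `errors`, which is what the assertion two lines above (`sg.body.errors`) and the removed line both check, so the revoke-permission mutation is now effectively unverified. Restore `expect( sr.body.errors ).to.not.exist`. `let sr` is never reassigned and can be `const sr`. The enclosing it() callback starts and ends outside the hunk.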
@@ -375,6 +374,30 @@ describe( 'GraphQL API Subscriptions', ( ) => {
 expect( eventNum ).to.equal( 2 )
 consumer.unsubscribe( )
 } )
+
+ it( `Should *not* be notified when a branch is created for a stream you're not authorised for`, async () => {
+ const resSC = await sendRequest( userA.token, { query: `mutation { streamCreate(stream: { name: "Subs Test (u A) Private", description: "Hello World", isPublic:false } ) }` } )
+ const streamId = resSC.body.data.streamCreate
+
+ let eventNum = 0
+ const query = gql`subscription { branchCreated( streamId: "${streamId}" ) }`
+ const client = createSubscriptionObservable( wsAddr, userB.token, query )
+ const consumer = client.subscribe( eventData => {
+ expect( eventData.data.branchCreated ).to.not.exist
+ eventNum++
+ } )
+
+ await sleep( 500 )
+
+ let bc = await sendRequest( userA.token, {
+ query: `mutation { branchCreate ( branch: { streamId: "${streamId}", name: "new branch 🌿", description: "this is a test branch 🌳" } ) }`
+ } )
+ expect( bc.body.errors ).to.not.exist
+
+ await sleep( 1000 ) // we need to wait up a second here
+ expect( eventNum ).to.equal( 0 )
+ consumer.unsubscribe()
+ } )
 } )
 describe( 'Commits', ( ) => {
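Review bot: The new negative test only asserts that `eventNum` is still 0 after the sleeps, so it passes just as well if the server rejected userB's subscription for authorization reasons, if the websocket never connected within the 500 ms, or if the event was never published at all; nothing in the test observes which of these happened. Since `client.subscribe` is given only a next handler, consider also supplying an error handler (`client.subscribe( next, err => { ... } )`, assuming the observable returned by createSubscriptionObservable follows the usual next/error signature) and asserting that an authorization error arrives, or pairing the run with an authorized userA subscription on the same stream that does receive the branchCreated event. The commit test in the next hunk has the same gap. `let bc` is never reassigned and can be `const bc`.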
@@ -469,6 +492,32 @@ describe( 'GraphQL API Subscriptions', ( ) => {
 expect( eventNum ).to.equal( 1 )
 consumer.unsubscribe( )
 } )
+
+ it( `Should *not* be notified when a commit is created on a stream you're not authorised for`, async () => {
+ const resSC = await sendRequest( userA.token, { query: `mutation { streamCreate(stream: { name: "Subs Test (u A) Private", description: "Hello World", isPublic:false } ) }` } )
+ const streamId = resSC.body.data.streamCreate
+ const resOC = await sendRequest( userA.token, { query: `mutation { objectCreate(streamId: "${streamId}", objects: {hello: "goodbye 🌊"} ) }` } )
+ const objId = resOC.body.data.objectCreate
+
+ let eventNum = 0
+ const query = gql`subscription { commitCreated( streamId: "${streamId}" ) }`
+ const client = createSubscriptionObservable( wsAddr, userB.token, query )
+ const consumer = client.subscribe( eventData => {
+ expect( eventData.data.commitCreated ).to.not.exist
+ eventNum++
+ } )
+
+ await sleep( 500 )
+
+ let cc = await sendRequest( userA.token, {
+ query: `mutation { commitCreate ( commit: { streamId: "${streamId}", branchName: "master", objectId: "${objId}" } ) }`
+ } )
+ expect( cc.body.errors ).to.not.exist
+
+ await sleep( 1000 ) // we need to wait up a second here
+ expect( eventNum ).to.equal( 0 )
+ consumer.unsubscribe()
+ } )
 } )
 } )
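Review bot: `expect( eventData.data.commitCreated ).to.not.exist` runs inside the subscription's next callback, so if the server does deliver a message a failing assertion throws asynchronously from the observable rather than inside this it() body; depending on how createSubscriptionObservable surfaces handler exceptions, that may end up as an unhandled error instead of a test failure, and a message that arrives without a `data` field makes the member access itself throw first. Recording what arrived in the callback (`received.push( eventData )`) and asserting on it after the sleep, next to the existing `eventNum` check, keeps every assertion in the test body where mocha sees it. The branch test in the previous hunk has the same shape. `let cc` is never reassigned and can be `const cc`.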