Add additional test for testing failure after delete

Refactor the api access token query. Fixes #2902"
3 changed files with 273 additions and 121 deletions
--- a/core/user/externalAPIUser.go
+++ b/core/user/externalAPIUser.go
@ -117,20 +117,73 @@ func GetExternalAPIUserForAccessTokenAndScope(token string, scope string) (*Exte
				@@ -117,20 +117,73 @@ func GetExternalAPIUserForAccessTokenAndScope(token string, scope string) (*Exte
 	// so we can efficiently find if a token supports a single scope.
 	// This is SQLite specific, so if we ever support other database
 	// backends we need to support other methods.
-	query := `SELECT id, scopes, display_name, display_color, created_at, last_used FROM user_access_tokens, (
-		WITH RECURSIVE split(id, scopes, display_name, display_color, created_at, last_used, disabled_at, scope, rest) AS (
-		  SELECT id, scopes, display_name, display_color, created_at, last_used, disabled_at, '', scopes || ',' FROM users
-		   UNION ALL
-		  SELECT id, scopes, display_name, display_color, created_at, last_used, disabled_at,
-				 substr(rest, 0, instr(rest, ',')),
-				 substr(rest, instr(rest, ',')+1)
-			FROM split
-		   WHERE rest <> '')
-		SELECT id, scopes, display_name, display_color, created_at, last_used, disabled_at, scope
-		  FROM split
-		 WHERE scope <> ''
-		 ORDER BY scope
-	  ) AS token WHERE user_access_tokens.token = ? AND token.scope = ?`
+	query := `SELECT
+  id,
+	scopes,
+  display_name,
+  display_color,
+  created_at,
+  last_used
+FROM
+  user_access_tokens
+  INNER JOIN (
+    WITH RECURSIVE split(
+      id,
+      scopes,
+      display_name,
+      display_color,
+      created_at,
+      last_used,
+      disabled_at,
+      scope,
+      rest
+    ) AS (
+      SELECT
+        id,
+        scopes,
+        display_name,
+        display_color,
+        created_at,
+        last_used,
+        disabled_at,
+        '',
+        scopes || ','
+      FROM
+        users AS u
+      UNION ALL
+      SELECT
+        id,
+        scopes,
+        display_name,
+        display_color,
+        created_at,
+        last_used,
+        disabled_at,
+        substr(rest, 0, instr(rest, ',')),
+        substr(rest, instr(rest, ',') + 1)
+      FROM
+        split
+      WHERE
+        rest <> ''
+    )
+    SELECT
+      id,
+      display_name,
+      display_color,
+      created_at,
+      last_used,
+      disabled_at,
+      scopes,
+      scope
+    FROM
+      split
+    WHERE
+      scope <> ''
+  ) ON user_access_tokens.user_id = id
+WHERE
+  disabled_at IS NULL
+  AND token = ?
+  AND scope = ?;`

 	row := _datastore.DB.QueryRow(query, token, scope)
 	integration, err := makeExternalAPIUserFromRow(row)
@ -150,7 +203,6 @@ func GetIntegrationNameForAccessToken(token string) *string {
				@@ -150,7 +203,6 @@ func GetIntegrationNameForAccessToken(token string) *string {

 // GetExternalAPIUser will return all API users with access tokens.
 func GetExternalAPIUser() ([]ExternalAPIUser, error) { //nolint
-	// Get all messages sent within the past day
 	query := "SELECT id, token, display_name, display_color, scopes, created_at, last_used FROM users, user_access_tokens WHERE user_access_tokens.user_id = id  AND type IS 'API' AND disabled_at IS NULL"

 	rows, err := _datastore.DB.Query(query)
@ -170,7 +222,6 @@ func SetExternalAPIUserAccessTokenAsUsed(token string) error {
				@@ -170,7 +222,6 @@ func SetExternalAPIUserAccessTokenAsUsed(token string) error {
 	if err != nil {
 		return err
 	}
-	// stmt, err := tx.Prepare("UPDATE users SET last_used = CURRENT_TIMESTAMP WHERE access_token = ?")
 	stmt, err := tx.Prepare("UPDATE users SET last_used = CURRENT_TIMESTAMP WHERE id = (SELECT user_id FROM user_access_tokens WHERE token = ?)")
 	if err != nil {
 		return err
--- a/core/user/externalAPIUser_test.go
+++ b/core/user/externalAPIUser_test.go
@ -0,0 +1,93 @@
				@@ -0,0 +1,93 @@
+package user
+
+import (
+	"testing"
+
+	"github.com/owncast/owncast/core/data"
+)
+
+const (
+	tokenName = "test token name"
+	token     = "test-token-123"
+)
+
+var testScopes = []string{"test-scope"}
+
+func TestMain(m *testing.M) {
+	if err := data.SetupPersistence(":memory:"); err != nil {
+		panic(err)
+	}
+
+	SetupUsers()
+
+	m.Run()
+}
+
+func TestCreateExternalAPIUser(t *testing.T) {
+	if err := InsertExternalAPIUser(token, tokenName, 0, testScopes); err != nil {
+		t.Fatal(err)
+	}
+
+	user := GetUserByToken(token)
+	if user == nil {
+		t.Fatal("api user not found after creating")
+	}
+
+	if user.DisplayName != tokenName {
+		t.Errorf("expected display name %q, got %q", tokenName, user.DisplayName)
+	}
+
+	if user.Scopes[0] != testScopes[0] {
+		t.Errorf("expected scopes %q, got %q", testScopes, user.Scopes)
+	}
+}
+
+func TestDeleteExternalAPIUser(t *testing.T) {
+	if err := DeleteExternalAPIUser(token); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestVerifyTokenDisabled(t *testing.T) {
+	users, err := GetExternalAPIUser()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(users) > 0 {
+		t.Fatal("disabled user returned in list of all API users")
+	}
+}
+
+func TestVerifyGetUserTokenDisabled(t *testing.T) {
+	user := GetUserByToken(token)
+	if user == nil {
+		t.Fatal("user not returned in GetUserByToken after disabling")
+	}
+
+	if user.DisabledAt == nil {
+		t.Fatal("user returned in GetUserByToken after disabling")
+	}
+}
+
+func TestVerifyGetExternalAPIUserForAccessTokenAndScopeTokenDisabled(t *testing.T) {
+	user, _ := GetExternalAPIUserForAccessTokenAndScope(token, testScopes[0])
+
+	if user != nil {
+		t.Fatal("user returned in GetExternalAPIUserForAccessTokenAndScope after disabling")
+	}
+}
+
+func TestCreateAdditionalAPIUser(t *testing.T) {
+	if err := InsertExternalAPIUser("ignore-me", "token-to-be-ignored", 0, testScopes); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestAgainVerifyGetExternalAPIUserForAccessTokenAndScopeTokenDisabled(t *testing.T) {
+	user, _ := GetExternalAPIUserForAccessTokenAndScope(token, testScopes[0])
+
+	if user != nil {
+		t.Fatal("user returned in TestAgainVerifyGetExternalAPIUserForAccessTokenAndScopeTokenDisabled after disabling")
+	}
+}
--- a/test/automated/api/integrations.test.js
+++ b/test/automated/api/integrations.test.js
@ -11,149 +11,157 @@ const webhook = 'https://super.duper.cool.thing.biz/owncast';
				@@ -11,149 +11,157 @@ const webhook = 'https://super.duper.cool.thing.biz/owncast';
 const events = ['CHAT'];

 test('create webhook', async (done) => {
-  const res = await sendAdminPayload('webhooks/create', {
-    url: webhook,
-    events: events,
-  });
-
-  expect(res.body.url).toBe(webhook);
-  expect(res.body.timestamp).toBeTruthy();
-  expect(res.body.events).toStrictEqual(events);
-  done();
+	const res = await sendAdminPayload('webhooks/create', {
+		url: webhook,
+		events: events,
+	});
+
+	expect(res.body.url).toBe(webhook);
+	expect(res.body.timestamp).toBeTruthy();
+	expect(res.body.events).toStrictEqual(events);
+	done();
 });

 test('check webhooks', (done) => {
-
-  getAdminResponse('webhooks')
-    .then((res) => {
-      expect(res.body).toHaveLength(1);
-      expect(res.body[0].url).toBe(webhook);
-      expect(res.body[0].events).toStrictEqual(events);
-      webhookID = res.body[0].id;
-      done();
-    });
+	getAdminResponse('webhooks').then((res) => {
+		expect(res.body).toHaveLength(1);
+		expect(res.body[0].url).toBe(webhook);
+		expect(res.body[0].events).toStrictEqual(events);
+		webhookID = res.body[0].id;
+		done();
+	});
 });

 test('delete webhook', async (done) => {
-  const res = await sendAdminPayload('webhooks/delete', {
-    id: webhookID,
-  });
-  expect(res.body.success).toBe(true);
-  done();
+	const res = await sendAdminPayload('webhooks/delete', {
+		id: webhookID,
+	});
+	expect(res.body.success).toBe(true);
+	done();
 });

 test('check that webhook was deleted', (done) => {
-  getAdminResponse('webhooks')
-    .then((res) => {
-      expect(res.body).toHaveLength(0);
-      done();
-    });
+	getAdminResponse('webhooks').then((res) => {
+		expect(res.body).toHaveLength(0);
+		done();
+	});
 });

 test('create access token', async (done) => {
-  const name = 'Automated integration test';
-  const scopes = [
-    'CAN_SEND_SYSTEM_MESSAGES',
-    'CAN_SEND_MESSAGES',
-    'HAS_ADMIN_ACCESS',
-  ];
-  const res = await sendAdminPayload('accesstokens/create', {
-    name: name,
-    scopes: scopes,
-  });
-
-  expect(res.body.accessToken).toBeTruthy();
-  expect(res.body.createdAt).toBeTruthy();
-  expect(res.body.displayName).toBe(name);
-  expect(res.body.scopes).toStrictEqual(scopes);
-  accessToken = res.body.accessToken;
-
-  done();
+	const name = 'Automated integration test';
+	const scopes = [
+		'CAN_SEND_SYSTEM_MESSAGES',
+		'CAN_SEND_MESSAGES',
+		'HAS_ADMIN_ACCESS',
+	];
+	const res = await sendAdminPayload('accesstokens/create', {
+		name: name,
+		scopes: scopes,
+	});
+
+	expect(res.body.accessToken).toBeTruthy();
+	expect(res.body.createdAt).toBeTruthy();
+	expect(res.body.displayName).toBe(name);
+	expect(res.body.scopes).toStrictEqual(scopes);
+	accessToken = res.body.accessToken;
+
+	done();
 });

 test('check access tokens', async (done) => {
-  const res = await getAdminResponse('accesstokens');
-  const tokenCheck = res.body.filter(
-    (token) => token.accessToken === accessToken
-  );
-  expect(tokenCheck).toHaveLength(1);
-  done();
+	const res = await getAdminResponse('accesstokens');
+	const tokenCheck = res.body.filter(
+		(token) => token.accessToken === accessToken
+	);
+	expect(tokenCheck).toHaveLength(1);
+	done();
 });

 test('send a system message using access token', async (done) => {
-  const payload = {
-    body: 'This is a test system message from the automated integration test',
-  };
-  const res = await request
-    .post('/api/integrations/chat/system')
-    .set('Authorization', 'Bearer ' + accessToken)
-    .send(payload)
-    .expect(200);
-  done();
+	const payload = {
+		body: 'This is a test system message from the automated integration test',
+	};
+	const res = await request
+		.post('/api/integrations/chat/system')
+		.set('Authorization', 'Bearer ' + accessToken)
+		.send(payload)
+		.expect(200);
+	done();
 });

 test('send an external integration message using access token', async (done) => {
-  const payload = {
-    body: 'This is a test external message from the automated integration test',
-  };
-  const res = await request
-    .post('/api/integrations/chat/send')
-    .set('Authorization', 'Bearer ' + accessToken)
-    .send(payload)
-    .expect(200);
-  done();
+	const payload = {
+		body: 'This is a test external message from the automated integration test',
+	};
+	const res = await request
+		.post('/api/integrations/chat/send')
+		.set('Authorization', 'Bearer ' + accessToken)
+		.send(payload)
+		.expect(200);
+	done();
 });

 test('send an external integration action using access token', async (done) => {
-  const payload = {
-    body: 'This is a test external action from the automated integration test',
-  };
-  await request
-    .post('/api/integrations/chat/action')
-    .set('Authorization', 'Bearer ' + accessToken)
-    .send(payload)
-    .expect(200);
-  done();
+	const payload = {
+		body: 'This is a test external action from the automated integration test',
+	};
+	await request
+		.post('/api/integrations/chat/action')
+		.set('Authorization', 'Bearer ' + accessToken)
+		.send(payload)
+		.expect(200);
+	done();
 });

 test('test fetch chat history using access token', async (done) => {
-  const res = await request
-    .get('/api/integrations/chat')
-    .set('Authorization', 'Bearer ' + accessToken)
-    .expect(200);
-  done();
+	const res = await request
+		.get('/api/integrations/chat')
+		.set('Authorization', 'Bearer ' + accessToken)
+		.expect(200);
+	done();
 });

 test('test fetch chat history failure using invalid access token', async (done) => {
-  const res = await request
-    .get('/api/integrations/chat')
-    .set('Authorization', 'Bearer ' + 'invalidToken')
-    .expect(401);
-  done();
+	const res = await request
+		.get('/api/integrations/chat')
+		.set('Authorization', 'Bearer ' + 'invalidToken')
+		.expect(401);
+	done();
 });

 test('test fetch chat history OPTIONS request', async (done) => {
-  const res = await request
-    .options('/api/integrations/chat')
-    .set('Authorization', 'Bearer ' + accessToken)
-    .expect(204);
-  done();
+	const res = await request
+		.options('/api/integrations/chat')
+		.set('Authorization', 'Bearer ' + accessToken)
+		.expect(204);
+	done();
 });

 test('delete access token', async (done) => {
-  const res = await sendAdminPayload('accesstokens/delete', {
-    token: accessToken,
-  });
-  expect(res.body.success).toBe(true);
-  done();
+	const res = await sendAdminPayload('accesstokens/delete', {
+		token: accessToken,
+	});
+	expect(res.body.success).toBe(true);
+	done();
 });

 test('check token delete was successful', async (done) => {
-  const res = await getAdminResponse('accesstokens');
-  const tokenCheck = res.body.filter(
-    (token) => token.accessToken === accessToken
-  );
-  expect(tokenCheck).toHaveLength(0);
-  done();
+	const res = await getAdminResponse('accesstokens');
+	const tokenCheck = res.body.filter(
+		(token) => token.accessToken === accessToken
+	);
+	expect(tokenCheck).toHaveLength(0);
+	done();
 });

+test('send an external integration action using access token expecting failure', async (done) => {
+	const payload = {
+		body: 'This is a test external action from the automated integration test',
+	};
+	await request
+		.post('/api/integrations/chat/action')
+		.set('Authorization', 'Bearer ' + accessToken)
+		.send(payload)
+		.expect(401);
+	done();
+});
Author	SHA1	Message	Date
Gabe Kangas	f28dd344bd	Add additional test for testing failure after delete	2 years ago
Gabe Kangas	26522bf26f	Refactor the api access token query. Fixes #2902"	2 years ago