From f7d84bc15b5e9937eac8c338255eef5348107814 Mon Sep 17 00:00:00 2001
From: Gabe Kangas
Date: Fri, 10 Mar 2023 12:16:28 -0800
Subject: [PATCH] Fix HTML scaffolding of admin pages rendering without auth. Closes #2789
---
 router/router.go | 2 +-
 test/automated/api/auth.test.js | 51 +++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 test/automated/api/auth.test.js
diff --git a/router/router.go b/router/router.go
index 63bd17401..3001cf43e 100644
--- a/router/router.go
+++ b/router/router.go
@@ -32,7 +32,7 @@ func Start() error {
 http.HandleFunc("/", controllers.IndexHandler)
 // The admin web app.
- http.HandleFunc("/admin", middleware.RequireAdminAuth(controllers.IndexHandler))
+ http.HandleFunc("/admin/", middleware.RequireAdminAuth(controllers.IndexHandler))
 // Images
 http.HandleFunc("/thumbnail.jpg", controllers.GetThumbnail)
diff --git a/test/automated/api/auth.test.js b/test/automated/api/auth.test.js
new file mode 100644
index 000000000..ad03e867a
--- /dev/null
+++ b/test/automated/api/auth.test.js
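Review bot: The comment above the changed registration, `// The admin web app.`, does not record why the trailing slash matters, and the slash is the entire fix. With Go's `http.ServeMux`, a pattern without a trailing slash matches only that exact path, so requests under `/admin/…` fell through to the `/` handler and never passed `RequireAdminAuth`. I would extend the comment to something like `// The admin web app. The trailing slash makes this a subtree pattern, so every path under /admin/ goes through RequireAdminAuth; do not remove it.` so a later cleanup does not drop it. `Start()` begins and continues outside the hunk, so any other admin routes it registers cannot be checked from here.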
@@ -0,0 +1,51 @@
+var request = require('supertest');
+request = request('http://127.0.0.1:8080');
+
+test('main page requires no auth', async (done) => {
+ await request.get('/').expect(200);
+ done();
+});
+
+test('admin without trailing slash redirects', async (done) => {
+ await request.get('/admin').expect(301);
+ done();
+});
+
+test('admin with trailing slash requires auth', async (done) => {
+ await request.get('/admin/').expect(401);
+ done();
+});
+
+const paths = [
+ '/admin/config/general/',
+ '/admin/config/server/',
+ '/admin/config-video',
+ '/admin/config-chat/',
+ '/admin/config-federation/',
+ '/admin/config-notify',
+ '/admin/federation/followers/',
+ '/admin/chat/messages',
+ '/admin/viewer-info/',
+ '/admin/chat/users/',
+ '/admin/stream-health',
+ '/admin/hardware-info/',
+];
+
+// Test a bunch of paths to make sure random different pages don't slip by for some reason.
+// Technically this shouldn't be possible but it's a sanity check anyway.
+paths.forEach((path) => {
+ test(`admin path ${path} requires auth and should fail`, async (done) => {
+ await request.get(path).expect(401);
+ done();
+ });
+});
+
+// Try them again with auth. Some with trailing slashes some without.
+// Allow redirects.
+paths.forEach((path) => {
+ test(`admin path ${path} requires auth and should pass`, async (done) => {
+ const r = await request.get(path).auth('admin', 'abc123');
+ expect([200, 301]).toContain(r.status);
+ done();
+ });
+});
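Review bot: Every test in this file is written as `async (done) => { await …; done(); }`, which mixes two completion styles. If the awaited `.expect(401)` rejects, `done()` is never reached, and newer Jest runners (assuming this suite runs under Jest) reject a test function that both takes `done` and returns a promise. For an auth regression test the failure should be the assertion itself, so I would drop the callback throughout: `test('admin with trailing slash requires auth', async () => { await request.get('/admin/').expect(401); });`. The suite also has no wrong-credentials case; a line such as `await request.get('/admin/').auth('admin', 'not-the-password').expect(401);` (constructed value) would show that a bad password is rejected, not only a missing one. The authenticated loop accepts a bare 301 without following it, so the paths listed without a trailing slash only prove the redirect, not that the page is served under auth.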