path: root/1.1.x/share/www/script/test/cookie_auth.js
diff options
Diffstat (limited to '1.1.x/share/www/script/test/cookie_auth.js')
1 files changed, 256 insertions, 0 deletions
diff --git a/1.1.x/share/www/script/test/cookie_auth.js b/1.1.x/share/www/script/test/cookie_auth.js
new file mode 100644
index 00000000..8ad993cc
--- /dev/null
+++ b/1.1.x/share/www/script/test/cookie_auth.js
@@ -0,0 +1,256 @@
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not
+// use this file except in compliance with the License. You may obtain a copy
+// of the License at
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations under
+// the License.
+couchTests.cookie_auth = function(debug) {
+ // This tests cookie-based authentication.
+ var db = new CouchDB("test_suite_db", {"X-Couch-Full-Commit":"false"});
+ db.deleteDb();
+ db.createDb();
+ if (debug) debugger;
+ // Simple secret key generator
+ function generateSecret(length) {
+ var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+ var secret = '';
+ for (var i=0; i<length; i++) {
+ secret += tab.charAt(Math.floor(Math.random() * 64));
+ }
+ return secret;
+ }
+ // this function will be called on the modified server
+ var testFun = function () {
+ try {
+ // try using an invalid cookie
+ var usersDb = new CouchDB("test_suite_users", {"X-Couch-Full-Commit":"false"});
+ usersDb.deleteDb();
+ usersDb.createDb();
+ // test that the users db is born with the auth ddoc
+ var ddoc ="_design/_auth");
+ T(ddoc.validate_doc_update);
+ // TODO test that changing the config so an existing db becomes the users db installs the ddoc also
+ var password = "3.141592653589";
+ // Create a user
+ var jasonUserDoc = CouchDB.prepareUserDoc({
+ name: "Jason Davies",
+ roles: ["dev"]
+ }, password);
+ T(;
+ var checkDoc =;
+ T( == "Jason Davies");
+ var jchrisUserDoc = CouchDB.prepareUserDoc({
+ name: ""
+ }, "funnybone");
+ T(;
+ // make sure we cant create duplicate users
+ var duplicateJchrisDoc = CouchDB.prepareUserDoc({
+ name: ""
+ }, "eh, Boo-Boo?");
+ try {
+ T(false && "Can't create duplicate user names. Should have thrown an error.");
+ } catch (e) {
+ T(e.error == "conflict");
+ T(usersDb.last_req.status == 409);
+ }
+ // we can't create _names
+ var underscoreUserDoc = CouchDB.prepareUserDoc({
+ name: "_why"
+ }, "copperfield");
+ try {
+ T(false && "Can't create underscore user names. Should have thrown an error.");
+ } catch (e) {
+ T(e.error == "forbidden");
+ T(usersDb.last_req.status == 403);
+ }
+ // we can't create docs with malformed ids
+ var badIdDoc = CouchDB.prepareUserDoc({
+ name: "foo"
+ }, "bar");
+ badIdDoc._id = "org.apache.couchdb:w00x";
+ try {
+ T(false && "Can't create malformed docids. Should have thrown an error.");
+ } catch (e) {
+ T(e.error == "forbidden");
+ T(usersDb.last_req.status == 403);
+ }
+ // login works
+ T(CouchDB.login('Jason Davies', password).ok);
+ T(CouchDB.session() == 'Jason Davies');
+ // JSON login works
+ var xhr = CouchDB.request("POST", "/_session", {
+ headers: {"Content-Type": "application/json"},
+ body: JSON.stringify({
+ name: 'Jason Davies',
+ password: password
+ })
+ });
+ T(JSON.parse(xhr.responseText).ok);
+ T(CouchDB.session() == 'Jason Davies');
+ // update one's own credentials document
+ T(;
+ T(CouchDB.session().userCtx.roles.indexOf("_admin") == -1);
+ // can't delete another users doc unless you are admin
+ try {
+ usersDb.deleteDoc(jchrisUserDoc);
+ T(false && "Can't delete other users docs. Should have thrown an error.");
+ } catch (e) {
+ T(e.error == "forbidden");
+ T(usersDb.last_req.status == 403);
+ }
+ // TODO should login() throw an exception here?
+ T(!CouchDB.login('Jason Davies', "2.71828").ok);
+ T(!CouchDB.login('Robert Allen Zimmerman', 'd00d').ok);
+ // a failed login attempt should log you out
+ T(CouchDB.session() != 'Jason Davies');
+ // test redirect
+ xhr = CouchDB.request("POST", "/_session?next=/", {
+ headers: {"Content-Type": "application/x-www-form-urlencoded"},
+ body: "name=Jason%20Davies&password="+encodeURIComponent(password)
+ });
+ // should this be a redirect code instead of 200?
+ // The cURL adapter is returning the expected 302 here.
+ // I imagine this has to do with whether the client is willing
+ // to follow the redirect, ie, the browser follows and does a
+ // GET on the returned Location
+ if (xhr.status == 200) {
+ T(/Welcome/.test(xhr.responseText));
+ } else {
+ T(xhr.status == 302);
+ T(xhr.getResponseHeader("Location"));
+ }
+ // test users db validations
+ //
+ // test that you can't update docs unless you are logged in as the user (or are admin)
+ T(CouchDB.login("", "funnybone").ok);
+ T(CouchDB.session() == "");
+ T(CouchDB.session().userCtx.roles.length == 0);
+ try {
+ T(false && "Can't update someone else's user doc. Should have thrown an error.");
+ } catch (e) {
+ T(e.error == "forbidden");
+ T(usersDb.last_req.status == 403);
+ }
+ // test that you can't edit roles unless you are admin
+ jchrisUserDoc.roles = ["foo"];
+ try {
+ T(false && "Can't set roles unless you are admin. Should have thrown an error.");
+ } catch (e) {
+ T(e.error == "forbidden");
+ T(usersDb.last_req.status == 403);
+ }
+ T(CouchDB.logout().ok);
+ T(CouchDB.session().userCtx.roles[0] == "_admin");
+ = ["foo"];
+ T(;
+ // test that you can't save system (underscore) roles even if you are admin
+ jchrisUserDoc.roles = ["_bar"];
+ try {
+ T(false && "Can't add system roles to user's db. Should have thrown an error.");
+ } catch (e) {
+ T(e.error == "forbidden");
+ T(usersDb.last_req.status == 403);
+ }
+ // make sure the foo role has been applied
+ T(CouchDB.login("", "funnybone").ok);
+ T(CouchDB.session() == "");
+ T(CouchDB.session().userCtx.roles.indexOf("_admin") == -1);
+ T(CouchDB.session().userCtx.roles.indexOf("foo") != -1);
+ // now let's make jchris a server admin
+ T(CouchDB.logout().ok);
+ T(CouchDB.session().userCtx.roles[0] == "_admin");
+ T(CouchDB.session() == null);
+ // set the -hashed- password so the salt matches
+ // todo ask on the ML about this
+ run_on_modified_server([{section: "admins",
+ key: "", value: "funnybone"}], function() {
+ T(CouchDB.login("", "funnybone").ok);
+ T(CouchDB.session() == "");
+ T(CouchDB.session().userCtx.roles.indexOf("_admin") != -1);
+ // test that jchris still has the foo role
+ T(CouchDB.session().userCtx.roles.indexOf("foo") != -1);
+ // should work even when user doc has no password
+ jchrisUserDoc =;
+ delete jchrisUserDoc.salt;
+ delete jchrisUserDoc.password_sha;
+ T(;
+ T(CouchDB.logout().ok);
+ T(CouchDB.login("", "funnybone").ok);
+ var s = CouchDB.session();
+ T( == "");
+ T(s.userCtx.roles.indexOf("_admin") != -1);
+ // test session info
+ T( == "cookie");
+ T( == "test_suite_users");
+ // test that jchris still has the foo role
+ T(CouchDB.session().userCtx.roles.indexOf("foo") != -1);
+ });
+ } finally {
+ // Make sure we erase any auth cookies so we don't affect other tests
+ T(CouchDB.logout().ok);
+ }
+ };
+ run_on_modified_server(
+ [{section: "httpd",
+ key: "authentication_handlers",
+ value: "{couch_httpd_auth, cookie_authentication_handler}, {couch_httpd_auth, default_authentication_handler}"},
+ {section: "couch_httpd_auth",
+ key: "secret", value: generateSecret(64)},
+ {section: "couch_httpd_auth",
+ key: "authentication_db", value: "test_suite_users"}],
+ testFun
+ );