diff --git a/src/ZGoBackend.hs b/src/ZGoBackend.hs
index f63cae6..6bb9fc7 100644
--- a/src/ZGoBackend.hs
+++ b/src/ZGoBackend.hs
@@ -1100,7 +1100,7 @@ routes pipe config = do
 , "orders" .= toJSON pOrders
 ])
 --Get order by id for receipts
- get "/api/order/:id" $ do
+ get "/order/:id" $ do
 oId <- param "id"
 let r = mkRegex "^[a-f0-9]{24}$"
 if matchTest r oId
@@ -1119,7 +1119,7 @@ routes pipe config = do
 [ "message" .= ("Order found!" :: String)
 , "order" .= toJSON (pOrder :: ZGoOrder)
 ])
- else status noContent204
+ else status badRequest400
 --Get order by session
 get "/api/order" $ do
 sess <- param "session"
@@ -1162,8 +1162,16 @@ routes pipe config = do
 post "/api/order" $ do
 newOrder <- jsonData
 let q = payload (newOrder :: Payload ZGoOrder)
- _ <- liftAndCatchIO $ run (upsertOrder q)
- status created201
+ session <- param "session"
+ user <- liftAndCatchIO $ run (findUser session)
+ case cast' . Doc =<< user of
+ Nothing -> status unauthorized401
+ Just u -> do
+ if uaddress u == qaddress q
+ then do
+ _ <- liftAndCatchIO $ run (upsertOrder q)
+ status created201
+ else status forbidden403
 --Delete order
 Web.Scotty.delete "/api/order/:id" $ do
 oId <- param "id"
diff --git a/test/Spec.hs b/test/Spec.hs
index 463c3bf..0aeb496 100644
--- a/test/Spec.hs
+++ b/test/Spec.hs
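Review bot: `session <- param "session"` in the new POST "/api/order" body has no fallback, so a request that omits the `session` query parameter never reaches the `Nothing -> status unauthorized401` branch; Scotty's `param` raises on a missing parameter, which presumably surfaces as the framework's default error response rather than a 401 unless a handler elsewhere maps it, and the new tests only cover an unknown session, not an absent one. Guarding the lookup with Scotty's `rescue` so an absent parameter falls into the same 401 path would close that gap. The ownership check `uaddress u == qaddress q` compares the caller against the address carried inside the submitted payload, not against whatever order is already stored under the payload's `_id`; if `upsertOrder` (outside the diff) selects by that id, an existing record could be replaced by a payload that reuses its id but carries the caller's own address, so the stored order's owner should be looked up and compared before the upsert. The `do` after `Just u ->` wraps a single `if` expression and can be dropped.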
@@ -326,8 +326,87 @@ main = do
 ]
 res <- httpLBS req
 getResponseStatus res `shouldBe` ok200
- describe "Order endpoints" $ do
- prop "upsert order" testOrderAdd
+ describe "Order endpoints" $
+ --prop "upsert order" testOrderAdd
+ do
+ it "adding order with bad session fails with 401" $ do
+ myTs <- liftIO getCurrentTime
+ let testOrder =
+ ZGoOrder
+ (Just (read "627ab3ea2b05a76be3000011"))
+ "zs1w6nkameazc5gujm69350syl5w8tgvyaphums3pw8eytzy5ym08x7dvskmykkatmwrucmgv3er8e"
+ "35bfb9c2-9ad2-4fe5-adda-99d63b8dcdcd"
+ myTs
+ False
+ "usd"
+ 102.0
+ 0
+ 0
+ []
+ False
+ ""
+ ""
+ req <-
+ testPostJson "/api/order" $
+ A.object ["payload" A..= A.toJSON testOrder]
+ res <-
+ httpLBS $
+ setRequestQueryString
+ [("session", Just "35bfb9c2-9ad2-fake-adda-99d63b8dcdcd")]
+ req
+ getResponseStatus res `shouldBe` unauthorized401
+ it "adding order with mismatched session fails with 403" $ do
+ myTs <- liftIO getCurrentTime
+ let testOrder =
+ ZGoOrder
+ (Just (read "627ab3ea2b05a76be3000011"))
+ "zs1w6nkameazc5gujm69350syl5w8tgvyaphums3pw8eytzy5ym08x7dvskmykkatmwrucmgv3er8e"
+ "35bfb9c2-9ad2-4fe5-adda-99d63b8dcdcd"
+ myTs
+ False
+ "usd"
+ 102.0
+ 0
+ 0
+ []
+ False
+ ""
+ ""
+ req <-
+ testPostJson "/api/order" $
+ A.object ["payload" A..= A.toJSON testOrder]
+ res <-
+ httpLBS $
+ setRequestQueryString
+ [("session", Just "35bfb9c2-9ad2-4fe5-adda-99d63b8dfake")]
+ req
+ getResponseStatus res `shouldBe` forbidden403
+ it "adding order with correct session succeeds" $ do
+ myTs <- liftIO getCurrentTime
+ let testOrder =
+ ZGoOrder
+ (Just (read "627ab3ea2b05a76be3000011"))
+ "zs1w6nkameazc5gujm69350syl5w8tgvyaphums3pw8eytzy5ym08x7dvskmykkatmwrucmgv3er8e"
+ "35bfb9c2-9ad2-4fe5-adda-99d63b8dcdcd"
+ myTs
+ False
+ "usd"
+ 102.0
+ 0
+ 0
+ []
+ False
+ ""
+ ""
+ req <-
+ testPostJson "/api/order" $
+ A.object ["payload" A..= A.toJSON testOrder]
+ res <-
+ httpLBS $
+ setRequestQueryString
+ [("session", Just "35bfb9c2-9ad2-4fe5-adda-99d63b8dcdcd")]
+ req
+ getResponseStatus res `shouldBe` created201
 it "get order by session" $ do
 req <-
 testGet
@@ -335,7 +414,7 @@ main = do
 [("session", Just "35bfb9c2-9ad2-4fe5-adda-99d63b8dcdcd")]
 res <- httpJSON req
 getResponseStatus (res :: Response A.Value) `shouldBe` ok200
- it "get order by session fails when invalid" $ do
+ it "get order by session fails with bad session" $ do
 req <-
 testGet
 "/api/order"
@@ -343,24 +422,15 @@ main = do
 res <- httpLBS req
 getResponseStatus res `shouldBe` unauthorized401
 it "get order by id" $ do
- req <-
- testGet
- "/api/order/627ab3ea2b05a76be3000000"
- [("session", Just "35bfb9c2-9ad2-4fe5-adda-99d63b8dcdcd")]
+ req <- testGet "/order/627ab3ea2b05a76be3000000" []
 res <- httpJSON req
 getResponseStatus (res :: Response A.Value) `shouldBe` ok200
- it "get order with wrong id" $ do
- req <-
- testGet
- "/api/order/6273hrb"
- [("session", Just "35bfb9c2-9ad2-4fe5-adda-99d63b8dcdcd")]
+ it "get order with invalid id fails with 400" $ do
+ req <- testGet "/order/6273hrb" []
 res <- httpLBS req
- getResponseStatus res `shouldBe` noContent204
- it "get order by id fails with bad session" $ do
- req <-
- testGet
- "/api/order/627ab3ea2b05a76be3000000"
- [("session", Just "35bfb9c2-9ad2-4fe5-fake-99d63b8dcdcd")]
+ getResponseStatus res `shouldBe` badRequest400
+ it "get order by id fails with bad token" $ do
+ req <- testGet "/order/627ab3ea2b05a76be3000000" []
 res <- httpLBS req
 getResponseStatus res `shouldBe` unauthorized401
 it "get all orders for owner" $ do
@@ -397,6 +467,14 @@ main = do
 [("session", Just "35bfb9c2-9ad2-4fe5-fake-99d63b8dcdcd")]
 res <- httpLBS req
 getResponseStatus res `shouldBe` unauthorized401
+ it "delete order by id fails with mismatched session" $ do
+ req <-
+ testDelete
+ "/api/order/"
+ "627ab3ea2b05a76be3000000"
+ [("session", Just "35bfb9c2-9ad2-4fe5-adda-99d63b8dfake")]
+ res <- httpLBS req
+ getResponseStatus res `shouldBe` forbidden403
 describe "Item endpoint" $ do
 it "adding item with bad session fails" $ do
 let item =
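Review bot: The three new `it` blocks in the "Order endpoints" group build the same `ZGoOrder` literal line for line and differ only in the session string sent, so a single fixture (a `where`-bound `testOrder`, or a small helper taking the session string and expected status) would leave one place to update when the record's fields change. `(Just (read "627ab3ea2b05a76be3000011"))` goes through the partial `read`; `Text.Read.readMaybe` with an explicit failure would give a clearer message if the literal is ever mistyped. The `forbidden403` expectation presupposes that the session ending in `8dfake` is seeded as a user whose address differs from the order's address — that fixture is not in the hunk, so worth confirming it exists before this test runs. `--prop "upsert order" testOrderAdd` is left commented out rather than removed; if the property is being retired, deleting it (and `testOrderAdd` if now unused) avoids dead code.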
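Review bot: In the `@@ -343,24 +422,15 @@` hunk, "get order by id" and "get order by id fails with bad token" issue the identical request, `testGet "/order/627ab3ea2b05a76be3000000" []`, yet one expects `ok200` and the other `unauthorized401`, so at most one of them can pass unless the handler is stateful. The bad-token case should carry an invalid credential in whatever form the `/order/:id` handler reads it — e.g. `testGet "/order/627ab3ea2b05a76be3000000" [("<token-param>", Just "<invalid-token-placeholder>")]` if it is a query parameter — and the happy-path case a valid one; the handler body is outside this diff, so how the token is transported cannot be confirmed here. The 400 test for `/order/6273hrb` matches the backend change and needs no credential, since the id check runs first.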
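Review bot: The new "delete order by id fails with mismatched session" test expects `forbidden403`, but the backend side of this commit does not modify the `Web.Scotty.delete "/api/order/:id"` handler — it appears only as context in `src/ZGoBackend.hs` — so the test passes only if that handler already compares the session's user against the stored order's owner; its body is outside the diff and cannot be confirmed here. If it does not, the delete route needs the same ownership check the POST handler gained, and for a delete that check has to come from the stored order rather than from anything in the request. The test also assumes the session ending in `8dfake` is seeded as a user with a different address, which is not visible in the hunk.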