test(user): added more specs to user api

src/controllers/user.ts

@@ -174,7 +174,14 @@ const updateUser = async (
 ): Promise<UserDetailsResponse> => {
   const { displayName, username, password, isAdmin, isActive } = data
 
-  const params: any = { displayName, username, isAdmin, isActive }
+  const params: any = { displayName, isAdmin, isActive }
+
+  if (username) {
+    // Checking if user is already in the database
+    const usernameExist = await User.findOne({ username })
+    if (usernameExist?.id != id) throw new Error('Username already exists.')
+    params.username = username
+  }
 
   if (password) {
     // Hash passwords

src/routes/api/spec/user.spec.ts

@@ -22,10 +22,11 @@ const user = {
   isActive: true
 }
 
+const controller = new UserController()
+
 describe('user', () => {
   let con: Mongoose
   let mongoServer: MongoMemoryServer
-  const controller = new UserController()
 
   beforeAll(async () => {
     mongoServer = await MongoMemoryServer.create()
@@ -42,23 +43,11 @@ describe('user', () => {
     let adminAccessToken: string
 
     beforeEach(async () => {
-      const dbUser = await controller.createUser(adminUser)
-      adminAccessToken = generateAccessToken({
-        clientId,
-        userId: dbUser.id
-      })
-      await saveTokensInDB(
-        dbUser.id,
-        clientId,
-        adminAccessToken,
-        'refreshToken'
-      )
+      adminAccessToken = await generateSaveTokenAndCreateUser()
     })
 
     afterEach(async () => {
-      const collections = mongoose.connection.collections
-      const collection = collections['users']
-      await collection.deleteMany({})
+      await deleteAllUsers()
     })
 
     it('should respond with new user', async () => {
@@ -84,7 +73,7 @@ describe('user', () => {
       expect(res.body).toEqual({})
     })
 
-    it('should respond with Forbideen if access token is not of an admin account', async () => {
+    it('should respond with Unauthorized if access token is not of an admin account', async () => {
       const dbUser = await controller.createUser(user)
       const accessToken = generateAccessToken({
         clientId,
@@ -157,4 +146,369 @@ describe('user', () => {
       expect(res.body).toEqual({})
     })
   })
+
+  describe('update', () => {
+    let adminAccessToken: string
+
+    beforeEach(async () => {
+      adminAccessToken = await generateSaveTokenAndCreateUser()
+    })
+
+    afterEach(async () => {
+      await deleteAllUsers()
+    })
+
+    it('should respond with updated user when admin user requests', async () => {
+      const dbUser = await controller.createUser(user)
+      const newDisplayName = 'My new display Name'
+
+      const res = await request(app)
+        .patch(`/SASjsApi/user/${dbUser.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({ ...user, displayName: newDisplayName })
+        .expect(200)
+
+      expect(res.body.username).toEqual(user.username)
+      expect(res.body.displayName).toEqual(newDisplayName)
+      expect(res.body.isAdmin).toEqual(user.isAdmin)
+      expect(res.body.isActive).toEqual(user.isActive)
+    })
+
+    it('should respond with updated user when user himself requests', async () => {
+      const dbUser = await controller.createUser(user)
+      const accessToken = await generateAndSaveToken(dbUser.id)
+      const newDisplayName = 'My new display Name'
+
+      const res = await request(app)
+        .patch(`/SASjsApi/user/${dbUser.id}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send({
+          displayName: newDisplayName,
+          username: user.username,
+          password: user.password
+        })
+        .expect(200)
+
+      expect(res.body.username).toEqual(user.username)
+      expect(res.body.displayName).toEqual(newDisplayName)
+      expect(res.body.isAdmin).toEqual(user.isAdmin)
+      expect(res.body.isActive).toEqual(user.isActive)
+    })
+
+    it('should respond with Bad Request, only admin can update isAdmin/isActive', async () => {
+      const dbUser = await controller.createUser(user)
+      const accessToken = await generateAndSaveToken(dbUser.id)
+      const newDisplayName = 'My new display Name'
+
+      await request(app)
+        .patch(`/SASjsApi/user/${dbUser.id}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send({ ...user, displayName: newDisplayName })
+        .expect(400)
+    })
+
+    it('should respond with Unauthorized if access token is not present', async () => {
+      const res = await request(app)
+        .patch('/SASjsApi/user/1234')
+        .send(user)
+        .expect(401)
+
+      expect(res.text).toEqual('Unauthorized')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Unauthorized when access token is not of an admin account or himself', async () => {
+      const dbUser1 = await controller.createUser(user)
+      const dbUser2 = await controller.createUser({
+        ...user,
+        username: 'randomUser'
+      })
+      const accessToken = await generateAndSaveToken(dbUser2.id)
+
+      const res = await request(app)
+        .patch(`/SASjsApi/user/${dbUser1.id}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send(user)
+        .expect(401)
+
+      expect(res.text).toEqual('Admin account required')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Forbidden if username is already present', async () => {
+      const dbUser1 = await controller.createUser(user)
+      const dbUser2 = await controller.createUser({
+        ...user,
+        username: 'randomUser'
+      })
+
+      const res = await request(app)
+        .patch(`/SASjsApi/user/${dbUser1.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({ username: dbUser2.username })
+        .expect(403)
+
+      expect(res.text).toEqual('Error: Username already exists.')
+      expect(res.body).toEqual({})
+    })
+  })
+
+  describe('delete', () => {
+    let adminAccessToken: string
+
+    beforeEach(async () => {
+      adminAccessToken = await generateSaveTokenAndCreateUser()
+    })
+
+    afterEach(async () => {
+      await deleteAllUsers()
+    })
+
+    it('should respond with OK when admin user requests', async () => {
+      const dbUser = await controller.createUser(user)
+
+      const res = await request(app)
+        .delete(`/SASjsApi/user/${dbUser.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with OK when user himself requests', async () => {
+      const dbUser = await controller.createUser(user)
+      const accessToken = await generateAndSaveToken(dbUser.id)
+
+      const res = await request(app)
+        .delete(`/SASjsApi/user/${dbUser.id}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send({ password: user.password })
+        .expect(200)
+
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request when user himself requests and password is missing', async () => {
+      const dbUser = await controller.createUser(user)
+      const accessToken = await generateAndSaveToken(dbUser.id)
+
+      const res = await request(app)
+        .delete(`/SASjsApi/user/${dbUser.id}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send()
+        .expect(400)
+
+      expect(res.text).toEqual(`"password" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Unauthorized when access token is not present', async () => {
+      const res = await request(app)
+        .delete('/SASjsApi/user/1234')
+        .send(user)
+        .expect(401)
+
+      expect(res.text).toEqual('Unauthorized')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Unauthorized when access token is not of an admin account or himself', async () => {
+      const dbUser1 = await controller.createUser(user)
+      const dbUser2 = await controller.createUser({
+        ...user,
+        username: 'randomUser'
+      })
+      const accessToken = await generateAndSaveToken(dbUser2.id)
+
+      const res = await request(app)
+        .delete(`/SASjsApi/user/${dbUser1.id}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send(user)
+        .expect(401)
+
+      expect(res.text).toEqual('Admin account required')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Forbidden when user himself requests and password is incorrect', async () => {
+      const dbUser = await controller.createUser(user)
+      const accessToken = await generateAndSaveToken(dbUser.id)
+
+      const res = await request(app)
+        .delete(`/SASjsApi/user/${dbUser.id}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send({ password: 'incorrectpassword' })
+        .expect(403)
+
+      expect(res.text).toEqual('Error: Invalid password.')
+      expect(res.body).toEqual({})
+    })
+  })
+
+  describe('get', () => {
+    let adminAccessToken: string
+
+    beforeEach(async () => {
+      adminAccessToken = await generateSaveTokenAndCreateUser()
+    })
+
+    afterEach(async () => {
+      await deleteAllUsers()
+    })
+
+    it('should respond with user', async () => {
+      const dbUser = await controller.createUser(user)
+      const userId = dbUser.id
+
+      const res = await request(app)
+        .get(`/SASjsApi/user/${userId}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send(user)
+        .expect(200)
+
+      expect(res.body.username).toEqual(user.username)
+      expect(res.body.displayName).toEqual(user.displayName)
+      expect(res.body.isAdmin).toEqual(user.isAdmin)
+      expect(res.body.isActive).toEqual(user.isActive)
+    })
+
+    it('should respond with user when access token is not of an admin account', async () => {
+      const accessToken = await generateSaveTokenAndCreateUser({
+        ...user,
+        username: 'randomUser'
+      })
+
+      const dbUser = await controller.createUser(user)
+      const userId = dbUser.id
+
+      const res = await request(app)
+        .get(`/SASjsApi/user/${userId}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send(user)
+        .expect(200)
+
+      expect(res.body.username).toEqual(user.username)
+      expect(res.body.displayName).toEqual(user.displayName)
+      expect(res.body.isAdmin).toEqual(user.isAdmin)
+      expect(res.body.isActive).toEqual(user.isActive)
+    })
+
+    it('should respond with Unauthorized if access token is not present', async () => {
+      const res = await request(app)
+        .get('/SASjsApi/user/1234')
+        .send(user)
+        .expect(401)
+
+      expect(res.text).toEqual('Unauthorized')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Forbidden if userId is incorrect', async () => {
+      await controller.createUser(user)
+
+      const res = await request(app)
+        .get('/SASjsApi/user/1234')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send(user)
+        .expect(403)
+
+      expect(res.text).toEqual('Error: User is not found.')
+      expect(res.body).toEqual({})
+    })
+  })
+
+  describe('getAll', () => {
+    let adminAccessToken: string
+
+    beforeEach(async () => {
+      adminAccessToken = await generateSaveTokenAndCreateUser()
+    })
+
+    afterEach(async () => {
+      await deleteAllUsers()
+    })
+
+    it('should respond with all users', async () => {
+      await controller.createUser(user)
+
+      const res = await request(app)
+        .get('/SASjsApi/user')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send(user)
+        .expect(200)
+
+      expect(res.body).toEqual([
+        {
+          id: expect.anything(),
+          username: adminUser.username,
+          displayName: adminUser.displayName
+        },
+        {
+          id: expect.anything(),
+          username: user.username,
+          displayName: user.displayName
+        }
+      ])
+    })
+
+    it('should respond with all users when access token is not of an admin account', async () => {
+      const accessToken = await generateSaveTokenAndCreateUser({
+        ...user,
+        username: 'randomUser'
+      })
+
+      const res = await request(app)
+        .get('/SASjsApi/user')
+        .auth(accessToken, { type: 'bearer' })
+        .send(user)
+        .expect(200)
+
+      expect(res.body).toEqual([
+        {
+          id: expect.anything(),
+          username: adminUser.username,
+          displayName: adminUser.displayName
+        },
+        {
+          id: expect.anything(),
+          username: 'randomUser',
+          displayName: user.displayName
+        }
+      ])
+    })
+
+    it('should respond with Unauthorized if access token is not present', async () => {
+      const res = await request(app)
+        .get('/SASjsApi/user')
+        .send(user)
+        .expect(401)
+
+      expect(res.text).toEqual('Unauthorized')
+      expect(res.body).toEqual({})
+    })
+  })
 })
+
+const generateSaveTokenAndCreateUser = async (
+  someUser?: any
+): Promise<string> => {
+  const dbUser = await controller.createUser(someUser ?? adminUser)
+
+  return generateAndSaveToken(dbUser.id)
+}
+
+const generateAndSaveToken = async (userId: number) => {
+  const adminAccessToken = generateAccessToken({
+    clientId,
+    userId
+  })
+  await saveTokensInDB(userId, clientId, adminAccessToken, 'refreshToken')
+  return adminAccessToken
+}
+
+const deleteAllUsers = async () => {
+  const { collections } = mongoose.connection
+  const collection = collections['users']
+  await collection.deleteMany({})
+}