loopbackio · austin047 · Mar 30, 2019 · Apr 5, 2019 · Apr 9, 2019 · Apr 29, 2019
@@ -9,6 +9,8 @@ import {OrderRepository, UserRepository} from '../../repositories';
 import {MongoDataSource} from '../../datasources';
 import {User, Order} from '../../models';
 import {setupApplication} from './helper';
+import {JWTAuthenticationService} from '../../services/JWT.authentication.service';
+import {PasswordHasherBindings, JWTAuthenticationBindings} from '../../keys';
 
 describe('UserOrderController acceptance tests', () => {
   let app: ShoppingApplication;
@@ -26,42 +28,139 @@ describe('UserOrderController acceptance tests', () => {
     await app.stop();
   });
 
-  it('creates an order for a user with a given orderId', async () => {
-    const user = await givenAUser();
-    const userId = user.id.toString();
-    const order = givenAOrder({userId: userId, orderId: '1'});
+  describe('Creating new orders for authenticated users', () => {
+    let plainPassword: string;
+    let jwtAuthService: JWTAuthenticationService;
 
-    await client
-      .post(`/users/${userId}/orders`)
-      .send(order)
-      .expect(200, order);
-  });
+    const user = {
+      email: 'loopback@example.com',
+      password: 'p4ssw0rd',
+      firstname: 'Example',
+      surname: 'User',
+    };
 
-  it('creates an order for a user without a given orderId', async () => {
-    const user = await givenAUser();
-    const userId = user.id.toString();
-    const order = givenAOrder({userId: userId});
+    before('create new user for user orders', async () => {
+      app.bind(PasswordHasherBindings.ROUNDS).to(4);
 
-    const res = await client
-      .post(`/users/${userId}/orders`)
-      .send(order)
-      .expect(200);
+      const passwordHasher = await app.get(
+        PasswordHasherBindings.PASSWORD_HASHER,
+      );
+      plainPassword = user.password;
+      user.password = await passwordHasher.hashPassword(user.password);
+      jwtAuthService = await app.get(JWTAuthenticationBindings.SERVICE);
+    });
 
-    expect(res.body.orderId).to.be.a.String();
-    delete res.body.orderId;
-    expect(res.body).to.deepEqual(order);
-  });
+    it('creates an order for a user with a given orderId', async () => {
+      const newUser = await userRepo.create(user);
+      const userId = newUser.id.toString();
+      const order = givenAOrder({userId: userId, orderId: '1'});
+
+      const token = await jwtAuthService.getAccessTokenForUser({
+        email: newUser.email,
+        password: plainPassword,
+      });
+
+      await client
+        .post(`/users/${userId}/orders`)
+        .send(order)
+        .set('Authorization', 'Bearer ' + token)
+        .expect(200, order);
+    });
+
+    it('creates an order for a user without a given orderId', async () => {
+      const newUser = await userRepo.create(user);
+      const userId = newUser.id.toString();
+
+      const token = await jwtAuthService.getAccessTokenForUser({
+        email: newUser.email,
+        password: plainPassword,
+      });
+
+      const order = givenAOrder({userId: userId});
+
+      const res = await client
+        .post(`/users/${userId}/orders`)
+        .send(order)
+        .set('Authorization', 'Bearer ' + token)
+        .expect(200);
+
+      expect(res.body.orderId).to.be.a.String();
+      delete res.body.orderId;
+      expect(res.body).to.deepEqual(order);
+    });
+
+    it('creates an order for a user without a userId in the body', async () => {
+      const newUser = await userRepo.create(user);
+      const userId = newUser.id.toString();
+
+      const token = await jwtAuthService.getAccessTokenForUser({
+        email: newUser.email,
+        password: plainPassword,
+      });
 
-  it('throws an error when a userId in path does not match body', async () => {
-    const user = await givenAUser();
-    const userId = user.id.toString();
-    const order = givenAOrder({userId: 'hello'});
+      const order = givenAOrder();
 
-    await client
-      .post(`/users/${userId}/orders`)
-      .set('Content-Type', 'application/json')
-      .send(order)
-      .expect(400);
+      const res = await client
+        .post(`/users/${userId}/orders`)
+        .send(order)
+        .set('Authorization', 'Bearer ' + token)
+        .expect(200);
+      expect(res.body.orderId).to.be.a.String();
+      expect(res.body.userId).to.equal(userId);
+
+      delete res.body.orderId;
+      delete res.body.userId;
+      delete order.userId;
+
+      expect(res.body).to.deepEqual(order);
+    });
+
+    it('throws an error when a userId in path does not match body', async () => {
+      const newUser = await userRepo.create(user);
+      const userId = newUser.id.toString();
+
+      const token = await jwtAuthService.getAccessTokenForUser({
+        email: newUser.email,
+        password: plainPassword,
+      });
+
+      const order = givenAOrder({userId: 'hello'});
+
+      await client
+        .post(`/users/${userId}/orders`)
+        .set('Content-Type', 'application/json')
+        .set('Authorization', 'Bearer ' + token)
+        .send(order)
+        .expect(400);
+    });
+
+    it('throws an error when a user is not authenticated', async () => {
+      const newUser = await userRepo.create(user);
+      const userId = newUser.id.toString();
+
+      const order = givenAOrder({userId: userId});
+
+      await client
+        .post(`/users/${userId}/orders`)
+        .send(order)
+        .expect(401);
+    });
+
+    it('throws an error when a user with wrong token is provided', async () => {
+      const newUser = await userRepo.create(user);
+      const userId = newUser.id.toString();
+
+      const order = givenAOrder({userId: userId});
+
+      await client
+        .post(`/users/${userId}/orders`)
+        .send(order)
+        .set(
+          'Authorization',
+          'Bearer ' + 'Wrong token - IjoidGVzdEBsb29wYmFjay5p',
+        )
+        .expect(401);
+    });
   });
 
   // TODO(virkt25): Implement after issue below is fixed.
@@ -128,7 +227,6 @@ describe('UserOrderController acceptance tests', () => {
       firstname: 'Example',
       surname: 'User',
     };
-
     return await userRepo.create(user);
   }
 

@@ -15,6 +15,8 @@ import {
   HttpErrors,
 } from '@loopback/rest';
 import {Order} from '../models';
+import {authenticate, UserProfile} from '@loopback/authentication';
+import {inject} from '@loopback/core';
 
 /**
  * Controller for User's Orders
@@ -35,13 +37,29 @@ export class UserOrderController {
       },
     },
   })
+  @authenticate('jwt')
   async createOrder(
     @param.path.string('userId') userId: string,
+    @inject('authentication.currentUser') currentUser: UserProfile,
     @requestBody() order: Order,
   ): Promise<Order> {
-    if (userId !== order.userId) {
+    if (order.userId) {
+      if (currentUser.id !== order.userId) {
+        throw new HttpErrors.BadRequest(
+          `User id does not match looged in user: ${order.userId} !== ${
+            currentUser.id
+          }`,
+        );
+      }
+      delete order.userId;
+      return await this.userRepo.orders(userId).create(order);
+    }
+
+    if (currentUser.id !== userId) {
       throw new HttpErrors.BadRequest(
-        `User id does not match: ${userId} !== ${order.userId}`,
+        `User id does not match looged in user: ${userId} !== ${
+          currentUser.id
+        }`,
       );
     }
     delete order.userId;