diff --git a/packages/core/admin/server/services/api-token.js b/packages/core/admin/server/services/api-token.js
index 19ba613f10..28d3c9b235 100644
--- a/packages/core/admin/server/services/api-token.js
+++ b/packages/core/admin/server/services/api-token.js
@@ -48,6 +48,8 @@ const SELECT_FIELDS = [
 /** @constant {Array} */
 const POPULATE_FIELDS = ['permissions'];
 
+// TODO: we need to ensure the permissions are actually valid registered permissions!
+
 /**
  * Assert that a token's permissions attribute is valid for its type
  *
diff --git a/packages/core/admin/server/tests/admin-api-token-usage.test.e2e.js b/packages/core/admin/server/tests/admin-api-token-usage.test.e2e.js
new file mode 100644
index 0000000000..09ae788b7d
--- /dev/null
+++ b/packages/core/admin/server/tests/admin-api-token-usage.test.e2e.js
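Review bot: The TODO added after `POPULATE_FIELDS` records that token permissions are not checked against the registered permission set, but it leaves the gap in place with no owner or tracking, and the docstring of the assertion helper that follows (its body is outside the hunk) still reads as if validity were fully asserted. Until that check exists, an API token created or updated with an arbitrary action string is presumably stored as-is; whether such a string can later match anything at enforcement time cannot be determined from this hunk. I would at least make the comment actionable and explicit about the consequence: `// TODO(api-token): validate every permissions entry against the registered permission actions before persisting; unknown action strings are currently accepted and stored.` If the permission registry is reachable from this service, the check belongs in the assertion helper documented just below rather than in a comment.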
@@ -0,0 +1,67 @@
+'use strict';
+
+const { createStrapiInstance } = require('../../../../../test/helpers/strapi');
+const { createAuthRequest } = require('../../../../../test/helpers/request');
+
+describe('Admin API Token v2 usage (e2e)', () => {
+ // let rq;
+ // let strapi;
+
+ // const deleteAllTokens = async () => {
+ // const tokens = await strapi.admin.services['api-token'].list();
+ // const promises = [];
+ // tokens.forEach(({ id }) => {
+ // promises.push(strapi.admin.services['api-token'].revoke(id));
+ // });
+ // await Promise.all(promises);
+ // };
+
+ // // Initialization Actions
+ // beforeAll(async () => {
+ // strapi = await createStrapiInstance();
+ // rq = await createAuthRequest({ strapi });
+
+ // // delete tokens
+ // await deleteAllTokens();
+ // });
+
+ // // Cleanup actions
+ // afterAll(async () => {
+ // await strapi.destroy();
+ // });
+
+ // // create a predictable valid token that we can test with (delete, list, etc)
+ // let currentTokens = 0;
+ // const createValidToken = async (token = {}) => {
+ // const body = {
+ // type: 'read-only',
+ // // eslint-disable-next-line no-plusplus
+ // name: `token_${String(currentTokens++)}`,
+ // description: 'generic description',
+ // ...token,
+ // };
+
+ // const req = await rq({
+ // url: '/admin/api-tokens',
+ // method: 'POST',
+ // body,
+ // });
+
+ // expect(req.status).toEqual(201);
+ // return req.body.data;
+ // };
+
+ // const makeRequest = async () => {};
+
+ // test('Token can be used to access resource it has permissions for', async () => {
+ // const token = await createValidToken({ type: 'read-only' });
+ // });
+ // test("Token can't access resource it doesn't have permission for", async () => {
+ // const token = await createValidToken({ type: 'read-only' });
+ // });
+
+ test.todo('Regenerated access key works');
+ test.todo('Custom tokens access content for which they are authorized');
+ test.todo('Custom tokens fail to access content for which they are not authorized');
+ test.todo("Expired token can't be used");
+});
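Review bot: The security-relevant assertions — that a custom token cannot read content it is not authorized for and that an expired token is rejected — are committed here only as `test.todo` placeholders, so the suite stays green while none of the API-token authorization paths are actually exercised. The roughly fifty lines of commented-out scaffolding (`deleteAllTokens`, the `beforeAll`/`afterAll` hooks, `createValidToken`, the empty `makeRequest` stub, and the two half-written `test(...)` bodies that create a token and then assert nothing) should either be made live or dropped, since commented-out code is invisible to lint and drifts from the helpers it calls. I would implement the negative case first: a passing "authorized" test cannot distinguish a correctly scoped token from one that grants everything, whereas a request that must come back 401/403 pins the enforcement path. If the scaffolding is kept, a one-line comment at the top stating why it is disabled and what blocks it would help the next person, e.g. `// Setup disabled until token-scoped requests are supported by the test request helper — see test.todo entries below.`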