diff --git a/test/api/v3/integration/tasks/POST-create_task.test.js b/test/api/v3/integration/tasks/POST-create_task.test.js
new file mode 100644
index 0000000000..ebf3936ad3
--- /dev/null
+++ b/test/api/v3/integration/tasks/POST-create_task.test.js
@@ -0,0 +1,31 @@
+import {
+ generateUser,
+ requester,
+ translate as t,
+} from '../../../../helpers/api-integration.helper';
+import { v4 as generateRandomUserName } from 'uuid';
+import { each } from 'lodash';
+
+describe('POST /tasks', () => {
+ let user;
+ let api;
+
+ before(() => {
+ return generateUser().then((generatedUser) => {
+ user = generatedUser;
+ api = requester(user);
+ });
+ });
+
+ context('checks "type" is present and a valid value', () => {
+ it('returns an error if req.body.type is absent', () => {
+ expect(api.post('/tasks', {
+ notType: 'habit',
+ })).to.eventually.be.rejected.and.eql({
+ code: 400,
+ error: 'BadRequest',
+ message: t('invalidReqParams'),
+ });
+ });
+ });
+});
diff --git a/website/src/controllers/api-v3/auth.js b/website/src/controllers/api-v3/auth.js
index 7e7668ff9a..7a818d9877 100644
--- a/website/src/controllers/api-v3/auth.js
+++ b/website/src/controllers/api-v3/auth.js
@@ -44,7 +44,6 @@ api.registerLocal = {
 });
 let validationErrors = req.validationErrors();
- if (validationErrors) return next(validationErrors);
 let { email, username, password } = req.body;
@@ -152,7 +151,6 @@ api.loginLocal = {
 });
 let validationErrors = req.validationErrors();
- if (validationErrors) return next(validationErrors);
 req.sanitizeBody('username').trim();
diff --git a/website/src/controllers/api-v3/tasks.js b/website/src/controllers/api-v3/tasks.js
index bbe050f141..41177e3ad0 100644
--- a/website/src/controllers/api-v3/tasks.js
+++ b/website/src/controllers/api-v3/tasks.js
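Review bot: The promise assertion inside `it('returns an error if req.body.type is absent', …)` is neither returned nor awaited, so mocha ends the test before the rejection is examined and a wrong status code or message would not fail it; change that line to `return expect(api.post('/tasks', {` so the `eventually` chain is waited on. `generateRandomUserName` and `each` are imported from `uuid` and `lodash` but never used in the file, so those two import lines can be dropped. The `context` title promises a check that the type is a valid value, but only the absent-type case is covered; a second `it` that sends an unknown type would make the suite match its description.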
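Review bot: After the registerLocal hunk `validationErrors` is computed but never acted on, and the loginLocal hunk below does the same, so the `checkBody` rules that precede `req.validationErrors()` no longer stop the request and email, username and password reach the rest of the handler unvalidated. If validation is meant to move into shared middleware, that middleware is not part of this diff; otherwise keep `if (validationErrors) return next(validationErrors);` in both handlers, as the tasks.js hunks of this same commit do. Both handler bodies continue outside their hunks.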
@@ -25,6 +25,9 @@ api.createTask = {
 handler (req, res, next) {
 req.checkBody('type', res.t('invalidTaskType')).notEmpty().isIn(Tasks.tasksTypes);
+ let validationErrors = req.validationErrors();
+ if (validationErrors) return next(validationErrors);
+
 let user = res.locals.user;
 let taskType = req.body.type;
@@ -60,6 +63,9 @@ api.getTasks = {
 handler (req, res, next) {
 req.checkQuery('type', res.t('invalidTaskType')).isIn(Tasks.tasksTypes);
+ let validationErrors = req.validationErrors();
+ if (validationErrors) return next(validationErrors);
+
 let user = res.locals.user;
 let query = {userId: user._id};
 let type = req.query.type;
@@ -115,6 +121,9 @@ api.getTask = {
 req.checkParams('taskId', res.t('taskIdRequired')).notEmpty().isUUID();
+ let validationErrors = req.validationErrors();
+ if (validationErrors) return next(validationErrors);
+
 Tasks.Task.findOne({
 _id: req.params.taskId,
 userId: user._id,
@@ -147,6 +156,9 @@ api.updateTask = {
 req.checkParams('taskId', res.t('taskIdRequired')).notEmpty().isUUID();
 // TODO check that req.body isn't empty
+ let validationErrors = req.validationErrors();
+ if (validationErrors) return next(validationErrors);
+
 Tasks.Task.findOne({
 _id: req.params.taskId,
 userId: user._id,
@@ -188,6 +200,9 @@ api.scoreTask = {
 req.checkParams('taskId', res.t('taskIdRequired')).notEmpty().isUUID();
 req.checkParams('direction', res.t('directionUpDown')).notEmpty().isIn(['up', 'down']);
+ let validationErrors = req.validationErrors();
+ if (validationErrors) return next(validationErrors);
+
 let user = res.locals.user;
 Tasks.Task.findOne({
@@ -223,6 +238,9 @@ api.moveTask = {
 req.checkParams('taskId', res.t('taskIdRequired')).notEmpty().isUUID();
 req.checkParams('position', res.t('positionRequired')).notEmpty().isNumeric();
+ let validationErrors = req.validationErrors();
+ if (validationErrors) return next(validationErrors);
+
 let user = res.locals.user;
 let to = Number(req.params.position);
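Review bot: The pair `let validationErrors = req.validationErrors(); if (validationErrors) return next(validationErrors);` is pasted verbatim into every handler of this file (createTask, getTasks, getTask, updateTask, scoreTask and moveTask here, and the five checklist and delete handlers that follow), which is the kind of repetition that gets forgotten when the next route is added. A small helper that calls `req.validationErrors()` and hands any result to `next`, invoked once after the `check*` rules in each handler, would keep the gate in one place. Every one of these handlers continues past its hunk.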
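Review bot: In the getTasks hunk, `req.checkQuery('type', …).isIn(Tasks.tasksTypes)` carries no `.optional()`, so with the new short-circuit a `GET /tasks` without a `type` query parameter is answered with the validation error instead of reaching `let type = req.query.type;`, where an absent filter may previously have been tolerated. If listing all of a user's tasks without a filter is intended, the rule should read `req.checkQuery('type', res.t('invalidTaskType')).optional().isIn(Tasks.tasksTypes);`; if the parameter is meant to be required, adding `.notEmpty()` as createTask does would make that explicit. The handler continues past the hunk.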
@@ -274,6 +292,9 @@ api.addChecklistItem = {
 req.checkParams('taskId', res.t('taskIdRequired')).notEmpty().isUUID();
 // TODO check that req.body isn't empty and is an array
+ let validationErrors = req.validationErrors();
+ if (validationErrors) return next(validationErrors);
+
 Tasks.Task.findOne({
 _id: req.params.taskId,
 userId: user._id,
@@ -311,6 +332,9 @@ api.scoreCheckListItem = {
 req.checkParams('taskId', res.t('taskIdRequired')).notEmpty().isUUID();
 req.checkParams('itemId', res.t('itemIdRequired')).notEmpty().isUUID();
+ let validationErrors = req.validationErrors();
+ if (validationErrors) return next(validationErrors);
+
 Tasks.Task.findOne({
 _id: req.params.taskId,
 userId: user._id,
@@ -351,6 +375,9 @@ api.updateChecklistItem = {
 req.checkParams('taskId', res.t('taskIdRequired')).notEmpty().isUUID();
 req.checkParams('itemId', res.t('itemIdRequired')).notEmpty().isUUID();
+ let validationErrors = req.validationErrors();
+ if (validationErrors) return next(validationErrors);
+
 Tasks.Task.findOne({
 _id: req.params.taskId,
 userId: user._id,
@@ -392,6 +419,9 @@ api.removeChecklistItem = {
 req.checkParams('taskId', res.t('taskIdRequired')).notEmpty().isUUID();
 req.checkParams('itemId', res.t('itemIdRequired')).notEmpty().isUUID();
+ let validationErrors = req.validationErrors();
+ if (validationErrors) return next(validationErrors);
+
 Tasks.Task.findOne({
 _id: req.params.taskId,
 userId: user._id,
@@ -446,6 +476,9 @@ api.deleteTask = {
 req.checkParams('taskId', res.t('taskIdRequired')).notEmpty().isUUID();
+ let validationErrors = req.validationErrors();
+ if (validationErrors) return next(validationErrors);
+
 Tasks.Task.findOne({
 _id: req.params.taskId,
 userId: user._id,
diff --git a/website/src/middlewares/api-v3/auth.js b/website/src/middlewares/api-v3/auth.js
index f2158278bf..6c1991f460 100644
--- a/website/src/middlewares/api-v3/auth.js
+++ b/website/src/middlewares/api-v3/auth.js
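Review bot: The gate added in the addChecklistItem hunk covers only `taskId`; the `// TODO check that req.body isn't empty and is an array` directly above it is still open, so the request body reaches the task update unvalidated (its use lies outside the hunk), and the updateTask hunk in the preceding part of this file carries the same open TODO. Declaring the body rules with `req.checkBody` before `req.validationErrors()` would let them share the new short-circuit rather than needing a second gate later in the handler. Both handlers continue past their hunks.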
@@ -11,8 +11,8 @@ import {
 // If optional is true, don't error on missing authentication
 export function authWithHeaders (optional = false) {
 return function authWithHeadersHandler (req, res, next) {
- let userId = req.header['x-api-user'];
- let apiToken = req.header['x-api-key'];
+ let userId = req.header('x-api-user');
+ let apiToken = req.header('x-api-key');
 if (!userId || !apiToken) {
 if (optional) return next();
@@ -30,6 +30,7 @@ export function authWithHeaders (optional = false) {
 res.locals.user = user;
 // TODO use either session/cookie or headers, not both
+ req.session = req.session || {};
 req.session.userId = user._id;
 next();
 })
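Review bot: `req.session = req.session || {};` in the second hunk makes the following `req.session.userId = user._id;` write into a throwaway object whenever no session middleware is mounted on the route, so the assignment silently does nothing and a missing middleware is never surfaced; a guarded write, `if (req.session) req.session.userId = user._id;`, keeps the intent visible without inventing a session. Given the TODO just above it about using either session or headers, it is also worth confirming that a request authenticated by API key is meant to populate a cookie session at all. The enclosing handler continues outside the hunk.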