fix tests that require session authentication

test/api/v3/integration/dataexport/GET-export_history.csv.test.js

@@ -1,4 +1,3 @@
-// TODO how to test this route since it uses session authentication?
 import {
   generateUser,
 } from '../../../../helpers/api-v3-integration.helper';

test/api/v3/integration/dataexport/GET-export_userdata.json.test.js

@@ -1,4 +1,3 @@
-// TODO how to test this route since it uses session authentication?
 import {
   generateUser,
 } from '../../../../helpers/api-v3-integration.helper';

test/api/v3/integration/dataexport/GET-export_userdata.xml.test.js

@@ -1,4 +1,3 @@
-// TODO how to test this route since it uses session authentication?
 import {
   generateUser,
 } from '../../../../helpers/api-v3-integration.helper';

test/helpers/api-integration/requester.js

@@ -22,6 +22,10 @@ requester.setApiVersion = (version) => {
   apiVersion = version;
 };
 
+// save the last cookie so that it's resent with every request
+// should be safe since every time a user is generated this will be overwritten
+let cookie;
+
 function _requestMaker (user, method, additionalSets) {
   if (!apiVersion) throw new Error('apiVersion not set');
 
@@ -36,6 +40,11 @@ function _requestMaker (user, method, additionalSets) {
           .set('x-api-key', user.apiToken);
       }
 
+      // if we previously saved a cookie, send it along the request
+      if (cookie) {
+        request.set('Cookie', cookie);
+      }
+
       if (additionalSets) {
         request.set(additionalSets);
       }
@@ -52,6 +61,13 @@ function _requestMaker (user, method, additionalSets) {
             reject(parsedError);
           }
 
+          // if any cookies was sent, save it for the next request
+          if (response.headers['set-cookie']) {
+            cookie = response.headers['set-cookie'].map(cookieString => {
+              return cookieString.split(';')[0];
+            }).join('; ');
+          }
+
           let contentType = response.headers['content-type'] || '';
           resolve(contentType.indexOf('json') !== -1 ? response.body : response.text);
         });

website/src/middlewares/api-v3/auth.js

@@ -30,7 +30,6 @@ export function authWithHeaders (optional = false) {
 
       res.locals.user = user;
       // TODO use either session/cookie or headers, not both
-      req.session = req.session || {};
       req.session.userId = user._id;
       next();
     })
@@ -41,7 +40,7 @@ export function authWithHeaders (optional = false) {
 // Authenticate a request through a valid session
 // TODO should use json web token
 export function authWithSession (req, res, next) {
-  let userId = req.session && req.session.userId;
+  let userId = req.session.userId;
 
   if (!userId) return next(new NotAuthorized(i18n.t('invalidCredentials')));
 

website/src/middlewares/api-v3/index.js

@@ -10,10 +10,14 @@ import nconf from 'nconf';
 import morgan from 'morgan';
 import responseHandler from './response';
 import setupBody from './setupBody';
+import cookieSession from 'cookie-session';
 
 const IS_PROD = nconf.get('IS_PROD');
 const DISABLE_LOGGING = nconf.get('DISABLE_REQUEST_LOGGING');
 
+const SESSION_SECRET = nconf.get('SESSION_SECRET');
+const TWO_WEEKS = 1000 * 60 * 60 * 24 * 14;
+
 export default function attachMiddlewares (app) {
   if (!IS_PROD && !DISABLE_LOGGING) app.use(morgan('dev'));
 
@@ -22,6 +26,12 @@ export default function attachMiddlewares (app) {
     extended: true, // Uses 'qs' library as old connect middleware
   }));
   app.use(bodyParser.json());
+  app.use(cookieSession({
+    name: 'connect:sess', // Used to keep backward compatibility with Express 3 cookies
+    secret: SESSION_SECRET,
+    httpOnly: false, // TODO this should be true for security, what about https only?
+    maxAge: TWO_WEEKS,
+  }));
   app.use(expressValidator());
   app.use(analytics);
   app.use(setupBody);