Expose /api/SecurityQuestions for GET only

qauni · May 30, 2017 · 040e724 · 040e724
1 parent 3eaaee4
commit 040e724
Show file tree

Hide file tree

Showing 3 changed files with 76 additions and 2 deletions.
diff --git a/data/datacreator.js b/data/datacreator.js
@@ -608,7 +608,34 @@ module.exports = function () {
 
   function createSecurityQuestions () {
     models.SecurityQuestion.create({
-      question: 'What is your eldest siblings middle name?'
+      question: 'Your eldest siblings middle name?'
+    })
+    models.SecurityQuestion.create({
+      question: 'Mother\'s maiden name?'
+    })
+    models.SecurityQuestion.create({
+      question: 'Mother\'s birth date? (MM/DD/YY)'
+    })
+    models.SecurityQuestion.create({
+      question: 'Father\'s birth date? (MM/DD/YY)'
+    })
+    models.SecurityQuestion.create({
+      question: 'Maternal grandmother\'s first name?'
+    })
+    models.SecurityQuestion.create({
+      question: 'Paternal grandmother\'s first name?'
+    })
+    models.SecurityQuestion.create({
+      question: 'Name of your favorite pet?'
+    })
+    models.SecurityQuestion.create({
+      question: 'Last name of dentist when you were a teenager? (Do not include \'Dr.\')'
+    })
+    models.SecurityQuestion.create({
+      question: 'Your ZIP/postal code when you were a teenager?'
+    })
+    models.SecurityQuestion.create({
+      question: 'Company you first work for as an adult?'
     })
   }
 

diff --git a/server.js b/server.js
@@ -136,6 +136,9 @@ app.use('/api/Complaints/:id', insecurity.denyAll())
 app.get('/api/Recycles', insecurity.isAuthorized())
 app.post('/api/Recycles', insecurity.isAuthorized())
 app.use('/api/Recycles/:id', insecurity.denyAll())
+/* SecurityQuestions: Only GET list of questions allowed. */
+app.post('/api/SecurityQuestions', insecurity.denyAll())
+app.use('/api/SecurityQuestions/:id', insecurity.denyAll())
 /* REST API */
 app.use('/rest/user/authentication-details', insecurity.isAuthorized())
 app.use('/rest/basket/:id', insecurity.isAuthorized())
@@ -149,7 +152,7 @@ app.use(verify.databaseRelatedChallenges())
 /* Sequelize Restful APIs */
 app.use(restful(models.sequelize, {
   endpoint: '/api',
-  allowed: [ 'Users', 'Products', 'Feedbacks', 'BasketItems', 'Challenges', 'Complaints', 'Recycles' ]
+  allowed: [ 'Users', 'Products', 'Feedbacks', 'BasketItems', 'Challenges', 'Complaints', 'Recycles', 'SecurityQuestions' ]
 }))
 /* Custom Restful API */
 app.post('/rest/user/login', login())

diff --git a/test/server/securityQuestionApiSpec.js b/test/server/securityQuestionApiSpec.js
@@ -0,0 +1,44 @@
+var frisby = require('frisby')
+var insecurity = require('../../lib/insecurity')
+
+var API_URL = 'http://localhost:3000/api'
+
+var authHeader = { 'Authorization': 'Bearer ' + insecurity.authorize() }
+
+frisby.create('GET all security questions ')
+  .get(API_URL + '/SecurityQuestions')
+  .expectStatus(200)
+  .expectHeaderContains('content-type', 'application/json')
+  .expectJSONTypes('data.*', {
+    id: Number,
+    question: String
+  })
+  .toss()
+
+frisby.create('GET existing security question by id is forbidden via public API even when authenticated')
+  .addHeaders(authHeader)
+  .get(API_URL + '/SecurityQuestions/1')
+  .expectStatus(401)
+  .toss()
+
+frisby.create('POST new security question is forbidden via public API even when authenticated')
+  .addHeaders(authHeader)
+  .post(API_URL + '/SecurityQuestions', {
+    question: 'Your own first name?'
+  })
+  .expectStatus(401)
+  .toss()
+
+frisby.create('PUT update existing security question is forbidden via public API even when authenticated')
+  .addHeaders(authHeader)
+  .put(API_URL + '/SecurityQuestions/1', {
+    question: 'Your own first name?'
+  }, { json: true })
+  .expectStatus(401)
+  .toss()
+
+frisby.create('DELETE existing security question is forbidden via public API even when authenticated')
+  .addHeaders(authHeader)
+  .delete(API_URL + '/SecurityQuestions/1')
+  .expectStatus(401)
+  .toss()