debian-mirror-gitlab/spec/requests/api/graphql_spec.rb

# frozen_string_literal: true
require 'spec_helper'

describe 'GraphQL' do
  include GraphqlHelpers

  let(:query) { graphql_query_for('echo', 'text' => 'Hello world' ) }

  context 'graphql is disabled by feature flag' do
    before do
      stub_feature_flags(graphql: false)
    end

    it 'does not generate a route for GraphQL' do
      expect { post_graphql(query) }.to raise_error(ActionController::RoutingError)
    end
  end

  context 'invalid variables' do
    it 'returns an error' do
      post_graphql(query, variables: "This is not JSON")

      expect(response).to have_gitlab_http_status(422)
      expect(json_response['errors'].first['message']).not_to be_nil
    end
  end

  context 'authentication', :allow_forgery_protection do
    let(:user) { create(:user) }

    it 'allows access to public data without authentication' do
      post_graphql(query)

      expect(graphql_data['echo']).to eq('nil says: Hello world')
    end

    it 'does not authenticate a user with an invalid CSRF' do
      login_as(user)

      post_graphql(query, headers: { 'X-CSRF-Token' => 'invalid' })

      expect(graphql_data['echo']).to eq('nil says: Hello world')
    end

    it 'authenticates a user with a valid session token' do
      # Create a session to get a CSRF token from
      login_as(user)
      get('/')

      post '/api/graphql', params: { query: query }, headers: { 'X-CSRF-Token' => response.session['_csrf_token'] }

      expect(graphql_data['echo']).to eq("\"#{user.username}\" says: Hello world")
    end

    context 'token authentication' do
      let(:token) { create(:personal_access_token) }

      before do
        stub_authentication_activity_metrics(debug: false)
      end

      it 'Authenticates users with a PAT' do
        expect(authentication_metrics)
          .to increment(:user_authenticated_counter)
          .and increment(:user_session_override_counter)
          .and increment(:user_sessionless_authentication_counter)

        post_graphql(query, headers: { 'PRIVATE-TOKEN' => token.token })

        expect(graphql_data['echo']).to eq("\"#{token.user.username}\" says: Hello world")
      end

      context 'when the personal access token has no api scope' do
        it 'does not log the user in' do
          token.update(scopes: [:read_user])

          post_graphql(query, headers: { 'PRIVATE-TOKEN' => token.token })

          expect(response).to have_gitlab_http_status(200)

          expect(graphql_data['echo']).to eq('nil says: Hello world')
        end
      end
    end
  end
end
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`# frozen_string_literal: true`
			`require 'spec_helper'`

			`describe 'GraphQL' do`
			`include GraphqlHelpers`

			`let(:query) { graphql_query_for('echo', 'text' => 'Hello world' ) }`

			`context 'graphql is disabled by feature flag' do`
			`before do`
			`stub_feature_flags(graphql: false)`
			`end`

			`it 'does not generate a route for GraphQL' do`
			`expect { post_graphql(query) }.to raise_error(ActionController::RoutingError)`
			`end`
			`end`

			`context 'invalid variables' do`
			`it 'returns an error' do`
			`post_graphql(query, variables: "This is not JSON")`

			`expect(response).to have_gitlab_http_status(422)`
			`expect(json_response['errors'].first['message']).not_to be_nil`
			`end`
			`end`

			`context 'authentication', :allow_forgery_protection do`
			`let(:user) { create(:user) }`

			`it 'allows access to public data without authentication' do`
			`post_graphql(query)`

			`expect(graphql_data['echo']).to eq('nil says: Hello world')`
			`end`

			`it 'does not authenticate a user with an invalid CSRF' do`
			`login_as(user)`

			`post_graphql(query, headers: { 'X-CSRF-Token' => 'invalid' })`

			`expect(graphql_data['echo']).to eq('nil says: Hello world')`
			`end`

			`it 'authenticates a user with a valid session token' do`
			`# Create a session to get a CSRF token from`
			`login_as(user)`
			`get('/')`

			`post '/api/graphql', params: { query: query }, headers: { 'X-CSRF-Token' => response.session['_csrf_token'] }`

			`expect(graphql_data['echo']).to eq("\"#{user.username}\" says: Hello world")`
			`end`

			`context 'token authentication' do`
			`let(:token) { create(:personal_access_token) }`

			`before do`
			`stub_authentication_activity_metrics(debug: false)`
			`end`

			`it 'Authenticates users with a PAT' do`
			`expect(authentication_metrics)`
			`.to increment(:user_authenticated_counter)`
			`.and increment(:user_session_override_counter)`
			`.and increment(:user_sessionless_authentication_counter)`

			`post_graphql(query, headers: { 'PRIVATE-TOKEN' => token.token })`

			`expect(graphql_data['echo']).to eq("\"#{token.user.username}\" says: Hello world")`
			`end`

			`context 'when the personal access token has no api scope' do`
			`it 'does not log the user in' do`
			`token.update(scopes: [:read_user])`

			`post_graphql(query, headers: { 'PRIVATE-TOKEN' => token.token })`

			`expect(response).to have_gitlab_http_status(200)`

			`expect(graphql_data['echo']).to eq('nil says: Hello world')`
			`end`
			`end`
			`end`
			`end`
			`end`