feat(core): Add GET /users endpoints to public API (#6360)

2025-12-22 12:19:09 +00:00 · 2023-06-21 07:22:00 -04:00
parent 25b92169ae
commit 6ab350209d
20 changed files with 679 additions and 39 deletions
--- a/packages/cli/test/integration/publicApi/users.ee.test.ts
+++ b/packages/cli/test/integration/publicApi/users.ee.test.ts
@@ -0,0 +1,343 @@
+import type express from 'express';
+import validator from 'validator';
+import { v4 as uuid } from 'uuid';
+
+import config from '@/config';
+import type { Role } from '@/databases/entities/Role';
+import { randomApiKey } from '../shared/random';
+
+import * as utils from '../shared/utils';
+import * as testDb from '../shared/testDb';
+
+import { License } from '@/License';
+
+let app: express.Application;
+let globalOwnerRole: Role;
+let globalMemberRole: Role;
+
+const licenseLike = {
+	getUsersLimit: jest.fn().mockReturnValue(-1),
+};
+
+utils.mockInstance(License, licenseLike);
+
+beforeAll(async () => {
+	app = await utils.initTestServer({
+		endpointGroups: ['publicApi'],
+		applyAuth: false,
+		enablePublicAPI: true,
+	});
+
+	await testDb.init();
+
+	const [fetchedGlobalOwnerRole, fetchedGlobalMemberRole] = await testDb.getAllRoles();
+
+	globalOwnerRole = fetchedGlobalOwnerRole;
+	globalMemberRole = fetchedGlobalMemberRole;
+});
+
+beforeEach(async () => {
+	// do not combine calls - shared tables must be cleared first and separately
+	await testDb.truncate(['SharedCredentials', 'SharedWorkflow']);
+	await testDb.truncate(['User', 'Workflow', 'Credentials']);
+
+	config.set('userManagement.disabled', false);
+	config.set('userManagement.isInstanceOwnerSetUp', true);
+	config.set('userManagement.emails.mode', 'smtp');
+});
+
+afterAll(async () => {
+	await testDb.terminate();
+});
+
+describe('With license unlimited quota:users', () => {
+	test('GET /users should fail due to missing API Key', async () => {
+		const owner = await testDb.createUser({ globalRole: globalOwnerRole });
+
+		const authOwnerAgent = utils.createAgent(app, {
+			apiPath: 'public',
+			version: 1,
+			auth: true,
+			user: owner,
+		});
+
+		await testDb.createUser();
+
+		const response = await authOwnerAgent.get('/users');
+
+		expect(response.statusCode).toBe(401);
+	});
+
+	test('GET /users should fail due to invalid API Key', async () => {
+		const owner = await testDb.createUser({ globalRole: globalOwnerRole, apiKey: randomApiKey() });
+
+		owner.apiKey = null;
+
+		const authOwnerAgent = utils.createAgent(app, {
+			apiPath: 'public',
+			version: 1,
+			auth: true,
+			user: owner,
+		});
+
+		const response = await authOwnerAgent.get('/users');
+
+		expect(response.statusCode).toBe(401);
+	});
+
+	test('GET /users should fail due to member trying to access owner only endpoint', async () => {
+		const member = await testDb.createUser({ apiKey: randomApiKey() });
+
+		const authOwnerAgent = utils.createAgent(app, {
+			apiPath: 'public',
+			version: 1,
+			auth: true,
+			user: member,
+		});
+
+		const response = await authOwnerAgent.get('/users');
+
+		expect(response.statusCode).toBe(403);
+	});
+
+	test('GET /users should return all users', async () => {
+		const owner = await testDb.createUser({ globalRole: globalOwnerRole, apiKey: randomApiKey() });
+
+		const authOwnerAgent = utils.createAgent(app, {
+			apiPath: 'public',
+			version: 1,
+			auth: true,
+			user: owner,
+		});
+
+		await testDb.createUser();
+
+		const response = await authOwnerAgent.get('/users');
+
+		expect(response.statusCode).toBe(200);
+		expect(response.body.data.length).toBe(2);
+		expect(response.body.nextCursor).toBeNull();
+
+		for (const user of response.body.data) {
+			const {
+				id,
+				email,
+				firstName,
+				lastName,
+				personalizationAnswers,
+				globalRole,
+				password,
+				resetPasswordToken,
+				isPending,
+				createdAt,
+				updatedAt,
+			} = user;
+
+			expect(validator.isUUID(id)).toBe(true);
+			expect(email).toBeDefined();
+			expect(firstName).toBeDefined();
+			expect(lastName).toBeDefined();
+			expect(personalizationAnswers).toBeUndefined();
+			expect(password).toBeUndefined();
+			expect(resetPasswordToken).toBeUndefined();
+			expect(isPending).toBe(false);
+			expect(globalRole).toBeUndefined();
+			expect(createdAt).toBeDefined();
+			expect(updatedAt).toBeDefined();
+		}
+	});
+
+	test('GET /users/:identifier should fail due to missing API Key', async () => {
+		const owner = await testDb.createUser({ globalRole: globalOwnerRole });
+
+		const authOwnerAgent = utils.createAgent(app, {
+			apiPath: 'public',
+			version: 1,
+			auth: true,
+			user: owner,
+		});
+
+		await testDb.createUser();
+
+		const response = await authOwnerAgent.get(`/users/${owner.id}`);
+
+		expect(response.statusCode).toBe(401);
+	});
+
+	test('GET /users/:identifier should fail due to invalid API Key', async () => {
+		const owner = await testDb.createUser({ globalRole: globalOwnerRole, apiKey: randomApiKey() });
+
+		owner.apiKey = null;
+
+		const authOwnerAgent = utils.createAgent(app, {
+			apiPath: 'public',
+			version: 1,
+			auth: true,
+			user: owner,
+		});
+
+		const response = await authOwnerAgent.get(`/users/${owner.id}`);
+
+		expect(response.statusCode).toBe(401);
+	});
+
+	test('GET /users/:identifier should fail due to member trying to access owner only endpoint', async () => {
+		const member = await testDb.createUser({ apiKey: randomApiKey() });
+
+		const authOwnerAgent = utils.createAgent(app, {
+			apiPath: 'public',
+			version: 1,
+			auth: true,
+			user: member,
+		});
+
+		const response = await authOwnerAgent.get(`/users/${member.id}`);
+
+		expect(response.statusCode).toBe(403);
+	});
+
+	test('GET /users/:email with non-existing email should return 404', async () => {
+		const owner = await testDb.createUser({ globalRole: globalOwnerRole, apiKey: randomApiKey() });
+
+		const authOwnerAgent = utils.createAgent(app, {
+			apiPath: 'public',
+			version: 1,
+			auth: true,
+			user: owner,
+		});
+
+		const response = await authOwnerAgent.get('/users/jhondoe@gmail.com');
+
+		expect(response.statusCode).toBe(404);
+	});
+
+	test('GET /users/:id with non-existing id should return 404', async () => {
+		const owner = await testDb.createUser({ globalRole: globalOwnerRole, apiKey: randomApiKey() });
+
+		const authOwnerAgent = utils.createAgent(app, {
+			apiPath: 'public',
+			version: 1,
+			auth: true,
+			user: owner,
+		});
+
+		const response = await authOwnerAgent.get(`/users/${uuid()}`);
+
+		expect(response.statusCode).toBe(404);
+	});
+
+	test('GET /users/:email should return a user', async () => {
+		const owner = await testDb.createUser({ globalRole: globalOwnerRole, apiKey: randomApiKey() });
+
+		const authOwnerAgent = utils.createAgent(app, {
+			apiPath: 'public',
+			version: 1,
+			auth: true,
+			user: owner,
+		});
+
+		const response = await authOwnerAgent.get(`/users/${owner.email}`);
+
+		expect(response.statusCode).toBe(200);
+
+		const {
+			id,
+			email,
+			firstName,
+			lastName,
+			personalizationAnswers,
+			globalRole,
+			password,
+			resetPasswordToken,
+			isPending,
+			createdAt,
+			updatedAt,
+		} = response.body;
+
+		expect(validator.isUUID(id)).toBe(true);
+		expect(email).toBeDefined();
+		expect(firstName).toBeDefined();
+		expect(lastName).toBeDefined();
+		expect(personalizationAnswers).toBeUndefined();
+		expect(password).toBeUndefined();
+		expect(resetPasswordToken).toBeUndefined();
+		expect(isPending).toBe(false);
+		expect(globalRole).toBeUndefined();
+		expect(createdAt).toBeDefined();
+		expect(updatedAt).toBeDefined();
+	});
+
+	test('GET /users/:id should return a pending user', async () => {
+		const owner = await testDb.createUser({ globalRole: globalOwnerRole, apiKey: randomApiKey() });
+
+		const { id: memberId } = await testDb.createUserShell(globalMemberRole);
+
+		const authOwnerAgent = utils.createAgent(app, {
+			apiPath: 'public',
+			version: 1,
+			auth: true,
+			user: owner,
+		});
+
+		const response = await authOwnerAgent.get(`/users/${memberId}`);
+
+		expect(response.statusCode).toBe(200);
+
+		const {
+			id,
+			email,
+			firstName,
+			lastName,
+			personalizationAnswers,
+			globalRole,
+			password,
+			resetPasswordToken,
+			isPending,
+			createdAt,
+			updatedAt,
+		} = response.body;
+
+		expect(validator.isUUID(id)).toBe(true);
+		expect(email).toBeDefined();
+		expect(firstName).toBeDefined();
+		expect(lastName).toBeDefined();
+		expect(personalizationAnswers).toBeUndefined();
+		expect(password).toBeUndefined();
+		expect(resetPasswordToken).toBeUndefined();
+		expect(globalRole).toBeUndefined();
+		expect(createdAt).toBeDefined();
+		expect(isPending).toBeDefined();
+		expect(isPending).toBeTruthy();
+		expect(updatedAt).toBeDefined();
+	});
+});
+
+describe('With license without quota:users', () => {
+	beforeEach(async () => {
+		utils.mockInstance(License, { getUsersLimit: jest.fn().mockReturnValue(null) });
+	});
+
+	test('GET /users should fail due to invalid license', async () => {
+		const member = await testDb.createUser({ apiKey: randomApiKey() });
+		const authOwnerAgent = utils.createAgent(app, {
+			apiPath: 'public',
+			version: 1,
+			auth: true,
+			user: member,
+		});
+		const response = await authOwnerAgent.get('/users');
+		expect(response.statusCode).toBe(403);
+	});
+
+	test('GET /users/:id should fail due to invalid license', async () => {
+		const member = await testDb.createUser({ apiKey: randomApiKey() });
+		const authOwnerAgent = utils.createAgent(app, {
+			apiPath: 'public',
+			version: 1,
+			auth: true,
+			user: member,
+		});
+		const response = await authOwnerAgent.get(`/users/${member.id}`);
+		expect(response.statusCode).toBe(403);
+	});
+});