daily-api/__tests__/urlShortener.ts at main · dailydotdev/daily-api · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
import { DataSource } from 'typeorm';
import { User } from '../src/entity';
import createOrGetConnection from '../src/db';
import {
  disposeGraphQLTesting,
  GraphQLTestClient,
  GraphQLTestingState,
  initializeGraphQLTesting,
  MockContext,
  saveFixtures,
  testQueryErrorCode,
} from './helpers';
import { usersFixture } from './fixture/user';
import nock from 'nock';

let con: DataSource;
let state: GraphQLTestingState;
let client: GraphQLTestClient;
let loggedUser: string = null;

const originalCommentsPrefix = process.env.COMMENTS_PREFIX;

beforeAll(async () => {
  con = await createOrGetConnection();
  state = await initializeGraphQLTesting(
    () => new MockContext(con, loggedUser),
  );
  client = state.client;
});

afterAll(() => {
  disposeGraphQLTesting(state);
  process.env.COMMENTS_PREFIX = originalCommentsPrefix;
});

beforeEach(async () => {
  loggedUser = null;
  process.env.COMMENTS_PREFIX = 'https://app.daily.dev';

  await saveFixtures(con, User, usersFixture);
});

describe('query getShortUrl', () => {
  const QUERY = `
    query GetShortUrl($url: String!) {
      getShortUrl(url: $url)
    }
  `;

  it('should return unauthenticated when not logged in', () =>
    testQueryErrorCode(
      client,
      { query: QUERY, variables: { url: 'https://app.daily.dev/posts/test' } },
      'UNAUTHENTICATED',
    ));

  it('should reject subdomain spoofing attempts', async () => {
    loggedUser = '1';
    const res = await client.query(QUERY, {
      variables: { url: 'https://app.daily.dev.attacker.com/posts/test' },
    });
    expect(res.errors).toBeDefined();
    expect(res.errors?.length).toBeGreaterThan(0);
    expect(res.errors?.[0].message).toEqual('Invalid url');
  });

  it('should reject subdomain spoofing with linkedin domain', async () => {
    loggedUser = '1';
    const res = await client.query(QUERY, {
      variables: { url: 'https://app.daily.dev.linkedin.com/posts/test' },
    });
    expect(res.errors).toBeDefined();
    expect(res.errors?.length).toBeGreaterThan(0);
    expect(res.errors?.[0].message).toEqual('Invalid url');
  });

  it('should reject unrelated domains', async () => {
    loggedUser = '1';
    const res = await client.query(QUERY, {
      variables: { url: 'https://evil.com/posts/test' },
    });
    expect(res.errors).toBeDefined();
    expect(res.errors?.length).toBeGreaterThan(0);
    expect(res.errors?.[0].message).toEqual('Invalid url');
  });

  it('should reject invalid URLs', async () => {
    loggedUser = '1';
    const res = await client.query(QUERY, {
      variables: { url: 'not-a-url' },
    });
    expect(res.errors).toBeDefined();
    expect(res.errors?.length).toBeGreaterThan(0);
    expect(res.errors?.[0].message).toEqual('Invalid url');
  });

  it('should accept valid daily.dev URLs', async () => {
    loggedUser = '1';

    // Mock the URL shortener service since we're not testing that here
    nock(process.env.URL_SHORTENER_BASE_URL || 'http://localhost')
      .post('/shorten')
      .reply(200, { url: 'https://dly.to/test123' });

    const res = await client.query(QUERY, {
      variables: { url: 'https://app.daily.dev/posts/test' },
    });

    // Should not throw validation error
    expect(res.errors?.some((e) => e.message === 'Invalid url')).toBeFalsy();
  });

  it('should accept valid daily.dev URLs with query parameters', async () => {
    loggedUser = '1';

    // Mock the URL shortener service
    nock(process.env.URL_SHORTENER_BASE_URL || 'http://localhost')
      .post('/shorten')
      .reply(200, { url: 'https://dly.to/test456' });

    const res = await client.query(QUERY, {
      variables: {
        url: 'https://app.daily.dev/posts/test?userid=123&cid=share_post',
      },
    });

    // Should not throw validation error
    expect(res.errors?.some((e) => e.message === 'Invalid url')).toBeFalsy();
  });
});