mirage: Add authentication checks to add/remove owner endpoints

Author: Turbo87

mirage/route-handlers/crates.js

@@ -227,6 +227,11 @@ export function register(server) {
   });
 
   server.put('/api/v1/crates/:name/owners', (schema, request) => {
+    let { user } = getSession(schema);
+    if (!user) {
+      return new Response(403, {}, { errors: [{ detail: 'must be logged in to perform that action' }] });
+    }
+
     let { name } = request.params;
     let crate = schema.crates.findBy({ name });
 
@@ -236,16 +241,21 @@ export function register(server) {
 
     const body = JSON.parse(request.requestBody);
     const [ownerId] = body.owners;
-    const user = schema.users.findBy({ login: ownerId });
+    const invitee = schema.users.findBy({ login: ownerId });
 
-    if (!user) {
+    if (!invitee) {
       return { errors: [{ detail: `could not find user with login \`${ownerId}\`` }] };
     }
 
     return { ok: true };
   });
 
   server.delete('/api/v1/crates/:name/owners', (schema, request) => {
+    let { user } = getSession(schema);
+    if (!user) {
+      return new Response(403, {}, { errors: [{ detail: 'must be logged in to perform that action' }] });
+    }
+
     let { name } = request.params;
     let crate = schema.crates.findBy({ name });
 

tests/models/crate-test.js

@@ -15,17 +15,23 @@ module('Model | Crate', function (hooks) {
   module('inviteOwner()', function () {
     test('happy path', async function (assert) {
       let user = this.server.create('user');
+      this.authenticateAs(user);
 
       let crate = this.server.create('crate');
       this.server.create('version', { crate });
 
+      let user2 = this.server.create('user');
+
       let crateRecord = await this.store.findRecord('crate', crate.name);
 
-      let result = await crateRecord.inviteOwner(user.login);
+      let result = await crateRecord.inviteOwner(user2.login);
       assert.deepEqual(result, { ok: true });
     });
 
     test('error handling', async function (assert) {
+      let user = this.server.create('user');
+      this.authenticateAs(user);
+
       let crate = this.server.create('crate');
       this.server.create('version', { crate });
 
@@ -41,17 +47,23 @@ module('Model | Crate', function (hooks) {
   module('removeOwner()', function () {
     test('happy path', async function (assert) {
       let user = this.server.create('user');
+      this.authenticateAs(user);
 
       let crate = this.server.create('crate');
       this.server.create('version', { crate });
 
+      let user2 = this.server.create('user');
+
       let crateRecord = await this.store.findRecord('crate', crate.name);
 
-      let result = await crateRecord.removeOwner(user.login);
+      let result = await crateRecord.removeOwner(user2.login);
       assert.deepEqual(result, { ok: true, msg: 'owners successfully removed' });
     });
 
     test('error handling', async function (assert) {
+      let user = this.server.create('user');
+      this.authenticateAs(user);
+
       let crate = this.server.create('crate');
       this.server.create('version', { crate });