Respond with 403 on non-owner/admin mutation

Author: hussein-m-kandil

src/middlewares/validators.ts

@@ -4,48 +4,40 @@ import { PublicUser } from '../types';
 import passport from '../lib/passport';
 
 export const createOwnerValidator = (
-  getOwnerId: (req: Request, res: Response) => unknown
+  getOwnerId: (req: Request, res: Response) => unknown,
 ): RequestHandler => {
   return async (req: Request, res: Response, next: NextFunction) => {
     const reqUser = req.user as PublicUser | undefined;
     const owner = reqUser?.id === (await getOwnerId(req, res));
     if (owner) next();
-    else res.status(401).end();
+    else res.status(403).end();
   };
 };
 
 export const createAdminOrOwnerValidator = (
-  getOwnerId: (req: Request, res: Response) => unknown
+  getOwnerId: (req: Request, res: Response) => unknown,
 ): RequestHandler => {
   return async (req: Request, res: Response, next: NextFunction) => {
     const reqUser = req.user as PublicUser | undefined;
     const admin = reqUser?.isAdmin;
     const owner = reqUser?.id === (await getOwnerId(req, res));
     if (admin || owner) next();
-    else res.status(401).end();
+    else res.status(403).end();
   };
 };
 
-export const adminValidator = (
-  req: Request,
-  res: Response,
-  next: NextFunction
-) => {
+export const adminValidator = (req: Request, res: Response, next: NextFunction) => {
   const reqUser = req.user as PublicUser | undefined;
   const admin = reqUser?.isAdmin;
   if (admin) next();
-  else res.status(401).end();
+  else res.status(403).end();
 };
 
 export const authValidator = passport.authenticate('jwt', {
   session: false,
 }) as RequestHandler;
 
-export const optionalAuthValidator = async (
-  req: Request,
-  res: Response,
-  next: NextFunction
-) => {
+export const optionalAuthValidator = async (req: Request, res: Response, next: NextFunction) => {
   if (req.headers.authorization) {
     // The purpose of this middleware is to optionally retrieve user info
     // if applicable, thereby preventing a 401 error on an invalid token

src/tests/api/setup.ts

@@ -283,6 +283,7 @@ export const setup = async (signinUrl: string, expApp: App = app) => {
     assertErrorRes: TestUtils.assertErrorRes,
     assertNotFoundErrorRes: TestUtils.assertNotFoundErrorRes,
     assertInvalidIdErrorRes: TestUtils.assertInvalidIdErrorRes,
+    assertForbiddenErrorRes: TestUtils.assertForbiddenErrorRes,
     assertUnauthorizedErrorRes: TestUtils.assertUnauthorizedErrorRes,
     assertResponseWithValidationError: TestUtils.assertResponseWithValidationError,
   };

src/tests/api/v1/images.int.test.ts

@@ -1,12 +1,4 @@
-import {
-  vi,
-  it,
-  expect,
-  describe,
-  afterAll,
-  afterEach,
-  beforeEach,
-} from 'vitest';
+import { vi, it, expect, describe, afterAll, afterEach, beforeEach } from 'vitest';
 import { AppErrorResponse } from '@/types';
 import { IMAGES_URL, SIGNIN_URL } from './utils';
 import { Image } from 'prisma/client';
@@ -34,6 +26,7 @@ describe('Image endpoints', async () => {
     prepForAuthorizedTest,
     assertNotFoundErrorRes,
     assertInvalidIdErrorRes,
+    assertForbiddenErrorRes,
     assertUnauthorizedErrorRes,
     assertResponseWithValidationError,
   } = await setup(SIGNIN_URL);
@@ -42,9 +35,7 @@ describe('Image endpoints', async () => {
     storage: { upload, remove },
   } = storageData;
 
-  const { authorizedApi, signedInUserData } = await prepForAuthorizedTest(
-    userOneData
-  );
+  const { authorizedApi, signedInUserData } = await prepForAuthorizedTest(userOneData);
 
   let url: string;
   const prepImageUrl = async () => {
@@ -68,10 +59,10 @@ describe('Image endpoints', async () => {
       assertUnauthorizedErrorRes(res);
     });
 
-    it('should respond with 401 on a request with user token', async () => {
+    it('should respond with 403 on a request with user token', async () => {
       const { authorizedApi } = await prepForAuthorizedTest(userOneData);
       const res = await authorizedApi.get(IMAGES_URL);
-      assertUnauthorizedErrorRes(res);
+      assertForbiddenErrorRes(res);
     });
 
     it('should respond with an empty array on a request with admin token', async () => {
@@ -160,10 +151,7 @@ describe('Image endpoints', async () => {
 
     it('should upload the image with data', async () => {
       stream = fs.createReadStream('src/tests/files/good.jpg');
-      const res = await authorizedApi
-        .post(IMAGES_URL)
-        .field(imagedata)
-        .attach('image', stream);
+      const res = await authorizedApi.post(IMAGES_URL).field(imagedata).attach('image', stream);
       expect(res.statusCode).toBe(201);
       assertImageData(res, imgData);
       expect(upload).toHaveBeenCalledOnce();
@@ -186,10 +174,7 @@ describe('Image endpoints', async () => {
     it('should upload the image with extra info', async () => {
       const info = 'Extra info...';
       stream = fs.createReadStream('src/tests/files/good.jpg');
-      const res = await authorizedApi
-        .post(IMAGES_URL)
-        .field('info', info)
-        .attach('image', stream);
+      const res = await authorizedApi.post(IMAGES_URL).field('info', info).attach('image', stream);
       expect(res.statusCode).toBe(201);
       assertImageData(res, { ...imgOne, info });
       expect(upload).toHaveBeenCalledOnce();
@@ -280,16 +265,14 @@ describe('Image endpoints', async () => {
       assertUnauthorizedErrorRes(res);
     });
 
-    it('should respond with 401 if the current user is not the image owner', async () => {
+    it('should respond with 403 if the current user is not the image owner', async () => {
       const { authorizedApi } = await prepForAuthorizedTest(userTwoData);
       const res = await authorizedApi.put(url).send();
-      assertUnauthorizedErrorRes(res);
+      assertForbiddenErrorRes(res);
     });
 
     it('should respond with 404', async () => {
-      const res = await authorizedApi
-        .put(`${IMAGES_URL}/${crypto.randomUUID()}`)
-        .send();
+      const res = await authorizedApi.put(`${IMAGES_URL}/${crypto.randomUUID()}`).send();
       assertNotFoundErrorRes(res);
     });
 
@@ -316,10 +299,7 @@ describe('Image endpoints', async () => {
 
     it('should update the image with data', async () => {
       stream = fs.createReadStream('src/tests/files/good.jpg');
-      const res = await authorizedApi
-        .put(url)
-        .field(imagedata)
-        .attach('image', stream);
+      const res = await authorizedApi.put(url).field(imagedata).attach('image', stream);
       expect(res.statusCode).toBe(200);
       assertImageData(res, imgData);
       expect(upload).toHaveBeenCalledOnce();
@@ -365,41 +345,29 @@ describe('Image endpoints', async () => {
 
     it('should not update the image with invalid `xPos` type', async () => {
       stream = fs.createReadStream('src/tests/files/good.jpg');
-      const res = await authorizedApi
-        .put(url)
-        .field('xPos', '25px')
-        .attach('image', stream);
+      const res = await authorizedApi.put(url).field('xPos', '25px').attach('image', stream);
       assertResponseWithValidationError(res, 'xPos');
       expect(upload).not.toHaveBeenCalledOnce();
     });
 
     it('should not update the image with invalid `yPos` type', async () => {
       stream = fs.createReadStream('src/tests/files/good.jpg');
-      const res = await authorizedApi
-        .put(url)
-        .field('yPos', '25px')
-        .attach('image', stream);
+      const res = await authorizedApi.put(url).field('yPos', '25px').attach('image', stream);
       assertResponseWithValidationError(res, 'yPos');
       expect(upload).not.toHaveBeenCalledOnce();
     });
 
     it('should not update the image with invalid `scale` type', async () => {
       stream = fs.createReadStream('src/tests/files/good.jpg');
-      const res = await authorizedApi
-        .put(url)
-        .field('scale', '125%')
-        .attach('image', stream);
+      const res = await authorizedApi.put(url).field('scale', '125%').attach('image', stream);
       assertResponseWithValidationError(res, 'scale');
       expect(upload).not.toHaveBeenCalledOnce();
     });
 
     it('should update the avatar image and connect it to the current user', async () => {
       const userId = signedInUserData.user.id;
       stream = fs.createReadStream('src/tests/files/good.jpg');
-      const res = await authorizedApi
-        .put(url)
-        .field('isAvatar', true)
-        .attach('image', stream);
+      const res = await authorizedApi.put(url).field('isAvatar', true).attach('image', stream);
       const dbAvatar = (await db.avatar.findMany({})).at(-1)!;
       expect((res.body as Image).id).toBe(dbAvatar.imageId);
       expect(res.statusCode).toBe(200);
@@ -418,16 +386,14 @@ describe('Image endpoints', async () => {
       assertUnauthorizedErrorRes(res);
     });
 
-    it('should respond with 401 if the current user is not the image owner', async () => {
+    it('should respond with 403 if the current user is not the image owner', async () => {
       const { authorizedApi } = await prepForAuthorizedTest(userTwoData);
       const res = await authorizedApi.delete(url).send();
-      assertUnauthorizedErrorRes(res);
+      assertForbiddenErrorRes(res);
     });
 
     it('should respond with 404', async () => {
-      const res = await authorizedApi
-        .delete(`${IMAGES_URL}/${crypto.randomUUID()}`)
-        .send();
+      const res = await authorizedApi.delete(`${IMAGES_URL}/${crypto.randomUUID()}`).send();
       assertNotFoundErrorRes(res);
     });
 

src/tests/api/v1/posts.int.test.ts

@@ -37,6 +37,7 @@ describe('Post endpoints', async () => {
     prepForAuthorizedTest,
     assertNotFoundErrorRes,
     assertInvalidIdErrorRes,
+    assertForbiddenErrorRes,
     assertResponseWithValidationError,
   } = await setup(SIGNIN_URL);
 
@@ -352,14 +353,13 @@ describe('Post endpoints', async () => {
           assertInvalidIdErrorRes(res);
         });
 
-        it('should respond with 401 with non-owner credentials', async () => {
+        it('should respond with 403 with non-owner credentials', async () => {
           const dbPost = await createPost({
             ...postDataToUpdate,
             authorId: dbUserTwo.id,
           });
           const res = await authorizedApi.put(`${POSTS_URL}/${dbPost.id}`).send(postDataInput);
-          expect(res.statusCode).toBe(401);
-          expect(res.body).toStrictEqual({});
+          assertForbiddenErrorRes(res);
         });
 
         it('should update the tags', async () => {
@@ -588,7 +588,7 @@ describe('Post endpoints', async () => {
         expect(res.body).toStrictEqual({});
       });
 
-      it(`should respond with 401 on request with non-post${
+      it(`should respond with 403 on request with non-post${
         forComment ? '/comment' : ''
       }-owner JWT`, async () => {
         const xUserSigninData = await signin(xUserData.username, xUserData.password);
@@ -600,8 +600,7 @@ describe('Post endpoints', async () => {
               : `${POSTS_URL}/${dbPost.id}`,
           )
           .set('Authorization', xUserSigninData.token);
-        expect(res.statusCode).toBe(401);
-        expect(res.body).toStrictEqual({});
+        assertForbiddenErrorRes(res);
       });
 
       it(`should admin be able delete a normal user ${
@@ -1227,7 +1226,7 @@ describe('Post endpoints', async () => {
       assertNotFoundErrorRes(res);
     });
 
-    it('should respond with 401 on a non-comment-owner JWT', async () => {
+    it('should respond with 403 on a non-comment-owner JWT', async () => {
       const { signedInUserData, authorizedApi } = await prepForAuthorizedTest(xUserData);
       const dbPost = await createPost(postDataToComment);
       const res = await authorizedApi
@@ -1238,8 +1237,7 @@ describe('Post endpoints', async () => {
         )
         .set('authorization', signedInUserData.token)
         .send(commentData);
-      expect(res.statusCode).toBe(401);
-      expect(res.body).toStrictEqual({});
+      assertForbiddenErrorRes(res);
     });
 
     it('should respond with 400 on a comment without content field', async () => {