├── .eslintignore
├── Procfile
├── .gitignore
├── test
    ├── unit
    │   ├── mock
    │   │   ├── model
    │   │   │   ├── site.mock.js
    │   │   │   ├── url.mock.js
    │   │   │   ├── setting.mock.js
    │   │   │   ├── key.mock.js
    │   │   │   └── user.mock.js
    │   │   ├── controller
    │   │   │   ├── api-v1.mock.js
    │   │   │   └── front-end.mock.js
    │   │   ├── nocache.mock.js
    │   │   ├── log.mock.js
    │   │   ├── get-app-url.mock.js
    │   │   ├── compression.mock.js
    │   │   ├── adaro.mock.js
    │   │   ├── knex.mock.js
    │   │   ├── bookshelf.mock.js
    │   │   ├── bind-logger.mock.js
    │   │   ├── morgan.mock.js
    │   │   ├── dashboard.mock.js
    │   │   └── express.mock.js
    │   ├── setup.test.js
    │   └── lib
    │   │   ├── middleware
    │   │       ├── not-found.test.js
    │   │       ├── require-auth.test.js
    │   │       ├── require-permission.test.js
    │   │       ├── flash.test.js
    │   │       ├── get-app-url.test.js
    │   │       └── auth-with-cookie.test.js
    │   │   └── util
    │   │       ├── bind-logger.test.js
    │   │       └── validation-error.test.js
    └── integration
    │   ├── .eslintrc.js
    │   ├── seed
    │       ├── basic
    │       │   ├── settings.js
    │       │   ├── sites.js
    │       │   └── auth.js
    │       └── no-auth
    │       │   ├── settings.js
    │       │   ├── auth.js
    │       │   └── sites.js
    │   ├── helpers
    │       ├── auth.js
    │       └── database.js
    │   ├── routes
    │       ├── api-v1
    │       │   ├── index.test.js
    │       │   └── me-keys.test.js
    │       └── front-end
    │       │   ├── 404.test.js
    │       │   ├── docs-api-v1.test.js
    │       │   ├── index.test.js
    │       │   ├── settings-keys.test.js
    │       │   └── settings-profile.test.js
    │   └── setup.test.js
├── .eslintrc.js
├── view
    ├── template
    │   ├── home.dust
    │   ├── login.dust
    │   ├── sites
    │   │   ├── edit-url.dust
    │   │   ├── new-site.dust
    │   │   ├── new-url.dust
    │   │   ├── sites.dust
    │   │   ├── delete-url.dust
    │   │   └── site.dust
    │   ├── settings
    │   │   ├── edit-key.dust
    │   │   ├── new-key.dust
    │   │   ├── profile.dust
    │   │   ├── password.dust
    │   │   ├── delete-key.dust
    │   │   └── keys.dust
    │   ├── admin
    │   │   ├── edit-user.dust
    │   │   ├── new-user.dust
    │   │   ├── settings.dust
    │   │   ├── delete-user.dust
    │   │   └── users.dust
    │   ├── setup.dust
    │   ├── error.dust
    │   └── docs
    │   │   └── api-v1.dust
    ├── partial
    │   ├── form
    │   │   ├── logout.dust
    │   │   ├── key.dust
    │   │   ├── login.dust
    │   │   ├── app-settings.dust
    │   │   ├── password.dust
    │   │   ├── url.dust
    │   │   ├── setup.dust
    │   │   ├── site.dust
    │   │   └── user.dust
    │   ├── alert
    │   │   ├── error.dust
    │   │   └── success.dust
    │   └── nav
    │   │   ├── footer.dust
    │   │   ├── admin.dust
    │   │   ├── settings.dust
    │   │   ├── api-docs.dust
    │   │   └── main.dust
    ├── helper
    │   ├── index.js
    │   ├── current-year.js
    │   ├── current-url.js
    │   └── code-block.js
    └── layout
    │   ├── base.dust
    │   └── full.dust
├── data
    ├── seed
    │   └── demo
    │   │   ├── settings.js
    │   │   ├── site-pa11y-github.js
    │   │   ├── site-pa11y.js
    │   │   └── auth.js
    └── migration
    │   ├── 20180221234637_urls.js
    │   ├── 20180217203355_sites.js
    │   ├── 20191021121104_update_version_columns_jsonb.js
    │   └── 20171117142417_setup.js
├── lib
    ├── middleware
    │   ├── not-found.js
    │   ├── require-auth.js
    │   ├── require-permission.js
    │   ├── get-app-url.js
    │   ├── auth-with-cookie.js
    │   ├── flash.js
    │   └── auth-with-key.js
    ├── util
    │   ├── validation-error.js
    │   └── bind-logger.js
    └── dashboard.js
├── public
    ├── pa11y.svg
    └── main.css
├── .dustmiterc
├── controller
    ├── api-v1
    │   ├── docs.js
    │   ├── index.js
    │   ├── urls.js
    │   ├── sites.js
    │   ├── users.js
    │   ├── keys.js
    │   └── me.js
    └── front-end
    │   ├── home.js
    │   ├── docs.js
    │   ├── auth.js
    │   ├── setup.js
    │   ├── index.js
    │   └── settings.js
├── app.json
├── env.sample
├── script
    ├── seed.js
    ├── migrate-up.js
    ├── migrate-down.js
    └── create-migration.js
├── CONTRIBUTING.md
├── index.js
├── .travis.yml
├── Makefile
├── package.json
├── model
    ├── setting.js
    ├── key.js
    ├── site.js
    ├── url.js
    └── user.js
└── docs
    └── deploy
        └── heroku.md


/.eslintignore:
--------------------------------------------------------------------------------
1 | coverage
2 | 


--------------------------------------------------------------------------------
/Procfile:
--------------------------------------------------------------------------------
1 | release: make db-migrate-up
2 | web: node index.js
3 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .env
2 | .nyc_output
3 | coverage
4 | node_modules
5 | npm-debug.log
6 | 


--------------------------------------------------------------------------------
/test/unit/mock/model/site.mock.js:
--------------------------------------------------------------------------------
1 | 'use strict';
2 | 
3 | const sinon = require('sinon');
4 | 
5 | module.exports = sinon.stub();
6 | 


--------------------------------------------------------------------------------
/test/unit/mock/model/url.mock.js:
--------------------------------------------------------------------------------
1 | 'use strict';
2 | 
3 | const sinon = require('sinon');
4 | 
5 | module.exports = sinon.stub();
6 | 


--------------------------------------------------------------------------------
/test/unit/mock/controller/api-v1.mock.js:
--------------------------------------------------------------------------------
1 | 'use strict';
2 | 
3 | const sinon = require('sinon');
4 | 
5 | module.exports = sinon.stub();
6 | 


--------------------------------------------------------------------------------
/test/unit/mock/controller/front-end.mock.js:
--------------------------------------------------------------------------------
1 | 'use strict';
2 | 
3 | const sinon = require('sinon');
4 | 
5 | module.exports = sinon.stub();
6 | 


--------------------------------------------------------------------------------
/test/integration/.eslintrc.js:
--------------------------------------------------------------------------------
1 | 'use strict';
2 | 
3 | module.exports = {
4 | 	globals: {
5 | 		dashboard: true,
6 | 		request: true
7 | 	}
8 | };
9 | 


--------------------------------------------------------------------------------
/.eslintrc.js:
--------------------------------------------------------------------------------
1 | 'use strict';
2 | 
3 | module.exports = {
4 | 	extends: '@rowanmanning/eslint-config/es2017',
5 | 	rules: {
6 | 		camelcase: 'off'
7 | 	}
8 | };
9 | 


--------------------------------------------------------------------------------
/test/unit/mock/model/setting.mock.js:
--------------------------------------------------------------------------------
1 | 'use strict';
2 | 
3 | const sinon = require('sinon');
4 | 
5 | const Setting = module.exports = sinon.stub();
6 | Setting.get = sinon.stub();
7 | 


--------------------------------------------------------------------------------
/view/template/home.dust:
--------------------------------------------------------------------------------
 1 | {>"layout/full"/}
 2 | 
 3 | {<title}
 4 | 	Home - Sidekick
 5 | {/title}
 6 | 
 7 | {<content}
 8 | 
 9 | 	<h1>Sidekick</h1>
10 | 
11 | 	<p>Hello World!</p>
12 | 
13 | {/content}
14 | 


--------------------------------------------------------------------------------
/view/template/login.dust:
--------------------------------------------------------------------------------
 1 | {>"layout/full"/}
 2 | 
 3 | {<title}
 4 | 	Login - Sidekick
 5 | {/title}
 6 | 
 7 | {<content}
 8 | 
 9 | 	<h1>Login</h1>
10 | 
11 | 	{>"partial/form/login"/}
12 | 
13 | {/content}
14 | 


--------------------------------------------------------------------------------
/test/unit/mock/nocache.mock.js:
--------------------------------------------------------------------------------
1 | 'use strict';
2 | 
3 | const sinon = require('sinon');
4 | 
5 | const nocache = module.exports = sinon.stub();
6 | const mockMiddleware = nocache.mockMiddleware = sinon.stub();
7 | 
8 | nocache.returns(mockMiddleware);
9 | 


--------------------------------------------------------------------------------
/test/unit/mock/log.mock.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const sinon = require('sinon');
 4 | 
 5 | module.exports = {
 6 | 	debug: sinon.spy(),
 7 | 	error: sinon.spy(),
 8 | 	info: sinon.spy(),
 9 | 	verbose: sinon.spy(),
10 | 	warn: sinon.spy()
11 | };
12 | 


--------------------------------------------------------------------------------
/view/partial/form/logout.dust:
--------------------------------------------------------------------------------
1 | 
2 | <form data-test="logout-form" action="/logout" method="post" enctype="application/x-www-form-urlencoded">
3 | 	<input type="submit" value="Logout" {?inNavigation}class="navigation__item"{/inNavigation}/>
4 | </form>
5 | 


--------------------------------------------------------------------------------
/test/unit/mock/get-app-url.mock.js:
--------------------------------------------------------------------------------
1 | 'use strict';
2 | 
3 | const sinon = require('sinon');
4 | 
5 | const getAppUrl = module.exports = sinon.stub();
6 | const mockMiddleware = getAppUrl.mockMiddleware = sinon.stub();
7 | 
8 | getAppUrl.returns(mockMiddleware);
9 | 


--------------------------------------------------------------------------------
/view/template/sites/edit-url.dust:
--------------------------------------------------------------------------------
 1 | {>"layout/full"/}
 2 | 
 3 | {<title}
 4 | 	Editing URL - Sidekick
 5 | {/title}
 6 | 
 7 | {<content}
 8 | 
 9 | 	<h1>Edit URL</h1>
10 | 
11 | 	{>"partial/form/url" action=requestPath cta="Save changes"/}
12 | 
13 | {/content}
14 | 


--------------------------------------------------------------------------------
/test/unit/mock/compression.mock.js:
--------------------------------------------------------------------------------
1 | 'use strict';
2 | 
3 | const sinon = require('sinon');
4 | 
5 | const compression = module.exports = sinon.stub();
6 | const mockMiddleware = compression.mockMiddleware = sinon.stub();
7 | 
8 | compression.returns(mockMiddleware);
9 | 


--------------------------------------------------------------------------------
/view/template/sites/new-site.dust:
--------------------------------------------------------------------------------
 1 | {>"layout/full"/}
 2 | 
 3 | {<title}
 4 | 	Creating Site - Sidekick
 5 | {/title}
 6 | 
 7 | {<content}
 8 | 
 9 | 	<h1>Create a new site</h1>
10 | 
11 | 	{>"partial/form/site" action=requestPath cta="Create site"/}
12 | 
13 | {/content}
14 | 


--------------------------------------------------------------------------------
/view/template/sites/new-url.dust:
--------------------------------------------------------------------------------
 1 | {>"layout/full"/}
 2 | 
 3 | {<title}
 4 | 	Creating URLs - Sidekick
 5 | {/title}
 6 | 
 7 | {<content}
 8 | 
 9 | 	<h1>Add a new URL</h1>
10 | 
11 | 	{>"partial/form/url" action=requestPath cta="Add to URL list"/}
12 | 
13 | {/content}
14 | 


--------------------------------------------------------------------------------
/test/unit/mock/adaro.mock.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const sinon = require('sinon');
 4 | 
 5 | const adaro = module.exports = {
 6 | 	dust: sinon.stub()
 7 | };
 8 | 
 9 | const mockRenderer = module.exports.mockRenderer = {};
10 | 
11 | adaro.dust.returns(mockRenderer);
12 | 


--------------------------------------------------------------------------------
/test/unit/mock/knex.mock.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const sinon = require('sinon');
 4 | 
 5 | const knex = module.exports = sinon.stub();
 6 | 
 7 | const mockInstance = module.exports.mockInstance = {
 8 | 	isMockKnexInstance: true
 9 | };
10 | 
11 | knex.returns(mockInstance);
12 | 


--------------------------------------------------------------------------------
/view/partial/alert/error.dust:
--------------------------------------------------------------------------------
 1 | 
 2 | {?errors}
 3 | 	<div class="alert alert--error">
 4 | 		<p><strong>The following errors occurred:</strong></p>
 5 | 		<ul>
 6 | 			{#errors}
 7 | 				<li data-test="alert-error">{.}</li>
 8 | 			{/errors}
 9 | 		</ul>
10 | 	</div>
11 | {/errors}
12 | 


--------------------------------------------------------------------------------
/test/unit/mock/bookshelf.mock.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const sinon = require('sinon');
 4 | 
 5 | const bookshelf = module.exports = sinon.stub();
 6 | 
 7 | const mockInstance = module.exports.mockInstance = {
 8 | 	isMockBookshelfInstance: true
 9 | };
10 | 
11 | bookshelf.returns(mockInstance);
12 | 


--------------------------------------------------------------------------------
/view/helper/index.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | // Load all view helpers, this needs to be exported
 4 | // as an array which includes the built-in ones
 5 | module.exports = [
 6 | 	require('./code-block'),
 7 | 	require('./current-year'),
 8 | 	require('./current-url'),
 9 | 	'dustjs-helpers'
10 | ];
11 | 


--------------------------------------------------------------------------------
/test/unit/mock/bind-logger.mock.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const sinon = require('sinon');
 4 | 
 5 | const bindLogger = module.exports = sinon.stub();
 6 | 
 7 | const mockLogger = module.exports.mockLogger = {
 8 | 	error: sinon.spy(),
 9 | 	info: sinon.spy()
10 | };
11 | 
12 | bindLogger.returns(mockLogger);
13 | 


--------------------------------------------------------------------------------
/test/unit/mock/morgan.mock.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const sinon = require('sinon');
 4 | 
 5 | const morgan = module.exports = sinon.stub();
 6 | const mockMiddleware = morgan.mockMiddleware = sinon.stub();
 7 | 
 8 | morgan.token = sinon.stub();
 9 | morgan.combined = 'mock-morgan-combined-format';
10 | 
11 | morgan.returns(mockMiddleware);
12 | 


--------------------------------------------------------------------------------
/view/layout/base.dust:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en-GB">
 3 | <head>
 4 | 	<meta charset="utf-8"/>
 5 | 	<title>{+title/}</title>
 6 | 	<meta name="viewport" content="width=device-width"/>
 7 | 	<!--[if gt IE 8]><!--><link rel="stylesheet" href="/main.css"/><!--<![endif]-->
 8 | </head>
 9 | <body>
10 | 
11 | 	{+body/}
12 | 
13 | </body>
14 | </html>
15 | 


--------------------------------------------------------------------------------
/view/template/settings/edit-key.dust:
--------------------------------------------------------------------------------
 1 | {>"layout/full"/}
 2 | 
 3 | {<title}
 4 | 	Editing API Key - Sidekick
 5 | {/title}
 6 | 
 7 | {<secondary-nav}
 8 | 	{>"partial/nav/settings"/}
 9 | {/secondary-nav}
10 | 
11 | {<content}
12 | 
13 | 	<h1>Editing API Key</h1>
14 | 
15 | 	{>"partial/form/key" action=requestPath cta="Save changes"/}
16 | 
17 | {/content}
18 | 


--------------------------------------------------------------------------------
/view/template/admin/edit-user.dust:
--------------------------------------------------------------------------------
 1 | {>"layout/full"/}
 2 | 
 3 | {<title}
 4 | 	Editing User - Sidekick
 5 | {/title}
 6 | 
 7 | {<secondary-nav}
 8 | 	{>"partial/nav/admin"/}
 9 | {/secondary-nav}
10 | 
11 | {<content}
12 | 
13 | 	<h1>Editing User</h1>
14 | 
15 | 	{>"partial/form/user" action=requestPath cta="Save changes" formAdmin="true"/}
16 | 
17 | {/content}
18 | 


--------------------------------------------------------------------------------
/view/template/admin/new-user.dust:
--------------------------------------------------------------------------------
 1 | {>"layout/full"/}
 2 | 
 3 | {<title}
 4 | 	Creating User - Sidekick
 5 | {/title}
 6 | 
 7 | {<secondary-nav}
 8 | 	{>"partial/nav/admin"/}
 9 | {/secondary-nav}
10 | 
11 | {<content}
12 | 
13 | 	<h1>Create a new User</h1>
14 | 
15 | 	{>"partial/form/user" action=requestPath cta="Create user" formAdmin="true"/}
16 | 
17 | {/content}
18 | 


--------------------------------------------------------------------------------
/view/template/settings/new-key.dust:
--------------------------------------------------------------------------------
 1 | {>"layout/full"/}
 2 | 
 3 | {<title}
 4 | 	Generating API Key - Sidekick
 5 | {/title}
 6 | 
 7 | {<secondary-nav}
 8 | 	{>"partial/nav/settings"/}
 9 | {/secondary-nav}
10 | 
11 | {<content}
12 | 
13 | 	<h1>Generate a new API Key</h1>
14 | 
15 | 	{>"partial/form/key" action=requestPath cta="Generate API key"/}
16 | 
17 | {/content}
18 | 


--------------------------------------------------------------------------------
/data/seed/demo/settings.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | // Demo setting details
 4 | exports.seed = async database => {
 5 | 
 6 | 	// Insert demo settings
 7 | 	await database('settings').insert([
 8 | 		{
 9 | 			id: 'publicReadAccess',
10 | 			value: JSON.stringify(true)
11 | 		},
12 | 		{
13 | 			id: 'setupComplete',
14 | 			value: JSON.stringify(true)
15 | 		}
16 | 	]);
17 | 
18 | };
19 | 


--------------------------------------------------------------------------------
/lib/middleware/not-found.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const httpError = require('http-errors');
 4 | 
 5 | /**
 6 |  * Create a middleware function which calls `next` with a 404 error.
 7 |  * @returns {Function} A middleware function.
 8 |  */
 9 | function notFound() {
10 | 	return (request, response, next) => {
11 | 		next(httpError(404));
12 | 	};
13 | }
14 | 
15 | module.exports = notFound;
16 | 


--------------------------------------------------------------------------------
/test/integration/seed/basic/settings.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | // Test setting details
 4 | exports.seed = async database => {
 5 | 
 6 | 	// Insert test settings
 7 | 	await database('settings').insert([
 8 | 		{
 9 | 			id: 'publicReadAccess',
10 | 			value: JSON.stringify(false)
11 | 		},
12 | 		{
13 | 			id: 'setupComplete',
14 | 			value: JSON.stringify(true)
15 | 		}
16 | 	]);
17 | 
18 | };
19 | 


--------------------------------------------------------------------------------
/test/integration/seed/no-auth/settings.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | // Test setting details
 4 | exports.seed = async database => {
 5 | 
 6 | 	// Insert test settings
 7 | 	await database('settings').insert([
 8 | 		{
 9 | 			id: 'publicReadAccess',
10 | 			value: JSON.stringify(true)
11 | 		},
12 | 		{
13 | 			id: 'setupComplete',
14 | 			value: JSON.stringify(true)
15 | 		}
16 | 	]);
17 | 
18 | };
19 | 


--------------------------------------------------------------------------------
/view/template/admin/settings.dust:
--------------------------------------------------------------------------------
 1 | {>"layout/full"/}
 2 | 
 3 | {<title}
 4 | 	Sidekick Settings - Sidekick
 5 | {/title}
 6 | 
 7 | {<secondary-nav}
 8 | 	{>"partial/nav/admin"/}
 9 | {/secondary-nav}
10 | 
11 | {<content}
12 | 
13 | 	<h1>Sidekick Settings</h1>
14 | 
15 | 	<p>Manage the way that Sidekick behaves.</p>
16 | 
17 | 	{>"partial/form/app-settings" action=requestPath cta="Save changes"/}
18 | 
19 | {/content}
20 | 


--------------------------------------------------------------------------------
/view/template/settings/profile.dust:
--------------------------------------------------------------------------------
 1 | {>"layout/full"/}
 2 | 
 3 | {<title}
 4 | 	Your Profile Settings - Sidekick
 5 | {/title}
 6 | 
 7 | {<secondary-nav}
 8 | 	{>"partial/nav/settings"/}
 9 | {/secondary-nav}
10 | 
11 | {<content}
12 | 
13 | 	<h1>Your Profile Settings</h1>
14 | 
15 | 	<p>Manage your profile.</p>
16 | 
17 | 	{>"partial/form/user" action="/settings/profile" cta="Save changes"/}
18 | 
19 | {/content}
20 | 


--------------------------------------------------------------------------------
/view/template/setup.dust:
--------------------------------------------------------------------------------
 1 | {>"layout/full"/}
 2 | 
 3 | {<title}
 4 | 	Setup - Sidekick
 5 | {/title}
 6 | 
 7 | {<content}
 8 | 
 9 | 	<h1>Sidekick Setup</h1>
10 | 
11 | 	<p>
12 | 		You're nearly there! We need a few more things from you before Sidekick is ready to display
13 | 		your accessibility information.
14 | 	</p>
15 | 
16 | 	{>"partial/form/setup" action=requestPath cta="Set up Sidekick"/}
17 | 
18 | {/content}
19 | 


--------------------------------------------------------------------------------
/view/helper/current-year.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | /**
 4 |  * Initialise the current year view helper.
 5 |  * @param {Object} dust - a Dust view engine.
 6 |  * @returns {undefined} Nothing.
 7 |  */
 8 | function initCurrentYearHelper(dust) {
 9 | 	dust.helpers.currentYear = chunk => {
10 | 		const year = (new Date()).getFullYear();
11 | 		return chunk.write(year);
12 | 	};
13 | }
14 | 
15 | module.exports = initCurrentYearHelper;
16 | 


--------------------------------------------------------------------------------
/view/partial/alert/success.dust:
--------------------------------------------------------------------------------
 1 | 
 2 | {?errors}
 3 | 	<div class="alert alert--error">
 4 | 		<p><strong>The following errors occurred:</strong></p>
 5 | 		<ul>
 6 | 			{#errors}
 7 | 				<li data-test="alert-error">{.}</li>
 8 | 			{/errors}
 9 | 		</ul>
10 | 	</div>
11 | {/errors}
12 | 
13 | {?success}
14 | 	<div class="alert alert--success">
15 | 		<p data-test="alert-success"><strong>{success}</strong></p>
16 | 	</div>
17 | {/success}
18 | 


--------------------------------------------------------------------------------
/public/pa11y.svg:
--------------------------------------------------------------------------------
1 | <svg xmlns="http://www.w3.org/2000/svg" width="40" height="40" viewBox="0 0 40 40"><path fill="#3498DB" d="M10 0h-3.7c-.6 0-1 .5-1 1v6.1c0 .6.5 1 1 1h3.7v30.9c0 .6.5 1 1 1h7.3c.6 0 1-.5 1-1v-38c0-.6-.5-1-1-1h-8.3z"/><path fill="#F39C12" d="M25.3 0h-3.7c-.6 0-1 .5-1 1v6.1c0 .6.5 1 1 1h3.7v7.2c0 .6.5 1 1 1h7.3c.6 0 1-.5 1-1v-14.3c0-.6-.5-1-1-1h-8.3z"/><path fill="#E74C3C" d="M34.7 10.4l-24.7 10.4v10.5l24.1-10.1c.4-.2.6-.5.6-1v-9.8z"/></svg>


--------------------------------------------------------------------------------
/view/template/settings/password.dust:
--------------------------------------------------------------------------------
 1 | {>"layout/full"/}
 2 | 
 3 | {<title}
 4 | 	Your Password Settings - Sidekick
 5 | {/title}
 6 | 
 7 | {<secondary-nav}
 8 | 	{>"partial/nav/settings"/}
 9 | {/secondary-nav}
10 | 
11 | {<content}
12 | 
13 | 	<h1>Your Password Settings</h1>
14 | 
15 | 	<p>Manage your password and access to Sidekick.</p>
16 | 
17 | 	{>"partial/form/password" action="/settings/password" cta="Change password"/}
18 | 
19 | {/content}
20 | 


--------------------------------------------------------------------------------
/test/integration/helpers/auth.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | // Log into the site and get a cookie jar
 4 | async function getCookieJar(email, password) {
 5 | 	const jar = request.jar();
 6 | 	await request.post('/login', {
 7 | 		headers: {
 8 | 			'Content-Type': 'application/x-www-form-urlencoded'
 9 | 		},
10 | 		body: `email=${email}&password=${password}`,
11 | 		jar
12 | 	});
13 | 	return jar;
14 | }
15 | 
16 | module.exports = {
17 | 	getCookieJar
18 | };
19 | 


--------------------------------------------------------------------------------
/data/seed/demo/site-pa11y-github.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | // Pa11y website details
 4 | exports.seed = async database => {
 5 | 
 6 | 	// Insert demo site: github.com/pa11y/pa11y
 7 | 	await database('sites').insert([
 8 | 		{
 9 | 			id: 'r1BzElDDG',
10 | 			name: 'Pa11y GitHub Repo',
11 | 			base_url: 'https://github.com/pa11y/pa11y',
12 | 			is_runnable: true,
13 | 			is_scheduled: false,
14 | 			schedule: null,
15 | 			pa11y_config: JSON.stringify({})
16 | 		}
17 | 	]);
18 | 
19 | };
20 | 


--------------------------------------------------------------------------------
/view/partial/nav/footer.dust:
--------------------------------------------------------------------------------
 1 | 
 2 | <nav class="navigation navigation--footer">
 3 | 	<ul>
 4 | 		{?permissions.read}
 5 | 			<li>
 6 | 				<a href="/api/v1" class="navigation__item {@currentUrl test="/docs/api/*"}navigation__item--current{/currentUrl}">
 7 | 					API Documentation
 8 | 				</a>
 9 | 			</li>
10 | 		{/permissions.read}
11 | 		<li>
12 | 			<a href="https://github.com/pa11y/sidekick" class="navigation__item">
13 | 				GitHub Repository
14 | 			</a>
15 | 		</li>
16 | 	</ul>
17 | </nav>
18 | 


--------------------------------------------------------------------------------
/test/unit/mock/dashboard.mock.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const sinon = require('sinon');
 4 | 
 5 | const Dashboard = module.exports = sinon.stub();
 6 | 
 7 | const mockDashboard = module.exports.mockDashboard = {
 8 | 	environment: 'production',
 9 | 	log: require('./log.mock'),
10 | 	model: {
11 | 		Key: require('./model/key.mock'),
12 | 		Setting: require('./model/setting.mock'),
13 | 		User: require('./model/user.mock')
14 | 	},
15 | 	options: {}
16 | };
17 | 
18 | Dashboard.resolves(mockDashboard);
19 | 


--------------------------------------------------------------------------------
/test/unit/setup.test.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const assert = require('proclaim');
 4 | const mockery = require('mockery');
 5 | const sinon = require('sinon');
 6 | 
 7 | sinon.assert.expose(assert, {
 8 | 	includeFail: false,
 9 | 	prefix: ''
10 | });
11 | 
12 | beforeEach(() => {
13 | 	mockery.enable({
14 | 		useCleanCache: true,
15 | 		warnOnUnregistered: false,
16 | 		warnOnReplace: false
17 | 	});
18 | });
19 | 
20 | afterEach(() => {
21 | 	mockery.deregisterAll();
22 | 	mockery.disable();
23 | });
24 | 


--------------------------------------------------------------------------------
/.dustmiterc:
--------------------------------------------------------------------------------
 1 | {
 2 | 	"escapeCharactersMustBeValid": true,
 3 | 	"helperMustBeInsideSection": [
 4 | 		"first",
 5 | 		"last",
 6 | 		"sep"
 7 | 	],
 8 | 	"helperMustBeInsideSelect": [
 9 | 		"any",
10 | 		"none"
11 | 	],
12 | 	"helperMustHaveBody": [
13 | 		"first",
14 | 		"last",
15 | 		"sep"
16 | 	],
17 | 	"helperMustNotBeUsed": [
18 | 		"default",
19 | 		"idx",
20 | 		"if"
21 | 	],
22 | 	"helpersMustBeCamelCase": true,
23 | 	"logicHelpersMustHaveKeyAndValue": true,
24 | 	"referencesMustBeCamelCase": true
25 | }
26 | 


--------------------------------------------------------------------------------
/lib/middleware/require-auth.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const httpError = require('http-errors');
 4 | 
 5 | /**
 6 |  * Create a middleware function which requires an authenticated user.
 7 |  * @returns {Function} A middleware function.
 8 |  */
 9 | function requireAuth() {
10 | 	return (request, response, next) => {
11 | 		if (!request.authUser) {
12 | 			return next(httpError(401, 'You must authenticate to perform this action'));
13 | 		}
14 | 		next();
15 | 	};
16 | }
17 | 
18 | module.exports = requireAuth;
19 | 


--------------------------------------------------------------------------------
/controller/api-v1/docs.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | /**
 4 |  * Initialise the documentation controller.
 5 |  * @param {Dashboard} dashboard - A dashboard instance.
 6 |  * @param {Object} router - The API Express router.
 7 |  * @returns {undefined} Nothing
 8 |  */
 9 | function initDocsController(dashboard, router) {
10 | 
11 | 	// The base path of the API redirects to the documentation
12 | 	router.get('/', (request, response) => {
13 | 		response.redirect('/docs/api/v1');
14 | 	});
15 | 
16 | }
17 | 
18 | module.exports = initDocsController;
19 | 


--------------------------------------------------------------------------------
/test/unit/mock/model/key.mock.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const sinon = require('sinon');
 4 | 
 5 | const Key = module.exports = sinon.stub();
 6 | Key.fetchOneById = sinon.stub();
 7 | Key.checkSecret = sinon.stub().resolves(true);
 8 | 
 9 | const mockKey = module.exports.mockKey = {
10 | 	get: sinon.stub(),
11 | 	serialize: sinon.stub()
12 | };
13 | 
14 | const mockSerializedKey = module.exports.mockSerializedKey = {
15 | 	id: 'mock-key-id'
16 | };
17 | 
18 | Key.returns(mockKey);
19 | mockKey.serialize.returns(mockSerializedKey);
20 | Key.fetchOneById.resolves(mockKey);
21 | 


--------------------------------------------------------------------------------
/controller/front-end/home.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | /**
 4 |  * Initialise the home controller.
 5 |  * @param {Dashboard} dashboard - A dashboard instance.
 6 |  * @param {Object} router - The front end Express router.
 7 |  * @returns {undefined} Nothing
 8 |  */
 9 | function initHomeController(dashboard, router) {
10 | 
11 | 	// Home page
12 | 	router.get('/', (request, response) => {
13 | 		if (request.permissions.read) {
14 | 			response.render('template/home');
15 | 		} else {
16 | 			response.redirect('/login');
17 | 		}
18 | 	});
19 | 
20 | }
21 | 
22 | module.exports = initHomeController;
23 | 


--------------------------------------------------------------------------------
/view/partial/nav/admin.dust:
--------------------------------------------------------------------------------
 1 | 
 2 | <nav class="navigation navigation--secondary">
 3 | 	<ul>
 4 | 		<li>
 5 | 			<span class="navigation__item navigation__item--title">
 6 | 				Admin
 7 | 			</span>
 8 | 		</li>
 9 | 		<li>
10 | 			<a href="/admin/users" class="navigation__item {@currentUrl test="/admin/users*"}navigation__item--current{/currentUrl}">
11 | 				User Management
12 | 			</a>
13 | 		</li>
14 | 		<li>
15 | 			<a href="/admin/settings" class="navigation__item {@currentUrl test="/admin/settings"}navigation__item--current{/currentUrl}">
16 | 				Sidekick Settings
17 | 			</a>
18 | 		</li>
19 | 	</ul>
20 | </nav>
21 | 


--------------------------------------------------------------------------------
/test/unit/mock/model/user.mock.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const sinon = require('sinon');
 4 | 
 5 | const User = module.exports = sinon.stub();
 6 | User.fetchOneById = sinon.stub();
 7 | 
 8 | const mockUser = module.exports.mockUser = {
 9 | 	get: sinon.stub(),
10 | 	serialize: sinon.stub()
11 | };
12 | 
13 | const mockSerializedUser = module.exports.mockSerializedUser = {
14 | 	id: 'mock-user-id',
15 | 	permissions: {
16 | 		read: true,
17 | 		write: true,
18 | 		delete: false,
19 | 		admin: false
20 | 	}
21 | };
22 | 
23 | User.returns(mockUser);
24 | mockUser.serialize.returns(mockSerializedUser);
25 | User.fetchOneById.resolves(mockUser);
26 | 


--------------------------------------------------------------------------------
/lib/util/validation-error.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | /**
 4 |  * Create a validation error which matches Joi's.
 5 |  * @param {(Array<String>|String)} messages - The validation message(s) to add to the validation error.
 6 |  * @returns {Error} An error object with the validation details.
 7 |  */
 8 | function validationError(messages) {
 9 | 	const error = new Error('Validation failed');
10 | 	error.name = 'ValidationError';
11 | 	if (typeof messages === 'string') {
12 | 		messages = [messages];
13 | 	}
14 | 	error.details = messages.map(message => {
15 | 		return {message};
16 | 	});
17 | 	return error;
18 | }
19 | 
20 | module.exports = validationError;
21 | 


--------------------------------------------------------------------------------
/lib/middleware/require-permission.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const httpError = require('http-errors');
 4 | 
 5 | /**
 6 |  * Create a middleware function which requires a specific permission.
 7 |  * @param {String} level - The permission level to require. One of 'read', 'write', 'delete', 'admin'.
 8 |  * @returns {Function} A middleware function.
 9 |  */
10 | function requirePermission(level) {
11 | 	return (request, response, next) => {
12 | 		if (!request.permissions || !request.permissions[level]) {
13 | 			return next(httpError(403, 'You are not authorised to perform this action'));
14 | 		}
15 | 		next();
16 | 	};
17 | }
18 | 
19 | module.exports = requirePermission;
20 | 


--------------------------------------------------------------------------------
/lib/util/bind-logger.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | /**
 4 |  * Bind a logger's `log` and `error` methods with a string prefix.
 5 |  * @param {Object} logger - The logger to bind methods of
 6 |  * @param {Function} logger.error - The logger error method.
 7 |  * @param {Function} logger.info - The logger info method.
 8 |  * @param {String} prefix - The value to prefix logs with.
 9 |  * @returns {Object} An object with new `error` and `info` methods.
10 |  */
11 | function bindLogger(logger, prefix) {
12 | 	return {
13 | 		error: logger.error.bind(logger.error, prefix),
14 | 		info: logger.info.bind(logger.info, prefix)
15 | 	};
16 | }
17 | 
18 | module.exports = bindLogger;
19 | 


--------------------------------------------------------------------------------
/app.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "Pa11y Sidekick",
 3 |   "description": "An accessibility dashboard",
 4 |   "keywords": [],
 5 |   "website": "https://github.com/pa11y/sidekick",
 6 |   "repository": "https://github.com/pa11y/sidekick",
 7 |   "logo": "http://pa11y.org/resources/brand/pa11y-logo-512x512.png",
 8 |   "success_url": "/",
 9 |   "env": {
10 |     "SESSION_SECRET": {
11 |       "description": "The secret to encrypt session IDs with",
12 |       "generator": "secret",
13 |       "required": true
14 |     }
15 |   },
16 |   "addons": [
17 |     {
18 |       "plan": "heroku-postgresql",
19 |       "options": {
20 |         "version": "9.6"
21 |       }
22 |     }
23 |   ]
24 | }
25 | 


--------------------------------------------------------------------------------
/env.sample:
--------------------------------------------------------------------------------
 1 | # This is a sample .env file for use in local development.
 2 | # Duplicate this file as .env in the root of the project
 3 | # and update the environment variables to match your
 4 | # desired config
 5 | #
 6 | # See the README for full descriptions of each of the
 7 | # available configurations.
 8 | 
 9 | # A PostgreSQL connection string
10 | DATABASE_URL=postgres://localhost:5432/pa11y_sidekick
11 | 
12 | # The lowest level of logs to output
13 | LOG_LEVEL=debug
14 | 
15 | # The environment to run the application in
16 | NODE_ENV=development
17 | 
18 | # The HTTP port to run the application on
19 | PORT=8080
20 | 
21 | # The secret to encrypt session IDs with
22 | SESSION_SECRET=development
23 | 


--------------------------------------------------------------------------------
/view/template/sites/sites.dust:
--------------------------------------------------------------------------------
 1 | {>"layout/full"/}
 2 | 
 3 | {<title}
 4 | 	Sites - Sidekick
 5 | {/title}
 6 | 
 7 | {<content}
 8 | 
 9 | 	<div class="heading-wrapper">
10 | 		<h1>Sites</h1>
11 | 		{?permissions.write}
12 | 			<a href="/sites/new" class="button">Create a new site</a>
13 | 		{/permissions.write}
14 | 	</div>
15 | 
16 | 	{?sites}
17 | 		<ul class="sites">
18 | 			{#sites}
19 | 				<li>
20 | 					<h3><a href="/sites/{id}">{name}</a></h3>
21 | 				</li>
22 | 			{/sites}
23 | 		</ul>
24 | 	{:else}
25 | 		<p>
26 | 			You don't have any sites yet.
27 | 			{?permissions.write}
28 | 				You can <a href="/sites/new">create one here</a>.</p>
29 | 			{/permissions.write}
30 | 	{/sites}
31 | 
32 | {/content}
33 | 


--------------------------------------------------------------------------------
/view/helper/current-url.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | /**
 4 |  * Initialise the current URL view helper.
 5 |  * @param {Object} dust - a Dust view engine.
 6 |  * @returns {undefined} Nothing.
 7 |  */
 8 | function currentUrl(dust) {
 9 | 	dust.helpers.currentUrl = (chunk, context, bodies, params) => {
10 | 		if (!params.test || !bodies.block) {
11 | 			return chunk;
12 | 		}
13 | 		const pattern = params.test
14 | 			.replace('*', '.*')
15 | 			.replace('/', '\\/')
16 | 			.replace(/\/$/, '/?');
17 | 		const regExp = new RegExp(`^${pattern}$`);
18 | 		if (regExp.test(context.get('requestPath') || '')) {
19 | 			return chunk.render(bodies.block, context);
20 | 		}
21 | 		return chunk;
22 | 	};
23 | }
24 | 
25 | module.exports = currentUrl;
26 | 


--------------------------------------------------------------------------------
/view/template/sites/delete-url.dust:
--------------------------------------------------------------------------------
 1 | {>"layout/full"/}
 2 | 
 3 | {<title}
 4 | 	Deleting URL - Sidekick
 5 | {/title}
 6 | 
 7 | {<content}
 8 | 
 9 | 	<h1>Deleting URL</h1>
10 | 
11 | 	<p>
12 | 		This action is permanent and unrecoverable.
13 | 		Any data associated with this URL
14 | 		will no longer be accessible.
15 | 	</p>
16 | 
17 | 	<p>
18 | 		Are you sure you wish to delete the URL
19 | 		<b>{form.url.name}</b> <em>({form.url.address})</em>?
20 | 	</p>
21 | 
22 | 	<form data-test="delete-url-form" action="{requestPath}" method="post" enctype="application/x-www-form-urlencoded">
23 | 
24 | 		<div class="field">
25 | 			<input type="submit" value="Delete URL" class="button button--danger"/>
26 | 		</div>
27 | 
28 | 	</form>
29 | 
30 | {/content}
31 | 


--------------------------------------------------------------------------------
/view/partial/form/key.dust:
--------------------------------------------------------------------------------
 1 | 
 2 | <form data-test="key-form" action="{action}" method="post" enctype="application/x-www-form-urlencoded">
 3 | 
 4 | 	{>"partial/alert/success" success=form.key.success/}
 5 | 	{>"partial/alert/error" errors=form.key.errors/}
 6 | 
 7 | 	<div class="field field--text">
 8 | 		<label for="key-description">
 9 | 			Description
10 | 			<span class="field__sublabel">
11 | 				A brief description of the key, used to identify what this key is for later
12 | 			</span>
13 | 		</label>
14 | 		<input id="key-description" type="text" name="description" value="{form.key.description}" required/>
15 | 	</div>
16 | 
17 | 	<div class="field">
18 | 		<input type="submit" value="{cta}" class="button button--submit"/>
19 | 	</div>
20 | 
21 | </form>
22 | 


--------------------------------------------------------------------------------
/view/layout/full.dust:
--------------------------------------------------------------------------------
 1 | {>"layout/base"/}
 2 | 
 3 | {! A layout with all of the trimmings !}
 4 | 
 5 | {<body}
 6 | 
 7 | 	{?siteWideAlert}
 8 | 		<div class="alert alert--success alert--site-wide">
 9 | 			<p><strong>{siteWideAlert}</strong></p>
10 | 		</div>
11 | 	{/siteWideAlert}
12 | 
13 | 	<header role="banner">
14 | 		{+primary-nav}
15 | 			{>"partial/nav/main"/}
16 | 		{/primary-nav}
17 | 		{+secondary-nav/}
18 | 	</header>
19 | 
20 | 	<div role="main" class="page">
21 | 		<div class="page-inner">
22 | 			{+content/}
23 | 		</div>
24 | 	</div>
25 | 
26 | 	<footer role="contentinfo">
27 | 		{>"partial/nav/footer"/}
28 | 		<div class="copyright">
29 | 			<small>Copyright &copy; {@currentYear/}, Team Pa11y</small>
30 | 		</div>
31 | 	</footer>
32 | 
33 | {/body}
34 | 


--------------------------------------------------------------------------------
/script/seed.js:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env node
 2 | 'use strict';
 3 | 
 4 | const dotenv = require('dotenv');
 5 | const Dashboard = require('../lib/dashboard');
 6 | 
 7 | // Load configurations from an .env file if present
 8 | dotenv.config();
 9 | 
10 | // Create a Sidekick instance
11 | const dashboard = new Dashboard({
12 | 	databaseConnectionString: process.env.DATABASE_URL
13 | });
14 | 
15 | // Seed the database with demo data
16 | async function seed() {
17 | 	try {
18 | 		await dashboard.database.knex.seed.run({
19 | 			directory: `${__dirname}/../data/seed/demo`
20 | 		});
21 | 		console.log('Seeded the database with demo data');
22 | 		process.exit(0);
23 | 	} catch (error) {
24 | 		console.error(error.stack);
25 | 		process.exit(1);
26 | 	}
27 | }
28 | 
29 | seed();
30 | 


--------------------------------------------------------------------------------
/script/migrate-up.js:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env node
 2 | 'use strict';
 3 | 
 4 | const dotenv = require('dotenv');
 5 | const Dashboard = require('../lib/dashboard');
 6 | 
 7 | // Load configurations from an .env file if present
 8 | dotenv.config();
 9 | 
10 | // Create a Sidekick instance
11 | const dashboard = new Dashboard({
12 | 	databaseConnectionString: process.env.DATABASE_URL
13 | });
14 | 
15 | // Migrate up
16 | async function migrateUp() {
17 | 	try {
18 | 		await dashboard.database.knex.migrate.latest({
19 | 			directory: `${__dirname}/../data/migration`,
20 | 			tableName: 'migrations'
21 | 		});
22 | 		console.log('Migrated to latest database schema');
23 | 		process.exit(0);
24 | 	} catch (error) {
25 | 		console.error(error.stack);
26 | 		process.exit(1);
27 | 	}
28 | }
29 | 
30 | migrateUp();
31 | 


--------------------------------------------------------------------------------
/script/migrate-down.js:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env node
 2 | 'use strict';
 3 | 
 4 | const dotenv = require('dotenv');
 5 | const Dashboard = require('../lib/dashboard');
 6 | 
 7 | // Load configurations from an .env file if present
 8 | dotenv.config();
 9 | 
10 | // Create a Sidekick instance
11 | const dashboard = new Dashboard({
12 | 	databaseConnectionString: process.env.DATABASE_URL
13 | });
14 | 
15 | // Migrate down
16 | async function migrateDown() {
17 | 	try {
18 | 		await dashboard.database.knex.migrate.rollback({
19 | 			directory: `${__dirname}/../data/migration`,
20 | 			tableName: 'migrations'
21 | 		});
22 | 		console.log('Rolled back the latest migration');
23 | 		process.exit(0);
24 | 	} catch (error) {
25 | 		console.error(error.stack);
26 | 		process.exit(1);
27 | 	}
28 | }
29 | 
30 | migrateDown();
31 | 


--------------------------------------------------------------------------------
/view/partial/nav/settings.dust:
--------------------------------------------------------------------------------
 1 | 
 2 | <nav class="navigation navigation--secondary">
 3 | 	<ul>
 4 | 		<li>
 5 | 			<span class="navigation__item navigation__item--title">
 6 | 				Settings
 7 | 			</span>
 8 | 		</li>
 9 | 		<li>
10 | 			<a href="/settings/profile" class="navigation__item {@currentUrl test="/settings/profile"}navigation__item--current{/currentUrl}">
11 | 				Profile
12 | 			</a>
13 | 		</li>
14 | 		<li>
15 | 			<a href="/settings/password" class="navigation__item {@currentUrl test="/settings/password"}navigation__item--current{/currentUrl}">
16 | 				Password
17 | 			</a>
18 | 		</li>
19 | 		<li>
20 | 			<a href="/settings/keys" class="navigation__item {@currentUrl test="/settings/keys*"}navigation__item--current{/currentUrl}">
21 | 				API Keys
22 | 			</a>
23 | 		</li>
24 | 	</ul>
25 | </nav>
26 | 


--------------------------------------------------------------------------------
/view/partial/nav/api-docs.dust:
--------------------------------------------------------------------------------
 1 | 
 2 | <nav class="navigation navigation--secondary">
 3 | 	<ul>
 4 | 		<li>
 5 | 			<span class="navigation__item navigation__item--title">
 6 | 				API Documentation
 7 | 			</span>
 8 | 		</li>
 9 | 		<li>
10 | 			<a href="/docs/api/v1" class="navigation__item {@currentUrl test="/docs/api/v1"}navigation__item--current{/currentUrl}">
11 | 				Overview
12 | 			</a>
13 | 		</li>
14 | 		<li>
15 | 			<a href="/docs/api/v1/sites" class="navigation__item {@currentUrl test="/docs/api/v1/sites"}navigation__item--current{/currentUrl}">
16 | 				Sites
17 | 			</a>
18 | 		</li>
19 | 		<li>
20 | 			<a href="/docs/api/v1/users" class="navigation__item {@currentUrl test="/docs/api/v1/users"}navigation__item--current{/currentUrl}">
21 | 				Users
22 | 			</a>
23 | 		</li>
24 | 	</ul>
25 | </nav>
26 | 


--------------------------------------------------------------------------------
/view/template/settings/delete-key.dust:
--------------------------------------------------------------------------------
 1 | {>"layout/full"/}
 2 | 
 3 | {<title}
 4 | 	Deleting API Key - Sidekick
 5 | {/title}
 6 | 
 7 | {<secondary-nav}
 8 | 	{>"partial/nav/settings"/}
 9 | {/secondary-nav}
10 | 
11 | {<content}
12 | 
13 | 	<h1>Deleting API Key</h1>
14 | 
15 | 	<p>
16 | 		This action is permanent and unrecoverable.
17 | 		Any applications or scripts using this API key
18 | 		will cease to work.
19 | 	</p>
20 | 
21 | 	<p>
22 | 		Are you sure you wish to delete the key
23 | 		<em>{form.key.description}</em>?
24 | 	</p>
25 | 
26 | 	<form data-test="delete-key-form" action="{requestPath}" method="post" enctype="application/x-www-form-urlencoded">
27 | 
28 | 		<div class="field">
29 | 			<input type="submit" value="Delete API key" class="button button--danger"/>
30 | 		</div>
31 | 
32 | 	</form>
33 | 
34 | {/content}
35 | 


--------------------------------------------------------------------------------
/view/template/admin/delete-user.dust:
--------------------------------------------------------------------------------
 1 | {>"layout/full"/}
 2 | 
 3 | {<title}
 4 | 	Deleting User - Sidekick
 5 | {/title}
 6 | 
 7 | {<secondary-nav}
 8 | 	{>"partial/nav/admin"/}
 9 | {/secondary-nav}
10 | 
11 | {<content}
12 | 
13 | 	<h1>Deleting User</h1>
14 | 
15 | 	<p>
16 | 		This action is permanent and unrecoverable,
17 | 		This user will no longer be able to log in
18 | 		and all of their API keys will be deleted.
19 | 	</p>
20 | 
21 | 	<p>
22 | 		Are you sure you wish to delete the user
23 | 		<em>{form.user.email}</em>?
24 | 	</p>
25 | 
26 | 	<form data-test="delete-user-form" action="{requestPath}" method="post" enctype="application/x-www-form-urlencoded">
27 | 
28 | 		<div class="field">
29 | 			<input type="submit" value="Delete user" class="button button--danger"/>
30 | 		</div>
31 | 
32 | 	</form>
33 | 
34 | {/content}
35 | 


--------------------------------------------------------------------------------
/view/partial/form/login.dust:
--------------------------------------------------------------------------------
 1 | 
 2 | <form data-test="login-form" action="/login" method="post" enctype="application/x-www-form-urlencoded">
 3 | 
 4 | 	{>"partial/alert/error" errors=form.login.errors/}
 5 | 
 6 | 	{?form.login.referer}
 7 | 		<input type="hidden" name="referer" value="{form.login.referer}"/>
 8 | 	{/form.login.referer}
 9 | 
10 | 	<div class="field field--text">
11 | 		<label for="login-email">Email address</label>
12 | 		<input id="login-email" type="email" name="email" value="{form.login.email}" required/>
13 | 	</div>
14 | 
15 | 	<div class="field field--text">
16 | 		<label for="login-password">Password</label>
17 | 		<input id="login-password" type="password" name="password" value="" required/>
18 | 	</div>
19 | 
20 | 	<div class="field">
21 | 		<input type="submit" value="Login" class="button button--submit"/>
22 | 	</div>
23 | 
24 | </form>
25 | 


--------------------------------------------------------------------------------
/data/migration/20180221234637_urls.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | exports.up = async database => {
 4 | 
 5 | 	// Create the URLs table
 6 | 	await database.schema.createTable('urls', table => {
 7 | 
 8 | 		// Meta information
 9 | 		table.string('id').unique().primary();
10 | 		table.timestamp('created_at').defaultTo(database.fn.now());
11 | 		table.timestamp('updated_at').defaultTo(database.fn.now());
12 | 
13 | 		// URL information
14 | 		table.string('site_id').notNullable();
15 | 		table.string('name').notNullable();
16 | 		table.string('address').notNullable();
17 | 		table.json('pa11y_config').notNullable().defaultTo('{}');
18 | 
19 | 		// Foreign key contraints
20 | 		table.foreign('site_id').references('sites.id').onDelete('CASCADE');
21 | 
22 | 	});
23 | 
24 | };
25 | 
26 | exports.down = async database => {
27 | 	await database.schema.dropTable('urls');
28 | };
29 | 


--------------------------------------------------------------------------------
/test/integration/routes/api-v1/index.test.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const assert = require('proclaim');
 4 | const database = require('../../helpers/database');
 5 | let response;
 6 | 
 7 | describe('GET /api/v1', () => {
 8 | 
 9 | 	describe('when everything is valid', () => {
10 | 
11 | 		before(async () => {
12 | 			await database.seed(dashboard, 'basic');
13 | 			response = await request.get('/api/v1');
14 | 		});
15 | 
16 | 		it('responds with a 302 status', () => {
17 | 			assert.strictEqual(response.statusCode, 302);
18 | 		});
19 | 
20 | 		it('responds with a Location header pointing to the API documentation page', () => {
21 | 			assert.strictEqual(response.headers.location, '/docs/api/v1');
22 | 		});
23 | 
24 | 		it('responds with plain text', () => {
25 | 			assert.include(response.headers['content-type'], 'text/plain');
26 | 		});
27 | 
28 | 	});
29 | 
30 | });
31 | 


--------------------------------------------------------------------------------
/view/partial/form/app-settings.dust:
--------------------------------------------------------------------------------
 1 | 
 2 | <form data-test="settings-form" action="{action}" method="post" enctype="application/x-www-form-urlencoded">
 3 | 
 4 | 	{>"partial/alert/success" success=form.settings.success/}
 5 | 	{>"partial/alert/error" errors=form.settings.errors/}
 6 | 
 7 | 	<div class="field">
 8 | 		<label for="settings-public-access">
 9 | 			Public Access
10 | 			<span class="field__sublabel">
11 | 				<input id="settings-public-access" type="checkbox" name="publicReadAccess" {?form.settings.publicReadAccess}checked{/form.settings.publicReadAccess}/>
12 | 				Check this box if you'd like your Accessibility data to be publicly viewable.
13 | 				Go on, show it off to the world!
14 | 			</span>
15 | 		</label>
16 | 	</div>
17 | 
18 | 	<div class="field">
19 | 		<input type="submit" value="{cta}" class="button button--submit"/>
20 | 	</div>
21 | 
22 | </form>
23 | 


--------------------------------------------------------------------------------
/data/migration/20180217203355_sites.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | exports.up = async database => {
 4 | 
 5 | 	// Create the sites table
 6 | 	await database.schema.createTable('sites', table => {
 7 | 
 8 | 		// Meta information
 9 | 		table.string('id').unique().primary();
10 | 		table.timestamp('created_at').defaultTo(database.fn.now());
11 | 		table.timestamp('updated_at').defaultTo(database.fn.now());
12 | 
13 | 		// Site information
14 | 		table.string('name').notNullable();
15 | 		table.string('base_url').notNullable();
16 | 		table.boolean('is_runnable').notNullable().defaultTo(true);
17 | 		table.boolean('is_scheduled').notNullable().defaultTo(false);
18 | 		table.string('schedule');
19 | 		table.json('pa11y_config').notNullable().defaultTo('{}');
20 | 
21 | 	});
22 | 
23 | };
24 | 
25 | exports.down = async database => {
26 | 	await database.schema.dropTable('sites');
27 | };
28 | 


--------------------------------------------------------------------------------
/view/template/error.dust:
--------------------------------------------------------------------------------
 1 | {>"layout/full"/}
 2 | 
 3 | {<title}
 4 | 	Error {error.status}: {error.message} - Sidekick
 5 | {/title}
 6 | 
 7 | {<content}
 8 | 
 9 | 	<h1>Error {error.status}: {error.message}</h1>
10 | 
11 | 	{@select key=error.status}
12 | 
13 | 		{@eq value=401}
14 | 			<p>You must <a href="/login?referer={requestPath}">log in</a> before you'll be able to access this page</p>
15 | 		{/eq}
16 | 
17 | 		{@eq value=404}
18 | 			<p>The page you're looking for can't be found.</p>
19 | 		{/eq}
20 | 
21 | 		{@eq value=500}
22 | 			<p>Something went wrong internally.</p>
23 | 		{/eq}
24 | 
25 | 	{/select}
26 | 
27 | 	{! We only send the stack if the app is running in development mode !}
28 | 	{?error.stack}
29 | 		<hr/>
30 | 		<p>Note: you can see the full error because Sidekick is running in development mode:</p>
31 | 		<pre>{error.stack}</pre>
32 | 	{/error.stack}
33 | 
34 | {/content}
35 | 


--------------------------------------------------------------------------------
/test/integration/seed/no-auth/auth.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const bcrypt = require('bcrypt');
 4 | 
 5 | // Test authentication details
 6 | exports.seed = async database => {
 7 | 
 8 | 	// Insert test users
 9 | 	await database('users').insert([
10 | 		{
11 | 			id: 'mock-owner-id',
12 | 			email: 'owner@example.com',
13 | 			password: await bcrypt.hash('password', 10),
14 | 			is_owner: true,
15 | 			allow_read: true,
16 | 			allow_write: true,
17 | 			allow_delete: true,
18 | 			allow_admin: true
19 | 		},
20 | 		{
21 | 			id: 'mock-user-id',
22 | 			email: 'user@example.com',
23 | 			password: await bcrypt.hash('password', 10)
24 | 		}
25 | 	]);
26 | 
27 | 	// Insert test API keys
28 | 	await database('keys').insert([
29 | 		{
30 | 			id: 'mock-key',
31 | 			secret: await bcrypt.hash('mock-secret', 5),
32 | 			user_id: 'mock-user-id',
33 | 			description: 'Example key'
34 | 		}
35 | 	]);
36 | 
37 | };
38 | 


--------------------------------------------------------------------------------
/test/integration/routes/front-end/404.test.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const assert = require('proclaim');
 4 | const database = require('../../helpers/database');
 5 | let response;
 6 | 
 7 | describe('GET /404', () => {
 8 | 
 9 | 	before(async () => {
10 | 		await database.seed(dashboard, 'basic');
11 | 	});
12 | 
13 | 	describe('when everything is valid', () => {
14 | 
15 | 		before(async () => {
16 | 			response = await request.get('/404');
17 | 		});
18 | 
19 | 		it('responds with a 404 status', () => {
20 | 			assert.strictEqual(response.statusCode, 404);
21 | 		});
22 | 
23 | 		it('responds with HTML', () => {
24 | 			assert.include(response.headers['content-type'], 'text/html');
25 | 		});
26 | 
27 | 		it('it responds with an error page', () => {
28 | 			const body = response.body.document.querySelector('body');
29 | 			assert.match(body.innerHTML, /not found/i);
30 | 		});
31 | 
32 | 	});
33 | 
34 | });
35 | 


--------------------------------------------------------------------------------
/controller/front-end/docs.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const requirePermission = require('../../lib/middleware/require-permission');
 4 | 
 5 | /**
 6 |  * Initialise the documentation controller.
 7 |  * @param {Dashboard} dashboard - A dashboard instance.
 8 |  * @param {Object} router - The API Express router.
 9 |  * @returns {undefined} Nothing
10 |  */
11 | function initDocsController(dashboard, router) {
12 | 
13 | 	// API documentation routes
14 | 	router.get('/docs/api/v1', requirePermission('read'), (request, response) => {
15 | 		response.render('template/docs/api-v1');
16 | 	});
17 | 	router.get('/docs/api/v1/sites', requirePermission('read'), (request, response) => {
18 | 		response.render('template/docs/api-v1-sites');
19 | 	});
20 | 	router.get('/docs/api/v1/users', requirePermission('read'), (request, response) => {
21 | 		response.render('template/docs/api-v1-users');
22 | 	});
23 | 
24 | }
25 | 
26 | module.exports = initDocsController;
27 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | 
 2 | # Contributing Guide
 3 | 
 4 | Thanks for getting involved :tada:
 5 | 
 6 | The Pa11y team loves to see new contributors, and we strive to provide a welcoming and inclusive environment. We ask that all contributors read and follow [our code of conduct][code-of-conduct] before joining. If you represent an organisation, then you might find our [guide for companies][companies] helpful.
 7 | 
 8 | Our website outlines the many ways that you can contribute to Pa11y:
 9 | 
10 |   - [Help us to talk to our users][communications]
11 |   - [Help us out with design][designers]
12 |   - [Help us with our code][developers]
13 | 
14 | 
15 | 
16 | [code-of-conduct]: http://pa11y.org/contributing/code-of-conduct/
17 | [communications]: http://pa11y.org/contributing/communications/
18 | [companies]: http://pa11y.org/contributing/companies/
19 | [designers]: http://pa11y.org/contributing/designers/
20 | [developers]: http://pa11y.org/contributing/developers/
21 | 


--------------------------------------------------------------------------------
/script/create-migration.js:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env node
 2 | 'use strict';
 3 | 
 4 | const dotenv = require('dotenv');
 5 | const Dashboard = require('../lib/dashboard');
 6 | 
 7 | // Load configurations from an .env file if present
 8 | dotenv.config();
 9 | 
10 | // Check for a migration name
11 | const migrationName = process.argv[2];
12 | if (!migrationName) {
13 | 	console.log('Usage: ./script/create-migration.js <name>');
14 | 	process.exit(1);
15 | }
16 | 
17 | // Create a Sidekick instance
18 | const dashboard = new Dashboard({
19 | 	databaseConnectionString: process.env.DATABASE_URL
20 | });
21 | 
22 | // Create a migration
23 | async function createMigration() {
24 | 	try {
25 | 		const result = await dashboard.database.knex.migrate.make(migrationName, {
26 | 			directory: `${__dirname}/../data/migration`,
27 | 			tableName: 'migrations'
28 | 		});
29 | 		console.log(`Created migration file: ${result}`);
30 | 		process.exit(0);
31 | 	} catch (error) {
32 | 		console.error(error.stack);
33 | 		process.exit(1);
34 | 	}
35 | }
36 | 
37 | createMigration();
38 | 


--------------------------------------------------------------------------------
/data/migration/20191021121104_update_version_columns_jsonb.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | exports.up = async database => {
 4 | 
 5 | 	// Change json columns to jsonb
 6 | 	await database.schema.alterTable('settings', table => {
 7 | 		table.jsonb('value').alter();
 8 | 	});
 9 | 	await database.schema.alterTable('sessions', table => {
10 | 		table.jsonb('sess').alter();
11 | 	});
12 | 	await database.schema.alterTable('sites', table => {
13 | 		table.jsonb('pa11y_config').alter();
14 | 	});
15 | 	await database.schema.alterTable('urls', table => {
16 | 		table.jsonb('pa11y_config').alter();
17 | 	});
18 | };
19 | 
20 | exports.down = async database => {
21 | 
22 | 	// Change jsonb columns to json
23 | 	await database.schema.alterTable('settings', table => {
24 | 		table.json('value').alter();
25 | 	});
26 | 	await database.schema.alterTable('sessions', table => {
27 | 		table.json('sess').alter();
28 | 	});
29 | 	await database.schema.alterTable('sites', table => {
30 | 		table.json('pa11y_config').alter();
31 | 	});
32 | 	await database.schema.alterTable('urls', table => {
33 | 		table.json('pa11y_config').alter();
34 | 	});
35 | 
36 | };
37 | 


--------------------------------------------------------------------------------
/lib/middleware/get-app-url.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const url = require('url');
 4 | 
 5 | /**
 6 |  * Create a middleware function which adds hostname information to the request object.
 7 |  * @returns {Function} A middleware function.
 8 |  */
 9 | function getAppUrl(configuredHostname) {
10 | 	if (configuredHostname && !/^https?:\/\//i.test(configuredHostname)) {
11 | 		configuredHostname = `http://${configuredHostname}`;
12 | 	}
13 | 	const parsed = url.parse(configuredHostname || '');
14 | 	parsed.protocol = (parsed.protocol ? parsed.protocol.replace(':', '') : null);
15 | 	return (request, response, next) => {
16 | 		const isLocal = (!parsed.hostname && request.connection.remoteAddress === '::1');
17 | 		const protocol = parsed.protocol || request.headers['X-Forwarded-Proto'] || request.protocol || 'http';
18 | 		const host = parsed.hostname || request.headers['X-Forwarded-Host'] || request.hostname || 'localhost';
19 | 		let port = parsed.port || request.headers['X-Forwarded-Port'] || (isLocal ? request.connection.localPort : null);
20 | 		port = (port ? `:${port}` : '');
21 | 		request.appUrl = `${protocol}://${host}${port}`;
22 | 		next();
23 | 	};
24 | }
25 | 
26 | module.exports = getAppUrl;
27 | 


--------------------------------------------------------------------------------
/index.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const dotenv = require('dotenv');
 4 | const Dashboard = require('./lib/dashboard');
 5 | const winston = require('winston');
 6 | 
 7 | // Load configurations from an .env file if present
 8 | dotenv.config();
 9 | 
10 | // Grab configurations from environment variables
11 | const options = {
12 | 	dashboardUrl: process.env.DASHBOARD_URL,
13 | 	databaseConnectionString: process.env.DATABASE_URL,
14 | 	environment: process.env.NODE_ENV,
15 | 	port: process.env.PORT,
16 | 	requestLogFormat: process.env.REQUEST_LOG_FORMAT,
17 | 	sessionSecret: process.env.SESSION_SECRET
18 | };
19 | 
20 | // Create a logger to use in the application
21 | options.log = new winston.Logger({
22 | 	level: process.env.LOG_LEVEL || (options.environment === 'production' ? 'verbose' : 'debug'),
23 | 	transports: [
24 | 		new winston.transports.Console({
25 | 			showLevel: false
26 | 		})
27 | 	]
28 | });
29 | 
30 | // Set up a request logger (should only appear when
31 | // the log level is verbose)
32 | options.requestLogStream = {
33 | 	write: message => options.log.verbose(message.trim())
34 | };
35 | 
36 | // Initialise and start Sidekick
37 | const dashboard = new Dashboard(options);
38 | dashboard.start();
39 | 


--------------------------------------------------------------------------------
/data/seed/demo/site-pa11y.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | // Pa11y website details
 4 | exports.seed = async database => {
 5 | 
 6 | 	// Insert demo site: pa11y.org
 7 | 	await database('sites').insert([
 8 | 		{
 9 | 			id: 'ByXMzeDwf',
10 | 			name: 'Pa11y Website',
11 | 			base_url: 'http://pa11y.org/',
12 | 			is_runnable: true,
13 | 			is_scheduled: false,
14 | 			schedule: null,
15 | 			pa11y_config: JSON.stringify({
16 | 				timeout: 20000
17 | 			})
18 | 		}
19 | 	]);
20 | 	await database('urls').insert([
21 | 		{
22 | 			id: 'SkOx3Fiwf',
23 | 			site_id: 'ByXMzeDwf',
24 | 			name: 'Home',
25 | 			address: '/',
26 | 			pa11y_config: JSON.stringify({})
27 | 		},
28 | 		{
29 | 			id: 'SkDV2KjDG',
30 | 			site_id: 'ByXMzeDwf',
31 | 			name: 'News',
32 | 			address: '/news',
33 | 			pa11y_config: JSON.stringify({})
34 | 		},
35 | 		{
36 | 			id: 'HysE2YjDM',
37 | 			site_id: 'ByXMzeDwf',
38 | 			name: 'Contributing',
39 | 			address: '/contributing',
40 | 			pa11y_config: JSON.stringify({})
41 | 		},
42 | 		{
43 | 			id: 'SylT-M2PM',
44 | 			site_id: 'ByXMzeDwf',
45 | 			name: 'Home (strict)',
46 | 			address: '/',
47 | 			pa11y_config: JSON.stringify({
48 | 				standard: 'WCAG2AAA'
49 | 			})
50 | 		}
51 | 	]);
52 | 
53 | };
54 | 


--------------------------------------------------------------------------------
/test/unit/mock/express.mock.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const sinon = require('sinon');
 4 | 
 5 | const express = module.exports = sinon.stub();
 6 | express.static = sinon.stub();
 7 | 
 8 | const mockAddress = module.exports.mockAddress = {
 9 | 	port: 1234
10 | };
11 | 
12 | const mockServer = module.exports.mockServer = {
13 | 	address: sinon.stub()
14 | };
15 | 
16 | const mockApp = module.exports.mockApp = {
17 | 	disable: sinon.stub(),
18 | 	enable: sinon.stub(),
19 | 	engine: sinon.stub(),
20 | 	listen: sinon.stub().yieldsAsync(),
21 | 	locals: {
22 | 		foo: 'bar'
23 | 	},
24 | 	set: sinon.stub(),
25 | 	use: sinon.stub()
26 | };
27 | 
28 | const mockStaticMiddleware = module.exports.mockStaticMiddleware = sinon.stub();
29 | 
30 | module.exports.mockRequest = {
31 | 	app: mockApp,
32 | 	headers: {},
33 | 	session: {}
34 | };
35 | 
36 | module.exports.mockResponse = {
37 | 	locals: {
38 | 		foo: 'bar'
39 | 	},
40 | 	render: sinon.stub().yields(),
41 | 	send: sinon.stub().returnsThis(),
42 | 	set: sinon.stub().returnsThis(),
43 | 	status: sinon.stub().returnsThis()
44 | };
45 | 
46 | mockServer.address.returns(mockAddress);
47 | mockApp.listen.returns(mockServer);
48 | express.static.returns(mockStaticMiddleware);
49 | express.returns(mockApp);
50 | 


--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
 1 | 
 2 | # Container version
 3 | # (important for modern PostgreSQL)
 4 | dist: trusty
 5 | sudo: false
 6 | 
 7 | # Build matrix
 8 | language: node_js
 9 | matrix:
10 |   include:
11 | 
12 |     # Run linter once
13 |     - node_js: '8'
14 |       env: LINT=true
15 | 
16 |     # Run unit tests with varying Node.js
17 |     # and default PostgreSQL (9.5)
18 | 
19 |     - node_js: '8'
20 |       env: NODE=8
21 | 
22 |     # Run integration tests with varying
23 |     # PostgreSQL and default Node.js (8)
24 | 
25 |     - node_js: '8'
26 |       env: POSTGRES=9.5
27 |       addons:
28 |         postgresql: '9.5'
29 | 
30 |     - node_js: '8'
31 |       env: POSTGRES=9.6
32 |       addons:
33 |         postgresql: '9.6'
34 | 
35 | # Global environment variables
36 | env:
37 |   global:
38 |     - TEST_DATABASE=postgres://postgres:@localhost:5432/pa11y_sidekick_travis
39 | 
40 | # Services setup
41 | services:
42 |   - postgresql
43 | addons:
44 |   postgresql: '9.5'
45 | 
46 | # Build script
47 | before_script:
48 |   - psql -c "CREATE DATABASE pa11y_sidekick_travis" -U postgres
49 | script:
50 |   - 'if [ $LINT ]; then make verify; fi'
51 |   - 'if [ $NODE ]; then make test-unit-coverage; fi'
52 |   - 'if [ $POSTGRES ]; then make test-integration; fi'
53 | 


--------------------------------------------------------------------------------
/test/integration/helpers/database.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | // Destroy the test database and migrate to the latest version
 4 | async function cleanDatabase(dashboard) {
 5 | 	await destroyDatabase(dashboard);
 6 | 	await dashboard.database.knex.migrate.latest({
 7 | 		directory: `${__dirname}/../../../data/migration`,
 8 | 		tableName: 'migrations'
 9 | 	});
10 | }
11 | 
12 | // Destroy the test database
13 | async function destroyDatabase(dashboard) {
14 | 
15 | 	// Destroying the database also involves clearing an
16 | 	// in-memory cache of settings
17 | 	dashboard.model.Setting.clearInMemoryCache();
18 | 
19 | 	const result = await dashboard.database.knex.raw(
20 | 		'SELECT tablename FROM pg_tables WHERE schemaname=\'public\''
21 | 	);
22 | 	await dashboard.database.knex.raw(result.rows.map(row => {
23 | 		return `DROP TABLE ${row.tablename} CASCADE`;
24 | 	}).join(';'));
25 | }
26 | 
27 | // Seed the test database from a test data directory
28 | async function seedDatabase(dashboard, seedDirectory) {
29 | 	await cleanDatabase(dashboard);
30 | 	await dashboard.database.knex.seed.run({
31 | 		directory: `${__dirname}/../seed/${seedDirectory}`
32 | 	});
33 | }
34 | 
35 | module.exports = {
36 | 	clean: cleanDatabase,
37 | 	destroy: destroyDatabase,
38 | 	seed: seedDatabase
39 | };
40 | 


--------------------------------------------------------------------------------
/data/seed/demo/auth.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const bcrypt = require('bcrypt');
 4 | 
 5 | // Demo authentication details
 6 | exports.seed = async database => {
 7 | 
 8 | 	// Insert demo users
 9 | 	await database('users').insert([
10 | 		{
11 | 			id: 'BkT_N7xgM',
12 | 			email: 'admin@example.com',
13 | 			password: await bcrypt.hash('password', 10),
14 | 			is_owner: true,
15 | 			allow_read: true,
16 | 			allow_write: true,
17 | 			allow_delete: true,
18 | 			allow_admin: true
19 | 		},
20 | 		{
21 | 			id: 'Sk3yJbq8G',
22 | 			email: 'user1@example.com',
23 | 			password: await bcrypt.hash('password', 10),
24 | 			allow_read: true,
25 | 			allow_write: true,
26 | 			allow_delete: true,
27 | 			allow_admin: false
28 | 		},
29 | 		{
30 | 			id: 'H1lgJb5LM',
31 | 			email: 'user2@example.com',
32 | 			password: await bcrypt.hash('password', 10),
33 | 			allow_read: true,
34 | 			allow_write: false,
35 | 			allow_delete: false,
36 | 			allow_admin: false
37 | 		}
38 | 	]);
39 | 
40 | 	// Insert demo API keys
41 | 	await database('keys').insert([
42 | 		{
43 | 			id: '1e861691c81ee30a3dc0d22a41cd29f7cd250d02',
44 | 			secret: await bcrypt.hash('25087d5ae4166302494f23e303064a0591b13816', 5),
45 | 			user_id: 'BkT_N7xgM',
46 | 			description: 'Admin access key'
47 | 		}
48 | 	]);
49 | 
50 | };
51 | 


--------------------------------------------------------------------------------
/lib/middleware/auth-with-cookie.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const httpError = require('http-errors');
 4 | 
 5 | /**
 6 |  * Create a middleware function which authenticates a user with a session cookie.
 7 |  * @returns {Function} A middleware function.
 8 |  */
 9 | function authWithCookie() {
10 | 	return async (request, response, next) => {
11 | 		const dashboard = request.app.dashboard;
12 | 
13 | 		if (request.session && request.session.userId) {
14 | 			try {
15 | 
16 | 				// Load the user that matches the session user ID
17 | 				const user = await dashboard.model.User.fetchOneById(request.session.userId);
18 | 				if (!user) {
19 | 					delete request.session;
20 | 					throw httpError(401, 'Invalid credentials');
21 | 				}
22 | 
23 | 				request.authUser = user.serialize();
24 | 				request.permissions = request.authUser.permissions;
25 | 
26 | 			} catch (error) {
27 | 				return next(error);
28 | 			}
29 | 		}
30 | 
31 | 		// Fetch the default permissions if none are set
32 | 		if (!request.permissions) {
33 | 			try {
34 | 				request.permissions = {
35 | 					read: await dashboard.model.Setting.get('publicReadAccess')
36 | 				};
37 | 			} catch (error) {}
38 | 		}
39 | 		request.permissions = request.permissions || {};
40 | 
41 | 		next();
42 | 	};
43 | }
44 | 
45 | module.exports = authWithCookie;
46 | 


--------------------------------------------------------------------------------
/test/integration/seed/no-auth/sites.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | // Test site details
 4 | exports.seed = async database => {
 5 | 
 6 | 	// Insert test sites
 7 | 	await database('sites').insert([
 8 | 		{
 9 | 			id: 'mock-site-id-1',
10 | 			name: 'Mock Site 1',
11 | 			base_url: 'http://mock-site-1/',
12 | 			is_runnable: true,
13 | 			is_scheduled: true,
14 | 			schedule: 'mock-schedule',
15 | 			pa11y_config: JSON.stringify({})
16 | 		},
17 | 		{
18 | 			id: 'mock-site-id-2',
19 | 			name: 'Mock Site 2',
20 | 			base_url: 'http://mock-site-2/',
21 | 			is_runnable: true,
22 | 			is_scheduled: true,
23 | 			schedule: 'mock-schedule',
24 | 			pa11y_config: JSON.stringify({})
25 | 		}
26 | 	]);
27 | 	await database('urls').insert([
28 | 		{
29 | 			id: 'mock-url-id-1',
30 | 			site_id: 'mock-site-id-1',
31 | 			name: 'Mock URL 1',
32 | 			address: '/',
33 | 			pa11y_config: JSON.stringify({
34 | 				timeout: 500
35 | 			})
36 | 		},
37 | 		{
38 | 			id: 'mock-url-id-2',
39 | 			site_id: 'mock-site-id-1',
40 | 			name: 'Mock URL 2',
41 | 			address: '/example',
42 | 			pa11y_config: JSON.stringify({})
43 | 		},
44 | 		{
45 | 			id: 'mock-url-id-3',
46 | 			site_id: 'mock-site-id-1',
47 | 			name: 'Mock URL 3',
48 | 			address: 'http://mock-url-3/example',
49 | 			pa11y_config: JSON.stringify({})
50 | 		}
51 | 	]);
52 | 
53 | };
54 | 


--------------------------------------------------------------------------------
/test/integration/seed/basic/sites.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | // Test site details
 4 | exports.seed = async database => {
 5 | 
 6 | 	// Insert test sites
 7 | 	await database('sites').insert([
 8 | 		{
 9 | 			id: 'mock-site-id-1',
10 | 			name: 'Mock Site 1',
11 | 			base_url: 'http://mock-site-1/',
12 | 			is_runnable: true,
13 | 			is_scheduled: true,
14 | 			schedule: 'mock-schedule',
15 | 			pa11y_config: JSON.stringify({
16 | 				standard: 'WCAG2AAA'
17 | 			})
18 | 		},
19 | 		{
20 | 			id: 'mock-site-id-2',
21 | 			name: 'Mock Site 2 (no URLs)',
22 | 			base_url: 'http://mock-site-2/',
23 | 			is_runnable: true,
24 | 			is_scheduled: true,
25 | 			schedule: 'mock-schedule',
26 | 			pa11y_config: JSON.stringify({})
27 | 		}
28 | 	]);
29 | 	await database('urls').insert([
30 | 		{
31 | 			id: 'mock-url-id-1',
32 | 			site_id: 'mock-site-id-1',
33 | 			name: 'Mock URL 1',
34 | 			address: '/',
35 | 			pa11y_config: JSON.stringify({
36 | 				timeout: 500
37 | 			})
38 | 		},
39 | 		{
40 | 			id: 'mock-url-id-2',
41 | 			site_id: 'mock-site-id-1',
42 | 			name: 'Mock URL 2',
43 | 			address: '/example',
44 | 			pa11y_config: JSON.stringify({})
45 | 		},
46 | 		{
47 | 			id: 'mock-url-id-3',
48 | 			site_id: 'mock-site-id-1',
49 | 			name: 'Mock URL 3',
50 | 			address: 'http://mock-url-3/example',
51 | 			pa11y_config: JSON.stringify({})
52 | 		}
53 | 	]);
54 | 
55 | };
56 | 


--------------------------------------------------------------------------------
/view/partial/form/password.dust:
--------------------------------------------------------------------------------
 1 | 
 2 | <form data-test="password-form" action="{action}" method="post" enctype="application/x-www-form-urlencoded">
 3 | 
 4 | 	{>"partial/alert/success" success=form.password.success/}
 5 | 	{>"partial/alert/error" errors=form.password.errors/}
 6 | 
 7 | 	<div class="field field--text">
 8 | 		<label for="password-current">
 9 | 			Current password
10 | 			<span class="field__sublabel">
11 | 				Enter your current password to verify that it's you
12 | 			</span>
13 | 		</label>
14 | 		<input id="password-current" type="password" name="current" required/>
15 | 	</div>
16 | 
17 | 	<div class="field field--text">
18 | 		<label for="password-next">
19 | 			New password
20 | 			<span class="field__sublabel">
21 | 				Enter your new password. This must be 6 or more characters in length
22 | 			</span>
23 | 		</label>
24 | 		<input id="password-next" type="password" name="next" required/>
25 | 	</div>
26 | 
27 | 	<div class="field field--text">
28 | 		<label for="password-confirm">
29 | 			Confirm new password
30 | 			<span class="field__sublabel">
31 | 				Re-enter your new password to confirm the change
32 | 			</span>
33 | 		</label>
34 | 		<input id="password-confirm" type="password" name="confirm" required/>
35 | 	</div>
36 | 
37 | 	<div class="field">
38 | 		<input type="submit" value="{cta}" class="button button--submit"/>
39 | 	</div>
40 | 
41 | </form>
42 | 


--------------------------------------------------------------------------------
/test/unit/lib/middleware/not-found.test.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const assert = require('proclaim');
 4 | const mockery = require('mockery');
 5 | const sinon = require('sinon');
 6 | 
 7 | describe('lib/middleware/not-found', () => {
 8 | 	let notFound;
 9 | 	let httpError;
10 | 
11 | 	beforeEach(() => {
12 | 
13 | 		httpError = sinon.spy(require('http-errors'));
14 | 		mockery.registerMock('http-errors', httpError);
15 | 
16 | 		notFound = require('../../../../lib/middleware/not-found');
17 | 	});
18 | 
19 | 	it('exports a function', () => {
20 | 		assert.isFunction(notFound);
21 | 	});
22 | 
23 | 	describe('notFound()', () => {
24 | 		let middleware;
25 | 
26 | 		beforeEach(() => {
27 | 			middleware = notFound();
28 | 		});
29 | 
30 | 		it('returns a middleware function', () => {
31 | 			assert.isFunction(middleware);
32 | 		});
33 | 
34 | 		describe('middleware(request, response, next)', () => {
35 | 			let next;
36 | 
37 | 			beforeEach(() => {
38 | 				next = sinon.spy();
39 | 				middleware({}, {}, next);
40 | 			});
41 | 
42 | 			it('creates a 404 HTTP error', () => {
43 | 				assert.calledOnce(httpError);
44 | 				assert.calledWithExactly(httpError, 404);
45 | 			});
46 | 
47 | 			it('calls `next` with the created error', () => {
48 | 				assert.calledOnce(next);
49 | 				assert.calledWithExactly(next, httpError.firstCall.returnValue);
50 | 			});
51 | 
52 | 		});
53 | 
54 | 	});
55 | 
56 | });
57 | 


--------------------------------------------------------------------------------
/view/partial/form/url.dust:
--------------------------------------------------------------------------------
 1 | 
 2 | <form data-test="url-form" action="{action}" method="post" enctype="application/x-www-form-urlencoded">
 3 | 
 4 | 	{>"partial/alert/success" success=form.url.success/}
 5 | 	{>"partial/alert/error" errors=form.url.errors/}
 6 | 
 7 | 	<div class="field field--text">
 8 | 		<label for="url-name">
 9 | 			Name
10 | 			<span class="field__sublabel">
11 | 				A human-readable name for the URL, this appears across the interface
12 | 			</span>
13 | 		</label>
14 | 		<input id="url-name" type="text" name="name" value="{form.url.name}" required/>
15 | 	</div>
16 | 
17 | 	<div class="field field--text">
18 | 		<label for="url-address">
19 | 			Path
20 | 			<span class="field__sublabel">
21 | 				The path to be appended on to the base URL of the site, starting with "/", e.g. /index.html
22 | 			</span>
23 | 		</label>
24 | 		<input id="url-address" type="text" name="address" value="{form.url.address}" placeholder="{site.baseUrl}" required/>
25 | 	</div>
26 | 
27 |     <!-- TODO we haven't decided what format this data takes yet -->
28 | 	<div class="field field--checkbox">
29 | 		<label for="url-pa11y-config">
30 | 		    Pa11y Config
31 | 			<span class="field__sublabel">
32 | 				Need to decide how to input this data...
33 | 			</span>
34 | 		</label>
35 | 	</div>
36 | 
37 | 	<div class="field">
38 | 		<input type="submit" value="{cta}" class="button button--submit"/>
39 | 	</div>
40 | 
41 | </form>
42 | 


--------------------------------------------------------------------------------
/view/partial/nav/main.dust:
--------------------------------------------------------------------------------
 1 | 
 2 | <nav class="navigation navigation--primary">
 3 | 	<ul>
 4 | 		<li>
 5 | 			<a href="/" class="navigation__item pa11y-logo">
 6 | 				Pa11y Sidekick
 7 | 			</a>
 8 | 		</li>
 9 | 		{?permissions.read}
10 | 			<li>
11 | 				<a href="/sites" class="navigation__item {@currentUrl test="/sites*"}navigation__item--current{/currentUrl}">
12 | 					Sites
13 | 				</a>
14 | 			</li>
15 | 		{/permissions.read}
16 | 		{?permissions.admin}
17 | 			<li>
18 | 				<a href="/admin" class="navigation__item {@currentUrl test="/admin*"}navigation__item--current{/currentUrl}">
19 | 					Admin
20 | 				</a>
21 | 			</li>
22 | 		{/permissions.admin}
23 | 		{?authUser}
24 | 			<li class="navigation__shifter">
25 | 				<span class="navigation__item navigation__item--informational">
26 | 					Logged in as {authUser.email}
27 | 					{?authUser.isOwner}(owner){/authUser.isOwner}
28 | 				</span>
29 | 			</li>
30 | 			<li>
31 | 				{>"partial/form/logout" inNavigation="true"/}
32 | 			</li>
33 | 			<li>
34 | 				<a href="/settings/profile" class="navigation__item {@currentUrl test="/settings/*"}navigation__item--current{/currentUrl}">
35 | 					Settings
36 | 				</a>
37 | 			</li>
38 | 		{:else}
39 | 			{@ne key=requestPath value="/login"}
40 | 				<li class="navigation__shifter">
41 | 					<a href="/login?referer={requestUrl}" class="navigation__item">
42 | 						Login
43 | 					</a>
44 | 				</li>
45 | 			{/ne}
46 | 		{/authUser}
47 | 	</ul>
48 | </nav>
49 | 


--------------------------------------------------------------------------------
/lib/middleware/flash.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | /**
 4 |  * Class representing a flash messenger.
 5 |  */
 6 | class FlashMessenger {
 7 | 
 8 | 	/**
 9 | 	 * Create a flash messenger.
10 | 	 * @param {Object} request - An Express or Connect request object.
11 | 	 */
12 | 	constructor(request) {
13 | 		this.request = request;
14 | 		this.messages = {};
15 | 		if (this.request.session.flash) {
16 | 			this.messages = this.request.session.flash;
17 | 			delete this.request.session.flash;
18 | 		}
19 | 	}
20 | 
21 | 	/**
22 | 	 * Set a flash message.
23 | 	 * @param {String} key - The key to store the message under.
24 | 	 * @param {*} value - The value of the message.
25 | 	 * @returns {undefined} Nothing.
26 | 	 */
27 | 	set(key, value) {
28 | 		if (!this.request.session.flash) {
29 | 			this.request.session.flash = {};
30 | 		}
31 | 		this.request.session.flash[key] = value;
32 | 	}
33 | 
34 | 	/**
35 | 	 * Get a flash message.
36 | 	 * @param {String} key - The key to fetch the message for.
37 | 	 * @returns {*} The message stored at the key.
38 | 	 */
39 | 	get(key) {
40 | 		return this.messages[key];
41 | 	}
42 | 
43 | }
44 | 
45 | /**
46 |  * Create a middleware function which adds flash messaging.
47 |  * @returns {Function} A middleware function.
48 |  */
49 | function flash() {
50 | 	return (request, response, next) => {
51 | 		request.flash = new flash.FlashMessenger(request);
52 | 		next();
53 | 	};
54 | }
55 | 
56 | module.exports = flash;
57 | module.exports.FlashMessenger = FlashMessenger;
58 | 


--------------------------------------------------------------------------------
/test/integration/setup.test.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const Dashboard = require('../..');
 4 | const {JSDOM} = require('jsdom');
 5 | const request = require('request-promise-native');
 6 | 
 7 | before(async () => {
 8 | 
 9 | 	// Create a test dashboard and start it
10 | 	const dashboard = global.dashboard = new Dashboard({
11 | 		databaseConnectionString: process.env.TEST_DATABASE || 'postgres://localhost:5432/pa11y_sidekick_test',
12 | 		environment: 'test',
13 | 		log: {
14 | 			info: () => {},
15 | 			error: () => {}
16 | 		},
17 | 		port: process.env.TEST_PORT || 0,
18 | 		requestLogStream: {
19 | 			write: () => {}
20 | 		},
21 | 		sessionSecret: 'test'
22 | 	});
23 | 	await dashboard.start();
24 | 
25 | 	// Set up a pre-configured request function
26 | 	global.request = request.defaults({
27 | 		baseUrl: dashboard.address,
28 | 		followRedirect: false,
29 | 		resolveWithFullResponse: true,
30 | 		simple: false,
31 | 		transform: (body, response) => {
32 | 			if (response.headers['content-type']) {
33 | 				if (response.headers['content-type'].includes('text/html')) {
34 | 					const dom = new JSDOM(response.body);
35 | 					response.body = dom.window;
36 | 				} else if (response.headers['content-type'].includes('application/json')) {
37 | 					response.body = JSON.parse(response.body);
38 | 				}
39 | 			}
40 | 			return response;
41 | 		}
42 | 	});
43 | 
44 | });
45 | 
46 | after(() => {
47 | 	if (dashboard) {
48 | 		dashboard.server.close();
49 | 		dashboard.database.knex.destroy();
50 | 	}
51 | });
52 | 


--------------------------------------------------------------------------------
/test/unit/lib/util/bind-logger.test.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const assert = require('proclaim');
 4 | 
 5 | describe('lib/util/bind-logger', () => {
 6 | 	let bindLogger;
 7 | 	let logger;
 8 | 
 9 | 	beforeEach(() => {
10 | 		logger = require('../../mock/log.mock');
11 | 		bindLogger = require('../../../../lib/util/bind-logger');
12 | 	});
13 | 
14 | 	it('exports a function', () => {
15 | 		assert.isFunction(bindLogger);
16 | 	});
17 | 
18 | 	describe('bindLogger(logger, prefix)', () => {
19 | 		let returnValue;
20 | 
21 | 		beforeEach(() => {
22 | 			returnValue = bindLogger(logger, 'mock-prefix');
23 | 		});
24 | 
25 | 		it('returns an object which has `error` and `info` methods', () => {
26 | 			assert.isObject(returnValue);
27 | 			assert.isFunction(returnValue.error);
28 | 			assert.isFunction(returnValue.info);
29 | 		});
30 | 
31 | 		describe('.error(message)', () => {
32 | 
33 | 			beforeEach(() => {
34 | 				returnValue.error('mock-message');
35 | 			});
36 | 
37 | 			it('calls `logger.error` with `prefix` and `message`', () => {
38 | 				assert.calledOnce(logger.error);
39 | 				assert.calledWithExactly(logger.error, 'mock-prefix', 'mock-message');
40 | 			});
41 | 
42 | 		});
43 | 
44 | 		describe('.info(message)', () => {
45 | 
46 | 			beforeEach(() => {
47 | 				returnValue.info('mock-message');
48 | 			});
49 | 
50 | 			it('calls `logger.info` with `prefix` and `message`', () => {
51 | 				assert.calledOnce(logger.info);
52 | 				assert.calledWithExactly(logger.info, 'mock-prefix', 'mock-message');
53 | 			});
54 | 
55 | 		});
56 | 
57 | 	});
58 | 
59 | });
60 | 


--------------------------------------------------------------------------------
/lib/middleware/auth-with-key.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const httpError = require('http-errors');
 4 | 
 5 | /**
 6 |  * Create a middleware function which authenticates a user with an API key and secret.
 7 |  * @returns {Function} A middleware function.
 8 |  */
 9 | function authWithKey() {
10 | 	return async (request, response, next) => {
11 | 		const dashboard = request.app.dashboard;
12 | 
13 | 		// Get the API key and secret from headers
14 | 		const apiKey = request.headers['x-api-key'];
15 | 		const apiSecret = request.headers['x-api-secret'];
16 | 
17 | 		if (apiKey && apiSecret) {
18 | 			try {
19 | 
20 | 				// Get the key from the database and check whether the secret matches
21 | 				const key = await dashboard.model.Key.fetchOneById(apiKey);
22 | 				const secretMatches = await dashboard.model.Key.checkSecret(apiSecret, (key ? key.get('secret') : ''));
23 | 
24 | 				if (!key || !secretMatches) {
25 | 					return next(httpError(401, 'Invalid credentials'));
26 | 				}
27 | 
28 | 				// Load the user that matches the authenticated key
29 | 				request.authUser = (await dashboard.model.User.fetchOneById(key.get('user_id'))).serialize();
30 | 				request.authKey = key.serialize();
31 | 				request.permissions = request.authUser.permissions;
32 | 
33 | 			} catch (error) {
34 | 				return next(error);
35 | 			}
36 | 		}
37 | 
38 | 		// Fetch the default permissions if none are set
39 | 		if (!request.permissions) {
40 | 			try {
41 | 				request.permissions = {
42 | 					read: await dashboard.model.Setting.get('publicReadAccess')
43 | 				};
44 | 			} catch (error) {}
45 | 		}
46 | 		request.permissions = request.permissions || {};
47 | 
48 | 		next();
49 | 	};
50 | }
51 | 
52 | module.exports = authWithKey;
53 | 


--------------------------------------------------------------------------------
/view/helper/code-block.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | /**
 4 |  * Initialise the code block view helper.
 5 |  * @param {Object} dust - a Dust view engine.
 6 |  * @returns {undefined} Nothing.
 7 |  */
 8 | function codeBlock(dust) {
 9 | 	dust.helpers.codeBlock = (chunk, context, bodies, params) => {
10 | 		if (!bodies.block) {
11 | 			return chunk;
12 | 		}
13 | 		const language = (params.language ? ` class="${params.language}"` : '');
14 | 
15 | 		// Capture the code and trim linebreaks
16 | 		let code = captureBody(bodies.block, context).replace(/^[\r\n]+|[\s]+$/g, '');
17 | 
18 | 		// Unindent everything by the initial whitespace amount
19 | 		const whitespaceMatch = code.match(/^(\s+)/);
20 | 		if (whitespaceMatch && whitespaceMatch[1]) {
21 | 			const initialWhitespace = new RegExp(`([\\r\\n]|^)${whitespaceMatch[1]}`, 'g');
22 | 			code = code.replace(initialWhitespace, '$1');
23 | 		}
24 | 
25 | 		// Replace tabs with four spaces, as this displays better in-browser
26 | 		code = code.replace(/\t/g, '    ');
27 | 
28 | 		// Write the code block
29 | 		chunk.write(`<pre><code${language}>${code}</code></pre>`);
30 | 	};
31 | }
32 | 
33 | /**
34 |  * Capture the text output by a chunk render.
35 |  * @param {Object} block - a Dust block.
36 |  * @param {Object} context - a Dust context.
37 |  * @returns {undefined} Nothing.
38 |  */
39 | function captureBody(block, context) {
40 | 	let output = '';
41 | 	const chunk = {
42 | 		w: string => { // eslint-disable-line id-length
43 | 			output += string;
44 | 			return chunk;
45 | 		},
46 | 		f: string => { // eslint-disable-line id-length
47 | 			return chunk.w(string);
48 | 		}
49 | 	};
50 | 	block(chunk, context);
51 | 	return output;
52 | }
53 | 
54 | module.exports = codeBlock;
55 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | 
 2 | # Reusable Makefile
 3 | # ------------------------------------------------------------------------
 4 | # This section of the Makefile should not be modified, it includes
 5 | # commands from my reusable Makefile: https://github.com/rowanmanning/make
 6 | -include node_modules/@rowanmanning/make/javascript/index.mk
 7 | # [edit below this line]
 8 | # ------------------------------------------------------------------------
 9 | 
10 | 
11 | # Running tasks
12 | # -------------
13 | 
14 | # Start the application in production mode
15 | start:
16 | 	@NODE_ENV=production node index.js
17 | 
18 | # Start the application in development mode and auto-restart
19 | # whenever code changes
20 | start-dev:
21 | 	@NODE_ENV=development nodemon -e dust,js,json index.js
22 | 
23 | 
24 | # Configuration tasks
25 | # -------------------
26 | 
27 | # Configure the application for local development
28 | config: .env
29 | 
30 | # Duplicate the sample environment variable file
31 | .env:
32 | 	@echo "Creating .env file from env.sample"
33 | 	@cp ./env.sample ./.env;
34 | 	@$(TASK_DONE)
35 | 
36 | 
37 | # Database tasks
38 | # --------------
39 | 
40 | # Create the local development database
41 | db-create:
42 | 	@psql -c "CREATE DATABASE pa11y_sidekick"
43 | 	@$(TASK_DONE)
44 | 
45 | # Create the local automated testing database
46 | db-create-test:
47 | 	@psql -c "CREATE DATABASE pa11y_sidekick_test"
48 | 	@$(TASK_DONE)
49 | 
50 | # Migrate to the latest version of the database schema
51 | db-migrate-up:
52 | 	@./script/migrate-up.js
53 | 	@$(TASK_DONE)
54 | 
55 | # Roll back the most recent migration
56 | db-migrate-down:
57 | 	@./script/migrate-down.js
58 | 	@$(TASK_DONE)
59 | 
60 | # Seed the database with some demo data
61 | db-seed:
62 | 	@./script/seed.js
63 | 	@$(TASK_DONE)
64 | 


--------------------------------------------------------------------------------
/controller/front-end/auth.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const express = require('express');
 4 | 
 5 | /**
 6 |  * Initialise the authentication controller.
 7 |  * @param {Dashboard} dashboard - A dashboard instance.
 8 |  * @param {Object} router - The front end Express router.
 9 |  * @returns {undefined} Nothing
10 |  */
11 | function initAuthController(dashboard, router) {
12 | 	const User = dashboard.model.User;
13 | 
14 | 	// Display the login page
15 | 	router.get('/login', (request, response) => {
16 | 		response.render('template/login', {
17 | 			form: {
18 | 				login: {
19 | 					referer: request.query.referer || null
20 | 				}
21 | 			}
22 | 		});
23 | 	});
24 | 
25 | 	// Perform the login action
26 | 	router.post('/login', express.urlencoded({extended: false}), async (request, response, next) => {
27 | 		try {
28 | 
29 | 			// Attempt to log in
30 | 			const user = await User.fetchOneByEmail(request.body.email);
31 | 			if (user && await User.checkPassword(request.body.password, user.get('password'))) {
32 | 				request.session.userId = user.get('id');
33 | 				return response.redirect(request.body.referer || '/');
34 | 			}
35 | 
36 | 			// Logging in failed, re-render the login page
37 | 			response.status(401).render('template/login', {
38 | 				form: {
39 | 					login: {
40 | 						email: request.body.email,
41 | 						errors: [
42 | 							'Email address is not registered, or password is incorrect'
43 | 						],
44 | 						referer: request.body.referer || null
45 | 					}
46 | 				}
47 | 			});
48 | 
49 | 		} catch (error) {
50 | 			return next(error);
51 | 		}
52 | 	});
53 | 
54 | 	// Perform the logout action
55 | 	router.post('/logout', (request, response) => {
56 | 		if (request.session) {
57 | 			delete request.session;
58 | 		}
59 | 		return response.redirect('/');
60 | 	});
61 | 
62 | }
63 | 
64 | module.exports = initAuthController;
65 | 


--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "pa11y-sidekick",
 3 |   "version": "0.0.0",
 4 |   "private": true,
 5 |   "description": "An accessibility dashboard",
 6 |   "keywords": [],
 7 |   "author": "Team Pa11y",
 8 |   "contributors": [
 9 |     "Rowan Manning (http://rowanmanning.com/)"
10 |   ],
11 |   "repository": {
12 |     "type": "git",
13 |     "url": "https://github.com/pa11y/sidekick.git"
14 |   },
15 |   "homepage": "https://github.com/pa11y/sidekick",
16 |   "bugs": "https://github.com/pa11y/sidekick/issues",
17 |   "license": "LGPL-3.0",
18 |   "engines": {
19 |     "node": "^8",
20 |     "npm": "^5"
21 |   },
22 |   "dependencies": {
23 |     "adaro": "^1.0.4",
24 |     "bcrypt": "^3.0.6",
25 |     "bookshelf": "^0.15.1",
26 |     "canvas": "^2.6.0",
27 |     "compression": "^1.7.4",
28 |     "connect-session-knex": "^1.4.0",
29 |     "dotenv": "^8.2.0",
30 |     "express": "^4.17.1",
31 |     "express-session": "^1.17.0",
32 |     "http-errors": "^1.7.3",
33 |     "@hapi/joi": "^15.1.1",
34 |     "knex": "^0.17.6",
35 |     "lodash": "^4.17.15",
36 |     "morgan": "^1.9.1",
37 |     "nocache": "^2.1.0",
38 |     "pg": "^7.12.1",
39 |     "require-header": "^1.0.4",
40 |     "shortid": "^2.2.15",
41 |     "winston": "^2.4.0"
42 |   },
43 |   "devDependencies": {
44 |     "@rowanmanning/eslint-config": "^2.1.0",
45 |     "@rowanmanning/make": "^1.2.0",
46 |     "dustmite": "^2.0.4",
47 |     "eslint": "^5.2.0",
48 |     "jsdom": "^15.2.0",
49 |     "mocha": "^6.2.2",
50 |     "mockery": "^2.1.0",
51 |     "nodemon": "^1.19.4",
52 |     "nyc": "^14.1.1",
53 |     "proclaim": "^3.6.0",
54 |     "request": "^2.88.0",
55 |     "request-promise-native": "^1.0.7",
56 |     "sinon": "^7.5.0"
57 |   },
58 |   "optionalDependencies": {
59 |     "fsevents": "^2.1.1"
60 |   },
61 |   "main": "./lib/dashboard.js",
62 |   "scripts": {
63 |     "test": "make ci",
64 |     "start": "node index.js"
65 |   }
66 | }
67 | 


--------------------------------------------------------------------------------
/view/partial/form/setup.dust:
--------------------------------------------------------------------------------
 1 | 
 2 | <form data-test="setup-form" action="{action}" method="post" enctype="application/x-www-form-urlencoded">
 3 | 
 4 | 	{>"partial/alert/error" errors=form.setup.errors/}
 5 | 
 6 | 	<div class="field field--text">
 7 | 		<label for="setup-admin-email">
 8 | 			Admin email address
 9 | 			<span class="field__sublabel">The email address for the Sidekick super-admin</span>
10 | 		</label>
11 | 		<input id="setup-admin-email" type="email" name="adminEmail" value="{form.setup.adminEmail}" required/>
12 | 	</div>
13 | 
14 | 	<div class="field field--text">
15 | 		<label for="setup-admin-password">
16 | 			Admin password
17 | 			<span class="field__sublabel">
18 | 				Enter the super-admin password. This must be 6 or more characters in length
19 | 			</span>
20 | 		</label>
21 | 		<input id="setup-admin-password" type="password" name="adminPassword" required/>
22 | 	</div>
23 | 
24 | 	<div class="field field--text">
25 | 		<label for="setup-admin-password-confirm">
26 | 			Confirm admin password
27 | 			<span class="field__sublabel">
28 | 				Re-enter the super-admin password to confirm it
29 | 			</span>
30 | 		</label>
31 | 		<input id="setup-admin-password-confirm" type="password" name="adminPasswordConfirm" required/>
32 | 	</div>
33 | 
34 | 	<div class="field">
35 | 		<label for="setup-public-read-access">
36 | 			Public Access
37 | 			<span class="field__sublabel">
38 | 				<input id="setup-public-read-access" type="checkbox" name="publicReadAccess" {?form.setup.publicReadAccess}checked{/form.setup.publicReadAccess}/>
39 | 				Check this box if you'd like your Accessibility data to be publicly viewable.
40 | 				Go on, show it off to the world! You can change this setting later if you change your mind
41 | 			</span>
42 | 		</label>
43 | 	</div>
44 | 
45 | 	<div class="field">
46 | 		<input type="submit" value="{cta}" class="button button--submit"/>
47 | 	</div>
48 | 
49 | </form>
50 | 


--------------------------------------------------------------------------------
/test/unit/lib/middleware/require-auth.test.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const assert = require('proclaim');
 4 | const mockery = require('mockery');
 5 | const sinon = require('sinon');
 6 | 
 7 | describe('lib/middleware/require-auth', () => {
 8 | 	let httpError;
 9 | 	let requireAuth;
10 | 
11 | 	beforeEach(() => {
12 | 
13 | 		httpError = sinon.spy(require('http-errors'));
14 | 		mockery.registerMock('http-errors', httpError);
15 | 
16 | 		requireAuth = require('../../../../lib/middleware/require-auth');
17 | 	});
18 | 
19 | 	it('exports a function', () => {
20 | 		assert.isFunction(requireAuth);
21 | 	});
22 | 
23 | 	describe('requireAuth()', () => {
24 | 		let middleware;
25 | 
26 | 		beforeEach(() => {
27 | 			middleware = requireAuth();
28 | 		});
29 | 
30 | 		it('returns a middleware function', () => {
31 | 			assert.isFunction(middleware);
32 | 		});
33 | 
34 | 		describe('middleware(request, response, next)', () => {
35 | 			let next;
36 | 			let request;
37 | 
38 | 			beforeEach(() => {
39 | 				request = {
40 | 					authUser: {}
41 | 				};
42 | 				next = sinon.spy();
43 | 				middleware(request, {}, next);
44 | 			});
45 | 
46 | 			it('calls `next` with nothing', () => {
47 | 				assert.calledOnce(next);
48 | 				assert.calledWithExactly(next);
49 | 			});
50 | 
51 | 			describe('when no user is authenticated', () => {
52 | 
53 | 				beforeEach(() => {
54 | 					delete request.authUser;
55 | 					next.resetHistory();
56 | 					middleware(request, {}, next);
57 | 				});
58 | 
59 | 				it('creates a 401 HTTP error', () => {
60 | 					assert.calledOnce(httpError);
61 | 					assert.calledWithExactly(httpError, 401, 'You must authenticate to perform this action');
62 | 				});
63 | 
64 | 				it('calls `next` with the created error', () => {
65 | 					assert.calledOnce(next);
66 | 					assert.calledWithExactly(next, httpError.firstCall.returnValue);
67 | 				});
68 | 
69 | 			});
70 | 
71 | 		});
72 | 
73 | 	});
74 | 
75 | });
76 | 


--------------------------------------------------------------------------------
/test/unit/lib/util/validation-error.test.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const assert = require('proclaim');
 4 | 
 5 | describe('lib/util/validation-error', () => {
 6 | 	let validationError;
 7 | 
 8 | 	beforeEach(() => {
 9 | 		validationError = require('../../../../lib/util/validation-error');
10 | 	});
11 | 
12 | 	it('exports a function', () => {
13 | 		assert.isFunction(validationError);
14 | 	});
15 | 
16 | 	describe('validationError(messages)', () => {
17 | 		let error;
18 | 
19 | 		beforeEach(() => {
20 | 			error = validationError([
21 | 				'mock message 1',
22 | 				'mock message 2'
23 | 			]);
24 | 		});
25 | 
26 | 		it('returns an error object', () => {
27 | 			assert.isObject(error);
28 | 			assert.instanceOf(error, Error);
29 | 		});
30 | 
31 | 		describe('.name', () => {
32 | 
33 | 			it('is "ValidationError"', () => {
34 | 				assert.strictEqual(error.name, 'ValidationError');
35 | 			});
36 | 
37 | 		});
38 | 
39 | 		describe('.message', () => {
40 | 
41 | 			it('is a generic validation message', () => {
42 | 				assert.strictEqual(error.message, 'Validation failed');
43 | 			});
44 | 
45 | 		});
46 | 
47 | 		describe('.details', () => {
48 | 
49 | 			it('is an array of validation details', () => {
50 | 				assert.isArray(error.details);
51 | 				assert.deepEqual(error.details, [
52 | 					{
53 | 						message: 'mock message 1'
54 | 					},
55 | 					{
56 | 						message: 'mock message 2'
57 | 					}
58 | 				]);
59 | 			});
60 | 
61 | 		});
62 | 
63 | 		describe('when `messages` is a string', () => {
64 | 			let error;
65 | 
66 | 			beforeEach(() => {
67 | 				error = validationError('mock message');
68 | 			});
69 | 
70 | 			describe('.details', () => {
71 | 
72 | 				it('is an array of validation details', () => {
73 | 					assert.isArray(error.details);
74 | 					assert.deepEqual(error.details, [
75 | 						{
76 | 							message: 'mock message'
77 | 						}
78 | 					]);
79 | 				});
80 | 
81 | 			});
82 | 
83 | 		});
84 | 
85 | 	});
86 | 
87 | });
88 | 


--------------------------------------------------------------------------------
/test/integration/routes/front-end/docs-api-v1.test.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const assert = require('proclaim');
 4 | const auth = require('../../helpers/auth');
 5 | const database = require('../../helpers/database');
 6 | let response;
 7 | 
 8 | describe('GET /docs/api/v1', () => {
 9 | 
10 | 	before(async () => {
11 | 		await database.seed(dashboard, 'basic');
12 | 	});
13 | 
14 | 	describe('when a user is logged in', () => {
15 | 
16 | 		before(async () => {
17 | 			response = await request.get('/docs/api/v1', {
18 | 				jar: await auth.getCookieJar('read@example.com', 'password')
19 | 			});
20 | 		});
21 | 
22 | 		it('responds with a 200 status', () => {
23 | 			assert.strictEqual(response.statusCode, 200);
24 | 		});
25 | 
26 | 		it('responds with HTML', () => {
27 | 			assert.include(response.headers['content-type'], 'text/html');
28 | 		});
29 | 
30 | 	});
31 | 
32 | 	describe('when no user is logged in', () => {
33 | 
34 | 		before(async () => {
35 | 			response = await request.get('/docs/api/v1');
36 | 		});
37 | 
38 | 		it('responds with a 403 status', () => {
39 | 			assert.strictEqual(response.statusCode, 403);
40 | 		});
41 | 
42 | 		it('responds with HTML', () => {
43 | 			assert.include(response.headers['content-type'], 'text/html');
44 | 		});
45 | 
46 | 		it('it responds with an error page', () => {
47 | 			const body = response.body.document.querySelector('body');
48 | 			assert.match(body.innerHTML, /not authorised/i);
49 | 		});
50 | 
51 | 	});
52 | 
53 | 	describe('when no user is logged in and the public read access setting is enabled', () => {
54 | 
55 | 		before(async () => {
56 | 			await database.seed(dashboard, 'no-auth');
57 | 			response = await request.get('/');
58 | 		});
59 | 
60 | 		it('responds with a 200 status', () => {
61 | 			assert.strictEqual(response.statusCode, 200);
62 | 		});
63 | 
64 | 		it('responds with HTML', () => {
65 | 			assert.include(response.headers['content-type'], 'text/html');
66 | 		});
67 | 
68 | 	});
69 | 
70 | });
71 | 


--------------------------------------------------------------------------------
/test/integration/routes/front-end/index.test.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const assert = require('proclaim');
 4 | const auth = require('../../helpers/auth');
 5 | const database = require('../../helpers/database');
 6 | let response;
 7 | 
 8 | describe('GET /', () => {
 9 | 
10 | 	before(async () => {
11 | 		await database.seed(dashboard, 'basic');
12 | 	});
13 | 
14 | 	describe('when a user is logged in', () => {
15 | 
16 | 		before(async () => {
17 | 			response = await request.get('/', {
18 | 				jar: await auth.getCookieJar('read@example.com', 'password')
19 | 			});
20 | 		});
21 | 
22 | 		it('responds with a 200 status', () => {
23 | 			assert.strictEqual(response.statusCode, 200);
24 | 		});
25 | 
26 | 		it('responds with HTML', () => {
27 | 			assert.include(response.headers['content-type'], 'text/html');
28 | 		});
29 | 
30 | 		// Temporary until home page has more content
31 | 		it('it responds with the home page', () => {
32 | 			const body = response.body.document.querySelector('body');
33 | 			assert.match(body.innerHTML, /hello world/i);
34 | 		});
35 | 
36 | 	});
37 | 
38 | 	describe('when no user is logged in', () => {
39 | 
40 | 		before(async () => {
41 | 			response = await request.get('/');
42 | 		});
43 | 
44 | 		it('responds with a 302 status', () => {
45 | 			assert.strictEqual(response.statusCode, 302);
46 | 		});
47 | 
48 | 		it('responds with a Location header pointing to the login page', () => {
49 | 			assert.strictEqual(response.headers.location, '/login');
50 | 		});
51 | 
52 | 		it('responds with plain text', () => {
53 | 			assert.include(response.headers['content-type'], 'text/plain');
54 | 		});
55 | 
56 | 	});
57 | 
58 | 	describe('when no user is logged in and the public read access setting is enabled', () => {
59 | 
60 | 		before(async () => {
61 | 			await database.seed(dashboard, 'no-auth');
62 | 			response = await request.get('/');
63 | 		});
64 | 
65 | 		it('responds with a 200 status', () => {
66 | 			assert.strictEqual(response.statusCode, 200);
67 | 		});
68 | 
69 | 		it('responds with HTML', () => {
70 | 			assert.include(response.headers['content-type'], 'text/html');
71 | 		});
72 | 
73 | 	});
74 | 
75 | });
76 | 


--------------------------------------------------------------------------------
/test/integration/routes/front-end/settings-keys.test.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const assert = require('proclaim');
 4 | const auth = require('../../helpers/auth');
 5 | const database = require('../../helpers/database');
 6 | let response;
 7 | 
 8 | describe('GET /settings/keys', () => {
 9 | 
10 | 	before(async () => {
11 | 		await database.seed(dashboard, 'basic');
12 | 	});
13 | 
14 | 	describe('when a user is logged in', () => {
15 | 
16 | 		describe('when everything is valid', () => {
17 | 
18 | 			before(async () => {
19 | 				response = await request.get('/settings/keys', {
20 | 					jar: await auth.getCookieJar('read@example.com', 'password')
21 | 				});
22 | 			});
23 | 
24 | 			it('responds with a 200 status', () => {
25 | 				assert.strictEqual(response.statusCode, 200);
26 | 			});
27 | 
28 | 			it('responds with HTML', () => {
29 | 				assert.include(response.headers['content-type'], 'text/html');
30 | 			});
31 | 
32 | 			it('responds with a link to generate a new key', () => {
33 | 				const link = response.body.document.querySelector('a[href="/settings/keys/new"]');
34 | 				assert.isNotNull(link);
35 | 			});
36 | 
37 | 			it('responds with a table containing all the user\'s API keys', () => {
38 | 				const table = response.body.document.querySelector('[data-test=keys-table]');
39 | 				assert.isNotNull(table);
40 | 				assert.match(table.textContent, /key with read permissions/i);
41 | 				assert.match(table.textContent, /mock-read-key/i);
42 | 				assert.isNotNull(table.querySelector('a[href="/settings/keys/mock-read-key/edit"]'), 'Has an edit link');
43 | 				assert.isNotNull(table.querySelector('a[href="/settings/keys/mock-read-key/delete"]'), 'Has a delete link');
44 | 			});
45 | 
46 | 		});
47 | 
48 | 	});
49 | 
50 | 	describe('when no user is logged in', () => {
51 | 
52 | 		before(async () => {
53 | 			response = await request.get('/settings/keys');
54 | 		});
55 | 
56 | 		it('responds with a 401 status', () => {
57 | 			assert.strictEqual(response.statusCode, 401);
58 | 		});
59 | 
60 | 		it('it responds with an error page', () => {
61 | 			const body = response.body.document.querySelector('body');
62 | 			assert.match(body.innerHTML, /must authenticate/i);
63 | 		});
64 | 
65 | 	});
66 | 
67 | });
68 | 


--------------------------------------------------------------------------------
/view/partial/form/site.dust:
--------------------------------------------------------------------------------
 1 | 
 2 | <form data-test="site-form" action="{action}" method="post" enctype="application/x-www-form-urlencoded">
 3 | 
 4 | 	{>"partial/alert/success" success=form.site.success/}
 5 | 	{>"partial/alert/error" errors=form.site.errors/}
 6 | 
 7 | 	<div class="field field--text">
 8 | 		<label for="site-name">
 9 | 			Name
10 | 			<span class="field__sublabel">
11 | 				A human-readable name for the site, this appears across the interface
12 | 			</span>
13 | 		</label>
14 | 		<input id="site-name" type="text" name="name" value="{form.site.name}" required/>
15 | 	</div>
16 | 
17 | 	<div class="field field--text">
18 | 		<label for="site-base-url">
19 | 			Base URL
20 | 			<span class="field__sublabel">
21 | 				The base URL for the site, which is prepended to each URL
22 | 			</span>
23 | 		</label>
24 | 		<input id="site-base-url" type="url" name="baseUrl" value="{form.site.baseUrl}" required/>
25 | 	</div>
26 | 
27 | 	<div class="field field--checkbox">
28 | 		<label for="site-is-runnable">
29 | 			Runnable
30 | 			<span class="field__sublabel">
31 | 				<input id="site-is-runnable" type="checkbox" name="isRunnable" {?form.site.isRunnable}checked{/form.site.isRunnable}/>
32 | 				Whether tests can be run for this site through the Sidekick interface.
33 | 				Do not enable this if you only wish to push data into Sidekick via an API
34 | 			</span>
35 | 		</label>
36 | 	</div>
37 | 
38 | 	<div class="field field--checkbox">
39 | 		<label for="site-is-scheduled">
40 | 			Schedule
41 | 			<span class="field__sublabel">
42 | 				<input id="site-is-scheduled" type="checkbox" name="isScheduled" {?form.site.isScheduled}checked{/form.site.isScheduled}/>
43 | 				Whether tests should be run on a schedule
44 | 			</span>
45 | 		</label>
46 | 	</div>
47 | 
48 | 	<div class="field field--text">
49 | 		<label for="site-schedule">
50 | 			Schedule frequency
51 | 			<span class="field__sublabel">
52 | 				TODO we haven't decided what format this data takes yet, possibly a crontab
53 | 			</span>
54 | 		</label>
55 | 		<input id="site-schedule" type="text" name="schedule" value="{form.site.schedule}"/>
56 | 	</div>
57 | 
58 | 	<div class="field">
59 | 		<input type="submit" value="{cta}" class="button button--submit"/>
60 | 	</div>
61 | 
62 | </form>
63 | 


--------------------------------------------------------------------------------
/test/unit/lib/middleware/require-permission.test.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const assert = require('proclaim');
 4 | const mockery = require('mockery');
 5 | const sinon = require('sinon');
 6 | 
 7 | describe('lib/middleware/require-permission', () => {
 8 | 	let Dashboard;
 9 | 	let httpError;
10 | 	let requirePermission;
11 | 
12 | 	beforeEach(() => {
13 | 
14 | 		Dashboard = require('../../mock/dashboard.mock');
15 | 
16 | 		httpError = sinon.spy(require('http-errors'));
17 | 		mockery.registerMock('http-errors', httpError);
18 | 
19 | 		requirePermission = require('../../../../lib/middleware/require-permission');
20 | 	});
21 | 
22 | 	it('exports a function', () => {
23 | 		assert.isFunction(requirePermission);
24 | 	});
25 | 
26 | 	describe('requirePermission(level)', () => {
27 | 		let middleware;
28 | 
29 | 		beforeEach(() => {
30 | 			middleware = requirePermission('mock-level');
31 | 		});
32 | 
33 | 		it('returns a middleware function', () => {
34 | 			assert.isFunction(middleware);
35 | 		});
36 | 
37 | 		describe('middleware(request, response, next)', () => {
38 | 			let dashboard;
39 | 			let next;
40 | 			let request;
41 | 
42 | 			beforeEach(() => {
43 | 				dashboard = Dashboard.mockDashboard;
44 | 				request = {
45 | 					app: {
46 | 						dashboard
47 | 					},
48 | 					permissions: {
49 | 						'mock-level': true
50 | 					}
51 | 				};
52 | 				next = sinon.spy();
53 | 				return middleware(request, {}, next);
54 | 			});
55 | 
56 | 			it('calls `next` with nothing', () => {
57 | 				assert.calledOnce(next);
58 | 				assert.calledWithExactly(next);
59 | 			});
60 | 
61 | 			describe('when the authenticated user does not have the required permission', () => {
62 | 
63 | 				beforeEach(() => {
64 | 					request.permissions['mock-level'] = false;
65 | 					next.resetHistory();
66 | 					return middleware(request, {}, next);
67 | 				});
68 | 
69 | 				it('creates a 403 HTTP error', () => {
70 | 					assert.calledOnce(httpError);
71 | 					assert.calledWithExactly(httpError, 403, 'You are not authorised to perform this action');
72 | 				});
73 | 
74 | 				it('calls `next` with the created error', () => {
75 | 					assert.calledOnce(next);
76 | 					assert.calledWithExactly(next, httpError.firstCall.returnValue);
77 | 				});
78 | 
79 | 			});
80 | 
81 | 		});
82 | 
83 | 	});
84 | 
85 | });
86 | 


--------------------------------------------------------------------------------
/view/template/settings/keys.dust:
--------------------------------------------------------------------------------
 1 | {>"layout/full"/}
 2 | 
 3 | {<title}
 4 | 	Your API Key Settings - Sidekick
 5 | {/title}
 6 | 
 7 | {<secondary-nav}
 8 | 	{>"partial/nav/settings"/}
 9 | {/secondary-nav}
10 | 
11 | {<content}
12 | 
13 | 	<div class="heading-wrapper">
14 | 		<h1>Your API Key Settings</h1>
15 | 		<a href="/settings/keys/new" class="button">Generate a new API key</a>
16 | 	</div>
17 | 
18 | 	<p>
19 | 		Manage your Sidekick API keys. For information on how to use these keys,
20 | 		See the <a href="/docs/api/v1">API documentation</a>.
21 | 	</p>
22 | 
23 | 	{?form.key.created}
24 | 		<div class="alert alert--success">
25 | 			<p data-test="key-new">
26 | 				<strong>Your new API key has been generated</strong><br/>
27 | 				It's important to store the details below somewhere secure, as the
28 | 				API secret will never be displayed again.
29 | 			</p>
30 | 			<table>
31 | 				<tbody>
32 | 					<tr>
33 | 						<th scope="row">API Key</th>
34 | 						<td><code>{form.key.created.id}</code></td>
35 | 					</tr>
36 | 					<tr>
37 | 						<th scope="row">API Secret</th>
38 | 						<td><code>{form.key.created.secret}</code></td>
39 | 					</tr>
40 | 				</tbody>
41 | 			</table>
42 | 		</div>
43 | 	{/form.key.created}
44 | 
45 | 	{?form.key.deleted}
46 | 		<div class="alert alert--success">
47 | 			<p data-test="key-deleted">
48 | 				<strong>Your API key "{form.key.deleted.description}" has been deleted</strong>
49 | 			</p>
50 | 		</div>
51 | 	{/form.key.deleted}
52 | 
53 | 	{?keys}
54 | 		<div class="table-wrapper">
55 | 			<table data-test="keys-table" class="table table--striped">
56 | 				<thead>
57 | 					<tr>
58 | 						<th>Description</th>
59 | 						<th>Generated</th>
60 | 						<th>API Key</th>
61 | 						<th>Controls</th>
62 | 					</tr>
63 | 				</thead>
64 | 				<tbody>
65 | 					{#keys}
66 | 						<tr>
67 | 							<td><a href="/settings/keys/{id}/edit">{description}</a></td>
68 | 							<td>{meta.dateCreated}</td>
69 | 							<td><code>{id}</code></td>
70 | 							<td>
71 | 								<a href="/settings/keys/{id}/edit">Edit</a>
72 | 								<a href="/settings/keys/{id}/delete">Delete</a>
73 | 							</td>
74 | 						</tr>
75 | 					{/keys}
76 | 				</tbody>
77 | 			</table>
78 | 		</div>
79 | 	{:else}
80 | 		<p>You don't have any API keys yet; you can <a href="/settings/keys/new">generate one here</a>.</p>
81 | 	{/keys}
82 | 
83 | {/content}
84 | 


--------------------------------------------------------------------------------
/data/migration/20171117142417_setup.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | exports.up = async database => {
 4 | 
 5 | 	// Create the settings table
 6 | 	await database.schema.createTable('settings', table => {
 7 | 
 8 | 		// Meta information
 9 | 		table.string('id').unique().primary();
10 | 		table.timestamp('created_at').defaultTo(database.fn.now());
11 | 		table.timestamp('updated_at').defaultTo(database.fn.now());
12 | 
13 | 		// Setting information
14 | 		table.json('value').defaultTo('null');
15 | 
16 | 	});
17 | 
18 | 	// Create the users table
19 | 	await database.schema.createTable('users', table => {
20 | 
21 | 		// Meta information
22 | 		table.string('id').unique().primary();
23 | 		table.timestamp('created_at').defaultTo(database.fn.now());
24 | 		table.timestamp('updated_at').defaultTo(database.fn.now());
25 | 
26 | 		// User information
27 | 		table.string('email').notNullable().unique();
28 | 		table.string('password').notNullable();
29 | 		table.boolean('is_owner').notNullable().defaultTo(false);
30 | 		table.boolean('allow_read').notNullable().defaultTo(true);
31 | 		table.boolean('allow_write').notNullable().defaultTo(true);
32 | 		table.boolean('allow_delete').notNullable().defaultTo(false);
33 | 		table.boolean('allow_admin').notNullable().defaultTo(false);
34 | 
35 | 	});
36 | 
37 | 	// Create the keys table
38 | 	await database.schema.createTable('keys', table => {
39 | 
40 | 		// Meta information
41 | 		table.string('id').unique().primary();
42 | 		table.string('user_id').notNullable();
43 | 		table.timestamp('created_at').defaultTo(database.fn.now());
44 | 		table.timestamp('updated_at').defaultTo(database.fn.now());
45 | 
46 | 		// Key information
47 | 		table.string('secret').notNullable();
48 | 		table.string('description').notNullable();
49 | 
50 | 		// Indexes and foreign key contraints
51 | 		table.foreign('user_id').references('users.id').onDelete('CASCADE');
52 | 
53 | 	});
54 | 
55 | 	// Create the sessions table
56 | 	await database.schema.createTable('sessions', table => {
57 | 
58 | 		// Session table columns
59 | 		table.string('sid').unique().primary();
60 | 		table.json('sess').notNullable();
61 | 		table.timestamp('expired').notNullable().index();
62 | 
63 | 	});
64 | 
65 | };
66 | 
67 | exports.down = async database => {
68 | 	await database.schema.dropTable('sessions');
69 | 	await database.schema.dropTable('keys');
70 | 	await database.schema.dropTable('users');
71 | 	await database.schema.dropTable('settings');
72 | };
73 | 


--------------------------------------------------------------------------------
/controller/front-end/setup.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const express = require('express');
 4 | const validationError = require('../../lib/util/validation-error');
 5 | 
 6 | /**
 7 |  * Initialise the setup controller.
 8 |  * @param {Dashboard} dashboard - A dashboard instance.
 9 |  * @param {Object} router - The front end Express router.
10 |  * @returns {undefined} Nothing
11 |  */
12 | function initSetupController(dashboard, router) {
13 | 	const Setting = dashboard.model.Setting;
14 | 	const User = dashboard.model.User;
15 | 
16 | 	// Setup page
17 | 	router.get('/', async (request, response, next) => {
18 | 		if (await Setting.get('setupComplete')) {
19 | 			return next();
20 | 		}
21 | 		response.render('template/setup');
22 | 	});
23 | 
24 | 	// Setup action
25 | 	router.post('/', express.urlencoded({extended: false}), async (request, response, next) => {
26 | 		if (await Setting.get('setupComplete')) {
27 | 			return next();
28 | 		}
29 | 		try {
30 | 
31 | 			// Check that the password and confirmation match
32 | 			if (request.body.adminPassword !== request.body.adminPasswordConfirm) {
33 | 				throw validationError('password and confirmed password do not match');
34 | 			}
35 | 
36 | 			// Set up the admin user
37 | 			await User.create({
38 | 				email: request.body.adminEmail,
39 | 				password: request.body.adminPassword,
40 | 				is_owner: true,
41 | 				allow_read: true,
42 | 				allow_write: true,
43 | 				allow_delete: true,
44 | 				allow_admin: true
45 | 			});
46 | 
47 | 			// Set all the settings
48 | 			await Setting.set('publicReadAccess', Boolean(request.body.publicReadAccess));
49 | 			await Setting.set('setupComplete', true);
50 | 
51 | 			// All done
52 | 			request.flash.set('site-wide-alert', 'Sidekick has been successfully set up! You can now log in with the super admin details you entered');
53 | 			if (request.body.publicReadAccess) {
54 | 				return response.redirect('/');
55 | 			}
56 | 			return response.redirect('/login');
57 | 
58 | 		} catch (error) {
59 | 			if (error.name === 'ValidationError') {
60 | 				return response.status(400).render('template/setup', {
61 | 					form: {
62 | 						setup: {
63 | 							adminEmail: request.body.adminEmail,
64 | 							publicReadAccess: request.body.publicReadAccess,
65 | 							errors: error.details.map(detail => detail.message)
66 | 						}
67 | 					}
68 | 				});
69 | 			}
70 | 			return next(error);
71 | 		}
72 | 	});
73 | 
74 | }
75 | 
76 | module.exports = initSetupController;
77 | 


--------------------------------------------------------------------------------
/view/template/admin/users.dust:
--------------------------------------------------------------------------------
 1 | {>"layout/full"/}
 2 | 
 3 | {<title}
 4 | 	User Management - Sidekick
 5 | {/title}
 6 | 
 7 | {<secondary-nav}
 8 | 	{>"partial/nav/admin"/}
 9 | {/secondary-nav}
10 | 
11 | {<content}
12 | 
13 | 	<div class="heading-wrapper">
14 | 		<h1>User Management</h1>
15 | 		<a href="/admin/users/new" class="button">Create a new user</a>
16 | 	</div>
17 | 
18 | 	<p>Manage the users who have access to Sidekick.</p>
19 | 
20 | 	{?form.user.created}
21 | 		<div class="alert alert--success">
22 | 			<p data-test="user-new">
23 | 				The user "{form.user.created.email}" has been created.
24 | 			</p>
25 | 		</div>
26 | 	{/form.user.created}
27 | 
28 | 	{?form.user.deleted}
29 | 		<div class="alert alert--success">
30 | 			<p data-test="user-deleted">
31 | 				<strong>The user with email "{form.user.deleted.email}" has been deleted</strong>
32 | 			</p>
33 | 		</div>
34 | 	{/form.user.deleted}
35 | 
36 | 	<div class="table-wrapper">
37 | 		<table data-test="users-table" class="table table--striped">
38 | 			<thead>
39 | 				<tr>
40 | 					<th rowspan="2">User</th>
41 | 					<th rowspan="2">Created</th>
42 | 					<th colspan="4">Permissions</th>
43 | 					<th rowspan="2">Controls</th>
44 | 				</tr>
45 | 				<tr>
46 | 					<th>Read</th>
47 | 					<th>Write</th>
48 | 					<th>Delete</th>
49 | 					<th>Admin</th>
50 | 				</tr>
51 | 			</thead>
52 | 			<tbody>
53 | 				{#users}
54 | 					<tr>
55 | 						<td>
56 | 							{?isOwner}
57 | 								{email} (owner)
58 | 							{:else}
59 | 								{@eq key=id value=authUser.id}
60 | 									{email} (you)
61 | 								{:else}
62 | 									<a href="/admin/users/{id}/edit">{email}</a>
63 | 								{/eq}
64 | 							{/isOwner}
65 | 						</td>
66 | 						<td>{meta.dateCreated}</td>
67 | 						<td>{?permissions.read}Yes{:else}No{/permissions.read}</td>
68 | 						<td>{?permissions.write}Yes{:else}No{/permissions.write}</td>
69 | 						<td>{?permissions.delete}Yes{:else}No{/permissions.delete}</td>
70 | 						<td>{?permissions.admin}Yes{:else}No{/permissions.admin}</td>
71 | 						<td>
72 | 							{?isOwner}
73 | 								Owners cannot be modified here
74 | 							{:else}
75 | 								{@eq key=id value=authUser.id}
76 | 									You cannot modify yourself here
77 | 								{:else}
78 | 									<a href="/admin/users/{id}/edit">Edit</a>
79 | 									<a href="/admin/users/{id}/delete">Delete</a>
80 | 								{/eq}
81 | 							{/isOwner}
82 | 						</td>
83 | 					</tr>
84 | 				{/users}
85 | 			</tbody>
86 | 		</table>
87 | 	</div>
88 | 
89 | {/content}
90 | 


--------------------------------------------------------------------------------
/view/template/sites/site.dust:
--------------------------------------------------------------------------------
 1 | {>"layout/full"/}
 2 | 
 3 | {<title}
 4 | 	{site.name} - Sites - Sidekick
 5 | {/title}
 6 | 
 7 | {<content}
 8 | 
 9 | 	{?form.site.created}
10 | 		<div class="alert alert--success">
11 | 			<p data-test="site-new">
12 | 				The site "{form.site.created.name}" has been created.
13 | 			</p>
14 | 		</div>
15 | 	{/form.site.created}
16 | 
17 | 	<div class="heading-wrapper">
18 | 		<h1>{site.name}</h1>
19 | 	</div>
20 | 
21 | 	<dl>
22 | 		<dt>Base URL</dt>
23 | 		<dd><a href="{site.baseUrl}">{site.baseUrl}</a></dd>
24 | 		<dt>Runnable</dt>
25 | 		<dd>{?site.isRunnable}Yes{:else}No{/site.isRunnable}</a></dd>
26 | 		<dt>Scheduled</dt>
27 | 		<dd>{?site.isScheduled}Yes{:else}No{/site.isScheduled}</a></dd>
28 | 	</dl>
29 | 
30 |     <hr>
31 | 
32 | 	<div class="heading-wrapper">
33 |    	    <h2>URLs</h2>
34 | 		{?permissions.write}
35 |         	<a href="{site.id}/urls/new" class="button">Add a new URL for this site</a>
36 |         {/permissions.write}
37 | 	</div>
38 | 
39 | 	{?urls}
40 |    		<div class="table-wrapper">
41 |    			<table data-test="urls-table" class="table table--striped">
42 |    				<thead>
43 |    					<tr>
44 |    						<th>Name</th>
45 |    						<th>Path</th>
46 |    						<th>Pa11y Config</th>
47 |    						<th>Options</th>
48 |    					</tr>
49 |    				</thead>
50 |    				<tbody>
51 |    					{#urls}
52 |    						<tr>
53 |    							<td>{name}</td>
54 |    							<td>{address}</td>
55 |    							<td>
56 |    							    {#pa11yConfig}
57 |    							        <ul>
58 |    							            {?pa11yConfig.actions}
59 |    							                <li>Actions: {pa11yConfig.actions}</li>
60 |    							            {/pa11yConfig.actions}
61 |    							            {?pa11yConfig.runners}
62 |    							                <li>Runners: {pa11yConfig.runners}</li>
63 |    							            {/pa11yConfig.runners}
64 |    							            {?pa11yConfig.standard}
65 |    							                <li>Standard: {pa11yConfig.standard}</li>
66 |    							            {/pa11yConfig.standard}
67 |                                        </ul>
68 |                                    {/pa11yConfig}
69 |    							</td>
70 |    							{?permissions.write}
71 |    							<td>
72 |    								<a href="/sites/{site}/urls/{id}/edit">Edit</a>
73 |    								<a href="/sites/{site}/urls/{id}/delete">Delete</a>
74 |    							</td>
75 |    							{/permissions.write}
76 |    						</tr>
77 |    					{/urls}
78 |    				</tbody>
79 |    			</table>
80 |    		</div>
81 |    	{:else}
82 |    	<p>You don't have any URLs to test for this site yet{?permissions.write}; you can <a href="{site.id}/urls/new">add one here</a>{/permissions.write}.</p>
83 |    	{/urls}
84 | 
85 | {/content}
86 | 


--------------------------------------------------------------------------------
/model/setting.js:
--------------------------------------------------------------------------------
  1 | 'use strict';
  2 | 
  3 | /**
  4 |  * Initialise the Setting model.
  5 |  * @param {Dashboard} dashboard - A dashboard instance.
  6 |  * @returns {Model} A Bookshelf model.
  7 |  */
  8 | function initSettingModel(dashboard) {
  9 | 
 10 | 	// Storage point for in-memory settings
 11 | 	let inMemorySettings;
 12 | 
 13 | 	// Model prototypal methods
 14 | 	const Setting = dashboard.database.Model.extend({
 15 | 		tableName: 'settings',
 16 | 
 17 | 		// Model initialization
 18 | 		initialize() {
 19 | 
 20 | 			// When a model is created...
 21 | 			this.on('creating', () => {
 22 | 				// Fill out automatic fields
 23 | 				this.attributes.created_at = new Date();
 24 | 			});
 25 | 
 26 | 			// When a model is saved...
 27 | 			this.on('saving', () => {
 28 | 				// Fill out automatic fields
 29 | 				this.attributes.updated_at = new Date();
 30 | 			});
 31 | 
 32 | 		},
 33 | 
 34 | 		// Override default serialization so we can control output
 35 | 		serialize() {
 36 | 			return {
 37 | 				id: this.get('id'),
 38 | 				value: this.get('value'),
 39 | 				meta: {
 40 | 					dateCreated: this.get('created_at'),
 41 | 					dateUpdated: this.get('updated_at')
 42 | 				}
 43 | 			};
 44 | 		}
 45 | 
 46 | 	// Model static methods
 47 | 	}, {
 48 | 
 49 | 		// Fetch all settings as an object with key/value pairs
 50 | 		async fetchAsObject(forceRefresh = false) {
 51 | 			if (!inMemorySettings || forceRefresh) {
 52 | 				const settings = {};
 53 | 				(await Setting.fetchAll()).toArray().forEach(setting => {
 54 | 					settings[setting.get('id')] = setting;
 55 | 				});
 56 | 				inMemorySettings = settings;
 57 | 			}
 58 | 			return inMemorySettings;
 59 | 		},
 60 | 
 61 | 		// Clear the in-memory settings cache
 62 | 		clearInMemoryCache() {
 63 | 			inMemorySettings = undefined;
 64 | 		},
 65 | 
 66 | 		// Get the value of a single setting
 67 | 		async get(settingId) {
 68 | 			const setting = (await Setting.fetchAsObject())[settingId];
 69 | 			return (setting ? setting.get('value') : undefined);
 70 | 		},
 71 | 
 72 | 		// Set a setting
 73 | 		async set(settingId, value) {
 74 | 			let setting = (await Setting.fetchAsObject())[settingId];
 75 | 			value = JSON.stringify(value);
 76 | 
 77 | 			// The setting already exists, update it
 78 | 			if (setting) {
 79 | 				setting.set('value', value);
 80 | 				await setting.save();
 81 | 
 82 | 			// The setting doesn't exist, create it
 83 | 			} else {
 84 | 				setting = new Setting({
 85 | 					id: settingId,
 86 | 					value
 87 | 				});
 88 | 				await setting.save(null, {
 89 | 					method: 'insert'
 90 | 				});
 91 | 			}
 92 | 
 93 | 			// Clear the in-memory cache
 94 | 			this.clearInMemoryCache();
 95 | 		}
 96 | 
 97 | 	});
 98 | 
 99 | 	return Setting;
100 | }
101 | 
102 | module.exports = initSettingModel;
103 | 


--------------------------------------------------------------------------------
/controller/api-v1/index.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const authWithKey = require('../../lib/middleware/auth-with-key');
 4 | const express = require('express');
 5 | const initDocsController = require('./docs');
 6 | const initKeysController = require('./keys');
 7 | const initMeController = require('./me');
 8 | const initSitesController = require('./sites');
 9 | const initUrlsController = require('./urls');
10 | const initUsersController = require('./users');
11 | const notFound = require('../../lib/middleware/not-found');
12 | 
13 | /**
14 |  * Initialise the V1 API controller.
15 |  * @param {Dashboard} dashboard - A dashboard instance.
16 |  * @returns {Object} An Express router.
17 |  */
18 | function initApiV1Contoller(dashboard) {
19 | 
20 | 	// Create an Express router for the V1 API
21 | 	const router = new express.Router({
22 | 		caseSensitive: true,
23 | 		strict: true
24 | 	});
25 | 
26 | 	// Set permissive CORS headers for the API
27 | 	router.use((request, response, next) => {
28 | 		response.set({
29 | 			'Access-Control-Allow-Headers': 'X-Api-Key, X-Api-Secret',
30 | 			'Access-Control-Allow-Methods': 'DELETE, GET, HEAD, POST, PATCH',
31 | 			'Access-Control-Allow-Origin': '*'
32 | 		});
33 | 		next();
34 | 	});
35 | 
36 | 	// Allow authentication through an API key/secret pair
37 | 	router.use(authWithKey());
38 | 
39 | 	// Mount routes. Order here is important
40 | 	initDocsController(dashboard, router);
41 | 	initSitesController(dashboard, router);
42 | 	initUrlsController(dashboard, router);
43 | 	initUsersController(dashboard, router);
44 | 	initKeysController(dashboard, router);
45 | 	initMeController(dashboard, router);
46 | 
47 | 	// Middleware to handle errors
48 | 	router.use(notFound());
49 | 	router.use((error, request, response, next) => { // eslint-disable-line no-unused-vars
50 | 
51 | 		// The status code should be a client or server error
52 | 		let statusCode = (error.status && error.status >= 400 ? error.status : 500);
53 | 
54 | 		// Handle Joi validation errors differently
55 | 		let validationDetails;
56 | 		if (error.name === 'ValidationError') {
57 | 			statusCode = (statusCode < 500 ? statusCode : 400);
58 | 			error.message = 'Validation failed';
59 | 			validationDetails = error.details.map(detail => detail.message);
60 | 		}
61 | 
62 | 		// Output helpful error information as JSON
63 | 		response.status(statusCode).send({
64 | 			status: statusCode,
65 | 			message: error.message,
66 | 			validation: validationDetails,
67 | 			stack: (dashboard.environment === 'development' ? error.stack : undefined)
68 | 		});
69 | 
70 | 		// Output server errors in the logs – we need
71 | 		// to know about these
72 | 		if (error.status >= 500) {
73 | 			dashboard.log.error(error.stack);
74 | 		}
75 | 
76 | 	});
77 | 
78 | 	return router;
79 | }
80 | 
81 | module.exports = initApiV1Contoller;
82 | 


--------------------------------------------------------------------------------
/view/partial/form/user.dust:
--------------------------------------------------------------------------------
 1 | 
 2 | <form data-test="user-form" action="{action}" method="post" enctype="application/x-www-form-urlencoded">
 3 | 
 4 | 	{>"partial/alert/success" success=form.user.success/}
 5 | 	{>"partial/alert/error" errors=form.user.errors/}
 6 | 
 7 | 	<div class="field field--text">
 8 | 		<label for="user-email">Email address</label>
 9 | 		<input id="user-email" type="email" name="email" value="{form.user.email}" required/>
10 | 	</div>
11 | 
12 | 	{?formAdmin}
13 | 
14 | 		<div class="field field--text">
15 | 			<label for="user-password">
16 | 				Password
17 | 				<span class="field__sublabel">
18 | 					Enter a password. This must be 6 or more characters in length
19 | 				</span>
20 | 			</label>
21 | 			<input id="user-password" type="password" name="password"/>
22 | 		</div>
23 | 
24 | 		<div class="field field--text">
25 | 			<label for="user-password-confirm">
26 | 				Confirm password
27 | 				<span class="field__sublabel">
28 | 					Re-enter the password to confirm
29 | 				</span>
30 | 			</label>
31 | 			<input id="user-password-confirm" type="password" name="passwordConfirm"/>
32 | 		</div>
33 | 
34 | 		<div class="field field--checkbox">
35 | 			<label for="user-allow-read">
36 | 				Read permission
37 | 				<span class="field__sublabel">
38 | 					<input id="user-allow-read" type="checkbox" name="allowRead" {?form.user.allowRead}checked{/form.user.allowRead}/>
39 | 					User is permitted to view the dashboard
40 | 				</span>
41 | 			</label>
42 | 		</div>
43 | 
44 | 		<div class="field field--checkbox">
45 | 			<label for="user-allow-write">
46 | 				Write permission
47 | 				<span class="field__sublabel">
48 | 					<input id="user-allow-write" type="checkbox" name="allowWrite" {?form.user.allowWrite}checked{/form.user.allowWrite}/>
49 | 					User is permitted to create and edit dashboard content
50 | 				</span>
51 | 			</label>
52 | 		</div>
53 | 
54 | 		<div class="field field--checkbox">
55 | 			<label for="user-allow-delete">
56 | 				Delete permission
57 | 				<span class="field__sublabel">
58 | 					<input id="user-allow-delete" type="checkbox" name="allowDelete" {?form.user.allowDelete}checked{/form.user.allowDelete}/>
59 | 					User is permitted to delete dashboard content
60 | 				</span>
61 | 			</label>
62 | 		</div>
63 | 
64 | 		<div class="field field--checkbox">
65 | 			<label for="user-allow-admin">
66 | 				Admin permission
67 | 				<span class="field__sublabel">
68 | 					<input id="user-allow-admin" type="checkbox" name="allowAdmin" {?form.user.allowAdmin}checked{/form.user.allowAdmin}/>
69 | 					User is permitted to administer other users and change settings
70 | 				</span>
71 | 			</label>
72 | 		</div>
73 | 
74 | 	{/formAdmin}
75 | 
76 | 	<div class="field">
77 | 		<input type="submit" value="{cta}" class="button button--submit"/>
78 | 	</div>
79 | 
80 | </form>
81 | 


--------------------------------------------------------------------------------
/controller/api-v1/urls.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const express = require('express');
 4 | const httpError = require('http-errors');
 5 | const requirePermission = require('../../lib/middleware/require-permission');
 6 | 
 7 | /**
 8 |  * Initialise the URLs controller.
 9 |  * @param {Dashboard} dashboard - A dashboard instance.
10 |  * @param {Object} router - The API Express router.
11 |  * @returns {undefined} Nothing
12 |  */
13 | function initUrlsController(dashboard, router) {
14 | 	const Url = dashboard.model.Url;
15 | 
16 | 	// Add param callback for URL IDs
17 | 	router.param('urlId', async (request, response, next, urlId) => {
18 | 		try {
19 | 			request.urlFromParam = await Url.fetchOneByIdAndSiteId(urlId, request.params.siteId);
20 | 			return next(request.urlFromParam ? undefined : httpError(404));
21 | 		} catch (error) {
22 | 			return next(error);
23 | 		}
24 | 	});
25 | 
26 | 	// List a single site's URLs by site ID
27 | 	router.get('/sites/:siteId/urls', requirePermission('read'), async (request, response, next) => {
28 | 		try {
29 | 			const site = request.siteFromParam;
30 | 			response.send(await Url.fetchBySiteId(site.get('id')));
31 | 		} catch (error) {
32 | 			return next(error);
33 | 		}
34 | 	});
35 | 
36 | 	// Create a new URL for a site
37 | 	router.post('/sites/:siteId/urls', requirePermission('write'), express.json(), async (request, response, next) => {
38 | 		try {
39 | 			const site = request.siteFromParam;
40 | 			const url = await Url.create({
41 | 				site_id: site.get('id'),
42 | 				name: request.body.name,
43 | 				address: request.body.address,
44 | 				pa11y_config: request.body.pa11yConfig
45 | 			});
46 | 			response.status(201).send(url);
47 | 		} catch (error) {
48 | 			return next(error);
49 | 		}
50 | 	});
51 | 
52 | 	// Get a single site URL by ID
53 | 	router.get('/sites/:siteId/urls/:urlId', requirePermission('read'), (request, response, next) => {
54 | 		try {
55 | 			const url = request.urlFromParam;
56 | 			response.send(url);
57 | 		} catch (error) {
58 | 			return next(error);
59 | 		}
60 | 	});
61 | 
62 | 	// Update a URL
63 | 	router.patch('/sites/:siteId/urls/:urlId', requirePermission('write'), express.json(), async (request, response, next) => {
64 | 		try {
65 | 			const url = request.urlFromParam;
66 | 			await url.update({
67 | 				name: request.body.name,
68 | 				address: request.body.address,
69 | 				pa11y_config: request.body.pa11yConfig
70 | 			});
71 | 			response.status(200).send(url);
72 | 		} catch (error) {
73 | 			return next(error);
74 | 		}
75 | 	});
76 | 
77 | 	// Delete a url
78 | 	router.delete('/sites/:siteId/urls/:urlId', requirePermission('delete'), async (request, response, next) => {
79 | 		try {
80 | 			const url = request.urlFromParam;
81 | 			await url.destroy();
82 | 			response.status(204).send({});
83 | 		} catch (error) {
84 | 			return next(error);
85 | 		}
86 | 	});
87 | 
88 | }
89 | 
90 | module.exports = initUrlsController;
91 | 


--------------------------------------------------------------------------------
/controller/api-v1/sites.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const express = require('express');
 4 | const httpError = require('http-errors');
 5 | const requirePermission = require('../../lib/middleware/require-permission');
 6 | 
 7 | /**
 8 |  * Initialise the sites controller.
 9 |  * @param {Dashboard} dashboard - A dashboard instance.
10 |  * @param {Object} router - The API Express router.
11 |  * @returns {undefined} Nothing
12 |  */
13 | function initSitesController(dashboard, router) {
14 | 	const Site = dashboard.model.Site;
15 | 
16 | 	// Add a param callback for site IDs
17 | 	router.param('siteId', async (request, response, next, siteId) => {
18 | 		try {
19 | 			request.siteFromParam = await Site.fetchOneById(siteId);
20 | 			return next(request.siteFromParam ? undefined : httpError(404));
21 | 		} catch (error) {
22 | 			return next(error);
23 | 		}
24 | 	});
25 | 
26 | 	// List all sites
27 | 	router.get('/sites', requirePermission('read'), async (request, response, next) => {
28 | 		try {
29 | 			response.send(await Site.fetchAll());
30 | 		} catch (error) {
31 | 			return next(error);
32 | 		}
33 | 	});
34 | 
35 | 	// Create a new site
36 | 	router.post('/sites', requirePermission('write'), express.json(), async (request, response, next) => {
37 | 		try {
38 | 			const site = await Site.create({
39 | 				name: request.body.name,
40 | 				base_url: request.body.baseUrl,
41 | 				is_runnable: request.body.isRunnable,
42 | 				is_scheduled: request.body.isScheduled,
43 | 				schedule: request.body.schedule,
44 | 				pa11y_config: request.body.pa11yConfig
45 | 			});
46 | 			response.status(201).send(site);
47 | 		} catch (error) {
48 | 			return next(error);
49 | 		}
50 | 	});
51 | 
52 | 	// Get a single site by ID
53 | 	router.get('/sites/:siteId', requirePermission('read'), (request, response, next) => {
54 | 		try {
55 | 			const site = request.siteFromParam;
56 | 			response.send(site);
57 | 		} catch (error) {
58 | 			return next(error);
59 | 		}
60 | 	});
61 | 
62 | 	// Update a site by ID
63 | 	router.patch('/sites/:siteId', requirePermission('write'), express.json(), async (request, response, next) => {
64 | 		try {
65 | 			const site = request.siteFromParam;
66 | 			await site.update({
67 | 				name: request.body.name,
68 | 				base_url: request.body.baseUrl,
69 | 				is_runnable: request.body.isRunnable,
70 | 				is_scheduled: request.body.isScheduled,
71 | 				schedule: request.body.schedule,
72 | 				pa11y_config: request.body.pa11yConfig
73 | 			});
74 | 			response.status(200).send(site);
75 | 		} catch (error) {
76 | 			return next(error);
77 | 		}
78 | 	});
79 | 
80 | 	// Delete a site by ID
81 | 	router.delete('/sites/:siteId', requirePermission('delete'), async (request, response, next) => {
82 | 		try {
83 | 			const site = request.siteFromParam;
84 | 			await site.destroy();
85 | 			response.status(204).send({});
86 | 		} catch (error) {
87 | 			return next(error);
88 | 		}
89 | 	});
90 | 
91 | }
92 | 
93 | module.exports = initSitesController;
94 | 


--------------------------------------------------------------------------------
/controller/api-v1/users.js:
--------------------------------------------------------------------------------
  1 | 'use strict';
  2 | 
  3 | const express = require('express');
  4 | const httpError = require('http-errors');
  5 | const requirePermission = require('../../lib/middleware/require-permission');
  6 | 
  7 | /**
  8 |  * Initialise the users controller.
  9 |  * @param {Dashboard} dashboard - A dashboard instance.
 10 |  * @param {Object} router - The API Express router.
 11 |  * @returns {undefined} Nothing
 12 |  */
 13 | function initUsersController(dashboard, router) {
 14 | 	const User = dashboard.model.User;
 15 | 
 16 | 	// Add a param callback for user IDs
 17 | 	router.param('userId', async (request, response, next, userId) => {
 18 | 		try {
 19 | 			request.userFromParam = await User.fetchOneById(userId);
 20 | 			return next(request.userFromParam ? undefined : httpError(404));
 21 | 		} catch (error) {
 22 | 			return next(error);
 23 | 		}
 24 | 	});
 25 | 
 26 | 	// List all users
 27 | 	router.get('/users', requirePermission('admin'), async (request, response, next) => {
 28 | 		try {
 29 | 			response.send(await User.fetchAll());
 30 | 		} catch (error) {
 31 | 			return next(error);
 32 | 		}
 33 | 	});
 34 | 
 35 | 	// Create a new user
 36 | 	router.post('/users', requirePermission('admin'), express.json(), async (request, response, next) => {
 37 | 		try {
 38 | 			const user = await User.create({
 39 | 				email: request.body.email,
 40 | 				password: request.body.password,
 41 | 				allow_read: request.body.read,
 42 | 				allow_write: request.body.write,
 43 | 				allow_delete: request.body.delete,
 44 | 				allow_admin: request.body.admin
 45 | 			});
 46 | 			response.status(201).send(user);
 47 | 		} catch (error) {
 48 | 			return next(error);
 49 | 		}
 50 | 	});
 51 | 
 52 | 	// Get a single user by ID
 53 | 	router.get('/users/:userId', requirePermission('admin'), (request, response, next) => {
 54 | 		try {
 55 | 			const user = request.userFromParam;
 56 | 			response.send(user);
 57 | 		} catch (error) {
 58 | 			return next(error);
 59 | 		}
 60 | 	});
 61 | 
 62 | 	// Update a user
 63 | 	router.patch('/users/:userId', requirePermission('admin'), express.json(), async (request, response, next) => {
 64 | 		try {
 65 | 			const user = request.userFromParam;
 66 | 			if (user.get('is_owner')) {
 67 | 				throw httpError(403, 'You are not authorized to modify an owner');
 68 | 			}
 69 | 			await user.update({
 70 | 				email: request.body.email,
 71 | 				password: request.body.password,
 72 | 				allow_read: request.body.read,
 73 | 				allow_write: request.body.write,
 74 | 				allow_delete: request.body.delete,
 75 | 				allow_admin: request.body.admin
 76 | 			});
 77 | 			response.status(200).send(user);
 78 | 		} catch (error) {
 79 | 			return next(error);
 80 | 		}
 81 | 	});
 82 | 
 83 | 	// Delete a user
 84 | 	router.delete('/users/:userId', requirePermission('admin'), async (request, response, next) => {
 85 | 		try {
 86 | 			const user = request.userFromParam;
 87 | 			if (request.authUser && user.get('id') === request.authUser.id) {
 88 | 				throw httpError(403, 'You are not authorized to delete yourself');
 89 | 			}
 90 | 			if (user.get('is_owner')) {
 91 | 				throw httpError(403, 'You are not authorized to modify an owner');
 92 | 			}
 93 | 			await user.destroy();
 94 | 			response.status(204).send({});
 95 | 		} catch (error) {
 96 | 			return next(error);
 97 | 		}
 98 | 	});
 99 | 
100 | }
101 | 
102 | module.exports = initUsersController;
103 | 


--------------------------------------------------------------------------------
/controller/api-v1/keys.js:
--------------------------------------------------------------------------------
  1 | 'use strict';
  2 | 
  3 | const express = require('express');
  4 | const httpError = require('http-errors');
  5 | const requirePermission = require('../../lib/middleware/require-permission');
  6 | 
  7 | /**
  8 |  * Initialise the keys controller.
  9 |  * @param {Dashboard} dashboard - A dashboard instance.
 10 |  * @param {Object} router - The API Express router.
 11 |  * @returns {undefined} Nothing
 12 |  */
 13 | function initKeysController(dashboard, router) {
 14 | 	const Key = dashboard.model.Key;
 15 | 
 16 | 	// Add param callback for API key IDs
 17 | 	router.param('keyId', async (request, response, next, keyId) => {
 18 | 		try {
 19 | 			request.keyFromParam = await Key.fetchOneByIdAndUserId(keyId, request.params.userId);
 20 | 			return next(request.keyFromParam ? undefined : httpError(404));
 21 | 		} catch (error) {
 22 | 			return next(error);
 23 | 		}
 24 | 	});
 25 | 
 26 | 	// List a single user's keys by user ID
 27 | 	router.get('/users/:userId/keys', requirePermission('admin'), async (request, response, next) => {
 28 | 		try {
 29 | 			const user = request.userFromParam;
 30 | 			response.send(await Key.fetchByUserId(user.get('id')));
 31 | 		} catch (error) {
 32 | 			return next(error);
 33 | 		}
 34 | 	});
 35 | 
 36 | 	// Create a new key for a user
 37 | 	router.post('/users/:userId/keys', requirePermission('admin'), express.json(), async (request, response, next) => {
 38 | 		try {
 39 | 			const user = request.userFromParam;
 40 | 			const secret = Key.generateSecret();
 41 | 			const key = await Key.create({
 42 | 				user_id: user.get('id'),
 43 | 				description: request.body.description,
 44 | 				secret
 45 | 			});
 46 | 			response.status(201).send({
 47 | 				key: key.get('id'),
 48 | 				secret
 49 | 			});
 50 | 		} catch (error) {
 51 | 			return next(error);
 52 | 		}
 53 | 	});
 54 | 
 55 | 	// Get a single user key by ID
 56 | 	router.get('/users/:userId/keys/:keyId', requirePermission('admin'), (request, response, next) => {
 57 | 		try {
 58 | 			const key = request.keyFromParam;
 59 | 			response.send(key);
 60 | 		} catch (error) {
 61 | 			return next(error);
 62 | 		}
 63 | 	});
 64 | 
 65 | 	// Update a key
 66 | 	router.patch('/users/:userId/keys/:keyId', requirePermission('admin'), express.json(), async (request, response, next) => {
 67 | 		try {
 68 | 			const user = request.userFromParam;
 69 | 			const key = request.keyFromParam;
 70 | 			if (user.get('is_owner')) {
 71 | 				throw httpError(403, 'You are not authorized to modify an owner\'s keys');
 72 | 			}
 73 | 			await key.update({
 74 | 				description: request.body.description
 75 | 			});
 76 | 			response.status(200).send(key);
 77 | 		} catch (error) {
 78 | 			return next(error);
 79 | 		}
 80 | 	});
 81 | 
 82 | 	// Delete a key
 83 | 	router.delete('/users/:userId/keys/:keyId', requirePermission('admin'), async (request, response, next) => {
 84 | 		try {
 85 | 			const user = request.userFromParam;
 86 | 			const key = request.keyFromParam;
 87 | 			if (request.authKey && key.get('id') === request.authKey.id) {
 88 | 				throw httpError(403, 'You are not authorized to delete the key currently being used to authenticate');
 89 | 			}
 90 | 			if (user.get('is_owner')) {
 91 | 				throw httpError(403, 'You are not authorized to modify an owner\'s keys');
 92 | 			}
 93 | 			await key.destroy();
 94 | 			response.status(204).send({});
 95 | 		} catch (error) {
 96 | 			return next(error);
 97 | 		}
 98 | 	});
 99 | 
100 | }
101 | 
102 | module.exports = initKeysController;
103 | 


--------------------------------------------------------------------------------
/test/integration/seed/basic/auth.js:
--------------------------------------------------------------------------------
  1 | 'use strict';
  2 | 
  3 | const bcrypt = require('bcrypt');
  4 | 
  5 | // Test authentication details
  6 | exports.seed = async database => {
  7 | 
  8 | 	// Insert test users
  9 | 	await database('users').insert([
 10 | 		{
 11 | 			id: 'mock-owner-id',
 12 | 			email: 'owner@example.com',
 13 | 			password: await bcrypt.hash('password', 10),
 14 | 			is_owner: true,
 15 | 			allow_read: true,
 16 | 			allow_write: true,
 17 | 			allow_delete: true,
 18 | 			allow_admin: true
 19 | 		},
 20 | 		{
 21 | 			id: 'mock-admin-id',
 22 | 			email: 'admin@example.com',
 23 | 			password: await bcrypt.hash('password', 10),
 24 | 			allow_read: true,
 25 | 			allow_write: true,
 26 | 			allow_delete: true,
 27 | 			allow_admin: true
 28 | 		},
 29 | 		{
 30 | 			id: 'mock-delete-id',
 31 | 			email: 'delete@example.com',
 32 | 			password: await bcrypt.hash('password', 10),
 33 | 			allow_read: true,
 34 | 			allow_write: true,
 35 | 			allow_delete: true,
 36 | 			allow_admin: false
 37 | 		},
 38 | 		{
 39 | 			id: 'mock-write-id',
 40 | 			email: 'write@example.com',
 41 | 			password: await bcrypt.hash('password', 10),
 42 | 			allow_read: true,
 43 | 			allow_write: true,
 44 | 			allow_delete: false,
 45 | 			allow_admin: false
 46 | 		},
 47 | 		{
 48 | 			id: 'mock-read-id',
 49 | 			email: 'read@example.com',
 50 | 			password: await bcrypt.hash('password', 10),
 51 | 			allow_read: true,
 52 | 			allow_write: false,
 53 | 			allow_delete: false,
 54 | 			allow_admin: false
 55 | 		},
 56 | 		{
 57 | 			id: 'mock-noaccess-id',
 58 | 			email: 'noaccess@example.com',
 59 | 			password: await bcrypt.hash('password', 10),
 60 | 			allow_read: false,
 61 | 			allow_write: false,
 62 | 			allow_delete: false,
 63 | 			allow_admin: false
 64 | 		},
 65 | 		{
 66 | 			id: 'mock-nokeys-id',
 67 | 			email: 'nokeys@example.com',
 68 | 			password: await bcrypt.hash('password', 10),
 69 | 			allow_read: false,
 70 | 			allow_write: false,
 71 | 			allow_delete: false,
 72 | 			allow_admin: false
 73 | 		}
 74 | 	]);
 75 | 
 76 | 	// Insert test API keys
 77 | 	await database('keys').insert([
 78 | 		{
 79 | 			id: 'mock-owner-key',
 80 | 			secret: await bcrypt.hash('mock-owner-secret', 5),
 81 | 			user_id: 'mock-owner-id',
 82 | 			description: 'Key with admin permissions belonging to an owner'
 83 | 		},
 84 | 		{
 85 | 			id: 'mock-admin-key',
 86 | 			secret: await bcrypt.hash('mock-admin-secret', 5),
 87 | 			user_id: 'mock-admin-id',
 88 | 			description: 'Key with admin permissions'
 89 | 		},
 90 | 		{
 91 | 			id: 'mock-delete-key',
 92 | 			secret: await bcrypt.hash('mock-delete-secret', 5),
 93 | 			user_id: 'mock-delete-id',
 94 | 			description: 'Key with delete permissions'
 95 | 		},
 96 | 		{
 97 | 			id: 'mock-write-key',
 98 | 			secret: await bcrypt.hash('mock-write-secret', 5),
 99 | 			user_id: 'mock-write-id',
100 | 			description: 'Key with write permissions'
101 | 		},
102 | 		{
103 | 			id: 'mock-read-key',
104 | 			secret: await bcrypt.hash('mock-read-secret', 5),
105 | 			user_id: 'mock-read-id',
106 | 			description: 'Key with read permissions'
107 | 		},
108 | 		{
109 | 			id: 'mock-read-key-2',
110 | 			secret: await bcrypt.hash('mock-read-secret', 5),
111 | 			user_id: 'mock-read-id',
112 | 			description: 'Key with read permissions again'
113 | 		},
114 | 		{
115 | 			id: 'mock-noaccess-key',
116 | 			secret: await bcrypt.hash('mock-noaccess-secret', 5),
117 | 			user_id: 'mock-noaccess-id',
118 | 			description: 'Key with no permissions'
119 | 		}
120 | 	]);
121 | 
122 | };
123 | 


--------------------------------------------------------------------------------
/controller/api-v1/me.js:
--------------------------------------------------------------------------------
  1 | 'use strict';
  2 | 
  3 | const express = require('express');
  4 | const httpError = require('http-errors');
  5 | const requireAuth = require('../../lib/middleware/require-auth');
  6 | 
  7 | /**
  8 |  * Initialise the "me" controller.
  9 |  * @param {Dashboard} dashboard - A dashboard instance.
 10 |  * @param {Object} router - The API Express router.
 11 |  * @returns {undefined} Nothing
 12 |  */
 13 | function initMeController(dashboard, router) {
 14 | 	const Key = dashboard.model.Key;
 15 | 	const User = dashboard.model.User;
 16 | 
 17 | 	// Require authentication for all of these routes
 18 | 	router.use('/me', requireAuth());
 19 | 
 20 | 	// Add param callback for current user API key IDs
 21 | 	router.param('myKeyId', async (request, response, next, myKeyId) => {
 22 | 		try {
 23 | 			request.keyFromParam = await Key.fetchOneByIdAndUserId(myKeyId, request.authUser.id);
 24 | 			return next(request.keyFromParam ? undefined : httpError(404));
 25 | 		} catch (error) {
 26 | 			return next(error);
 27 | 		}
 28 | 	});
 29 | 
 30 | 	// Get the currently authenticated user
 31 | 	router.get('/me', (request, response) => {
 32 | 		response.send(request.authUser);
 33 | 	});
 34 | 
 35 | 	// Update the currently authenticated user
 36 | 	router.patch('/me', express.json(), async (request, response, next) => {
 37 | 		try {
 38 | 			const user = await User.fetchOneById(request.authUser.id);
 39 | 			await user.update({
 40 | 				email: request.body.email,
 41 | 				password: request.body.password
 42 | 			});
 43 | 			response.status(200).send(user);
 44 | 		} catch (error) {
 45 | 			return next(error);
 46 | 		}
 47 | 	});
 48 | 
 49 | 	// List the currently authenticated user's keys
 50 | 	router.get('/me/keys', async (request, response, next) => {
 51 | 		try {
 52 | 			response.send(await Key.fetchByUserId(request.authUser.id));
 53 | 		} catch (error) {
 54 | 			return next(error);
 55 | 		}
 56 | 	});
 57 | 
 58 | 	// Create a new key for the currently authenticated user
 59 | 	router.post('/me/keys', express.json(), async (request, response, next) => {
 60 | 		try {
 61 | 			const secret = Key.generateSecret();
 62 | 			const key = await Key.create({
 63 | 				user_id: request.authUser.id,
 64 | 				description: request.body.description,
 65 | 				secret
 66 | 			});
 67 | 			response.status(201).send({
 68 | 				key: key.get('id'),
 69 | 				secret
 70 | 			});
 71 | 		} catch (error) {
 72 | 			return next(error);
 73 | 		}
 74 | 	});
 75 | 
 76 | 	// Get a single currently authenticated user key by ID
 77 | 	router.get('/me/keys/:myKeyId', (request, response, next) => {
 78 | 		try {
 79 | 			const key = request.keyFromParam;
 80 | 			response.send(key);
 81 | 		} catch (error) {
 82 | 			return next(error);
 83 | 		}
 84 | 	});
 85 | 
 86 | 	// Update a single currently authenticated user key
 87 | 	router.patch('/me/keys/:myKeyId', express.json(), async (request, response, next) => {
 88 | 		try {
 89 | 			const key = request.keyFromParam;
 90 | 			await key.update({
 91 | 				description: request.body.description
 92 | 			});
 93 | 			response.status(200).send(key);
 94 | 		} catch (error) {
 95 | 			return next(error);
 96 | 		}
 97 | 	});
 98 | 
 99 | 	// Delete a single currently authenticated user key
100 | 	router.delete('/me/keys/:myKeyId', async (request, response, next) => {
101 | 		try {
102 | 			const key = request.keyFromParam;
103 | 			if (request.authKey && key.get('id') === request.authKey.id) {
104 | 				return next(httpError(403, 'You are not authorized to delete the key currently being used to authenticate'));
105 | 			}
106 | 			await key.destroy();
107 | 			response.status(204).send({});
108 | 		} catch (error) {
109 | 			return next(error);
110 | 		}
111 | 	});
112 | 
113 | }
114 | 
115 | module.exports = initMeController;
116 | 


--------------------------------------------------------------------------------
/controller/front-end/index.js:
--------------------------------------------------------------------------------
  1 | 'use strict';
  2 | 
  3 | const authWithCookie = require('../../lib/middleware/auth-with-cookie');
  4 | const express = require('express');
  5 | const flash = require('../../lib/middleware/flash');
  6 | const initAdminController = require('./admin');
  7 | const initAuthController = require('./auth');
  8 | const initDocsController = require('./docs');
  9 | const initHomeController = require('./home');
 10 | const initSettingsController = require('./settings');
 11 | const initSetupController = require('./setup');
 12 | const initSitesController = require('./sites');
 13 | const notFound = require('../../lib/middleware/not-found');
 14 | const session = require('express-session');
 15 | const SessionStore = require('connect-session-knex')(session);
 16 | const uuid = require('uuid/v4');
 17 | 
 18 | /**
 19 |  * Initialise the Front End controller.
 20 |  * @param {Dashboard} dashboard - A dashboard instance.
 21 |  * @returns {Object} An Express router.
 22 |  */
 23 | function initFrontEndController(dashboard) {
 24 | 	const Setting = dashboard.model.Setting;
 25 | 
 26 | 	// Create an Express router for the front end
 27 | 	const router = new express.Router({
 28 | 		caseSensitive: true,
 29 | 		strict: true
 30 | 	});
 31 | 
 32 | 	// Serve static files
 33 | 	router.use(express.static(`${__dirname}/../../public`));
 34 | 
 35 | 	// Set up session middleware, backed by the database
 36 | 	router.use(session({
 37 | 		cookie: {
 38 | 			maxAge: 1000 * 60 * 60 * 24 * 7 // 1 week
 39 | 		},
 40 | 		name: 'sidekick.sid',
 41 | 		resave: false,
 42 | 		saveUninitialized: false,
 43 | 		secret: dashboard.options.sessionSecret || uuid(),
 44 | 		store: new SessionStore({
 45 | 			knex: dashboard.database.knex,
 46 | 			createtable: false
 47 | 		}),
 48 | 		unset: 'destroy'
 49 | 	}));
 50 | 
 51 | 	// Set up flash messaging
 52 | 	router.use(flash());
 53 | 
 54 | 	// Allow authentication through a session cookie
 55 | 	router.use(authWithCookie());
 56 | 
 57 | 	// Add default view data
 58 | 	router.use((request, response, next) => {
 59 | 		response.locals.siteWideAlert = request.flash.get('site-wide-alert');
 60 | 		response.locals.appUrl = request.appUrl;
 61 | 		response.locals.authUser = request.authUser;
 62 | 		response.locals.permissions = request.permissions;
 63 | 		response.locals.requestPath = request.path;
 64 | 		response.locals.requestUrl = request.url;
 65 | 		response.locals.publicReadAccess = Setting.get('publicReadAccess');
 66 | 		next();
 67 | 	});
 68 | 
 69 | 	// Mount routes
 70 | 	// IMPORTANT: the setup controller MUST be mounted before the home controller
 71 | 	initSetupController(dashboard, router);
 72 | 	initHomeController(dashboard, router);
 73 | 	initAuthController(dashboard, router);
 74 | 	initDocsController(dashboard, router);
 75 | 	initSitesController(dashboard, router);
 76 | 	initSettingsController(dashboard, router);
 77 | 	initAdminController(dashboard, router);
 78 | 
 79 | 	// Middleware to handle errors
 80 | 	router.use(notFound());
 81 | 	router.use((error, request, response, next) => { // eslint-disable-line no-unused-vars
 82 | 
 83 | 		// The status code should be a client or server error
 84 | 		const statusCode = (error.status && error.status >= 400 ? error.status : 500);
 85 | 
 86 | 		// Render a helpful error page
 87 | 		response.status(statusCode).render('template/error', {
 88 | 			error: {
 89 | 				status: statusCode,
 90 | 				message: error.message,
 91 | 				stack: (dashboard.environment === 'development' ? error.stack : undefined)
 92 | 			}
 93 | 		});
 94 | 
 95 | 		// Output server errors in the logs – we need
 96 | 		// to know about these
 97 | 		if (error.status >= 500) {
 98 | 			dashboard.log.error(error.stack);
 99 | 		}
100 | 
101 | 	});
102 | 
103 | 	return router;
104 | }
105 | 
106 | module.exports = initFrontEndController;
107 | 


--------------------------------------------------------------------------------
/view/template/docs/api-v1.dust:
--------------------------------------------------------------------------------
  1 | {>"layout/full"/}
  2 | 
  3 | {<title}
  4 | 	API Documentation - Sidekick
  5 | {/title}
  6 | 
  7 | {<secondary-nav}
  8 | 	{>"partial/nav/api-docs"/}
  9 | {/secondary-nav}
 10 | 
 11 | {<content}
 12 | 
 13 | 	<h1>API Documentation</h1>
 14 | 
 15 | 	<p>
 16 | 		Sidekick comes with a REST API which can be used to automate certain tasks or push data
 17 | 		into the dashboard from external sources. The documentation here outlines which endpoints
 18 | 		are available.
 19 | 	</p>
 20 | 
 21 | 	<ol class="table-of-contents">
 22 | 		<li><a href="#version">Current version</a></li>
 23 | 		<li><a href="#authentication">Authentication</a></li>
 24 | 		<li><a href="#permissions">Permissions</a></li>
 25 | 		<li><a href="#content-types">Content-Types</a></li>
 26 | 		<li><a href="#cors">Cross Origin Resource Sharing</a></li>
 27 | 		<li><a href="#errors">Errors</a></li>
 28 | 	</ol>
 29 | 
 30 | 
 31 | 	<h2 id="version">Current version</h2>
 32 | 
 33 | 	<p>
 34 | 		The current version of the API is <code>v1</code>. All endpoints are prefixed with this
 35 | 		version identifier.
 36 | 	</p>
 37 | 
 38 | 
 39 | 	<h2 id="authentication">Authentication</h2>
 40 | 
 41 | 	<p>
 42 | 		Many endpoints in the API require authentication. Before you can authenticate, you'll need to
 43 | 		generate an API key and secret. <a href="/settings/keys">You can do that here</a>.
 44 | 	</p>
 45 | 
 46 | 	<p>
 47 | 		When you have an API key and secret you must set them as headers whenever you make a request
 48 | 		to the API:
 49 | 	</p>
 50 | 
 51 | 	{@codeBlock language="http"}
 52 | 		X-Api-Key: xxx-xxxx-xxx
 53 | 		X-Api-Secret: xxx-xxxx-xxx
 54 | 	{/codeBlock}
 55 | 
 56 | 
 57 | 	<h2 id="permissions">Permissions</h2>
 58 | 
 59 | 	<p>
 60 | 		Different endpoints require different user permissions to access. The documentation for each
 61 | 		endpoint will outline which is required.
 62 | 	</p>
 63 | 
 64 | 	<p>
 65 | 		The permission levels are as follows. Note that these don't stack: a user with <code>WRITE</code>
 66 | 		access does not automatically have <code>READ</code> access.
 67 | 	</p>
 68 | 
 69 | 	<div class="table-wrapper">
 70 | 		<table class="table table--striped">
 71 | 			<thead>
 72 | 				<tr>
 73 | 					<th>Permission</th>
 74 | 					<th>Description</th>
 75 | 				</tr>
 76 | 			</thead>
 77 | 			<tbody>
 78 | 				<tr>
 79 | 					<td><code>READ</code></th>
 80 | 					<td>Allowed to list and get most resources</td>
 81 | 				</tr>
 82 | 				<tr>
 83 | 					<td><code>WRITE</code></th>
 84 | 					<td>Allowed to create new resources and update existing resources</td>
 85 | 				</tr>
 86 | 				<tr>
 87 | 					<td><code>DELETE</code></th>
 88 | 					<td>Allowed to delete resources</td>
 89 | 				</tr>
 90 | 				<tr>
 91 | 					<td><code>ADMIN</code></th>
 92 | 					<td>Allowed to administer users and access</td>
 93 | 				</tr>
 94 | 			</tbody>
 95 | 		</table>
 96 | 	</div>
 97 | 
 98 | 	<p>
 99 | 		If you don't know what permission level an API key and secret grant you, you can check by
100 | 		<a href="#authentication">authenticating</a> and
101 | 		<a href="/docs/api/v1/users#get-api-v1-me">requesting the authenticated user details</a>.
102 | 	</p>
103 | 
104 | 
105 | 	<h2 id="content-types">Content-Types</h2>
106 | 
107 | 	<p>
108 | 		All endpoints respond with a <code>Content-Type</code> header of <code>application/json</code>
109 | 		unless explicitly stated otherwise.
110 | 	</p>
111 | 
112 | 
113 | 	<h2 id="cors">Cross Origin Resource Sharing</h2>
114 | 
115 | 	<p>
116 | 		All endpoints respond with appropriate and permissive
117 | 		<a href="https://www.w3.org/TR/cors/">CORS</a> headers.
118 | 	</p>
119 | 
120 | 
121 | 	<h2 id="errors">Errors</h2>
122 | 
123 | 	<p>
124 | 		The API returns error messages as JSON following the schema below:
125 | 	</p>
126 | 
127 | 	{@codeBlock language="json"}
128 | 		{
129 | 			"status": 404,           // The HTTP status code of the response
130 | 			"message": "Not Found",  // A short description of the error that occurred
131 | 			"validation": [
132 | 				"example"            // Additional validation messages (optional)
133 | 			]
134 | 		}
135 | 	{/codeBlock}
136 | 
137 | {/content}
138 | 


--------------------------------------------------------------------------------
/docs/deploy/heroku.md:
--------------------------------------------------------------------------------
 1 | 
 2 | # Heroku Deployment Guide
 3 | 
 4 | Running Sidekick on [Heroku] is nice and easy compared to hosting on a server of your own. We provide manual instructions as well as a one-click button to get you set up.
 5 | 
 6 | 
 7 | ## Table of Contents
 8 | 
 9 |   - [One-Click Setup](#one-click-setup)
10 |   - [Manual Setup](#manual-setup)
11 |   - [Questions and Troubleshooting](#questions-and-troubleshooting)
12 | 
13 | 
14 | ## One-Click Setup
15 | 
16 | The button below sets up a full Heroku application, including the required add-ons and configuration. You'll need a Heroku account to get started, and Sidekick will run fine on the free tier which has a few limitations.
17 | 
18 | For most Heroku users, all you need to do is click the button and fill out a few fields. Then complete the setup step in the new Sidekick application.
19 | 
20 | [![Deploy to Heroku][heroku-button-image]][heroku-button-url]
21 | 
22 | 
23 | ## Manual Setup
24 | 
25 | To deploy Sidekick to Heroku manually you'll need a Heroku account. Then follow the instructions below:
26 | 
27 |   1. Visit <https://dashboard.heroku.com/> and click the button to create a new app
28 | 
29 |   2. Fill out and submit the form with your application name
30 | 
31 |   3. Now we need to create a database. Click on the "Resources" tab and search under "Add-ons" for "Heroku Postgres". When it appears, click the name of the add-on
32 | 
33 |   4. In the pop-up, provision a "Hobby Dev" plan. As your Sidekick database gets bigger you may need to increase this plan, but for now the free one is fine
34 | 
35 |   5. Now we need to add some configurations. Click on the "Settings" tab and then under "Config Variables", click "Reveal Config Vars"
36 | 
37 |   6. Configure your app using the [configurations outlined here][config]. If you want to get set up quickly then you should just need to set the following:
38 | 
39 |       - **`SESSION_SECRET`**: The secret to encrypt session IDs with. Ideally you should set this to a generated key, you can use something like [UUID Generator] for this
40 | 
41 |   7. Now we're ready to deploy for the first time. Click on the "Deploy" tab and choose a deployment method. We recommend either Heroku Git, or connecting to a forked copy of Sidekick on GitHub. Either way, the instructions in the Heroku interface should be helpful here
42 | 
43 |   8. Now you should be able to access your new application in-browser, click the "Open app" button that appears at the top of your dashboard in Heroku. A Sidekick page should load
44 | 
45 |   9. Complete the set-up step in the Sidekick interface, now you're ready to start using Sidekick!
46 | 
47 | 
48 | ## Questions and Troubleshooting
49 | 
50 | Here we outline some common questions and issues around deploying to Heroku.
51 | 
52 | ### I see a Heroku error page when I visit my application
53 | 
54 | This is likely due to a missing deployment, your code may not be on your Heroku app yet. Check the [Heroku deployment guide][heroku-deployment] for help.
55 | 
56 | ### When does the database migrate?
57 | 
58 | We migrate the database during the [Heroku release phase][heroku-release-phase]. This means that your database is up-to-date as soon as the new deployment completes.
59 | 
60 | ### Can I use Heroku preboot?
61 | 
62 | No. [Heroku's preboot feature][heroku-preboot] allows for zero downtime deployments and ensures that traffic can be received by a new deployment before switching out the production dynos. This doesn't play nicely with Sidekick due to the fact we use [Heroku release phases][heroku-release-phase] to migrate the database, and this happens _before_ the dynos switch over.
63 | 
64 | 
65 | 
66 | [config]: https://github.com/pa11y/sidekick#configuration
67 | [heroku]: https://www.heroku.com/
68 | [heroku-button-image]: https://www.herokucdn.com/deploy/button.svg
69 | [heroku-button-url]: https://heroku.com/deploy?template=https://github.com/pa11y/sidekick
70 | [heroku-deployment]: https://devcenter.heroku.com/categories/deployment
71 | [heroku-preboot]: https://devcenter.heroku.com/articles/preboot
72 | [heroku-release-phase]: https://devcenter.heroku.com/articles/release-phase
73 | [uuid generator]: https://www.uuidgenerator.net/
74 | 


--------------------------------------------------------------------------------
/test/unit/lib/middleware/flash.test.js:
--------------------------------------------------------------------------------
  1 | 'use strict';
  2 | 
  3 | const assert = require('proclaim');
  4 | const sinon = require('sinon');
  5 | 
  6 | describe('lib/middleware/flash', () => {
  7 | 	let flash;
  8 | 	let FlashMessenger;
  9 | 
 10 | 	beforeEach(() => {
 11 | 		flash = require('../../../../lib/middleware/flash');
 12 | 		FlashMessenger = flash.FlashMessenger;
 13 | 	});
 14 | 
 15 | 	it('exports a function', () => {
 16 | 		assert.isFunction(flash);
 17 | 	});
 18 | 
 19 | 	describe('flash()', () => {
 20 | 		let middleware;
 21 | 
 22 | 		beforeEach(() => {
 23 | 			middleware = flash();
 24 | 		});
 25 | 
 26 | 		it('returns a middleware function', () => {
 27 | 			assert.isFunction(middleware);
 28 | 		});
 29 | 
 30 | 		describe('middleware(request, response, next)', () => {
 31 | 			let next;
 32 | 			let request;
 33 | 			let mockFlashMessenger;
 34 | 
 35 | 			beforeEach(() => {
 36 | 				mockFlashMessenger = {
 37 | 					isMockFlashMessenger: true
 38 | 				};
 39 | 				flash.FlashMessenger = sinon.stub().returns(mockFlashMessenger);
 40 | 				request = {
 41 | 					isMockRequest: true
 42 | 				};
 43 | 				next = sinon.spy();
 44 | 				middleware(request, {}, next);
 45 | 			});
 46 | 
 47 | 			it('creates a new FlashMessenger instance and stores it on the request', () => {
 48 | 				assert.calledOnce(flash.FlashMessenger);
 49 | 				assert.calledWithNew(flash.FlashMessenger);
 50 | 				assert.calledWithExactly(flash.FlashMessenger, request);
 51 | 				assert.strictEqual(request.flash, mockFlashMessenger);
 52 | 			});
 53 | 
 54 | 			it('calls `next` with nothing', () => {
 55 | 				assert.calledOnce(next);
 56 | 				assert.calledWithExactly(next);
 57 | 			});
 58 | 
 59 | 		});
 60 | 
 61 | 	});
 62 | 
 63 | 	describe('flash.FlashMessenger', () => {
 64 | 
 65 | 		it('is a class constructor', () => {
 66 | 			assert.isFunction(FlashMessenger);
 67 | 			assert.throws(() => FlashMessenger(), /constructor flashmessenger/i); // eslint-disable-line new-cap
 68 | 		});
 69 | 
 70 | 		describe('new flash.FlashMessenger(request)', () => {
 71 | 			let flash;
 72 | 			let instance;
 73 | 			let request;
 74 | 
 75 | 			beforeEach(() => {
 76 | 				flash = {
 77 | 					mockFlash: true
 78 | 				};
 79 | 				request = {
 80 | 					session: {
 81 | 						flash
 82 | 					}
 83 | 				};
 84 | 				instance = new FlashMessenger(request);
 85 | 			});
 86 | 
 87 | 			it('deletes `request.session.flash`', () => {
 88 | 				assert.isUndefined(request.session.flash);
 89 | 			});
 90 | 
 91 | 			describe('.request', () => {
 92 | 
 93 | 				it('is set to the passed in request', () => {
 94 | 					assert.strictEqual(instance.request, request);
 95 | 				});
 96 | 
 97 | 			});
 98 | 
 99 | 			describe('.messages', () => {
100 | 
101 | 				it('is set to the session `flash` property', () => {
102 | 					assert.strictEqual(instance.messages, flash);
103 | 				});
104 | 
105 | 			});
106 | 
107 | 			describe('.get(key)', () => {
108 | 
109 | 				it('returns the value of the given key', () => {
110 | 					instance.messages = {
111 | 						mockKey: 'mock value'
112 | 					};
113 | 					assert.strictEqual(instance.get('mockKey'), 'mock value');
114 | 				});
115 | 
116 | 				describe('when the given key does not exist', () => {
117 | 
118 | 					it('returns `undefined`', () => {
119 | 						instance.messages = {};
120 | 						assert.isUndefined(instance.get('mockKey'));
121 | 					});
122 | 
123 | 				});
124 | 
125 | 			});
126 | 
127 | 			describe('.set(key, value)', () => {
128 | 
129 | 				it('adds the new key/value to the request session `flash` property', () => {
130 | 					delete request.session.flash;
131 | 					instance.set('mockKey', 'mock value');
132 | 					instance.set('mockKey2', 'mock value 2');
133 | 					assert.isObject(request.session.flash);
134 | 					assert.strictEqual(request.session.flash.mockKey, 'mock value');
135 | 					assert.strictEqual(request.session.flash.mockKey2, 'mock value 2');
136 | 				});
137 | 
138 | 			});
139 | 
140 | 			describe('when `request.session.flash` is not defined', () => {
141 | 
142 | 				beforeEach(() => {
143 | 					request = {
144 | 						session: {}
145 | 					};
146 | 					instance = new FlashMessenger(request);
147 | 				});
148 | 
149 | 				describe('.messages', () => {
150 | 
151 | 					it('is set to the an empty object', () => {
152 | 						assert.deepEqual(instance.messages, {});
153 | 					});
154 | 
155 | 				});
156 | 
157 | 			});
158 | 
159 | 		});
160 | 
161 | 	});
162 | 
163 | });
164 | 


--------------------------------------------------------------------------------
/model/key.js:
--------------------------------------------------------------------------------
  1 | 'use strict';
  2 | 
  3 | const bcrypt = require('bcrypt');
  4 | const crypto = require('crypto');
  5 | const joi = require('@hapi/joi');
  6 | 
  7 | /**
  8 |  * Initialise the Key model.
  9 |  * @param {Dashboard} dashboard - A dashboard instance.
 10 |  * @returns {Model} A Bookshelf model.
 11 |  */
 12 | function initKeyModel(dashboard) {
 13 | 
 14 | 	// Model validation schema
 15 | 	const schema = joi.object().keys({
 16 | 		user_id: joi.string().required(),
 17 | 		secret: joi.string().min(20).required(),
 18 | 		description: joi.string().required()
 19 | 	});
 20 | 
 21 | 	// Model prototypal methods
 22 | 	const Key = dashboard.database.Model.extend({
 23 | 		tableName: 'keys',
 24 | 
 25 | 		// Model initialization
 26 | 		initialize() {
 27 | 
 28 | 			// When a model is created...
 29 | 			this.on('creating', () => {
 30 | 
 31 | 				// Fill out automatic fields
 32 | 				this.attributes.id = Key.generateSecret();
 33 | 				this.attributes.created_at = new Date();
 34 | 
 35 | 			});
 36 | 
 37 | 			// When a model is saved...
 38 | 			this.on('saving', async () => {
 39 | 
 40 | 				// Fill out automatic fields
 41 | 				this.attributes.updated_at = new Date();
 42 | 
 43 | 				// Trim the description if it's changed
 44 | 				if (typeof this.attributes.description === 'string' && this.hasChanged('description')) {
 45 | 					this.attributes.description = this.attributes.description.trim();
 46 | 				}
 47 | 
 48 | 				// Validate the model
 49 | 				await this.validateSave();
 50 | 
 51 | 				// Hash the secret if it's changed
 52 | 				if (this.hasChanged('secret')) {
 53 | 					this.attributes.secret = await Key.hashSecret(this.attributes.secret);
 54 | 				}
 55 | 
 56 | 			});
 57 | 
 58 | 		},
 59 | 
 60 | 		// Validate the model before saving
 61 | 		validateSave() {
 62 | 			// Validate against the schema
 63 | 			return new Promise((resolve, reject) => {
 64 | 				schema.validate(this.attributes, {
 65 | 					abortEarly: false,
 66 | 					allowUnknown: true
 67 | 				}, error => {
 68 | 					if (error) {
 69 | 						return reject(error);
 70 | 					}
 71 | 					resolve();
 72 | 				});
 73 | 			});
 74 | 		},
 75 | 
 76 | 		// Update the key with user-provided data
 77 | 		async update(data) {
 78 | 			if (data.description !== undefined) {
 79 | 				this.set('description', data.description);
 80 | 			}
 81 | 			await this.save();
 82 | 			return this;
 83 | 		},
 84 | 
 85 | 		// Override default serialization so we can control output
 86 | 		serialize() {
 87 | 			return {
 88 | 				id: this.get('id'),
 89 | 				user: this.get('user_id'),
 90 | 				description: this.get('description'),
 91 | 				meta: {
 92 | 					dateCreated: this.get('created_at'),
 93 | 					dateUpdated: this.get('updated_at')
 94 | 				}
 95 | 			};
 96 | 		},
 97 | 
 98 | 		// User relationship
 99 | 		user() {
100 | 			return this.belongsTo(dashboard.model.User);
101 | 		}
102 | 
103 | 	// Model static methods
104 | 	}, {
105 | 
106 | 		// Generate a secret
107 | 		generateSecret() {
108 | 			return crypto.randomBytes(20).toString('hex');
109 | 		},
110 | 
111 | 		// Hash a secret
112 | 		hashSecret(secret) {
113 | 			const saltRounds = 5;
114 | 			return bcrypt.hash(secret, saltRounds);
115 | 		},
116 | 
117 | 		// Check a secret against a hashed secret
118 | 		checkSecret(secret, hash) {
119 | 			return bcrypt.compare(secret, hash);
120 | 		},
121 | 
122 | 		// Create a key with user-provided data
123 | 		async create(data) {
124 | 			const key = new Key({
125 | 				user_id: data.user_id,
126 | 				description: data.description,
127 | 				secret: data.secret
128 | 			});
129 | 			await key.save();
130 | 			return key;
131 | 		},
132 | 
133 | 		// Fetch a key by ID
134 | 		fetchOneById(keyId) {
135 | 			return Key.collection().query(qb => {
136 | 				qb.where('id', keyId);
137 | 			}).fetchOne();
138 | 		},
139 | 
140 | 		// Fetch a key by ID and user ID
141 | 		fetchOneByIdAndUserId(keyId, userId) {
142 | 			return Key.collection().query(qb => {
143 | 				qb.where('id', keyId);
144 | 				qb.where('user_id', userId);
145 | 			}).fetchOne({
146 | 				withRelated: ['user']
147 | 			});
148 | 		},
149 | 
150 | 		// Fetch keys by user ID
151 | 		fetchByUserId(userId) {
152 | 			return Key.collection().query(qb => {
153 | 				qb.where('user_id', userId);
154 | 				qb.orderBy('description', 'asc');
155 | 			}).fetch({
156 | 				withRelated: ['user']
157 | 			});
158 | 		}
159 | 
160 | 	});
161 | 
162 | 	return Key;
163 | }
164 | 
165 | module.exports = initKeyModel;
166 | 


--------------------------------------------------------------------------------
/model/site.js:
--------------------------------------------------------------------------------
  1 | 'use strict';
  2 | 
  3 | const joi = require('@hapi/joi');
  4 | const shortid = require('shortid');
  5 | 
  6 | /**
  7 |  * Initialise the Site model.
  8 |  * @param {Dashboard} dashboard - A dashboard instance.
  9 |  * @returns {Model} A Bookshelf model.
 10 |  */
 11 | function initSiteModel(dashboard) {
 12 | 
 13 | 	// Model validation schema
 14 | 	const schema = joi.object().keys({
 15 | 		name: joi.string().min(1).required(),
 16 | 		base_url: joi.string().uri({
 17 | 			scheme: [
 18 | 				'http',
 19 | 				'https'
 20 | 			]
 21 | 		}).required(),
 22 | 		is_runnable: joi.boolean().required(),
 23 | 		is_scheduled: joi.boolean().required(),
 24 | 		schedule: [joi.string().min(1), null],
 25 | 		pa11y_config: joi.object()
 26 | 	});
 27 | 
 28 | 	// Model prototypal methods
 29 | 	const Site = dashboard.database.Model.extend({
 30 | 		tableName: 'sites',
 31 | 
 32 | 		// Model initialization
 33 | 		initialize() {
 34 | 
 35 | 			// When a model is created...
 36 | 			this.on('creating', () => {
 37 | 
 38 | 				// Fill out automatic fields
 39 | 				this.attributes.id = shortid.generate();
 40 | 				this.attributes.created_at = new Date();
 41 | 
 42 | 			});
 43 | 
 44 | 			// When a model is saved...
 45 | 			this.on('saving', async () => {
 46 | 
 47 | 				// Fill out automatic fields
 48 | 				this.attributes.updated_at = new Date();
 49 | 
 50 | 				// Validate the model
 51 | 				await this.validateSave();
 52 | 
 53 | 				// Encode the Pa11y config if it's changed
 54 | 				if (this.hasChanged('pa11y_config')) {
 55 | 					this.attributes.pa11y_config = JSON.stringify(this.attributes.pa11y_config);
 56 | 				}
 57 | 
 58 | 			});
 59 | 
 60 | 		},
 61 | 
 62 | 		// Validate the model before saving
 63 | 		validateSave() {
 64 | 			return new Promise((resolve, reject) => {
 65 | 				// Validate against the schema
 66 | 				schema.validate(this.attributes, {
 67 | 					abortEarly: false,
 68 | 					allowUnknown: true
 69 | 				}, error => {
 70 | 					if (error) {
 71 | 						return reject(error);
 72 | 					}
 73 | 					resolve();
 74 | 				});
 75 | 			});
 76 | 		},
 77 | 
 78 | 		// Update the site with user-provided data
 79 | 		async update(data) {
 80 | 			if (data.name !== undefined) {
 81 | 				this.set('name', data.name);
 82 | 			}
 83 | 			if (data.base_url !== undefined) {
 84 | 				this.set('base_url', data.base_url);
 85 | 			}
 86 | 			if (data.is_runnable !== undefined) {
 87 | 				this.set('is_runnable', Boolean(data.is_runnable));
 88 | 			}
 89 | 			if (data.is_scheduled !== undefined) {
 90 | 				this.set('is_scheduled', Boolean(data.is_scheduled));
 91 | 			}
 92 | 			if (data.schedule !== undefined) {
 93 | 				this.set('schedule', data.schedule);
 94 | 			}
 95 | 			if (data.pa11y_config !== undefined) {
 96 | 				this.set('pa11y_config', data.pa11y_config);
 97 | 			}
 98 | 			await this.save();
 99 | 			return this;
100 | 		},
101 | 
102 | 		// Override default serialization so we can control output
103 | 		serialize() {
104 | 			return {
105 | 				id: this.get('id'),
106 | 				name: this.get('name'),
107 | 				baseUrl: this.get('base_url'),
108 | 				isRunnable: this.get('is_runnable'),
109 | 				isScheduled: this.get('is_scheduled'),
110 | 				schedule: this.get('schedule'),
111 | 				pa11yConfig: this.get('pa11y_config'),
112 | 				meta: {
113 | 					dateCreated: this.get('created_at'),
114 | 					dateUpdated: this.get('updated_at')
115 | 				}
116 | 			};
117 | 		},
118 | 
119 | 		// URL relationship
120 | 		urls() {
121 | 			return this.hasMany(dashboard.model.Url);
122 | 		}
123 | 
124 | 	// Model static methods
125 | 	}, {
126 | 
127 | 		// Create a site with user-provided data
128 | 		async create(data) {
129 | 			const site = new Site({
130 | 				name: data.name,
131 | 				base_url: data.base_url,
132 | 				is_runnable: Boolean(data.is_runnable),
133 | 				is_scheduled: Boolean(data.is_scheduled),
134 | 				schedule: data.schedule || null,
135 | 				pa11y_config: data.pa11y_config
136 | 			});
137 | 			await site.save();
138 | 			return site;
139 | 		},
140 | 
141 | 		// Fetch all sites
142 | 		fetchAll() {
143 | 			return Site.collection().query(qb => {
144 | 				qb.orderBy('name', 'asc');
145 | 				qb.orderBy('created_at', 'asc');
146 | 			}).fetch();
147 | 		},
148 | 
149 | 		// Fetch a site by id
150 | 		fetchOneById(siteId) {
151 | 			return Site.collection().query(qb => {
152 | 				qb.where('id', siteId);
153 | 			}).fetchOne();
154 | 		},
155 | 
156 | 		// Check whether a site with a given ID exists
157 | 		async existsById(siteId) {
158 | 			const count = await Site.collection().query(qb => {
159 | 				qb.where('id', siteId);
160 | 			}).count();
161 | 			return (count > 0);
162 | 		}
163 | 
164 | 	});
165 | 
166 | 	return Site;
167 | }
168 | 
169 | module.exports = initSiteModel;
170 | 


--------------------------------------------------------------------------------
/model/url.js:
--------------------------------------------------------------------------------
  1 | 'use strict';
  2 | 
  3 | const defaults = require('lodash/defaults');
  4 | const joi = require('@hapi/joi');
  5 | const shortid = require('shortid');
  6 | 
  7 | /**
  8 |  * Initialise the Url model.
  9 |  * @param {Dashboard} dashboard - A dashboard instance.
 10 |  * @returns {Model} A Bookshelf model.
 11 |  */
 12 | function initUrlModel(dashboard) {
 13 | 
 14 | 	// Model validation schema
 15 | 	const schema = joi.object().keys({
 16 | 		site_id: joi.string().required(),
 17 | 		name: joi.string().min(1).required(),
 18 | 		address: joi.string().min(1).required(),
 19 | 		pa11y_config: joi.object()
 20 | 	});
 21 | 
 22 | 	// Model prototypal methods
 23 | 	const Url = dashboard.database.Model.extend({
 24 | 		tableName: 'urls',
 25 | 
 26 | 		// Model initialization
 27 | 		initialize() {
 28 | 
 29 | 			// When a model is created...
 30 | 			this.on('creating', () => {
 31 | 
 32 | 				// Fill out automatic fields
 33 | 				this.attributes.id = shortid.generate();
 34 | 				this.attributes.created_at = new Date();
 35 | 
 36 | 			});
 37 | 
 38 | 			// When a model is saved...
 39 | 			this.on('saving', async () => {
 40 | 
 41 | 				// Fill out automatic fields
 42 | 				this.attributes.updated_at = new Date();
 43 | 
 44 | 				// Validate the model
 45 | 				await this.validateSave();
 46 | 
 47 | 				// Encode the Pa11y config if it's changed
 48 | 				if (this.hasChanged('pa11y_config')) {
 49 | 					this.attributes.pa11y_config = JSON.stringify(this.attributes.pa11y_config);
 50 | 				}
 51 | 
 52 | 			});
 53 | 
 54 | 		},
 55 | 
 56 | 		// Validate the model before saving
 57 | 		validateSave() {
 58 | 			return new Promise((resolve, reject) => {
 59 | 				// Validate against the schema
 60 | 				schema.validate(this.attributes, {
 61 | 					abortEarly: false,
 62 | 					allowUnknown: true
 63 | 				}, error => {
 64 | 					if (error) {
 65 | 						return reject(error);
 66 | 					}
 67 | 					resolve();
 68 | 				});
 69 | 			});
 70 | 		},
 71 | 
 72 | 		// Update the URL with user-provided data
 73 | 		async update(data) {
 74 | 			if (data.name !== undefined) {
 75 | 				this.set('name', data.name);
 76 | 			}
 77 | 			if (data.address !== undefined) {
 78 | 				this.set('address', data.address);
 79 | 			}
 80 | 			if (data.pa11y_config !== undefined) {
 81 | 				this.set('pa11y_config', data.pa11y_config);
 82 | 			}
 83 | 			await this.save();
 84 | 			return this;
 85 | 		},
 86 | 
 87 | 		// Override default serialization so we can control output
 88 | 		serialize() {
 89 | 			return {
 90 | 				id: this.get('id'),
 91 | 				site: this.get('site_id'),
 92 | 				name: this.get('name'),
 93 | 				address: this.get('address'),
 94 | 				fullAddress: this.fullAddress(),
 95 | 				pa11yConfig: this.pa11yConfig(),
 96 | 				meta: {
 97 | 					dateCreated: this.get('created_at'),
 98 | 					dateUpdated: this.get('updated_at')
 99 | 				}
100 | 			};
101 | 		},
102 | 
103 | 		// Site relationship
104 | 		site() {
105 | 			return this.belongsTo(dashboard.model.Site);
106 | 		},
107 | 
108 | 		// Get the full address of the URL (including base URL of site)
109 | 		fullAddress() {
110 | 			let baseUrl = this.related('site').get('base_url');
111 | 			let address = this.get('address');
112 | 			if (baseUrl === undefined || /^https?:\/\//i.test(address)) {
113 | 				return address;
114 | 			}
115 | 			if (baseUrl.endsWith('/')) {
116 | 				baseUrl = baseUrl.substr(0, baseUrl.length - 1);
117 | 			}
118 | 			if (!address.startsWith('/')) {
119 | 				address = `/${address}`;
120 | 			}
121 | 			return `${baseUrl}${address}`;
122 | 		},
123 | 
124 | 		// Get the full Pa11y config, merging with the parent site
125 | 		pa11yConfig() {
126 | 			return defaults({}, this.get('pa11y_config'), this.related('site').get('pa11y_config'));
127 | 		}
128 | 
129 | 	// Model static methods
130 | 	}, {
131 | 
132 | 		// Create a URL with user-provided data
133 | 		async create(data) {
134 | 			const site = new Url({
135 | 				site_id: data.site_id,
136 | 				name: data.name,
137 | 				address: data.address,
138 | 				pa11y_config: data.pa11y_config
139 | 			});
140 | 			await site.save();
141 | 			return site;
142 | 		},
143 | 
144 | 		// Fetch all URLs
145 | 		fetchAll() {
146 | 			return Url.collection().query(qb => {
147 | 				qb.orderBy('name', 'asc');
148 | 				qb.orderBy('address', 'asc');
149 | 				qb.orderBy('created_at', 'asc');
150 | 			}).fetch();
151 | 		},
152 | 
153 | 		// Fetch a URL by id
154 | 		fetchOneById(urlId) {
155 | 			return Url.collection().query(qb => {
156 | 				qb.where('id', urlId);
157 | 			}).fetchOne();
158 | 		},
159 | 
160 | 		// Fetch a URL by ID and site ID
161 | 		fetchOneByIdAndSiteId(urlId, siteId) {
162 | 			return Url.collection().query(qb => {
163 | 				qb.where('id', urlId);
164 | 				qb.where('site_id', siteId);
165 | 			}).fetchOne({
166 | 				withRelated: ['site']
167 | 			});
168 | 		},
169 | 
170 | 		// Fetch URLs by site ID
171 | 		fetchBySiteId(siteId) {
172 | 			return Url.collection().query(qb => {
173 | 				qb.where('site_id', siteId);
174 | 				qb.orderBy('name', 'asc');
175 | 				qb.orderBy('address', 'asc');
176 | 				qb.orderBy('created_at', 'asc');
177 | 			}).fetch({
178 | 				withRelated: ['site']
179 | 			});
180 | 		}
181 | 
182 | 	});
183 | 
184 | 	return Url;
185 | }
186 | 
187 | module.exports = initUrlModel;
188 | 


--------------------------------------------------------------------------------
/test/unit/lib/middleware/get-app-url.test.js:
--------------------------------------------------------------------------------
  1 | 'use strict';
  2 | 
  3 | const assert = require('proclaim');
  4 | const sinon = require('sinon');
  5 | 
  6 | describe('lib/middleware/get-app-url', () => {
  7 | 	let getAppUrl;
  8 | 
  9 | 	beforeEach(() => {
 10 | 		getAppUrl = require('../../../../lib/middleware/get-app-url');
 11 | 	});
 12 | 
 13 | 	it('exports a function', () => {
 14 | 		assert.isFunction(getAppUrl);
 15 | 	});
 16 | 
 17 | 	describe('getAppUrl(configuredHostname)', () => {
 18 | 		let middleware;
 19 | 
 20 | 		beforeEach(() => {
 21 | 			middleware = getAppUrl('https://mock-configured-host/');
 22 | 		});
 23 | 
 24 | 		it('returns a middleware function', () => {
 25 | 			assert.isFunction(middleware);
 26 | 		});
 27 | 
 28 | 		describe('middleware(request, response, next)', () => {
 29 | 			let next;
 30 | 			let request;
 31 | 
 32 | 			beforeEach(() => {
 33 | 				request = {
 34 | 					connection: {
 35 | 						remoteAddress: 'mock-request-remote-address',
 36 | 						localPort: 'mock-request-local-port'
 37 | 					},
 38 | 					headers: {},
 39 | 					protocol: 'mock-request-protocol',
 40 | 					hostname: 'mock-request-host'
 41 | 				};
 42 | 				next = sinon.spy();
 43 | 				middleware(request, {}, next);
 44 | 			});
 45 | 
 46 | 			it('sets the `request.appUrl` property to the expected URL', () => {
 47 | 				assert.strictEqual(request.appUrl, 'https://mock-configured-host');
 48 | 			});
 49 | 
 50 | 			it('calls `next` with nothing', () => {
 51 | 				assert.calledOnce(next);
 52 | 				assert.calledWithExactly(next);
 53 | 			});
 54 | 
 55 | 			describe('when `configuredHostname` is not defined', () => {
 56 | 
 57 | 				beforeEach(() => {
 58 | 					next.resetHistory();
 59 | 					delete request.appUrl;
 60 | 					request.headers = {
 61 | 						'X-Forwarded-Host': 'mock-request-forwarded-host',
 62 | 						'X-Forwarded-Port': 'mock-request-forwarded-port',
 63 | 						'X-Forwarded-Proto': 'mock-request-forwarded-protocol'
 64 | 					};
 65 | 					getAppUrl()(request, {}, next);
 66 | 				});
 67 | 
 68 | 				it('sets the `request.appUrl` property to the expected URL', () => {
 69 | 					assert.strictEqual(request.appUrl, 'mock-request-forwarded-protocol://mock-request-forwarded-host:mock-request-forwarded-port');
 70 | 				});
 71 | 
 72 | 				it('calls `next` with nothing', () => {
 73 | 					assert.calledOnce(next);
 74 | 					assert.calledWithExactly(next);
 75 | 				});
 76 | 
 77 | 			});
 78 | 
 79 | 			describe('when `configuredHostname` is not defined and X-Forwarded headers are not available', () => {
 80 | 
 81 | 				beforeEach(() => {
 82 | 					next.resetHistory();
 83 | 					delete request.appUrl;
 84 | 					request.headers = {};
 85 | 					getAppUrl()(request, {}, next);
 86 | 				});
 87 | 
 88 | 				it('sets the `request.appUrl` property to the expected URL', () => {
 89 | 					assert.strictEqual(request.appUrl, 'mock-request-protocol://mock-request-host');
 90 | 				});
 91 | 
 92 | 				it('calls `next` with nothing', () => {
 93 | 					assert.calledOnce(next);
 94 | 					assert.calledWithExactly(next);
 95 | 				});
 96 | 
 97 | 			});
 98 | 
 99 | 			describe('when `configuredHostname` is not defined and no request details are available', () => {
100 | 
101 | 				beforeEach(() => {
102 | 					next.resetHistory();
103 | 					delete request.appUrl;
104 | 					delete request.hostname;
105 | 					delete request.protocol;
106 | 					request.headers = {};
107 | 					getAppUrl()(request, {}, next);
108 | 				});
109 | 
110 | 				it('sets the `request.appUrl` property to the expected URL', () => {
111 | 					assert.strictEqual(request.appUrl, 'http://localhost');
112 | 				});
113 | 
114 | 				it('calls `next` with nothing', () => {
115 | 					assert.calledOnce(next);
116 | 					assert.calledWithExactly(next);
117 | 				});
118 | 
119 | 			});
120 | 
121 | 			describe('when `configuredHostname` is not defined, no request details are available, and the request host is local', () => {
122 | 
123 | 				beforeEach(() => {
124 | 					next.resetHistory();
125 | 					delete request.appUrl;
126 | 					delete request.hostname;
127 | 					delete request.protocol;
128 | 					request.connection.remoteAddress = '::1';
129 | 					request.headers = {};
130 | 					getAppUrl()(request, {}, next);
131 | 				});
132 | 
133 | 				it('sets the `request.appUrl` property to the expected URL', () => {
134 | 					assert.strictEqual(request.appUrl, 'http://localhost:mock-request-local-port');
135 | 				});
136 | 
137 | 				it('calls `next` with nothing', () => {
138 | 					assert.calledOnce(next);
139 | 					assert.calledWithExactly(next);
140 | 				});
141 | 
142 | 			});
143 | 
144 | 			describe('when `configuredHostname` is missing a protocol', () => {
145 | 
146 | 				beforeEach(() => {
147 | 					next.resetHistory();
148 | 					delete request.appUrl;
149 | 					delete request.hostname;
150 | 					delete request.protocol;
151 | 					request.connection.remoteAddress = '::1';
152 | 					request.headers = {};
153 | 					getAppUrl('mock-configured-host')(request, {}, next);
154 | 				});
155 | 
156 | 				it('sets the `request.appUrl` property to the expected URL', () => {
157 | 					assert.strictEqual(request.appUrl, 'http://mock-configured-host');
158 | 				});
159 | 
160 | 				it('calls `next` with nothing', () => {
161 | 					assert.calledOnce(next);
162 | 					assert.calledWithExactly(next);
163 | 				});
164 | 
165 | 			});
166 | 
167 | 		});
168 | 
169 | 	});
170 | 
171 | });
172 | 


--------------------------------------------------------------------------------
/test/unit/lib/middleware/auth-with-cookie.test.js:
--------------------------------------------------------------------------------
  1 | 'use strict';
  2 | 
  3 | const assert = require('proclaim');
  4 | const mockery = require('mockery');
  5 | const sinon = require('sinon');
  6 | 
  7 | describe('lib/middleware/auth-with-cookie', () => {
  8 | 	let authWithCookie;
  9 | 	let Dashboard;
 10 | 	let httpError;
 11 | 
 12 | 	beforeEach(() => {
 13 | 
 14 | 		Dashboard = require('../../mock/dashboard.mock');
 15 | 
 16 | 		httpError = sinon.spy(require('http-errors'));
 17 | 		mockery.registerMock('http-errors', httpError);
 18 | 
 19 | 		authWithCookie = require('../../../../lib/middleware/auth-with-cookie');
 20 | 	});
 21 | 
 22 | 	it('exports a function', () => {
 23 | 		assert.isFunction(authWithCookie);
 24 | 	});
 25 | 
 26 | 	describe('authWithCookie()', () => {
 27 | 		let dashboard;
 28 | 		let middleware;
 29 | 
 30 | 		beforeEach(() => {
 31 | 			dashboard = Dashboard.mockDashboard;
 32 | 			middleware = authWithCookie();
 33 | 		});
 34 | 
 35 | 		it('returns a middleware function', () => {
 36 | 			assert.isFunction(middleware);
 37 | 		});
 38 | 
 39 | 		describe('middleware(request, response, next)', () => {
 40 | 			let callbackError;
 41 | 			let request;
 42 | 
 43 | 			beforeEach(done => {
 44 | 				request = {
 45 | 					app: {
 46 | 						dashboard
 47 | 					},
 48 | 					session: {
 49 | 						userId: 'mock-user-id'
 50 | 					}
 51 | 				};
 52 | 				middleware(request, {}, error => {
 53 | 					callbackError = error;
 54 | 					done();
 55 | 				});
 56 | 			});
 57 | 
 58 | 			it('fetches a user with the ID given in the session', () => {
 59 | 				assert.calledOnce(dashboard.model.User.fetchOneById);
 60 | 				assert.calledWithExactly(dashboard.model.User.fetchOneById, 'mock-user-id');
 61 | 			});
 62 | 
 63 | 			it('sets the request `authUser` property to a serialized copy of the loaded user', () => {
 64 | 				assert.calledOnce(dashboard.model.User.mockUser.serialize);
 65 | 				assert.strictEqual(request.authUser, dashboard.model.User.mockSerializedUser);
 66 | 			});
 67 | 
 68 | 			it('sets the request `permissions` property to the loaded user\'s permissions', () => {
 69 | 				assert.strictEqual(request.permissions, dashboard.model.User.mockSerializedUser.permissions);
 70 | 			});
 71 | 
 72 | 			it('calls `next` with nothing', () => {
 73 | 				assert.isUndefined(callbackError);
 74 | 			});
 75 | 
 76 | 			describe('when the user ID is invalid', () => {
 77 | 
 78 | 				beforeEach(done => {
 79 | 					dashboard.model.User.fetchOneById.resolves();
 80 | 					middleware(request, {}, error => {
 81 | 						callbackError = error;
 82 | 						done();
 83 | 					});
 84 | 				});
 85 | 
 86 | 				it('deletes the user session', () => {
 87 | 					assert.isUndefined(request.session);
 88 | 				});
 89 | 
 90 | 				it('creates a 401 HTTP error', () => {
 91 | 					assert.calledOnce(httpError);
 92 | 					assert.calledWithExactly(httpError, 401, 'Invalid credentials');
 93 | 				});
 94 | 
 95 | 				it('calls `next` with the created error', () => {
 96 | 					assert.strictEqual(callbackError, httpError.firstCall.returnValue);
 97 | 				});
 98 | 
 99 | 			});
100 | 
101 | 			describe('when no user is authenticated', () => {
102 | 
103 | 				beforeEach(done => {
104 | 					dashboard.model.Setting.get.withArgs('publicReadAccess').resolves(true);
105 | 					delete request.session;
106 | 					delete request.permissions;
107 | 					middleware(request, {}, error => {
108 | 						callbackError = error;
109 | 						done();
110 | 					});
111 | 				});
112 | 
113 | 				it('sets the request `permissions` property to the default permissions', () => {
114 | 					assert.calledOnce(dashboard.model.Setting.get);
115 | 					assert.calledWithExactly(dashboard.model.Setting.get, 'publicReadAccess');
116 | 					assert.deepEqual(request.permissions, {
117 | 						read: true
118 | 					});
119 | 				});
120 | 
121 | 				it('calls `next` with nothing', () => {
122 | 					assert.isUndefined(callbackError);
123 | 				});
124 | 
125 | 			});
126 | 
127 | 			describe('when no user is authenticated and public read access is disabled', () => {
128 | 
129 | 				beforeEach(done => {
130 | 					dashboard.model.Setting.get.withArgs('publicReadAccess').resolves(false);
131 | 					delete request.session;
132 | 					delete request.permissions;
133 | 					middleware(request, {}, error => {
134 | 						callbackError = error;
135 | 						done();
136 | 					});
137 | 				});
138 | 
139 | 				it('sets the request `permissions` property to an empty object', () => {
140 | 					assert.deepEqual(request.permissions, {
141 | 						read: false
142 | 					});
143 | 				});
144 | 
145 | 				it('calls `next` with nothing', () => {
146 | 					assert.isUndefined(callbackError);
147 | 				});
148 | 
149 | 			});
150 | 
151 | 			describe('when one of the model methods errors', () => {
152 | 				let modelError;
153 | 
154 | 				beforeEach(done => {
155 | 					modelError = new Error('mock model error');
156 | 					dashboard.model.User.fetchOneById.rejects(modelError);
157 | 					middleware(request, {}, error => {
158 | 						callbackError = error;
159 | 						done();
160 | 					});
161 | 				});
162 | 
163 | 				it('calls `next` with the error', () => {
164 | 					assert.strictEqual(callbackError, modelError);
165 | 				});
166 | 
167 | 			});
168 | 
169 | 			describe('when loading the settings errors', () => {
170 | 				let settingsError;
171 | 
172 | 				beforeEach(done => {
173 | 					delete request.session;
174 | 					delete request.permissions;
175 | 					settingsError = new Error('mock settings error');
176 | 					dashboard.model.Setting.get.rejects(settingsError);
177 | 					middleware(request, {}, error => {
178 | 						callbackError = error;
179 | 						done();
180 | 					});
181 | 				});
182 | 
183 | 				it('sets the request `permissions` property to an empty object', () => {
184 | 					assert.deepEqual(request.permissions, {});
185 | 				});
186 | 
187 | 				it('calls `next` with nothing', () => {
188 | 					assert.isUndefined(callbackError);
189 | 				});
190 | 
191 | 			});
192 | 
193 | 		});
194 | 
195 | 	});
196 | 
197 | });
198 | 


--------------------------------------------------------------------------------
/model/user.js:
--------------------------------------------------------------------------------
  1 | 'use strict';
  2 | 
  3 | const bcrypt = require('bcrypt');
  4 | const joi = require('@hapi/joi');
  5 | const shortid = require('shortid');
  6 | const validationError = require('../lib/util/validation-error');
  7 | 
  8 | /**
  9 |  * Initialise the User model.
 10 |  * @param {Dashboard} dashboard - A dashboard instance.
 11 |  * @returns {Model} A Bookshelf model.
 12 |  */
 13 | function initUserModel(dashboard) {
 14 | 
 15 | 	// Model validation schema
 16 | 	const schema = joi.object().keys({
 17 | 		email: joi.string().email().required(),
 18 | 		password: joi.string().min(6).required(),
 19 | 		is_owner: joi.boolean().required(),
 20 | 		allow_read: joi.boolean().required(),
 21 | 		allow_write: joi.boolean().required(),
 22 | 		allow_delete: joi.boolean().required(),
 23 | 		allow_admin: joi.boolean().required()
 24 | 	});
 25 | 
 26 | 	// Model prototypal methods
 27 | 	const User = dashboard.database.Model.extend({
 28 | 		tableName: 'users',
 29 | 
 30 | 		// Model initialization
 31 | 		initialize() {
 32 | 
 33 | 			// When a model is created...
 34 | 			this.on('creating', () => {
 35 | 
 36 | 				// Fill out automatic fields
 37 | 				this.attributes.id = shortid.generate();
 38 | 				this.attributes.created_at = new Date();
 39 | 
 40 | 			});
 41 | 
 42 | 			// When a model is saved...
 43 | 			this.on('saving', async () => {
 44 | 
 45 | 				// Fill out automatic fields
 46 | 				this.attributes.updated_at = new Date();
 47 | 
 48 | 				// Validate the model
 49 | 				await this.validateSave();
 50 | 
 51 | 				// Hash the password if it's changed
 52 | 				if (this.hasChanged('password')) {
 53 | 					this.attributes.password = await User.hashPassword(this.attributes.password);
 54 | 				}
 55 | 
 56 | 			});
 57 | 
 58 | 		},
 59 | 
 60 | 		// Validate the model before saving
 61 | 		validateSave() {
 62 | 			return new Promise((resolve, reject) => {
 63 | 				// Validate against the schema
 64 | 				schema.validate(this.attributes, {
 65 | 					abortEarly: false,
 66 | 					allowUnknown: true
 67 | 				}, async error => {
 68 | 					if (error) {
 69 | 						return reject(error);
 70 | 					}
 71 | 
 72 | 					// Ensure that email is unique
 73 | 					if (this.hasChanged('email') && await User.existsByEmail(this.attributes.email)) {
 74 | 						return reject(validationError('"email" must be unique'));
 75 | 					}
 76 | 
 77 | 					resolve();
 78 | 
 79 | 				});
 80 | 			});
 81 | 		},
 82 | 
 83 | 		// Update the user with user-provided data
 84 | 		async update(data) {
 85 | 			if (data.email !== undefined) {
 86 | 				this.set('email', data.email);
 87 | 			}
 88 | 			if (data.password !== undefined) {
 89 | 				this.set('password', data.password);
 90 | 			}
 91 | 			if (data.allow_read !== undefined) {
 92 | 				this.set('allow_read', Boolean(data.allow_read));
 93 | 			}
 94 | 			if (data.allow_write !== undefined) {
 95 | 				this.set('allow_write', Boolean(data.allow_write));
 96 | 			}
 97 | 			if (data.allow_delete !== undefined) {
 98 | 				this.set('allow_delete', Boolean(data.allow_delete));
 99 | 			}
100 | 			if (data.allow_admin !== undefined) {
101 | 				this.set('allow_admin', Boolean(data.allow_admin));
102 | 			}
103 | 			await this.save();
104 | 			return this;
105 | 		},
106 | 
107 | 		// Change the user's password
108 | 		async changePassword({current, next, confirm}) {
109 | 			if (!await User.checkPassword(current, this.get('password'))) {
110 | 				throw validationError('current password was incorrect');
111 | 			}
112 | 			if (next !== confirm) {
113 | 				throw validationError('new and confirmed passwords do not match');
114 | 			}
115 | 			return this.update({
116 | 				password: next
117 | 			});
118 | 		},
119 | 
120 | 		// Override default serialization so we can control output
121 | 		serialize() {
122 | 			return {
123 | 				id: this.get('id'),
124 | 				email: this.get('email'),
125 | 				isOwner: this.get('is_owner'),
126 | 				permissions: {
127 | 					read: this.get('allow_read'),
128 | 					write: this.get('allow_write'),
129 | 					delete: this.get('allow_delete'),
130 | 					admin: this.get('allow_admin')
131 | 				},
132 | 				meta: {
133 | 					dateCreated: this.get('created_at'),
134 | 					dateUpdated: this.get('updated_at')
135 | 				}
136 | 			};
137 | 		},
138 | 
139 | 		// Key relationship
140 | 		keys() {
141 | 			return this.hasMany(dashboard.model.Key);
142 | 		}
143 | 
144 | 
145 | 	// Model static methods
146 | 	}, {
147 | 
148 | 		// Hash a password
149 | 		hashPassword(password) {
150 | 			const saltRounds = 10;
151 | 			return bcrypt.hash(password, saltRounds);
152 | 		},
153 | 
154 | 		// Check a password against a hashed password
155 | 		checkPassword(password, hash) {
156 | 			return bcrypt.compare(password, hash);
157 | 		},
158 | 
159 | 		// Create a user with user-provided data
160 | 		async create(data) {
161 | 			const user = new User({
162 | 				email: data.email,
163 | 				password: data.password,
164 | 				is_owner: Boolean(data.is_owner),
165 | 				allow_read: Boolean(data.allow_read),
166 | 				allow_write: Boolean(data.allow_write),
167 | 				allow_delete: Boolean(data.allow_delete),
168 | 				allow_admin: Boolean(data.allow_admin)
169 | 			});
170 | 			await user.save();
171 | 			return user;
172 | 		},
173 | 
174 | 		// Fetch all users
175 | 		fetchAll() {
176 | 			return User.collection().query(qb => {
177 | 				qb.orderBy('is_owner', 'desc');
178 | 				qb.orderBy('email', 'asc');
179 | 			}).fetch();
180 | 		},
181 | 
182 | 		// Fetch a user by id
183 | 		fetchOneById(userId) {
184 | 			return User.collection().query(qb => {
185 | 				qb.where('id', userId);
186 | 			}).fetchOne();
187 | 		},
188 | 
189 | 		// Fetch a user by email
190 | 		fetchOneByEmail(email) {
191 | 			return User.collection().query(qb => {
192 | 				qb.where('email', email);
193 | 			}).fetchOne();
194 | 		},
195 | 
196 | 		// Check whether a user with a given ID exists
197 | 		async existsById(userId) {
198 | 			const count = await User.collection().query(qb => {
199 | 				qb.where('id', userId);
200 | 			}).count();
201 | 			return (count > 0);
202 | 		},
203 | 
204 | 		// Check whether a user with a given email exists
205 | 		async existsByEmail(email) {
206 | 			const count = await User.collection().query(qb => {
207 | 				qb.where('email', email);
208 | 			}).count();
209 | 			return (count > 0);
210 | 		}
211 | 
212 | 	});
213 | 
214 | 	return User;
215 | }
216 | 
217 | module.exports = initUserModel;
218 | 


--------------------------------------------------------------------------------
/test/integration/routes/api-v1/me-keys.test.js:
--------------------------------------------------------------------------------
  1 | 'use strict';
  2 | 
  3 | const assert = require('proclaim');
  4 | const bcrypt = require('bcrypt');
  5 | const database = require('../../helpers/database');
  6 | let response;
  7 | 
  8 | describe('GET /api/v1/me/keys', () => {
  9 | 
 10 | 	before(async () => {
 11 | 		await database.seed(dashboard, 'basic');
 12 | 	});
 13 | 
 14 | 	describe('when everything is valid', () => {
 15 | 
 16 | 		before(async () => {
 17 | 			response = await request.get('/api/v1/me/keys', {
 18 | 				headers: {
 19 | 					'X-Api-Key': 'mock-read-key',
 20 | 					'X-Api-Secret': 'mock-read-secret'
 21 | 				}
 22 | 			});
 23 | 		});
 24 | 
 25 | 		it('responds with a 200 status', () => {
 26 | 			assert.strictEqual(response.statusCode, 200);
 27 | 		});
 28 | 
 29 | 		it('responds with JSON', () => {
 30 | 			assert.include(response.headers['content-type'], 'application/json');
 31 | 		});
 32 | 
 33 | 		it('responds with each key for the currently authenticated user', () => {
 34 | 			assert.isArray(response.body);
 35 | 			assert.lengthEquals(response.body, 2);
 36 | 			assert.isObject(response.body[0]);
 37 | 			assert.strictEqual(response.body[0].id, 'mock-read-key');
 38 | 			assert.strictEqual(response.body[0].user, 'mock-read-id');
 39 | 			assert.isObject(response.body[1]);
 40 | 			assert.strictEqual(response.body[1].id, 'mock-read-key-2');
 41 | 			assert.strictEqual(response.body[1].user, 'mock-read-id');
 42 | 		});
 43 | 
 44 | 	});
 45 | 
 46 | 	describe('when no API credentials are provided', () => {
 47 | 
 48 | 		before(async () => {
 49 | 			response = await request.get('/api/v1/me/keys');
 50 | 		});
 51 | 
 52 | 		it('responds with a 401 status', () => {
 53 | 			assert.strictEqual(response.statusCode, 401);
 54 | 		});
 55 | 
 56 | 		it('responds with JSON', () => {
 57 | 			assert.include(response.headers['content-type'], 'application/json');
 58 | 		});
 59 | 
 60 | 		it('responds with error details', () => {
 61 | 			assert.isObject(response.body);
 62 | 			assert.isString(response.body.message);
 63 | 			assert.strictEqual(response.body.status, 401);
 64 | 		});
 65 | 
 66 | 	});
 67 | 
 68 | });
 69 | 
 70 | describe('POST /api/v1/me/keys', () => {
 71 | 
 72 | 	describe('when everything is valid', () => {
 73 | 
 74 | 		before(async () => {
 75 | 			await database.seed(dashboard, 'basic');
 76 | 			response = await request.post('/api/v1/me/keys', {
 77 | 				headers: {
 78 | 					'Content-Type': 'application/json',
 79 | 					'X-Api-Key': 'mock-read-key',
 80 | 					'X-Api-Secret': 'mock-read-secret'
 81 | 				},
 82 | 				body: JSON.stringify({
 83 | 					id: 'extra-property-id',
 84 | 					user_id: 'mock-admin-id',
 85 | 					secret: 'extra-property-secret',
 86 | 					description: 'mock-description'
 87 | 				})
 88 | 			});
 89 | 		});
 90 | 
 91 | 		it('creates a new key in the database', async () => {
 92 | 			const keys = await dashboard.database.knex.select('*').from('keys').where({
 93 | 				description: 'mock-description'
 94 | 			});
 95 | 			const key = keys[0];
 96 | 			assert.lengthEquals(keys, 1, 'One key is present');
 97 | 			assert.isString(key.id, 'Key has an ID');
 98 | 			assert.notStrictEqual(key.id, 'extra-property-id', 'Key ID cannot be set in request');
 99 | 			assert.isString(key.secret, 'Key has a secret');
100 | 			assert.notStrictEqual(key.secret, 'extra-property-secret', 'Key secret cannot be set in request');
101 | 			assert.strictEqual(key.user_id, 'mock-read-id', 'Key is associated with the authenticated user');
102 | 			assert.strictEqual(key.description, 'mock-description', 'Key has the correct description');
103 | 		});
104 | 
105 | 		it('responds with a 201 status', () => {
106 | 			assert.strictEqual(response.statusCode, 201);
107 | 		});
108 | 
109 | 		it('responds with JSON', () => {
110 | 			assert.include(response.headers['content-type'], 'application/json');
111 | 		});
112 | 
113 | 		it('responds with the new key and secret', async () => {
114 | 			const keys = await dashboard.database.knex.select('*').from('keys').where({
115 | 				description: 'mock-description'
116 | 			});
117 | 			assert.isObject(response.body);
118 | 			assert.strictEqual(response.body.key, keys[0].id);
119 | 			assert.notStrictEqual(response.body.secret, keys[0].secret, 'Secret is hashed');
120 | 			assert.isTrue(await bcrypt.compare(response.body.secret, keys[0].secret), 'Secret is hashed');
121 | 		});
122 | 
123 | 	});
124 | 
125 | 	describe('when the request does not include a description property', () => {
126 | 
127 | 		before(async () => {
128 | 			await database.seed(dashboard, 'basic');
129 | 			response = await request.post('/api/v1/me/keys', {
130 | 				headers: {
131 | 					'Content-Type': 'application/json',
132 | 					'X-Api-Key': 'mock-read-key',
133 | 					'X-Api-Secret': 'mock-read-secret'
134 | 				},
135 | 				body: JSON.stringify({})
136 | 			});
137 | 		});
138 | 
139 | 		it('responds with a 400 status', () => {
140 | 			assert.strictEqual(response.statusCode, 400);
141 | 		});
142 | 
143 | 		it('responds with JSON', () => {
144 | 			assert.include(response.headers['content-type'], 'application/json');
145 | 		});
146 | 
147 | 		it('responds with error details', () => {
148 | 			assert.isObject(response.body);
149 | 			assert.isString(response.body.message);
150 | 			assert.isArray(response.body.validation);
151 | 			assert.deepEqual(response.body.validation, [
152 | 				'"description" is required'
153 | 			]);
154 | 			assert.strictEqual(response.body.status, 400);
155 | 		});
156 | 
157 | 	});
158 | 
159 | 	describe('when no API credentials are provided', () => {
160 | 
161 | 		before(async () => {
162 | 			await database.seed(dashboard, 'basic');
163 | 			response = await request.post('/api/v1/me/keys', {
164 | 				headers: {
165 | 					'Content-Type': 'application/json'
166 | 				},
167 | 				body: JSON.stringify({
168 | 					description: 'mock-description'
169 | 				})
170 | 			});
171 | 		});
172 | 
173 | 		it('responds with a 401 status', () => {
174 | 			assert.strictEqual(response.statusCode, 401);
175 | 		});
176 | 
177 | 		it('responds with JSON', () => {
178 | 			assert.include(response.headers['content-type'], 'application/json');
179 | 		});
180 | 
181 | 		it('responds with error details', () => {
182 | 			assert.isObject(response.body);
183 | 			assert.isString(response.body.message);
184 | 			assert.strictEqual(response.body.status, 401);
185 | 		});
186 | 
187 | 	});
188 | 
189 | });
190 | 


--------------------------------------------------------------------------------
/lib/dashboard.js:
--------------------------------------------------------------------------------
  1 | 'use strict';
  2 | 
  3 | const adaro = require('adaro');
  4 | const getAppUrl = require('./middleware/get-app-url');
  5 | const bookshelf = require('bookshelf');
  6 | const bindLogger = require('./util/bind-logger');
  7 | const compression = require('compression');
  8 | const defaults = require('lodash/defaults');
  9 | const express = require('express');
 10 | const initApiV1Controller = require('../controller/api-v1');
 11 | const initFrontEndController = require('../controller/front-end');
 12 | const initKeyModel = require('../model/key');
 13 | const initSettingModel = require('../model/setting');
 14 | const initSiteModel = require('../model/site');
 15 | const initUrlModel = require('../model/url');
 16 | const initUserModel = require('../model/user');
 17 | const knex = require('knex');
 18 | const morgan = require('morgan');
 19 | const nocache = require('nocache');
 20 | const path = require('path');
 21 | const viewHelpers = require('../view/helper');
 22 | 
 23 | /**
 24 |  * Class representing a Sidekick dashboard.
 25 |  */
 26 | class Dashboard {
 27 | 
 28 | 	/**
 29 | 	 * Create a Sidekick dashboard.
 30 | 	 * @param {Object} options - The dashboard options.
 31 | 	 * @param {String} [options.databaseConnectionString] - A PostgreSQL connection string.
 32 | 	 * @param {String} [options.environment] - The environment to run the dashboard in. One of "development", "production", or "test".
 33 | 	 * @param {Object} [options.log] - A logger which has `error` and `info` methods.
 34 | 	 * @param {(String|Number)} [options.port] - The HTTP port to run the dashboard on.
 35 | 	 * @param {String} [options.requestLogFormat] - The Morgan request log format to use in request logging.
 36 | 	 * @param {Stream} [options.requestLogStream] - The stream to pipe request logs to.
 37 | 	 * @param {String} [options.sessionSecret] - The secret key with which to encrypt session data.
 38 | 	 */
 39 | 	constructor(options) {
 40 | 
 41 | 		// Default the passed in options so we know we've got
 42 | 		// everything that we need to start up
 43 | 		this.options = defaults({}, options, Dashboard.defaults);
 44 | 		this.environment = options.environment;
 45 | 
 46 | 		// Set up the database
 47 | 		this.database = Dashboard.createDatabaseConnection(this.options.databaseConnectionString);
 48 | 		this.model = {
 49 | 			Key: initKeyModel(this),
 50 | 			Setting: initSettingModel(this),
 51 | 			Site: initSiteModel(this),
 52 | 			Url: initUrlModel(this),
 53 | 			User: initUserModel(this)
 54 | 		};
 55 | 
 56 | 		// Set up the Express application
 57 | 		this.app = Dashboard.createExpressApplication(this);
 58 | 
 59 | 		// Set some defaults for properties which are not present
 60 | 		// until the dashboard is started
 61 | 		this.address = null;
 62 | 		this.server = null;
 63 | 
 64 | 		// Bind the log methods so that we prefix all non request
 65 | 		// logs with the application name
 66 | 		this.log = bindLogger(this.options.log, 'Sidekick:');
 67 | 		this.log.info('✔︎ initialization complete');
 68 | 
 69 | 	}
 70 | 
 71 | 	/**
 72 | 	 * Start the dashboard, binding on the port configured during initialisation.
 73 | 	 * @returns {Promise} A promise which resolves when the dashboard starts.
 74 | 	 */
 75 | 	start() {
 76 | 		return new Promise((resolve, reject) => {
 77 | 
 78 | 			// Start the Express application and capture the
 79 | 			// server object that it returns
 80 | 			this.server = this.app.listen(this.options.port, error => {
 81 | 
 82 | 				if (error) {
 83 | 					this.log.error(error.stack);
 84 | 					return reject(error);
 85 | 				}
 86 | 
 87 | 				// We have to get the port here because sometimes
 88 | 				// the port in the options is undefined or 0. If
 89 | 				// that's the case then a random port is assigned
 90 | 				// and we want to tell the user what it is
 91 | 				const port = this.server.address().port;
 92 | 				this.address = `http://localhost:${port}`;
 93 | 
 94 | 				// All done
 95 | 				this.log.info(`✔︎ started (${this.address}/ in ${this.environment} mode)`);
 96 | 				resolve(this);
 97 | 
 98 | 			});
 99 | 
100 | 		});
101 | 	}
102 | 
103 | 	/**
104 | 	 * Create a Bookshelf database connection.
105 | 	 * @param {String} connectionString - A PostgreSQL connection string.
106 | 	 * @returns {Bookshelf} A Bookshelf instance.
107 | 	 */
108 | 	static createDatabaseConnection(connectionString) {
109 | 		return bookshelf(knex({
110 | 			client: 'pg',
111 | 			connection: connectionString
112 | 		}));
113 | 	}
114 | 
115 | 	/**
116 | 	 * Create an Express application.
117 | 	 * @param {Dashboard} dashboard - The Dashboard instance to use in the application.
118 | 	 * @returns {Object} A configured Express application.
119 | 	 */
120 | 	static createExpressApplication(dashboard) {
121 | 		const app = express();
122 | 		app.dashboard = dashboard;
123 | 
124 | 		// Set some Express configurations
125 | 		app.set('env', dashboard.environment);
126 | 		app.set('json spaces', 4);
127 | 		app.disable('x-powered-by');
128 | 		app.enable('strict routing');
129 | 		app.enable('case sensitive routing');
130 | 
131 | 		// Configure the view engine. We use Adaro for
132 | 		// rendering Dust templates as it allows us to
133 | 		// load custom helpers easily
134 | 		app.set('views', path.resolve(__dirname, '../view'));
135 | 		app.engine('dust', adaro.dust({
136 | 			helpers: viewHelpers,
137 | 			whitespace: true
138 | 		}));
139 | 		app.set('view engine', 'dust');
140 | 
141 | 		// Disable browser caching
142 | 		// (for alpha/beta, we'll do this properly later)
143 | 		app.disable('etag');
144 | 		app.use(nocache());
145 | 
146 | 		// Compress responses with deflate
147 | 		app.use(compression());
148 | 
149 | 		// Set up a morgan request logger. This outputs request
150 | 		// information, useful for debugging
151 | 		morgan.token('auth', (request, response, field) => {
152 | 			if (field === 'user' && request.authUser) {
153 | 				return request.authUser.id;
154 | 			}
155 | 			if (field === 'key' && request.authKey) {
156 | 				return request.authKey.id;
157 | 			}
158 | 			return '-';
159 | 		});
160 | 		app.use(morgan(dashboard.options.requestLogFormat, {
161 | 			stream: dashboard.options.requestLogStream
162 | 		}));
163 | 
164 | 		app.use(getAppUrl(dashboard.options.dashboardUrl));
165 | 
166 | 		// Mount top-level controllers
167 | 		app.use('/api/v1', initApiV1Controller(dashboard));
168 | 		app.use(initFrontEndController(dashboard));
169 | 
170 | 		return app;
171 | 	}
172 | 
173 | }
174 | 
175 | /**
176 |  * The default options used when constructing a dashboard.
177 |  * @static
178 |  */
179 | Dashboard.defaults = {
180 | 	dashboardUrl: null,
181 | 	databaseConnectionString: 'postgres://localhost:5432/pa11y_sidekick',
182 | 	environment: 'development',
183 | 	log: console,
184 | 	port: 8080,
185 | 	requestLogFormat: `${morgan.combined} authUser=":auth[user]" authKey=":auth[key]"`,
186 | 	sessionSecret: null
187 | };
188 | 
189 | module.exports = Dashboard;
190 | 


--------------------------------------------------------------------------------
/public/main.css:
--------------------------------------------------------------------------------
  1 | @charset "utf-8";
  2 | 
  3 | /* TODO rewrite this, everything in here should be considered temporary */
  4 | 
  5 | 
  6 | /* Resets */
  7 | 
  8 | html,
  9 | body {
 10 | 	margin: 0;
 11 | 	padding: 0;
 12 | }
 13 | body {
 14 | 	background-color: #eee;
 15 | 	color: #333;
 16 | 	font-family: sans-serif;
 17 | 	font-size: 16px;
 18 | }
 19 | 
 20 | blockquote, caption, dl, figure, h1, .h1, h2, .h2, h3, .h3, h4, .h4, h5, .h5, h6, .h6, hr, ol, p, pre, table, ul {
 21 | 	margin-top: 0;
 22 | 	margin-bottom: 20px;
 23 | }
 24 | h1, .h1 {
 25 | 	font-size: 26px;
 26 | }
 27 | h2, .h2 {
 28 | 	font-size: 22px;
 29 | 	margin-top: 40px;
 30 | }
 31 | 
 32 | a {
 33 | 	color: #1871ad;
 34 | }
 35 | a:focus,
 36 | button:focus,
 37 | input:focus {
 38 | 	outline: solid 2px #3498db;
 39 | }
 40 | 
 41 | 
 42 | /* Navigation */
 43 | 
 44 | .navigation ul {
 45 | 	display: flex;
 46 | 	list-style: none;
 47 | 	margin: 0;
 48 | 	padding: 10px;
 49 | }
 50 | .navigation li {
 51 | 	display: flex;
 52 | }
 53 | .navigation__item {
 54 | 	display: flex;
 55 | 	padding: 10px;
 56 | 	text-decoration: none;
 57 | }
 58 | input[type=submit].navigation__item {
 59 | 	background: none;
 60 | 	color: inherit;
 61 | 	border: none;
 62 | 	font: inherit;
 63 | 	cursor: pointer;
 64 | }
 65 | 
 66 | 
 67 | /* Table of contents */
 68 | 
 69 | .table-of-contents {
 70 | 	list-style: lower-roman;
 71 | }
 72 | 
 73 | 
 74 | /* Primary navigation */
 75 | 
 76 | .navigation--primary {
 77 | 	background-color: #333;
 78 | 	color: #fff;
 79 | }
 80 | .navigation--primary ul {
 81 | 	align-items: center;
 82 | }
 83 | .navigation--primary li {
 84 | 	margin-right: 5px;
 85 | }
 86 | .navigation--primary li:last-child {
 87 | 	margin-right: 0;
 88 | }
 89 | .navigation--primary .navigation__shifter {
 90 | 	margin-left: auto;
 91 | }
 92 | .navigation--primary .navigation__item,
 93 | .navigation--primary input[type=submit].navigation__item {
 94 | 	color: #fff;
 95 | 	border-bottom: solid 3px transparent;
 96 | 	padding-bottom: 7px;
 97 | }
 98 | .navigation--primary .navigation__item--informational {
 99 | 	color: #ccc;
100 | }
101 | .navigation--primary a.navigation__item:hover,
102 | .navigation--primary input[type=submit].navigation__item:hover {
103 | 	background-color: #444;
104 | }
105 | .navigation--primary .navigation__item--current,
106 | .navigation--primary a.navigation__item--current:hover {
107 | 	background-color: #444;
108 | 	border-color: #3498db;
109 | }
110 | .pa11y-logo {
111 | 	line-height: 30px;
112 | }
113 | .pa11y-logo:before {
114 | 	background-image: url("pa11y.svg");
115 | 	background-repeat: no-repeat;
116 | 	background-size: contain;
117 | 	content: "";
118 | 	display: block;
119 | 	width: 40px;
120 | 	height: auto;
121 | }
122 | 
123 | 
124 | /* Secondary navigation */
125 | 
126 | .navigation--secondary {
127 | 	background-color: #666;
128 | 	color: #333;
129 | }
130 | .navigation--secondary ul {
131 | 	padding-bottom: 0px;
132 | }
133 | .navigation--footer li {
134 | 	margin-right: 5px;
135 | }
136 | .navigation--secondary .navigation__item {
137 | 	color: #fff;
138 | }
139 | .navigation--secondary a.navigation__item:hover {
140 | 	background-color: #777;
141 | }
142 | .navigation--secondary .navigation__item--title {
143 | 	color: #ccc;
144 | }
145 | .navigation--secondary .navigation__item--title:after {
146 | 	content: ":";
147 | 	margin-right: 5px;
148 | }
149 | .navigation--secondary .navigation__item--current,
150 | .navigation--secondary a.navigation__item--current:hover {
151 | 	background-color: #fff;
152 | 	color: inherit;
153 | }
154 | 
155 | 
156 | /* Site Footer */
157 | 
158 | .site-footer {
159 | 	font-size: 14px;
160 | }
161 | .site-copyright {
162 | 	color: #666;
163 | 	font-size: 14px;
164 | }
165 | 
166 | 
167 | /* Footer navigation */
168 | 
169 | .navigation--footer ul {
170 | 	font-size: 14px;
171 | }
172 | .navigation--footer .navigation__item:hover {
173 | 	background-color: #ddd;
174 | }
175 | .navigation--footer .navigation__item {
176 | 	border-bottom: solid 3px transparent;
177 | 	padding-bottom: 7px;
178 | }
179 | .navigation--footer .navigation__item:hover,
180 | .navigation--footer .navigation__item--current {
181 | 	background-color: #ddd;
182 | }
183 | .navigation--footer .navigation__item--current {
184 | 	border-color: #3498db;
185 | }
186 | 
187 | 
188 | /* Copyright notice */
189 | 
190 | .copyright {
191 | 	padding: 0 20px 20px 20px;
192 | }
193 | .copyright small {
194 | 	font-size: 14px;
195 | }
196 | 
197 | 
198 | /* Page content */
199 | 
200 | .page {
201 | 	background-color: #fff;
202 | 	padding: 30px 20px 40px 20px;
203 | }
204 | .page-inner {
205 | 	max-width: 700px;
206 | }
207 | 
208 | 
209 | /* Alerts */
210 | 
211 | .alert {
212 | 	background-color: #ccc;
213 | 	margin-bottom: 20px;
214 | 	padding: 10px;
215 | }
216 | .alert > p {
217 | 	margin-top: 0;
218 | 	margin-bottom: 0;
219 | }
220 | .alert ul {
221 | 	margin-top: 10px;
222 | 	margin-bottom: 0;
223 | }
224 | .alert--error {
225 | 	background-color: #f9cfca;
226 | 	color: #900;
227 | }
228 | .alert--success {
229 | 	background-color: #d6f9b8;
230 | 	color: #060;
231 | }
232 | .alert--site-wide {
233 | 	margin-bottom: 0;
234 | 	padding: 20px;
235 | }
236 | 
237 | 
238 | /* Forms */
239 | 
240 | .field {
241 | 	margin-bottom: 20px;
242 | }
243 | .field:last-child {
244 | 	margin-bottom: 0;
245 | }
246 | .field label {
247 | 	display: block;
248 | 	font-weight: bold;
249 | 	margin-bottom: 10px;
250 | }
251 | .field__sublabel {
252 | 	color: #666;
253 | 	display: block;
254 | 	font-size: 14px;
255 | 	font-weight: normal;
256 | 	margin-top: 5px;
257 | }
258 | .field--text input {
259 | 	border: solid 2px #ccc;
260 | 	box-sizing: border-box;
261 | 	display: block;
262 | 	font-size: 14px;
263 | 	max-width: 250px;
264 | 	padding: 8px;
265 | 	width: 100%;
266 | }
267 | 
268 | 
269 | /* Buttons */
270 | 
271 | .button {
272 | 	background-color: #1871ad;
273 | 	border: solid 2px #1871ad;
274 | 	box-sizing: border-box;
275 | 	color: #fff;
276 | 	display: inline-block;
277 | 	font-family: sans-serif;
278 | 	font-size: 14px;
279 | 	font-weight: bold;
280 | 	line-height: 1.3;
281 | 	padding: 8px;
282 | 	text-align: center;
283 | 	text-decoration: none;
284 | }
285 | .button:hover {
286 | 	background-color: #3498db;
287 | }
288 | .button--danger {
289 | 	background-color: #8e271c;
290 | 	border-color: #8e271c;
291 | }
292 | .button--danger:hover {
293 | 	background-color: #e74c3c;
294 | }
295 | 
296 | 
297 | /* Heading wrappers (for button display mostly) */
298 | .heading-wrapper {
299 | 	display: flex;
300 | 	align-items: flex-start;
301 | 	margin-bottom: 20px;
302 | }
303 | .heading-wrapper h1,
304 | .heading-wrapper .h1,
305 | .heading-wrapper h2,
306 | .heading-wrapper .h2 {
307 | 	margin-bottom: 0;
308 | 	margin-right: auto;
309 | }
310 | 
311 | 
312 | /* Tables */
313 | 
314 | .table-wrapper {
315 | 	border: solid 2px #ccc;
316 | 	margin-bottom: 20px;
317 | 	display: inline-block;
318 | 	max-width: 100%;
319 | 	overflow: auto;
320 | }
321 | table {
322 | 	border-collapse: collapse;
323 | 	border-spacing: 0;
324 | }
325 | .table {
326 | 	box-sizing: border-box;
327 | 	border: solid 2px #ccc;
328 | }
329 | .table-wrapper .table {
330 | 	border: none;
331 | 	margin-bottom: 0;
332 | }
333 | .table th {
334 | 	background-color: #ccc;
335 | 	font-weight: bold;
336 | }
337 | table th,
338 | table td {
339 | 	text-align: left;
340 | 	vertical-align: top;
341 | }
342 | .table th,
343 | .table td {
344 | 	padding: 10px;
345 | }
346 | .table td {
347 | 	border: none;
348 | }
349 | .table--striped tbody tr:nth-child(2n) {
350 | 	background-color: #eee;
351 | }
352 | .table dl,
353 | .table ol,
354 | .table pre,
355 | .table ul {
356 | 	margin-bottom: 0;
357 | }
358 | 


--------------------------------------------------------------------------------
/controller/front-end/settings.js:
--------------------------------------------------------------------------------
  1 | 'use strict';
  2 | 
  3 | const express = require('express');
  4 | const requireAuth = require('../../lib/middleware/require-auth');
  5 | 
  6 | /**
  7 |  * Initialise the settings controller.
  8 |  * @param {Dashboard} dashboard - A dashboard instance.
  9 |  * @param {Object} router - The front end Express router.
 10 |  * @returns {undefined} Nothing
 11 |  */
 12 | function initSettingsController(dashboard, router) {
 13 | 	const Key = dashboard.model.Key;
 14 | 	const User = dashboard.model.User;
 15 | 
 16 | 	// Redirect the base settings page to profile settings
 17 | 	router.get('/settings', requireAuth(), (request, response) => {
 18 | 		response.redirect('/settings/profile');
 19 | 	});
 20 | 
 21 | 	// Display the profile settings page
 22 | 	router.get('/settings/profile', requireAuth(), (request, response) => {
 23 | 		response.render('template/settings/profile', {
 24 | 			form: {
 25 | 				user: {
 26 | 					email: request.authUser.email,
 27 | 					success: request.flash.get('form.user.success')
 28 | 				}
 29 | 			}
 30 | 		});
 31 | 	});
 32 | 
 33 | 	// Save the profile settings page
 34 | 	router.post('/settings/profile', requireAuth(), express.urlencoded({extended: false}), async (request, response, next) => {
 35 | 		try {
 36 | 
 37 | 			// Attempt to update the user
 38 | 			const user = await User.fetchOneById(request.authUser.id);
 39 | 			await user.update({
 40 | 				email: request.body.email
 41 | 			});
 42 | 
 43 | 			// Redirect back to the non-POST version of the page
 44 | 			request.flash.set('form.user.success', 'Your profile changes have been saved');
 45 | 			response.redirect(request.path);
 46 | 
 47 | 		} catch (error) {
 48 | 			if (error.name === 'ValidationError') {
 49 | 				return response.status(400).render('template/settings/profile', {
 50 | 					form: {
 51 | 						user: {
 52 | 							email: request.body.email,
 53 | 							errors: error.details.map(detail => detail.message)
 54 | 						}
 55 | 					}
 56 | 				});
 57 | 			}
 58 | 			return next(error);
 59 | 		}
 60 | 	});
 61 | 
 62 | 	// Display the profile password page
 63 | 	router.get('/settings/password', requireAuth(), (request, response) => {
 64 | 		response.render('template/settings/password', {
 65 | 			form: {
 66 | 				password: {
 67 | 					success: request.flash.get('form.password.success')
 68 | 				}
 69 | 			}
 70 | 		});
 71 | 	});
 72 | 
 73 | 	// Save the profile password page
 74 | 	router.post('/settings/password', requireAuth(), express.urlencoded({extended: false}), async (request, response, next) => {
 75 | 		try {
 76 | 
 77 | 			// Attempt to update the user password
 78 | 			const user = await User.fetchOneById(request.authUser.id);
 79 | 			await user.changePassword({
 80 | 				current: request.body.current,
 81 | 				next: request.body.next,
 82 | 				confirm: request.body.confirm
 83 | 			});
 84 | 
 85 | 			// Redirect back to the non-POST version of the page
 86 | 			request.flash.set('form.password.success', 'Your password has been updated');
 87 | 			response.redirect(request.path);
 88 | 
 89 | 		} catch (error) {
 90 | 			if (error.name === 'ValidationError') {
 91 | 				return response.status(400).render('template/settings/password', {
 92 | 					form: {
 93 | 						password: {
 94 | 							errors: error.details.map(detail => detail.message)
 95 | 						}
 96 | 					}
 97 | 				});
 98 | 			}
 99 | 			return next(error);
100 | 		}
101 | 	});
102 | 
103 | 	// TODO write integration tests for the /settings/keys routes
104 | 
105 | 	// Display the profile API keys page
106 | 	router.get('/settings/keys', requireAuth(), async (request, response) => {
107 | 		response.render('template/settings/keys', {
108 | 			keys: (await Key.fetchByUserId(request.authUser.id)).serialize(),
109 | 			form: {
110 | 				key: {
111 | 					created: request.flash.get('form.key.created'),
112 | 					deleted: request.flash.get('form.key.deleted')
113 | 				}
114 | 			}
115 | 		});
116 | 	});
117 | 
118 | 	// Display the new API key page
119 | 	router.get('/settings/keys/new', requireAuth(), (request, response) => {
120 | 		response.render('template/settings/new-key');
121 | 	});
122 | 
123 | 	// Generate an API key
124 | 	router.post('/settings/keys/new', requireAuth(), express.urlencoded({extended: false}), async (request, response, next) => {
125 | 		try {
126 | 
127 | 			// Attempt to create a key
128 | 			const secret = Key.generateSecret();
129 | 			const key = await Key.create({
130 | 				user_id: request.authUser.id,
131 | 				description: request.body.description,
132 | 				secret
133 | 			});
134 | 
135 | 			// Redirect back to the main key management page
136 | 			request.flash.set('form.key.created', {
137 | 				id: key.get('id'),
138 | 				secret
139 | 			});
140 | 			response.redirect('/settings/keys');
141 | 
142 | 		} catch (error) {
143 | 			if (error.name === 'ValidationError') {
144 | 				return response.status(400).render('template/settings/new-key', {
145 | 					form: {
146 | 						key: {
147 | 							errors: error.details.map(detail => detail.message)
148 | 						}
149 | 					}
150 | 				});
151 | 			}
152 | 			return next(error);
153 | 		}
154 | 	});
155 | 
156 | 	// Display the profile API key edit page
157 | 	router.get('/settings/keys/:keyId/edit', requireAuth(), async (request, response, next) => {
158 | 		try {
159 | 			const key = await Key.fetchOneByIdAndUserId(request.params.keyId, request.authUser.id);
160 | 			if (!key) {
161 | 				return next();
162 | 			}
163 | 			response.render('template/settings/edit-key', {
164 | 				form: {
165 | 					key: {
166 | 						description: key.get('description'),
167 | 						success: request.flash.get('form.key.success')
168 | 					}
169 | 				}
170 | 			});
171 | 		} catch (error) {
172 | 			return next(error);
173 | 		}
174 | 	});
175 | 
176 | 	// Edit an API key
177 | 	router.post('/settings/keys/:keyId/edit', requireAuth(), express.urlencoded({extended: false}), async (request, response, next) => {
178 | 		try {
179 | 
180 | 			// Attempt to update a key
181 | 			const key = await Key.fetchOneByIdAndUserId(request.params.keyId, request.authUser.id);
182 | 			if (!key) {
183 | 				return next();
184 | 			}
185 | 			await key.update({
186 | 				description: request.body.description
187 | 			});
188 | 
189 | 			// Redirect back to the main key management page
190 | 			request.flash.set('form.key.success', 'Your API key changes have been saved');
191 | 			response.redirect(request.path);
192 | 
193 | 		} catch (error) {
194 | 			if (error.name === 'ValidationError') {
195 | 				return response.status(400).render('template/settings/new-key', {
196 | 					form: {
197 | 						key: {
198 | 							errors: error.details.map(detail => detail.message)
199 | 						}
200 | 					}
201 | 				});
202 | 			}
203 | 			return next(error);
204 | 		}
205 | 	});
206 | 
207 | 	// Display the profile API key delete page
208 | 	router.get('/settings/keys/:keyId/delete', requireAuth(), async (request, response, next) => {
209 | 		try {
210 | 			const key = await Key.fetchOneByIdAndUserId(request.params.keyId, request.authUser.id);
211 | 			if (!key) {
212 | 				return next();
213 | 			}
214 | 			response.render('template/settings/delete-key', {
215 | 				form: {
216 | 					key: key.serialize()
217 | 				}
218 | 			});
219 | 		} catch (error) {
220 | 			return next(error);
221 | 		}
222 | 	});
223 | 
224 | 	// Delete an API key
225 | 	router.post('/settings/keys/:keyId/delete', requireAuth(), express.urlencoded({extended: false}), async (request, response, next) => {
226 | 		try {
227 | 
228 | 			// Attempt to delete the key
229 | 			const key = await Key.fetchOneByIdAndUserId(request.params.keyId, request.authUser.id);
230 | 			if (!key) {
231 | 				return next();
232 | 			}
233 | 			const keyDescription = key.get('description');
234 | 			await key.destroy();
235 | 
236 | 			// Redirect back to the main key management page
237 | 			request.flash.set('form.key.deleted', {
238 | 				id: request.params.keyId,
239 | 				description: keyDescription
240 | 			});
241 | 			response.redirect('/settings/keys');
242 | 
243 | 		} catch (error) {
244 | 			return next(error);
245 | 		}
246 | 	});
247 | 
248 | }
249 | 
250 | module.exports = initSettingsController;
251 | 


--------------------------------------------------------------------------------
/test/integration/routes/front-end/settings-profile.test.js:
--------------------------------------------------------------------------------
  1 | 'use strict';
  2 | 
  3 | const assert = require('proclaim');
  4 | const auth = require('../../helpers/auth');
  5 | const database = require('../../helpers/database');
  6 | const querystring = require('querystring');
  7 | let response;
  8 | 
  9 | describe('GET /settings/profile', () => {
 10 | 
 11 | 	before(async () => {
 12 | 		await database.seed(dashboard, 'basic');
 13 | 	});
 14 | 
 15 | 	describe('when a user is logged in', () => {
 16 | 
 17 | 		describe('when everything is valid', () => {
 18 | 
 19 | 			before(async () => {
 20 | 				response = await request.get('/settings/profile', {
 21 | 					jar: await auth.getCookieJar('read@example.com', 'password')
 22 | 				});
 23 | 			});
 24 | 
 25 | 			it('responds with a 200 status', () => {
 26 | 				assert.strictEqual(response.statusCode, 200);
 27 | 			});
 28 | 
 29 | 			it('responds with HTML', () => {
 30 | 				assert.include(response.headers['content-type'], 'text/html');
 31 | 			});
 32 | 
 33 | 			it('responds with no error messages', () => {
 34 | 				const errors = response.body.document.querySelectorAll('[data-test=password-form] [data-test=alert-error]');
 35 | 				assert.lengthEquals(errors, 0);
 36 | 			});
 37 | 
 38 | 			it('responds with a password form', () => {
 39 | 				const form = response.body.document.querySelector('[data-test=user-form]');
 40 | 				assert.isNotNull(form);
 41 | 				assert.strictEqual(form.getAttribute('action'), '/settings/profile');
 42 | 				assert.strictEqual(form.getAttribute('method'), 'post');
 43 | 
 44 | 				const emailField = form.querySelector('input[name="email"]');
 45 | 				assert.strictEqual(emailField.getAttribute('type'), 'email');
 46 | 				assert.strictEqual(emailField.getAttribute('value'), 'read@example.com');
 47 | 			});
 48 | 
 49 | 		});
 50 | 
 51 | 	});
 52 | 
 53 | 	describe('when no user is logged in', () => {
 54 | 
 55 | 		before(async () => {
 56 | 			response = await request.get('/settings/profile');
 57 | 		});
 58 | 
 59 | 		it('responds with a 401 status', () => {
 60 | 			assert.strictEqual(response.statusCode, 401);
 61 | 		});
 62 | 
 63 | 		it('it responds with an error page', () => {
 64 | 			const body = response.body.document.querySelector('body');
 65 | 			assert.match(body.innerHTML, /must authenticate/i);
 66 | 		});
 67 | 
 68 | 	});
 69 | 
 70 | });
 71 | 
 72 | describe('POST /settings/profile', () => {
 73 | 
 74 | 	describe('when a user is logged in', () => {
 75 | 
 76 | 		describe('when everything is valid', () => {
 77 | 
 78 | 			before(async () => {
 79 | 				await database.seed(dashboard, 'basic');
 80 | 				response = await request.post('/settings/profile', {
 81 | 					headers: {
 82 | 						'Content-Type': 'application/x-www-form-urlencoded'
 83 | 					},
 84 | 					body: querystring.stringify({
 85 | 						email: 'read-updated@example.com'
 86 | 					}),
 87 | 					jar: await auth.getCookieJar('read@example.com', 'password')
 88 | 				});
 89 | 			});
 90 | 
 91 | 			it('updates the expected user details in the database', async () => {
 92 | 				const users = await dashboard.database.knex.select('*').from('users').where({
 93 | 					email: 'read-updated@example.com'
 94 | 				});
 95 | 				const user = users[0];
 96 | 
 97 | 				assert.lengthEquals(users, 1, 'One user is present');
 98 | 				assert.strictEqual(user.email, 'read-updated@example.com', 'User has the correct new email');
 99 | 			});
100 | 
101 | 			it('responds with a 302 status', () => {
102 | 				assert.strictEqual(response.statusCode, 302);
103 | 			});
104 | 
105 | 			it('responds with a Location header pointing to the profile settings page', () => {
106 | 				assert.strictEqual(response.headers.location, '/settings/profile');
107 | 			});
108 | 
109 | 			it('responds with plain text', () => {
110 | 				assert.include(response.headers['content-type'], 'text/plain');
111 | 			});
112 | 
113 | 		});
114 | 
115 | 		describe('when the request includes an invalid email', () => {
116 | 
117 | 			before(async () => {
118 | 				await database.seed(dashboard, 'basic');
119 | 				response = await request.post('/settings/profile', {
120 | 					headers: {
121 | 						'Content-Type': 'application/x-www-form-urlencoded'
122 | 					},
123 | 					body: querystring.stringify({
124 | 						email: 'invalid-email'
125 | 					}),
126 | 					jar: await auth.getCookieJar('read@example.com', 'password')
127 | 				});
128 | 			});
129 | 
130 | 			it('does not update the user in the database', async () => {
131 | 				const users = await dashboard.database.knex.select('*').from('users').where({
132 | 					email: 'invalid-email'
133 | 				});
134 | 				const user = users[0];
135 | 				assert.isUndefined(user);
136 | 			});
137 | 
138 | 			it('responds with a 400 status', () => {
139 | 				assert.strictEqual(response.statusCode, 400);
140 | 			});
141 | 
142 | 			it('responds with HTML', () => {
143 | 				assert.include(response.headers['content-type'], 'text/html');
144 | 			});
145 | 
146 | 			it('responds with an error message', () => {
147 | 				const errors = response.body.document.querySelectorAll('[data-test=user-form] [data-test=alert-error]');
148 | 				assert.lengthEquals(errors, 1);
149 | 				assert.match(errors[0].textContent, /must be a valid email/i);
150 | 			});
151 | 
152 | 			it('responds with a user form with the posted data pre-filled', () => {
153 | 				const form = response.body.document.querySelector('[data-test=user-form]');
154 | 				assert.isNotNull(form);
155 | 				assert.strictEqual(form.getAttribute('action'), '/settings/profile');
156 | 				assert.strictEqual(form.getAttribute('method'), 'post');
157 | 
158 | 				const emailField = form.querySelector('input[name="email"]');
159 | 				assert.strictEqual(emailField.getAttribute('type'), 'email');
160 | 				assert.strictEqual(emailField.getAttribute('value'), 'invalid-email');
161 | 			});
162 | 
163 | 		});
164 | 
165 | 		describe('when the request includes an email that\'s already in use', () => {
166 | 
167 | 			before(async () => {
168 | 				await database.seed(dashboard, 'basic');
169 | 				response = await request.post('/settings/profile', {
170 | 					headers: {
171 | 						'Content-Type': 'application/x-www-form-urlencoded'
172 | 					},
173 | 					body: querystring.stringify({
174 | 						email: 'admin@example.com'
175 | 					}),
176 | 					jar: await auth.getCookieJar('read@example.com', 'password')
177 | 				});
178 | 			});
179 | 
180 | 			it('does not update the user in the database', async () => {
181 | 				const users = await dashboard.database.knex.select('*').from('users').where({
182 | 					email: 'admin@example.com'
183 | 				});
184 | 				assert.lengthEquals(users, 1);
185 | 			});
186 | 
187 | 			it('responds with a 400 status', () => {
188 | 				assert.strictEqual(response.statusCode, 400);
189 | 			});
190 | 
191 | 			it('responds with HTML', () => {
192 | 				assert.include(response.headers['content-type'], 'text/html');
193 | 			});
194 | 
195 | 			it('responds with an error message', () => {
196 | 				const errors = response.body.document.querySelectorAll('[data-test=user-form] [data-test=alert-error]');
197 | 				assert.lengthEquals(errors, 1);
198 | 				assert.match(errors[0].textContent, /must be unique/i);
199 | 			});
200 | 
201 | 			it('responds with a user form with the posted data pre-filled', () => {
202 | 				const form = response.body.document.querySelector('[data-test=user-form]');
203 | 				assert.isNotNull(form);
204 | 				assert.strictEqual(form.getAttribute('action'), '/settings/profile');
205 | 				assert.strictEqual(form.getAttribute('method'), 'post');
206 | 
207 | 				const emailField = form.querySelector('input[name="email"]');
208 | 				assert.strictEqual(emailField.getAttribute('type'), 'email');
209 | 				assert.strictEqual(emailField.getAttribute('value'), 'admin@example.com');
210 | 			});
211 | 
212 | 		});
213 | 
214 | 	});
215 | 
216 | 	describe('when no user is logged in', () => {
217 | 
218 | 		before(async () => {
219 | 			response = await request.get('/settings/profile');
220 | 		});
221 | 
222 | 		it('responds with a 401 status', () => {
223 | 			assert.strictEqual(response.statusCode, 401);
224 | 		});
225 | 
226 | 		it('it responds with an error page', () => {
227 | 			const body = response.body.document.querySelector('body');
228 | 			assert.match(body.innerHTML, /must authenticate/i);
229 | 		});
230 | 
231 | 	});
232 | 
233 | });
234 | 


--------------------------------------------------------------------------------