11defmodule PlausibleWeb.Api.StatsController.AuthorizationTest do
2- use PlausibleWeb.ConnCase
2+ use PlausibleWeb.ConnCase , async: true
33
44 describe "API authorization - as anonymous user" do
5- test "Sends 404 Not found for a site that doesn't exist" , % { conn: conn } do
5+ test "returns 404 for a site that doesn't exist" , % { conn: conn } do
66 conn = init_session ( conn )
77 conn = get ( conn , "/api/stats/fake-site.com/main-graph" )
88
9- assert conn . status == 404
9+ assert json_response ( conn , 404 ) == % {
10+ "error" => "Site does not exist or user does not have sufficient access."
11+ }
1012 end
1113
12- test "Sends 404 Not found for private site" , % { conn: conn } do
14+ test "returns 404 for private site" , % { conn: conn } do
1315 conn = init_session ( conn )
1416 site = insert ( :site , public: false )
1517 conn = get ( conn , "/api/stats/#{ site . domain } /main-graph" )
1618
17- assert conn . status == 404
19+ assert json_response ( conn , 404 ) == % {
20+ "error" => "Site does not exist or user does not have sufficient access."
21+ }
1822 end
1923
2024 test "returns stats for public site" , % { conn: conn } do
@@ -26,21 +30,102 @@ defmodule PlausibleWeb.Api.StatsController.AuthorizationTest do
2630 end
2731 end
2832
33+ describe "API authorization for shared links - as anonymous user" do
34+ test "returns 404 for non-existent shared link" , % { conn: conn } do
35+ site = new_site ( )
36+
37+ conn = get ( conn , "/api/stats/#{ site . domain } /top-stats?auth=does-not-exist" )
38+
39+ assert json_response ( conn , 404 ) == % {
40+ "error" => "Site does not exist or user does not have sufficient access."
41+ }
42+ end
43+
44+ test "returns 200 for unlisted shared link without cookie" , % { conn: conn } do
45+ site = new_site ( )
46+ link = insert ( :shared_link , site: site )
47+
48+ conn = get ( conn , "/api/stats/#{ site . domain } /top-stats?auth=#{ link . slug } " )
49+
50+ assert % { "top_stats" => _any } = json_response ( conn , 200 )
51+ end
52+
53+ test "returns 200 for password-protected link with valid cookie" , % { conn: conn } do
54+ site = new_site ( )
55+
56+ link =
57+ insert ( :shared_link , site: site , password_hash: Plausible.Auth.Password . hash ( "password" ) )
58+
59+ token = Plausible.Auth.Token . sign_shared_link ( link . slug )
60+ cookie_name = "shared-link-" <> link . slug
61+
62+ conn =
63+ conn
64+ |> put_req_cookie ( cookie_name , token )
65+ |> get ( "/api/stats/#{ site . domain } /top-stats?auth=#{ link . slug } " )
66+
67+ assert % { "top_stats" => _any } = json_response ( conn , 200 )
68+ end
69+
70+ test "returns 404 for password-protected link with invalid cookie value" , % { conn: conn } do
71+ site = new_site ( )
72+
73+ link =
74+ insert ( :shared_link , site: site , password_hash: Plausible.Auth.Password . hash ( "password" ) )
75+
76+ other_link =
77+ insert ( :shared_link ,
78+ name: "other link" ,
79+ site: site ,
80+ password_hash: Plausible.Auth.Password . hash ( "password" )
81+ )
82+
83+ other_link_token = Plausible.Auth.Token . sign_shared_link ( other_link . slug )
84+ cookie_name = "shared-link-" <> link . slug
85+
86+ conn =
87+ conn
88+ |> put_req_cookie ( cookie_name , other_link_token )
89+ |> get ( "/api/stats/#{ site . domain } /top-stats?auth=#{ link . slug } " )
90+
91+ assert json_response ( conn , 404 ) == % {
92+ "error" => "Site does not exist or user does not have sufficient access."
93+ }
94+ end
95+
96+ test "returns 404 for password-protected link without cookie" , % { conn: conn } do
97+ site = new_site ( )
98+
99+ link =
100+ insert ( :shared_link , site: site , password_hash: Plausible.Auth.Password . hash ( "password" ) )
101+
102+ conn = get ( conn , "/api/stats/#{ site . domain } /top-stats?auth=#{ link . slug } " )
103+
104+ assert json_response ( conn , 404 ) == % {
105+ "error" => "Site does not exist or user does not have sufficient access."
106+ }
107+ end
108+ end
109+
29110 describe "API authorization - as logged in user" do
30111 setup [ :create_user , :log_in ]
31112
32- test "Sends 404 Not found for a site that doesn't exist" , % { conn: conn } do
113+ test "returns 404 for a site that doesn't exist" , % { conn: conn } do
33114 conn = init_session ( conn )
34115 conn = get ( conn , "/api/stats/fake-site.com/main-graph/" )
35116
36- assert conn . status == 404
117+ assert json_response ( conn , 404 ) == % {
118+ "error" => "Site does not exist or user does not have sufficient access."
119+ }
37120 end
38121
39- test "Sends 404 Not found when user does not have access to site" , % { conn: conn } do
122+ test "returns 404 when user does not have access to site" , % { conn: conn } do
40123 site = new_site ( )
41124 conn = get ( conn , "/api/stats/#{ site . domain } /main-graph" )
42125
43- assert conn . status == 404
126+ assert json_response ( conn , 404 ) == % {
127+ "error" => "Site does not exist or user does not have sufficient access."
128+ }
44129 end
45130
46131 test "returns stats for public site" , % { conn: conn } do
0 commit comments