component extends="coldbox.system.testing.BaseInterceptorTest" interceptor="interceptors.SimpleSecurity" {
/*********************************** LIFE CYCLE Methods ***********************************/
// Suite-wide test double standing in for models.SecurityService.
// Each spec below re-stubs isLoggedIn and authorize on it before calling the interceptor,
// so the authentication outcome in every scenario is dictated by the test, not by real service logic.
mockSecurityService = createEmptyMock( "models.SecurityService" );
/*********************************** BDD SUITES ***********************************/
// Specs for SimpleSecurity.preProcess: the logged-in bypass, the 401 challenge, and the valid-credentials path.
describe( "SimpleSecurity Interceptor Suite", function() {
// Per-spec setup.
beforeEach( function( currentSpec ) {
// Setup the interceptor target
// inject mock into interceptor
// NOTE(review): the setup/injection statements these two comments describe are not visible in this
// listing. Every spec assumes the interceptor talks to mockSecurityService — confirm it is injected here.
// Request-context mock is re-created for each spec (presumably a fresh mock, so setHTTPHeader
// call counts asserted below start from zero — confirm).
mockEvent = getMockRequestContext();
// Canary spec: only asserts that the interceptor under test is a component.
// It exercises no authentication logic.
it( "can be created (canary)", function() {
expect( interceptor ).toBeComponent();
// Already-authenticated path: with isLoggedIn stubbed to true, preProcess must not call authorize.
it( "can allow already logged in users", function() {
// test already logged in and mock authorize so we can see if it was called
mockSecurityService.$( "isLoggedIn", true ).$( "authorize", false );
interceptor.preProcess( mockEvent, {} );
// The only assertion is that authorize was never invoked.
// NOTE(review): nothing here asserts that no challenge was issued (for example
// mockEvent.$never( "setHTTPHeader" ), as the valid-credentials spec does), so a regression
// that challenges a logged-in user without calling authorize would still pass.
expect( mockSecurityService.$never( "authorize" ) ).toBeTrue();
// Challenge path: not logged in and authorize stubbed to fail, so preProcess is expected
// to call authorize once, set one HTTP header, and render a 401.
it( "will challenge if you are not logged in and you don't have the right credentials", function() {
// test NOT logged in and NO credentials, so just challenge
mockSecurityService.$( "isLoggedIn", false ).$( "authorize", false );
// mock incoming headers and no auth credentials
// NOTE(review): the receiver of the chained calls below is not visible in this listing
// (presumably stubs on mockEvent for the Authorization header lookup — confirm).
.$args( "Authorization" )
.$( "getHTTPBasicCredentials", { username : "", password : "" } )
interceptor.preProcess( mockEvent, {} );
// verify authorize called once
expect( mockSecurityService.$once( "authorize" ) ).toBeTrue();
// Verifies only that some header was set exactly once, not which one.
// NOTE(review): the header name/value is not asserted; presumably this is the WWW-Authenticate
// challenge — asserting it would catch a 401 sent without a usable challenge. Confirm against the interceptor.
expect( mockEvent.$once( "setHTTPHeader" ) ).toBeTrue();
// The rendered response must carry HTTP 401.
// NOTE(review): only empty credentials are exercised in the visible specs; a case with non-empty
// credentials that authorize rejects would cover the wrong-password path explicitly.
expect( mockEvent.getRenderData().statusCode ).toBe( 401 );
// Success path: not logged in, Basic credentials supplied, authorize stubbed to succeed.
// The request is expected to proceed with no challenge header set.
it( "should authorize if you are not logged in but have valid credentials", function() {
// Test NOT logged in With basic credentials that are valid
mockSecurityService.$( "isLoggedIn", false ).$( "authorize", true );
// reset mocks for testing
// NOTE(review): the receiver of the chained call below is not visible in this listing.
// "luis"/"luis" are fixture values only: authorize is stubbed, so they are never checked against a real store.
.$( "getHTTPBasicCredentials", { username : "luis", password : "luis" } )
interceptor.preProcess( mockEvent, {} );
// Assert header never called.
// NOTE(review): this is the spec's only assertion. It does not verify that authorize was invoked
// (e.g. mockSecurityService.$once( "authorize" )) or that it received the supplied username/password,
// so an interceptor that skipped the credential check entirely would also pass here.
expect( mockEvent.$never( "setHTTPHeader" ) ).toBeTrue();