Revoked share links (#664)

* Move to revokation API for share links

* Respect revoked share links
Add documentation for shares endpoints

* 💚

server/api/__snapshots__/shares.test.js.snap

@@ -17,3 +17,12 @@ Object {
   "status": 401,
 }
 `;
+
+exports[`#shares.revoke should require authentication 1`] = `
+Object {
+  "error": "authentication_required",
+  "message": "Authentication required",
+  "ok": false,
+  "status": 401,
+}
+`;

server/api/documents.js

@@ -165,7 +165,12 @@ router.post('documents.info', auth({ required: false }), async ctx => {
   let document;
 
   if (shareId) {
-    const share = await Share.findById(shareId, {
+    const share = await Share.find({
+      where: {
+        // $FlowFixMe
+        revokedAt: { [Op.eq]: null },
+        id: shareId,
+      },
       include: [
         {
           model: Document,

server/api/documents.test.js

@@ -36,7 +36,7 @@ describe('#documents.info', async () => {
     expect(body.data.id).toEqual(document.id);
   });
 
-  it('should return redacted documents from shareId without token', async () => {
+  it('should return redacted document from shareId without token', async () => {
     const { document } = await seed();
     const share = await buildShare({
       documentId: document.id,
@@ -55,6 +55,20 @@ describe('#documents.info', async () => {
     expect(body.data.updatedBy).toEqual(undefined);
   });
 
+  it('should not return document from revoked shareId', async () => {
+    const { document, user } = await seed();
+    const share = await buildShare({
+      documentId: document.id,
+      teamId: document.teamId,
+    });
+    await share.revoke(user.id);
+
+    const res = await server.post('/api/documents.info', {
+      body: { shareId: share.id },
+    });
+    expect(res.status).toEqual(400);
+  });
+
   it('should return documents from shareId with token', async () => {
     const { user, document, collection } = await seed();
     const share = await buildShare({

server/api/shares.js

@@ -1,11 +1,13 @@
 // @flow
 import Router from 'koa-router';
+import Sequelize from 'sequelize';
 import auth from '../middlewares/authentication';
 import pagination from './middlewares/pagination';
 import { presentShare } from '../presenters';
 import { Document, User, Share } from '../models';
 import policy from '../policies';
 
+const Op = Sequelize.Op;
 const { authorize } = policy;
 const router = new Router();
 
@@ -14,7 +16,12 @@ router.post('shares.list', auth(), pagination(), async ctx => {
   if (direction !== 'ASC') direction = 'DESC';
 
   const user = ctx.state.user;
-  const where = { teamId: user.teamId, userId: user.id };
+  const where = {
+    teamId: user.teamId,
+    userId: user.id,
+    // $FlowFixMe
+    revokedAt: { [Op.eq]: null },
+  };
 
   if (user.isAdmin) delete where.userId;
 
@@ -68,15 +75,15 @@ router.post('shares.create', auth(), async ctx => {
   };
 });
 
-router.post('shares.delete', auth(), async ctx => {
+router.post('shares.revoke', auth(), async ctx => {
   const { id } = ctx.body;
   ctx.assertPresent(id, 'id is required');
 
   const user = ctx.state.user;
   const share = await Share.findById(id);
-  authorize(user, 'delete', share);
+  authorize(user, 'revoke', share);
 
-  await share.destroy();
+  await share.revoke(user.id);
 
   ctx.body = {
     success: true,

server/api/shares.test.js

@@ -32,6 +32,24 @@ describe('#shares.list', async () => {
     expect(body.data[0].documentTitle).toBe(document.title);
   });
 
+  it('should not return revoked shares', async () => {
+    const { user, document } = await seed();
+    const share = await buildShare({
+      documentId: document.id,
+      teamId: user.teamId,
+      userId: user.id,
+    });
+    await share.revoke(user.id);
+
+    const res = await server.post('/api/shares.list', {
+      body: { token: user.getJwtToken() },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.data.length).toEqual(0);
+  });
+
   it('admins should only return shares created by all users', async () => {
     const { admin, document } = await seed();
     const share = await buildShare({
@@ -106,3 +124,58 @@ describe('#shares.create', async () => {
     expect(res.status).toEqual(403);
   });
 });
+
+describe('#shares.revoke', async () => {
+  it('should allow author to revoke a share', async () => {
+    const { user, document } = await seed();
+    const share = await buildShare({
+      documentId: document.id,
+      teamId: user.teamId,
+      userId: user.id,
+    });
+
+    const res = await server.post('/api/shares.revoke', {
+      body: { token: user.getJwtToken(), id: share.id },
+    });
+    expect(res.status).toEqual(200);
+  });
+
+  it('should allow admin to revoke a share', async () => {
+    const { user, admin, document } = await seed();
+    const share = await buildShare({
+      documentId: document.id,
+      teamId: user.teamId,
+      userId: user.id,
+    });
+
+    const res = await server.post('/api/shares.revoke', {
+      body: { token: admin.getJwtToken(), id: share.id },
+    });
+    expect(res.status).toEqual(200);
+  });
+
+  it('should require authentication', async () => {
+    const { user, document } = await seed();
+    const share = await buildShare({
+      documentId: document.id,
+      teamId: user.teamId,
+      userId: user.id,
+    });
+    const res = await server.post('/api/shares.revoke', {
+      body: { id: share.id },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(401);
+    expect(body).toMatchSnapshot();
+  });
+
+  it('should require authorization', async () => {
+    const { document } = await seed();
+    const user = await buildUser();
+    const res = await server.post('/api/shares.create', {
+      body: { token: user.getJwtToken(), documentId: document.id },
+    });
+    expect(res.status).toEqual(403);
+  });
+});