From f63610bb12f882a026cac4dacaff3b9f00faac30 Mon Sep 17 00:00:00 2001
From: Richard Hansen
Date: Mon, 12 Apr 2021 15:31:36 -0400
Subject: [PATCH] tests: Test access bypass via read-only pad ID
---
 src/tests/backend/specs/socketio.js | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/src/tests/backend/specs/socketio.js b/src/tests/backend/specs/socketio.js
index e19250e92..9b9e2101b 100644
--- a/src/tests/backend/specs/socketio.js
+++ b/src/tests/backend/specs/socketio.js
@@ -231,6 +231,24 @@ describe(__filename, function () {
 const message = await handshake(socket, 'pad');
 assert.equal(message.accessStatus, 'deny');
 });
+
+ it('authn anonymous read-only /p/pad -> 401, error', async function () {
+ this.timeout(400);
+ settings.requireAuthentication = true;
+ let res = await agent.get('/p/pad').auth('user', 'user-password').expect(200);
+ socket = await connect(res);
+ const clientVars = await handshake(socket, 'pad');
+ assert.equal(clientVars.type, 'CLIENT_VARS');
+ const readOnlyId = clientVars.data.readOnlyId;
+ assert(readOnlyManager.isReadOnlyId(readOnlyId));
+ socket.close();
+ res = await agent.get(`/p/${readOnlyId}`).expect(401);
+ // Despite the 401, try to read the pad via a socket.io connection anyway.
+ socket = await connect(res);
+ const message = await handshake(socket, readOnlyId);
+ assert.equal(message.accessStatus, 'deny');
+ });
+
 it('authn !cookie -> error', async function () {
 this.timeout(400);
 settings.requireAuthentication = true;
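Review bot: `this.timeout(400)` in the new test has to cover two HTTP round-trips and two socket.io handshakes, roughly twice the work of the neighbouring tests that use the same budget, so it is the most likely of the three to fail spuriously on a loaded CI runner; consider a larger budget such as `this.timeout(1000);`, or moving the authenticated lookup of the read-only ID into a shared helper. The first socket is reassigned after `socket.close()`, so if one of the assertions before that line fails the connection is left to whatever cleanup hook the suite has, which is not visible in this hunk. The only check on the ID obtained from `clientVars.data.readOnlyId` is `readOnlyManager.isReadOnlyId(readOnlyId)`; if the manager can resolve a read-only ID back to its pad, also asserting that it resolves to `pad` would keep the test from passing against a read-only ID belonging to some other pad. A sibling test for an authenticated but unauthorized user presenting the read-only ID would close the remaining gap in the bypass coverage this commit introduces.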