add tests, add workflows

Author: derisen

.github/workflows/codeql.yml

@@ -0,0 +1,39 @@
+name: "Code Scan"
+
+on:
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  CodeQL-Build:
+    strategy:
+      fail-fast: false
+
+    # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v1
+        with:
+          languages: javascript
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below).
+      #- name: Autobuild
+      #  uses: github/codeql-action/autobuild@v1
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 https://git.io/JvXDl
+
+      # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+      #    and modify them (or add more) to build your code if your project
+      #    uses a compiled language
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v1

.github/workflows/node.js.yml

@@ -0,0 +1,98 @@
+# This workflow will do a clean install of node dependencies, build the source code and run tests across different versions of node
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
+
+name: "Build"
+
+on:
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [12.x]
+        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v2
+      with:
+        node-version: ${{ matrix.node-version }}
+
+    - run: |
+        cd 1-Authentication/1-sign-in/
+        npm ci
+        npm audit --production
+        npm run test
+
+    - run: |
+        cd 1-Authentication/2-sign-in-b2c/
+        npm ci
+        npm audit --production
+        npm run test
+
+    - run: |
+        cd 2-Authorization-I/1-call-graph/
+        npm ci
+        npm audit --production
+        npm run test
+
+    - run: |
+        cd 3-Authorization-II/1-call-api/API
+        npm ci
+        npm audit --production
+        npm run test
+
+    - run: |
+        cd 3-Authorization-II/1-call-api/SPA
+        npm ci
+        npm audit --production
+        npm run test
+
+    - run: |
+        cd 3-Authorization-II/2-call-api-b2c/API
+        npm ci
+        npm audit --production
+        npm run test
+
+    - run: |
+        cd 3-Authorization-II/2-call-api-b2c/SPA
+        npm ci
+        npm audit --production
+        npm run test
+
+    - run: |
+        cd 4-AdvancedGrants/1-call-api-graph/API
+        npm ci
+        npm audit --production
+        npm run test
+
+    - run: |
+        cd 4-AdvancedGrants/1-call-api-graph/SPA
+        npm ci
+        npm audit --production
+        npm run test
+
+    - run: |
+        cd 4-AdvancedGrants/2-call-api-api-ca/DownstreamAPI
+        npm ci
+        npm audit --production
+        npm run test
+
+    - run: |
+        cd 4-AdvancedGrants/2-call-api-api-ca/MiddletierAPI
+        npm ci
+        npm audit --production
+        npm run test
+      
+    - run: |
+        cd 4-AdvancedGrants/2-call-api-api-ca/SPA
+        npm ci
+        npm audit --production
+        npm run test

1-Authentication/1-sign-in/App/authConfig.js

@@ -1,47 +1,46 @@
-
 /**
  * Configuration object to be passed to MSAL instance on creation. 
  * For a full list of MSAL.js configuration parameters, visit:
  * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/configuration.md 
  */
 
 const msalConfig = {
-    auth: {
-      clientId: "Enter_the_Application_Id_Here", // This is the ONLY mandatory field that you need to supply.
-      authority: "Enter_the_Cloud_Instance_Id_Here/Enter_the_Tenant_Info_Here", // Defaults to "https://login.microsoftonline.com/common"
-      redirectUri: "Enter_the_Redirect_Uri_Here", // You must register this URI on Azure Portal/App Registration. Defaults to window.location.href
-      postLogoutRedirectUri: "Enter_the_Redirect_Uri_Here/signout", // Simply remove this line if you would like navigate to index page after logout.
-      navigateToLoginRequestUrl: false, // If "true", will navigate back to the original request location before processing the auth code response.
-    },
-    cache: {
-      cacheLocation: "localStorage", // Configures cache location. "sessionStorage" is more secure, but "localStorage" gives you SSO.
-      storeAuthStateInCookie: false, // If you wish to store cache items in cookies as well as browser cache, set this to "true".
-    },
-    system: {
-      loggerOptions: {
-        loggerCallback: (level, message, containsPii) => {
-          if (containsPii) {
+  auth: {
+    clientId: "Enter_the_Application_Id_Here", // This is the ONLY mandatory field that you need to supply.
+    authority: "https://login.microsoftonline.com/Enter_the_Tenant_Info_Here", // Defaults to "https://login.microsoftonline.com/common"
+    redirectUri: "Enter_the_Redirect_Uri_Here", // You must register this URI on Azure Portal/App Registration. Defaults to window.location.href
+    postLogoutRedirectUri: "Enter_the_Redirect_Uri_Here/signout", // Simply remove this line if you would like navigate to index page after logout.
+    navigateToLoginRequestUrl: false, // If "true", will navigate back to the original request location before processing the auth code response.
+  },
+  cache: {
+    cacheLocation: "localStorage", // Configures cache location. "sessionStorage" is more secure, but "localStorage" gives you SSO.
+    storeAuthStateInCookie: false, // If you wish to store cache items in cookies as well as browser cache, set this to "true".
+  },
+  system: {
+    loggerOptions: {
+      loggerCallback: (level, message, containsPii) => {
+        if (containsPii) {
+          return;
+        }
+        switch (level) {
+          case msal.LogLevel.Error:
+            console.error(message);
+            return;
+          case msal.LogLevel.Info:
+            console.info(message);
+            return;
+          case msal.LogLevel.Verbose:
+            console.debug(message);
+            return;
+          case msal.LogLevel.Warning:
+            console.warn(message);
             return;
-          }
-          switch (level) {
-            case msal.LogLevel.Error:
-              console.error(message);
-              return;
-            case msal.LogLevel.Info:
-              console.info(message);
-              return;
-            case msal.LogLevel.Verbose:
-              console.debug(message);
-              return;
-            case msal.LogLevel.Warning:
-              console.warn(message);
-              return;
-          }
         }
       }
     }
-  };
-  
+  }
+};
+
 /**
  * Scopes you add here will be prompted for user consent during sign-in.
  * By default, MSAL.js will add OIDC scopes (openid, profile, email) to any login request.
@@ -61,4 +60,10 @@ const loginRequest = {
 //   scopes: ["openid", "profile"],
 //   loginHint: "[email protected]"
 // };
-  
+
+// exporting config object for jest
+if (typeof exports !== 'undefined') {
+  module.exports = {
+    msalConfig: msalConfig,
+  };
+}

1-Authentication/1-sign-in/App/index.html

@@ -8,11 +8,11 @@
   <link rel="SHORTCUT ICON" href="./favicon.svg" type="image/x-icon">
 
   <!-- msal.min.js can be used in the place of msal.js; included msal.js to make debug easy -->
-  <script src="https://alcdn.msauth.net/browser/2.15.0/js/msal-browser.js"
+  <script id="load-msal" src="https://alcdn.msauth.net/browser/2.15.0/js/msal-browser.js"
     integrity="sha384-dFzMiVGB5HpWZ+5w5VSif6jhWfNeplSw9ACYmQKZcY2azuT9kCxVWVI9HyfGdkHV"
     crossorigin="anonymous"></script>
-
-  <!-- To help ensure reliability, Microsoft provides a second CDN -->
+  
+    <!-- To help ensure reliability, Microsoft provides a second CDN -->
   <script type="text/javascript">
     if (typeof Msal === 'undefined') document.write(unescape("%3Cscript src='https://alcdn.msftauth.net/browser/2.15.0/js/msal-browser.js' type='text/javascript' crossorigin='anonymous' %3E%3C/script%3E"));
   </script>

1-Authentication/1-sign-in/package.json

@@ -5,7 +5,8 @@
   "main": "server.js",
   "scripts": {
     "start": "node server.js",
-    "dev": "nodemon server.js"
+    "dev": "nodemon server.js",
+    "test": "jest --forceExit"
   },
   "repository": {
     "type": "git",
@@ -32,6 +33,8 @@
     "morgan": "^1.10.0"
   },
   "devDependencies": {
-    "nodemon": "^2.0.12"
+    "jest": "^27.0.6",
+    "nodemon": "^2.0.12",
+    "supertest": "^6.1.4"
   }
 }

1-Authentication/1-sign-in/sample.test.js

@@ -0,0 +1,68 @@
+/**
+ * @jest-environment jsdom
+ */
+
+const request = require('supertest');
+const path = require('path');
+const fs = require('fs');
+
+const app = require('./server.js');
+
+jest.dontMock('fs');
+
+const html = fs.readFileSync(path.resolve(__dirname, './App/index.html'), 'utf8');
+
+describe('Sanitize index page', () => {
+    beforeAll(async() => {
+        global.document.documentElement.innerHTML = html.toString();
+    });
+
+    it('should have valid cdn link', () => {
+        expect(document.getElementById("load-msal").getAttribute("src")).toContain("https://alcdn.msauth.net/browser");
+    });
+});
+
+describe('Sanitize configuration object', () => {
+    beforeAll(() => {
+        global.msalConfig = require('./App/authConfig.js').msalConfig;
+    });
+
+    it('should define the config object', () => {
+        expect(msalConfig).toBeDefined();
+    });
+
+    it('should not contain credentials', () => {
+        const regexGuid = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+        expect(regexGuid.test(msalConfig.auth.clientId)).toBe(false);
+    });
+
+    it('should contain authority URI', () => {
+        const regexUri = /[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)?/gi;
+        expect(regexUri.test(msalConfig.auth.authority)).toBe(true);
+    });
+});
+
+describe('Ensure pages served', () => {
+
+    beforeAll(() => {
+        process.env.NODE_ENV = 'test';
+    });
+
+    it('should get index page', async () => {
+        const res = await request(app)
+            .get('/');
+
+        const data = await fs.promises.readFile(path.join(__dirname, './App/index.html'), 'utf8');
+        expect(res.statusCode).toEqual(200);
+        expect(res.text).toEqual(data);
+    });
+
+    it('should get signout page', async () => {
+        const res = await request(app)
+            .get('/signout');
+
+        const data = await fs.promises.readFile(path.join(__dirname, './App/signout.html'), 'utf8');
+        expect(res.statusCode).toEqual(200);
+        expect(res.text).toEqual(data);
+    });
+});

1-Authentication/1-sign-in/server.js

@@ -7,9 +7,6 @@ const DEFAULT_PORT = process.env.PORT || 3000;
 // initialize express.
 const app = express();
 
-// Initialize variables.
-let port = DEFAULT_PORT;
-
 // Configure morgan module to log all requests.
 app.use(morgan('dev'));
 
@@ -26,6 +23,8 @@ app.get('*', (req, res) => {
     res.sendFile(path.join(__dirname + '/index.html'));
 });
 
-// Start the server.
-app.listen(port);
-console.log(`Listening on port ${port}...`);
+app.listen(DEFAULT_PORT, () => {
+    console.log(`Sample app listening on port ${DEFAULT_PORT}!`)
+});
+
+module.exports = app;

1-Authentication/2-sign-in-b2c/App/authConfig.js

@@ -62,4 +62,11 @@ const loginRequest = {
 // const silentRequest = {
 //   scopes: ["openid", "profile"],
 //   loginHint: "[email protected]"
-// };
+// };
+
+// exporting config object for jest
+if (typeof exports !== 'undefined') {
+  module.exports = {
+    msalConfig: msalConfig,
+  };
+}

1-Authentication/2-sign-in-b2c/App/index.html

@@ -8,7 +8,7 @@
   <link rel="SHORTCUT ICON" href="./favicon.svg" type="image/x-icon">
 
   <!-- msal.min.js can be used in the place of msal.js; included msal.js to make debug easy -->
-  <script src="https://alcdn.msauth.net/browser/2.15.0/js/msal-browser.js"
+  <script id="load-msal" src="https://alcdn.msauth.net/browser/2.15.0/js/msal-browser.js"
     integrity="sha384-dFzMiVGB5HpWZ+5w5VSif6jhWfNeplSw9ACYmQKZcY2azuT9kCxVWVI9HyfGdkHV"
     crossorigin="anonymous"></script>
 

1-Authentication/2-sign-in-b2c/App/policies.js

@@ -21,4 +21,11 @@ const b2cPolicies = {
         }
     },
     authorityDomain: "fabrikamb2c.b2clogin.com"
+}
+
+// exporting config object for jest
+if (typeof exports !== 'undefined') {
+    module.exports = {
+        b2cPolicies: b2cPolicies,
+    };
 }