From 2a57d0b6d0139d641abdfaffec4777346f253766 Mon Sep 17 00:00:00 2001 From: Nick O'Leary Date: Wed, 25 Mar 2015 20:32:40 +0000 Subject: [PATCH] auth/login should return empty object when insecure --- red/api/auth/index.js | 9 ++++++--- red/api/index.js | 3 ++- test/red/api/auth/index_spec.js | 19 ++++++++++++++++++- test/red/api/index_spec.js | 5 ----- 4 files changed, 26 insertions(+), 10 deletions(-) diff --git a/red/api/auth/index.js b/red/api/auth/index.js index 4d4342656..344f80bd9 100644 --- a/red/api/auth/index.js +++ b/red/api/auth/index.js @@ -74,9 +74,12 @@ function getToken(req,res,next) { } function login(req,res) { - var response = { - "type":"credentials", - "prompts":[{id:"username",type:"text",label:"Username"},{id:"password",type:"password",label:"Password"}] + var response = {}; + if (settings.adminAuth) { + response = { + "type":"credentials", + "prompts":[{id:"username",type:"text",label:"Username"},{id:"password",type:"password",label:"Password"}] + } } res.json(response); } diff --git a/red/api/index.js b/red/api/index.js index 7585405c7..271ee3698 100644 --- a/red/api/index.js +++ b/red/api/index.js @@ -51,6 +51,8 @@ function init(adminApp,storage) { adminApp.use(express.json()); adminApp.use(express.urlencoded()); + + adminApp.get("/auth/login",auth.login); if (settings.adminAuth) { //TODO: all passport references ought to be in ./auth @@ -61,7 +63,6 @@ function init(adminApp,storage) { auth.getToken, auth.errorHandler ); - adminApp.get("/auth/login",auth.login); adminApp.post("/auth/revoke",auth.revoke); } diff --git a/test/red/api/auth/index_spec.js b/test/red/api/auth/index_spec.js index d773612b5..845c8d2d1 100644 --- a/test/red/api/auth/index_spec.js +++ b/test/red/api/auth/index_spec.js 
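Review bot: In `login()` (red/api/auth/index.js) the new `{}` branch is the only signal a client gets that no login is required, and nothing in the function documents that contract; a comment above the `if` such as `// adminAuth not configured: reply with {} so the client knows no login prompt is needed` would record it. The reply also lets any unauthenticated caller learn whether admin auth is enabled, which looks intended, but the comment should say the payload must stay free of anything sensitive. `settings` is declared outside the hunk; if it is only assigned by `auth.init` (as the spec's `auth.init({adminAuth:{}},null)` suggests), a request handled before init would throw on `settings.adminAuth`, so `if (settings && settings.adminAuth) {` may be the safer condition. The inner `response = { ... }` assignment is also missing its terminating semicolon.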
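Review bot: In red/api/index.js, `adminApp.get("/auth/login",auth.login)` is now registered unconditionally and ahead of the `if (settings.adminAuth)` block, so the route is reachable without authentication in every configuration and that intent is not written down. A one-line comment such as `// Unauthenticated by design: lets the editor discover whether a login is required` would stop a later change from adding sensitive fields to the handler or assuming it sits behind the auth middleware. The commit also deletes the `does not serve auth` case from test/red/api/index_spec.js without an HTTP-level replacement, so the wiring for the no-adminAuth case is only covered by the unit test that calls `auth.login` directly; a case in the same style, `request(app).get("/auth/login").expect(200,done)` plus a check that the body is empty, would cover it. `init`'s body starts and ends outside the hunk.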
@@ -21,6 +21,7 @@ var sinon = require("sinon"); var passport = require("passport"); var auth = require("../../../../red/api/auth"); +var Users = require("../../../../red/api/auth/users"); var Tokens = require("../../../../red/api/auth/tokens"); var settings = require("../../../../red/settings"); @@ -71,7 +72,16 @@ describe("api auth middleware",function() { }); describe("login", function() { - it("returns login details", function(done) { + beforeEach(function() { + sinon.stub(Tokens,"init",function(){}); + sinon.stub(Users,"init",function(){}); + }); + afterEach(function() { + Tokens.init.restore(); + Users.init.restore(); + }); + it("returns login details - credentials", function(done) { + auth.init({adminAuth:{}},null); auth.login(null,{json: function(resp) { resp.should.have.a.property("type","credentials"); resp.should.have.a.property("prompts"); @@ -79,6 +89,13 @@ describe("api auth middleware",function() { done(); }}); }); + it("returns login details - none", function(done) { + auth.init({},null); + auth.login(null,{json: function(resp) { + resp.should.eql({}); + done(); + }}); + }); }); diff --git a/test/red/api/index_spec.js b/test/red/api/index_spec.js index ec40d67ee..4117ae6a5 100644 --- a/test/red/api/index_spec.js +++ b/test/red/api/index_spec.js @@ -51,11 +51,6 @@ describe("api index", function() { .get("/settings") .expect(200,done) }); - it('does not serve auth', function(done) { - request(app) - .get("/auth/login") - .expect(404,done) - }); }); describe("can serve auth", function() {
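Review bot: The `afterEach` added to the `login` describe in test/red/api/auth/index_spec.js restores the `Tokens.init` and `Users.init` stubs but does not undo the `auth.init(...)` call each test makes, so the settings installed by the last test appear to stay in the `red/api/auth` module for whatever runs next. After `returns login details - none` (added in the following hunk) the module is left initialised with `{}`, which makes any later test that assumes a particular adminAuth state order-dependent. Having each describe that depends on the setting call `auth.init` in its own `beforeEach`, or resetting to a known baseline in this `afterEach`, would keep the cases independent. This is inferred from the spec alone, since `auth.init` itself is not part of the diff.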