fix(putUser): ensure reserved words are enforced in metadata

ptitjes · ptitjes · commit b1ea26a771c1 · 2017-11-17T18:20:04.000+01:00
BREAKING CHANGE: In both signUp and putUser, '_id', '_rev', 'name',
'type', 'roles', 'password', 'password_scheme', 'iterations',
'derived_key', 'salt' are now all reserved words, and 'metadata' is
not a reserved word anymore.
diff --git a/src/index.js b/src/index.js
@@ -22,13 +22,23 @@ function wrapError(callback) {
 }
 
 function putUser(db, user, opts, callback) {
-  var reservedWords = ['name', 'password', 'roles', 'type', 'salt', 'metadata'];
+  var reservedWords = [
+    '_id',
+    '_rev',
+    'name',
+    'type',
+    'roles',
+    'password',
+    'password_scheme',
+    'iterations',
+    'derived_key',
+    'salt'
+  ];
+
   if (opts.metadata) {
     for (var key in opts.metadata) {
-      if (opts.hasOwnProperty(key)) {
-        if (reservedWords.indexOf(key) !== -1 || key.startsWith('_')) {
-          return callback(new AuthError('cannot use reserved word in metadata: "' + key + '"'));
-        }
+      if (opts.metadata.hasOwnProperty(key) && reservedWords.indexOf(key) !== -1) {
+        return callback(new AuthError('cannot use reserved word in metadata: "' + key + '"'));
       }
     }
     user = assign(user, opts.metadata);
diff --git a/test/test.js b/test/test.js
@@ -19,8 +19,8 @@ testCases.forEach(function (testCase) {
   describe('authentication-' + testCase, function () {
 
     var dbName = testCase === 'normal' ?
-      'http://localhost:5984/testdb' :
-      'http://localhost:5984/testdb/'; // trailing slash
+        'http://localhost:5984/testdb' :
+        'http://localhost:5984/testdb/'; // trailing slash
 
     var db;
 
@@ -141,6 +141,73 @@ testCases.forEach(function (testCase) {
       });
     });
 
+    var reservedWords = [
+      '_id',
+      '_rev',
+      'name',
+      'type',
+      'roles',
+      'password',
+      'password_scheme',
+      'iterations',
+      'derived_key',
+      'salt'
+    ];
+
+    reservedWords.forEach(function (key) {
+      it('Test changing metadata using reserved word "' + key + '"', function () {
+        return db.signup('robin', 'dickgrayson').then(function (res) {
+          res.ok.should.equal(true);
+          return db.login('robin', 'dickgrayson');
+        }).then(function () {
+          return db.getUser('robin').then(function (user) {
+            var metadata = {};
+            metadata[key] = 'test';
+            return db.putUser('robin', {metadata: metadata}).then(function (res) {
+              res.ok.should.not.equal(true);
+            }).catch(function (err) {
+              should.exist(err);
+              err.status.should.equal(400);
+              err.name.should.equal('authentication_error');
+              err.message.should.equal('cannot use reserved word in metadata: "' + key + '"');
+              err.error.should.equal(true);
+
+              if (key === 'password') {
+                return db.login('robin', 'dickgrayson').then(function (res) {
+                  res.ok.should.equal(true);
+                }).catch(function (err) {
+                  should.not.exist(err);
+                });
+              } else {
+                return db.getUser('robin').then(function (changedUser) {
+                  changedUser[key].should.deep.equal(user[key]);
+                }).catch(function (err) {
+                  should.not.exist(err);
+                });
+              }
+            });
+          });
+        });
+      });
+    });
+
+    it('Test changing metadata using non-reserved word "metadata"', function () {
+      var metadata = {test: 'test'};
+      return db.signup('robin', 'dickgrayson').then(function (res) {
+        res.ok.should.equal(true);
+        return db.login('robin', 'dickgrayson');
+      }).then(function () {
+        return db.putUser('robin', {metadata: {metadata: metadata}});
+      }).then(function (res) {
+        res.ok.should.equal(true);
+        return db.getUser('robin');
+      }).then(function (changedUser) {
+        changedUser.metadata.should.deep.equal(metadata);
+      }).catch(function (err) {
+        should.not.exist(err);
+      });
+    });
+
     it('Test wrong user for getUser', function () {
       return db.signup('robin', 'dickgrayson').then(function (res) {
         return db.signup('aquaman', 'sleeps_with_fishes');
