I’ve completed the Anonymous Message Board project (span of multiple days, very frustrating sometimes) and achieved the Legacy InfoSec and QA Certificate.
A lot of follow-up comments on this one, regarding Mocha, SuperAgent, and Responses. I would definitely like to contribute and improve this project on the FCC side. Learners be warned ~ there are many missing FCC tests in this project, as pointed out in some other forum boards. But don’t despair ~ read the forum threads on this topic, and keep digging into req/res, async.
Core Testing Subjects
- Read the HelmetJS docs on correct ContentSecurityPolicy implementation
- Similar to “Issue Tracker”, this project is set up so that each individual “thread” is its own model, with independent documents. Don’t make the mistake of setting up ONE model for all threads. At least, this is the Mongoose process - straight MongoDB would be different.
- Be patient with functional testing. Because the tests are not written, be careful about how you test PUT and DELETE. Particularly, Repl.it is a little fussy.
- scriptSrc - as part of contentSecurityPolicy, I needed to write these two lines of code to allow the boilerplate jQuery on the views sheets to display the information:
"styleSrc": ["'unsafe-inline'"],
"scriptSrc": ["'self'", "localhost", "'unsafe-inline'", "code.jquery.com", "https://code.jquery.com/jquery-2.2.1.min.js"],
I thought that having “unsafe-inline” defeats the purpose of contentSecurityPolicy, but it was the only way to allow the jQuery and AJAX calls on the HTML view pages to work and function. Why, and how can it be done better?
Testing res.redirect in Chai - I scoured Google and the forum, and I can’t seem to find an answer to this. In some instances of the API routing here, the response object is NOT a “res.send” or a “res.json” of the data object. It is a “res.redirect” to either thread.html. In these instances, how do you test the response object in Chai? Since it redirects to an HTML page, would the res.body ACTUALLY be the HTML page?
I would like to beef up my functional tests somehow, on these two POST redirects. I mean, you can’t just do assert.equal(res.body, process.cwd() + '/views/board.html'), right? And then, how do you test that the posted information exists on the redirected page?