2021-09-02 21:41:32 +00:00
|
|
|
/*
|
2023-01-08 15:09:51 +00:00
|
|
|
* SPDX-FileCopyrightText: 2023 The HedgeDoc developers (see AUTHORS file)
|
2021-09-02 21:41:32 +00:00
|
|
|
*
|
|
|
|
* SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* eslint-disable
|
|
|
|
@typescript-eslint/no-unsafe-assignment,
|
|
|
|
@typescript-eslint/no-unsafe-member-access
|
|
|
|
*/
|
|
|
|
import request from 'supertest';
|
|
|
|
|
2023-01-08 14:15:56 +00:00
|
|
|
import { NotInDBError } from '../../src/errors/errors';
|
2021-09-02 21:41:32 +00:00
|
|
|
import { LoginDto } from '../../src/identity/local/login.dto';
|
|
|
|
import { RegisterDto } from '../../src/identity/local/register.dto';
|
|
|
|
import { UpdatePasswordDto } from '../../src/identity/local/update-password.dto';
|
|
|
|
import { UserRelationEnum } from '../../src/users/user-relation.enum';
|
|
|
|
import { checkPassword } from '../../src/utils/password';
|
2023-05-13 12:56:42 +00:00
|
|
|
import { Username } from '../../src/utils/username';
|
2022-01-06 20:41:36 +00:00
|
|
|
import { TestSetup, TestSetupBuilder } from '../test-setup';
|
2021-09-02 21:41:32 +00:00
|
|
|
|
|
|
|
describe('Auth', () => {
|
2021-10-15 15:06:56 +00:00
|
|
|
let testSetup: TestSetup;
|
|
|
|
|
2023-05-13 12:56:42 +00:00
|
|
|
let username: Username;
|
2022-02-14 10:12:35 +00:00
|
|
|
let displayName: string;
|
2021-09-02 21:41:32 +00:00
|
|
|
let password: string;
|
|
|
|
|
2023-03-26 11:24:53 +00:00
|
|
|
beforeAll(async () => {
|
2022-01-06 20:41:36 +00:00
|
|
|
testSetup = await TestSetupBuilder.create().build();
|
2021-10-15 15:06:56 +00:00
|
|
|
await testSetup.app.init();
|
|
|
|
|
2021-09-02 21:41:32 +00:00
|
|
|
username = 'hardcoded';
|
2022-02-14 10:12:35 +00:00
|
|
|
displayName = 'Testy';
|
2021-09-02 21:41:32 +00:00
|
|
|
password = 'test_password';
|
|
|
|
});
|
|
|
|
|
2023-03-26 11:24:53 +00:00
|
|
|
afterAll(async () => {
|
2022-07-31 19:39:25 +00:00
|
|
|
// Yes, this is a bad hack, but there is a race somewhere and I have
|
|
|
|
// no idea how to fix it.
|
|
|
|
await new Promise((resolve) => {
|
|
|
|
setTimeout(resolve, 1000);
|
|
|
|
});
|
2022-03-04 12:13:46 +00:00
|
|
|
await testSetup.cleanup();
|
|
|
|
});
|
|
|
|
|
2021-09-02 21:41:32 +00:00
|
|
|
describe('POST /auth/local', () => {
|
|
|
|
it('works', async () => {
|
|
|
|
const registrationDto: RegisterDto = {
|
2022-02-14 10:12:35 +00:00
|
|
|
displayName: displayName,
|
2021-09-02 21:41:32 +00:00
|
|
|
password: password,
|
|
|
|
username: username,
|
|
|
|
};
|
2021-10-15 15:06:56 +00:00
|
|
|
await request(testSetup.app.getHttpServer())
|
|
|
|
.post('/api/private/auth/local')
|
2021-09-02 21:41:32 +00:00
|
|
|
.set('Content-Type', 'application/json')
|
|
|
|
.send(JSON.stringify(registrationDto))
|
|
|
|
.expect(201);
|
2021-10-15 15:06:56 +00:00
|
|
|
const newUser = await testSetup.userService.getUserByUsername(username, [
|
2021-09-02 21:41:32 +00:00
|
|
|
UserRelationEnum.IDENTITIES,
|
|
|
|
]);
|
2022-02-14 10:12:35 +00:00
|
|
|
expect(newUser.displayName).toEqual(displayName);
|
2021-09-02 21:41:32 +00:00
|
|
|
await expect(newUser.identities).resolves.toHaveLength(1);
|
|
|
|
await expect(
|
|
|
|
checkPassword(
|
|
|
|
password,
|
|
|
|
(await newUser.identities)[0].passwordHash ?? '',
|
|
|
|
),
|
|
|
|
).resolves.toBeTruthy();
|
2023-01-08 14:15:56 +00:00
|
|
|
await testSetup.userService.deleteUser(newUser);
|
2021-09-02 21:41:32 +00:00
|
|
|
});
|
|
|
|
describe('fails', () => {
|
|
|
|
it('when the user already exits', async () => {
|
2023-03-26 11:24:53 +00:00
|
|
|
const conflictingUserName = 'already_existing';
|
|
|
|
const conflictingUser = await testSetup.userService.createUser(
|
|
|
|
conflictingUserName,
|
|
|
|
displayName,
|
|
|
|
);
|
2021-09-02 21:41:32 +00:00
|
|
|
const registrationDto: RegisterDto = {
|
2022-02-14 10:12:35 +00:00
|
|
|
displayName: displayName,
|
2021-09-02 21:41:32 +00:00
|
|
|
password: password,
|
2023-03-26 11:24:53 +00:00
|
|
|
username: conflictingUserName,
|
2021-09-02 21:41:32 +00:00
|
|
|
};
|
2021-10-15 15:06:56 +00:00
|
|
|
await request(testSetup.app.getHttpServer())
|
|
|
|
.post('/api/private/auth/local')
|
2021-09-02 21:41:32 +00:00
|
|
|
.set('Content-Type', 'application/json')
|
|
|
|
.send(JSON.stringify(registrationDto))
|
2021-10-27 17:39:18 +00:00
|
|
|
.expect(409);
|
2023-03-26 11:24:53 +00:00
|
|
|
await testSetup.userService.deleteUser(conflictingUser);
|
2021-09-02 21:41:32 +00:00
|
|
|
});
|
|
|
|
it('when registration is disabled', async () => {
|
2021-10-15 15:06:56 +00:00
|
|
|
testSetup.configService.get('authConfig').local.enableRegister = false;
|
2021-09-02 21:41:32 +00:00
|
|
|
const registrationDto: RegisterDto = {
|
2022-02-14 10:12:35 +00:00
|
|
|
displayName: displayName,
|
2021-09-02 21:41:32 +00:00
|
|
|
password: password,
|
|
|
|
username: username,
|
|
|
|
};
|
2021-10-15 15:06:56 +00:00
|
|
|
await request(testSetup.app.getHttpServer())
|
|
|
|
.post('/api/private/auth/local')
|
2021-09-02 21:41:32 +00:00
|
|
|
.set('Content-Type', 'application/json')
|
|
|
|
.send(JSON.stringify(registrationDto))
|
2023-01-08 15:09:51 +00:00
|
|
|
.expect(403);
|
2021-10-15 15:06:56 +00:00
|
|
|
testSetup.configService.get('authConfig').local.enableRegister = true;
|
2021-09-02 21:41:32 +00:00
|
|
|
});
|
|
|
|
});
|
2023-03-26 11:24:53 +00:00
|
|
|
it('does not create a user if the PasswordTooWeakError is encountered', async () => {
|
2023-01-08 14:15:56 +00:00
|
|
|
const registrationDto: RegisterDto = {
|
|
|
|
displayName: displayName,
|
|
|
|
password: 'test1234',
|
2021-09-02 21:41:32 +00:00
|
|
|
username: username,
|
|
|
|
};
|
2021-10-15 15:06:56 +00:00
|
|
|
const response = await request(testSetup.app.getHttpServer())
|
2023-01-08 14:15:56 +00:00
|
|
|
.post('/api/private/auth/local')
|
2021-09-02 21:41:32 +00:00
|
|
|
.set('Content-Type', 'application/json')
|
2023-01-08 14:15:56 +00:00
|
|
|
.send(JSON.stringify(registrationDto))
|
2021-09-02 21:41:32 +00:00
|
|
|
.expect(400);
|
2023-01-08 14:15:56 +00:00
|
|
|
expect(response.text).toContain('PasswordTooWeakError');
|
|
|
|
await expect(() =>
|
|
|
|
testSetup.userService.getUserByUsername(username, [
|
|
|
|
UserRelationEnum.IDENTITIES,
|
|
|
|
]),
|
|
|
|
).rejects.toThrow(NotInDBError);
|
2021-12-28 00:46:40 +00:00
|
|
|
});
|
2021-09-02 21:41:32 +00:00
|
|
|
});
|
|
|
|
|
2023-01-08 14:15:56 +00:00
|
|
|
describe('Already existing user', () => {
|
|
|
|
beforeAll(async () => {
|
|
|
|
const registrationDto: RegisterDto = {
|
|
|
|
displayName: displayName,
|
2021-09-02 21:41:32 +00:00
|
|
|
password: password,
|
|
|
|
username: username,
|
|
|
|
};
|
2021-10-15 15:06:56 +00:00
|
|
|
await request(testSetup.app.getHttpServer())
|
2023-01-08 14:15:56 +00:00
|
|
|
.post('/api/private/auth/local')
|
2021-09-02 21:41:32 +00:00
|
|
|
.set('Content-Type', 'application/json')
|
2023-01-08 14:15:56 +00:00
|
|
|
.send(JSON.stringify(registrationDto))
|
2021-09-02 21:41:32 +00:00
|
|
|
.expect(201);
|
|
|
|
});
|
2023-01-08 14:15:56 +00:00
|
|
|
describe('PUT /auth/local', () => {
|
|
|
|
const newPassword = 'new_password';
|
|
|
|
let cookie = '';
|
|
|
|
beforeEach(async () => {
|
|
|
|
const loginDto: LoginDto = {
|
|
|
|
password: password,
|
|
|
|
username: username,
|
|
|
|
};
|
|
|
|
const response = await request(testSetup.app.getHttpServer())
|
|
|
|
.post('/api/private/auth/local/login')
|
|
|
|
.set('Content-Type', 'application/json')
|
|
|
|
.send(JSON.stringify(loginDto))
|
|
|
|
.expect(201);
|
|
|
|
cookie = response.get('Set-Cookie')[0];
|
|
|
|
});
|
|
|
|
it('works', async () => {
|
|
|
|
// Change password
|
|
|
|
const changePasswordDto: UpdatePasswordDto = {
|
|
|
|
currentPassword: password,
|
|
|
|
newPassword: newPassword,
|
|
|
|
};
|
|
|
|
await request(testSetup.app.getHttpServer())
|
|
|
|
.put('/api/private/auth/local')
|
|
|
|
.set('Content-Type', 'application/json')
|
|
|
|
.set('Cookie', cookie)
|
|
|
|
.send(JSON.stringify(changePasswordDto))
|
|
|
|
.expect(200);
|
|
|
|
// Successfully login with new password
|
|
|
|
const loginDto: LoginDto = {
|
|
|
|
password: newPassword,
|
|
|
|
username: username,
|
|
|
|
};
|
|
|
|
const response = await request(testSetup.app.getHttpServer())
|
|
|
|
.post('/api/private/auth/local/login')
|
|
|
|
.set('Content-Type', 'application/json')
|
|
|
|
.send(JSON.stringify(loginDto))
|
|
|
|
.expect(201);
|
|
|
|
cookie = response.get('Set-Cookie')[0];
|
|
|
|
// Reset password
|
|
|
|
const changePasswordBackDto: UpdatePasswordDto = {
|
|
|
|
currentPassword: newPassword,
|
|
|
|
newPassword: password,
|
|
|
|
};
|
|
|
|
await request(testSetup.app.getHttpServer())
|
|
|
|
.put('/api/private/auth/local')
|
|
|
|
.set('Content-Type', 'application/json')
|
|
|
|
.set('Cookie', cookie)
|
|
|
|
.send(JSON.stringify(changePasswordBackDto))
|
|
|
|
.expect(200);
|
|
|
|
});
|
|
|
|
it('fails, when registration is disabled', async () => {
|
|
|
|
testSetup.configService.get('authConfig').local.enableLogin = false;
|
|
|
|
// Try to change password
|
|
|
|
const changePasswordDto: UpdatePasswordDto = {
|
|
|
|
currentPassword: password,
|
|
|
|
newPassword: newPassword,
|
|
|
|
};
|
|
|
|
await request(testSetup.app.getHttpServer())
|
|
|
|
.put('/api/private/auth/local')
|
|
|
|
.set('Content-Type', 'application/json')
|
|
|
|
.set('Cookie', cookie)
|
|
|
|
.send(JSON.stringify(changePasswordDto))
|
2023-03-25 17:58:48 +00:00
|
|
|
.expect(403);
|
2023-01-08 14:15:56 +00:00
|
|
|
// enable login again
|
|
|
|
testSetup.configService.get('authConfig').local.enableLogin = true;
|
|
|
|
// new password doesn't work for login
|
|
|
|
const loginNewPasswordDto: LoginDto = {
|
|
|
|
password: newPassword,
|
|
|
|
username: username,
|
|
|
|
};
|
|
|
|
await request(testSetup.app.getHttpServer())
|
|
|
|
.post('/api/private/auth/local/login')
|
|
|
|
.set('Content-Type', 'application/json')
|
|
|
|
.send(JSON.stringify(loginNewPasswordDto))
|
|
|
|
.expect(401);
|
|
|
|
// old password does work for login
|
|
|
|
const loginOldPasswordDto: LoginDto = {
|
|
|
|
password: password,
|
|
|
|
username: username,
|
|
|
|
};
|
|
|
|
await request(testSetup.app.getHttpServer())
|
|
|
|
.post('/api/private/auth/local/login')
|
|
|
|
.set('Content-Type', 'application/json')
|
|
|
|
.send(JSON.stringify(loginOldPasswordDto))
|
|
|
|
.expect(201);
|
|
|
|
});
|
|
|
|
it('fails, when old password is wrong', async () => {
|
|
|
|
// Try to change password
|
|
|
|
const changePasswordDto: UpdatePasswordDto = {
|
|
|
|
currentPassword: 'wrong',
|
|
|
|
newPassword: newPassword,
|
|
|
|
};
|
|
|
|
await request(testSetup.app.getHttpServer())
|
|
|
|
.put('/api/private/auth/local')
|
|
|
|
.set('Content-Type', 'application/json')
|
|
|
|
.set('Cookie', cookie)
|
|
|
|
.send(JSON.stringify(changePasswordDto))
|
|
|
|
.expect(401);
|
|
|
|
// old password still does work for login
|
|
|
|
const loginOldPasswordDto: LoginDto = {
|
|
|
|
password: password,
|
|
|
|
username: username,
|
|
|
|
};
|
|
|
|
await request(testSetup.app.getHttpServer())
|
|
|
|
.post('/api/private/auth/local/login')
|
|
|
|
.set('Content-Type', 'application/json')
|
|
|
|
.send(JSON.stringify(loginOldPasswordDto))
|
|
|
|
.expect(201);
|
|
|
|
});
|
|
|
|
});
|
2021-09-02 21:41:32 +00:00
|
|
|
|
2023-01-08 14:15:56 +00:00
|
|
|
describe('POST /auth/local/login', () => {
|
|
|
|
it('works', async () => {
|
|
|
|
testSetup.configService.get('authConfig').local.enableLogin = true;
|
|
|
|
const loginDto: LoginDto = {
|
|
|
|
password: password,
|
|
|
|
username: username,
|
|
|
|
};
|
|
|
|
await request(testSetup.app.getHttpServer())
|
|
|
|
.post('/api/private/auth/local/login')
|
|
|
|
.set('Content-Type', 'application/json')
|
|
|
|
.send(JSON.stringify(loginDto))
|
|
|
|
.expect(201);
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
|
|
|
describe('DELETE /auth/logout', () => {
|
|
|
|
it('works', async () => {
|
|
|
|
testSetup.configService.get('authConfig').local.enableLogin = true;
|
|
|
|
const loginDto: LoginDto = {
|
|
|
|
password: password,
|
|
|
|
username: username,
|
|
|
|
};
|
|
|
|
const response = await request(testSetup.app.getHttpServer())
|
|
|
|
.post('/api/private/auth/local/login')
|
|
|
|
.set('Content-Type', 'application/json')
|
|
|
|
.send(JSON.stringify(loginDto))
|
|
|
|
.expect(201);
|
|
|
|
const cookie = response.get('Set-Cookie')[0];
|
|
|
|
await request(testSetup.app.getHttpServer())
|
|
|
|
.delete('/api/private/auth/logout')
|
|
|
|
.set('Cookie', cookie)
|
|
|
|
.expect(204);
|
|
|
|
});
|
2021-09-02 21:41:32 +00:00
|
|
|
});
|
|
|
|
});
|
|
|
|
});
|