Commit graph

82 commits

Author SHA1 Message Date
Philip Molares
188f206746 test(e2e): add tests for too weak passwords
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-10-03 10:36:46 +02:00
Philip Molares
3ba9f95f83 test: fix test and use stronger passwords
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-10-03 10:36:46 +02:00
Philip Molares
754e725b7f test(e2e): fix notes service
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2022-09-18 21:29:35 +02:00
David Mehren
a626ace4b9 fix(history-entry): remove composite primary keys
TypeORM promises to support composite primary keys,
but that does not work in reality.
This replaces the composite key used in the permission entities with
a single generated primary key and
a unique index on the relation columns.

See https://github.com/typeorm/typeorm/issues/8513

Signed-off-by: David Mehren <git@herrmehren.de>
2022-09-18 20:57:52 +02:00
Philip Molares
6293bf72b2 test(private-api): add test for get note metadata call
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-08-28 13:02:33 +02:00
David Mehren
156957cd63 tests(e2e/private/history): don't compare promises
Signed-off-by: David Mehren <git@herrmehren.de>
2022-08-07 22:45:25 +02:00
David Mehren
0ebaa7c838 tests(e2e/private/auth): fix race in cleanup
Signed-off-by: David Mehren <git@herrmehren.de>
2022-08-02 08:59:37 +02:00
Tilman Vatteroth
8596bed729 refactor: remove cycling dependency between notes and revisions
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2022-07-10 19:46:03 +02:00
David Mehren
2f1e6628a1 test(private/notes): add regression test
For reasons, typeorm 0.3 started to always return all notes in the database.
This adds a regression test to check for that.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-06-12 20:09:07 +02:00
David Mehren
c4975e4783 refactor: adapt for typeorm 0.3
Signed-off-by: David Mehren <git@herrmehren.de>
2022-06-12 20:09:07 +02:00
Philip Molares
174eee8f0a test: ldap auth config
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-04-17 21:05:13 +02:00
David Mehren
e7ca10bb66 refactor(history-entry-import-dto): rename lastVisited -> lastVisitedAt
Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 13:54:43 +01:00
David Mehren
342efcd7b7 feat(note-metadata): replace primaryAlias with primaryAddress
The primary address is never null.
If no alias is set, the id is returned.

To still easily get the primary alias, the complete Alias DTOs
are now included in the metadata.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 13:54:43 +01:00
David Mehren
64b16c831e refactor(register-dto): rename displayname -> displayName
Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 13:54:43 +01:00
David Mehren
6944094b9b fix(api/private/me): require and document displayName
This renames the argument in the POST /profile route to `displayName`
to be more consistent with the UserDTO.

It also adds OpenAPI docs.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 13:54:43 +01:00
David Mehren
d6ea4d29fe feat(api/private/me): include authProvider in UserInfo
This information is supposed to be used by the frontend
to identify the login method that was used.

The used login method is saved as a string into the session data
and extracted via a new SessionAuthProvider decorator.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 13:54:43 +01:00
David Mehren
8e31f3a393 refactor(api/private/media): return MediaUpload object instead of url
This ensures the private POST /media API behaves in the same way as /me/media

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 13:54:43 +01:00
David Mehren
9c6d3d9dab test: tests don't need to set up sessions by themselves
The setup is handled inside TestSetupBuilder.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-06 22:24:21 +01:00
David Mehren
9030488025 test: make tests order-independent
MariaDB seems to order the returned media objects in a different way,
making our tests fail.

This refactors the tests to be independent of the order of returned data.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-06 22:24:21 +01:00
David Mehren
552cb05d92 refactor(api/private/tokens): validate POST data with DTO
This adds an `AuthTokenCreateDto` which allows
to fully validate incoming JSON data.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-06 22:24:21 +01:00
David Mehren
a6734cc58f test: ensure testSetup.cleanup is called
Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-06 22:24:21 +01:00
David Mehren
0be8e4ea55 feat(api/private): add GroupsController
The GroupsController can be used to fetch information about groups.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-01 20:20:18 +01:00
David Mehren
0394679134 feat(user-info-dto): split email into separate DTO
The email address should only be available
in /me routes.
This commit splits the email address into a new FullUserInfoDto.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-01 20:20:18 +01:00
David Mehren
a7edf00ebc feat(api/private): add UsersController
The UsersController can be used to fetch information about users.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-01 20:20:18 +01:00
Philip Molares
cae55e0baa test: fix e2e test error codes
As these were changed with the openapi decorator, the tests need to reflect this.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-02-20 20:56:09 +01:00
Philip Molares
6269c7f7bc test: fix expected error codes in multiple tests
In the e2e tests the global filter must be added via the special provider 'APP_FILTER' and not with useGlobalFilters, because otherwise the filter breaks due to the way supertest handles the HTTP connection.

See: https://github.com/nestjs/nest/issues/1160#issuecomment-468698640

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-02-07 00:08:41 +01:00
Yannick Bungers
42ad99e20b Replace fs.rmdir recursive by fs.rm recursive
fs.rmdir(path, { recursive: true}) is deprecated and
is replaced by fs.rm(path, { recursive: true}).

Signed-off-by: Yannick Bungers <git@innay.de>
2022-01-31 08:55:42 +01:00
Philip Molares
f4a580cf2a refactor(config): extract note config from app config
This commit separates the app config object from a new note config object. This was done to separate different concerns in different config files. Especially if the number of settings that are about notes increases, it is a good idea to keep them separate from the app config.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-01-30 22:19:50 +01:00
David Mehren
ac1cdc63e0 style(e2e-tests): remove unused imports
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-27 21:05:17 +01:00
David Mehren
d1dbd1bb22 feat(test-setup): restructure to synchronous builder
The previous pattern used async methods for the builder pattern,
which were hideous to use when chained multiple times.

This extracts the builder into a separate class
and uses normal functions in the builder.
These queue async functions in arrays, which are executed
at the correct time, when the new async `build` function is called.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-27 21:05:17 +01:00
David Mehren
ae52f70ef9 test(e2e/private/alias): test all error scenarios
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-27 21:05:17 +01:00
David Mehren
b2802d4c29 test(e2e/private/alias): use testSetup with users
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-27 21:05:17 +01:00
David Mehren
6cd3feb82c refactor(history-entry): rename lastVisited
This is part of an effort to name all date attributes
consistently.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-16 22:04:34 +01:00
David Mehren
b0e2987987 refactor(auth-token): rename lastUsed to lastUsedAt
This is part of an effort to name all date attributes
consistently.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-16 21:52:15 +01:00
Erik Michelson
277e2fb1ca feat(auth): password change requires old password
By checking the "old" password of the user prior to a password change, the
password change function is better secured against abuse.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-12-28 01:46:40 +01:00
David Mehren
235e4f647c refactor(note): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-11-30 16:46:07 +01:00
David Mehren
b4a65b47f0 fix(auth): use sha-512 for auth tokens
Bcrypt hashes are too slow to be validated on every request.
As our tokens are random and have a fixed length, it is reasonable
to use SHA-512 instead.

SHA-512 is recommended as cryptographically strong by the BSI:
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile

Fixes https://github.com/hedgedoc/hedgedoc/issues/1881

Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-09 23:04:00 +01:00
Philip Molares
988909eb0b test: fix note e2e test 'fails, when user can't read note'
Because the rejection now happens automatically in the permissions guard, it now returns a 403 instead of a 401.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-11-21 18:03:29 +01:00
David Mehren
b9d3c95d2d fix(note): fix type for owner param
To make the create method easier to use in conjunction
with the authentication framework, this commit changes the type of
the `owner` parameter from `User | undefined` to `User | null`.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-11-14 21:44:59 +01:00
Philip Molares
ed5367d456 test(private-api): fix aliases expect
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-11-08 21:40:36 +01:00
David Mehren
0fc2b1309a Add E2E tests for login and registration
Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-21 19:51:42 +02:00
David Mehren
c02f845ecb AuthController: Return 409 Conflict when user already exists
The previously used HTTP error 400 'Bad Request' is not really
applicable here, as the client did not send a malformed message.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-27 19:39:18 +02:00
David Mehren
9e2b9caca9 Update API routes in private API E2E tests
Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-15 17:06:56 +02:00
David Mehren
1cc797f13d Separate private and public API in TestSetup
Including both PublicApiModule and PrivateApiModule in the test setup
led to the API routes overwriting each other.
This adds a router to separate the APIs as they are in the normal app.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-15 16:44:43 +02:00
David Mehren
474ca5deaf Migrate private history API E2E test to global TestSetup
Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-14 22:44:30 +02:00
David Mehren
6ee9589b2c Migrate private me API E2E test to global TestSetup
Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-14 22:01:18 +02:00
David Mehren
60bbe42447 Migrate private media API E2E test to global TestSetup
Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-14 21:57:10 +02:00
David Mehren
86a910a9e8 Migrate private notes API E2E test to global TestSetup
Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-14 21:45:13 +02:00
Alexandru Văleanu
32929c1e77 Add delete media in private API (#1736)
Adds the missing API route of deleting media in the private API.
2021-10-18 19:00:28 +01:00
Yannick Bungers
40103cb397 fix username spelling from userName
Signed-off-by: Yannick Bungers <git@innay.de>
2021-10-13 22:28:10 +02:00