overleaf/services/web/test/UnitTests/coffee/PasswordReset/PasswordResetControllerTests.coffee

should = require('chai').should()
expect = require("chai").expect
SandboxedModule = require('sandboxed-module')
assert = require('assert')
path = require('path')
sinon = require('sinon')
modulePath = path.join __dirname, "../../../../app/js/Features/PasswordReset/PasswordResetController"
expect = require("chai").expect

describe "PasswordResetController", ->

	beforeEach ->

		@settings = {}
		@PasswordResetHandler =
			generateAndEmailResetToken:sinon.stub()
			setNewUserPassword:sinon.stub()
		@RateLimiter =
			addCount: sinon.stub()
		@UserSessionsManager =
			revokeAllUserSessions: sinon.stub().callsArgWith(2, null)
		@PasswordResetController = SandboxedModule.require modulePath, requires:
			"settings-sharelatex":@settings
			"./PasswordResetHandler":@PasswordResetHandler
			"logger-sharelatex": log:->
			"../../infrastructure/RateLimiter":@RateLimiter
			"../Authentication/AuthenticationController": @AuthenticationController = {}
			"../User/UserGetter": @UserGetter = {}
			"../User/UserSessionsManager": @UserSessionsManager

		@email = "bob@bob.com "
		@token = "my security token that was emailed to me"
		@password = "my new password"
		@req =
			body:
				email:@email
				passwordResetToken:@token
				password:@password
			i18n:
				translate:->
			session: {}
			query: {}

		@res = {}


	describe "requestReset", ->

		it "should error if the rate limit is hit", (done)->
			@PasswordResetHandler.generateAndEmailResetToken.callsArgWith(1, null, true)
			@RateLimiter.addCount.callsArgWith(1, null, false)
			@res.send = (code)=>
				code.should.equal 500
				@PasswordResetHandler.generateAndEmailResetToken.calledWith(@email.trim()).should.equal false
				done()
			@PasswordResetController.requestReset @req, @res


		it "should tell the handler to process that email", (done)->
			@RateLimiter.addCount.callsArgWith(1, null, true)
			@PasswordResetHandler.generateAndEmailResetToken.callsArgWith(1, null, true)
			@res.sendStatus = (code)=>
				code.should.equal 200
				@PasswordResetHandler.generateAndEmailResetToken.calledWith(@email.trim()).should.equal true
				done()
			@PasswordResetController.requestReset @req, @res

		it "should send a 500 if there is an error", (done)->
			@RateLimiter.addCount.callsArgWith(1, null, true)
			@PasswordResetHandler.generateAndEmailResetToken.callsArgWith(1, "error")
			@res.send = (code)=>
				code.should.equal 500
				done()
			@PasswordResetController.requestReset @req, @res

		it "should send a 404 if the email doesn't exist", (done)->
			@RateLimiter.addCount.callsArgWith(1, null, true)
			@PasswordResetHandler.generateAndEmailResetToken.callsArgWith(1, null, false)
			@res.send = (code)=>
				code.should.equal 404
				done()
			@PasswordResetController.requestReset @req, @res

		it "should lowercase the email address", (done)->
			@email = "UPerCaseEMAIL@example.Com"
			@req.body.email = @email
			@RateLimiter.addCount.callsArgWith(1, null, true)
			@PasswordResetHandler.generateAndEmailResetToken.callsArgWith(1, null, true)
			@res.sendStatus = (code)=>
				code.should.equal 200
				@PasswordResetHandler.generateAndEmailResetToken.calledWith(@email.toLowerCase()).should.equal true
				done()
			@PasswordResetController.requestReset @req, @res

	describe "setNewUserPassword", ->

		beforeEach ->
			@req.session.resetToken = @token

		it "should tell the user handler to reset the password", (done)->
			@PasswordResetHandler.setNewUserPassword.callsArgWith(2, null, true)
			@res.sendStatus = (code)=>
				code.should.equal 200
				@PasswordResetHandler.setNewUserPassword.calledWith(@token, @password).should.equal true
				done()
			@PasswordResetController.setNewUserPassword @req, @res

		it "should send 404 if the token didn't work", (done)->
			@PasswordResetHandler.setNewUserPassword.callsArgWith(2, null, false)
			@res.sendStatus = (code)=>
				code.should.equal 404
				done()
			@PasswordResetController.setNewUserPassword @req, @res

		it "should return 400 (Bad Request) if there is no password", (done)->
			@req.body.password = ""
			@PasswordResetHandler.setNewUserPassword.callsArgWith(2)
			@res.sendStatus = (code)=>
				code.should.equal 400
				@PasswordResetHandler.setNewUserPassword.called.should.equal false
				done()
			@PasswordResetController.setNewUserPassword @req, @res

		it "should return 400 (Bad Request) if there is no passwordResetToken", (done)->
			@req.body.passwordResetToken = ""
			@PasswordResetHandler.setNewUserPassword.callsArgWith(2)
			@res.sendStatus = (code)=>
				code.should.equal 400
				@PasswordResetHandler.setNewUserPassword.called.should.equal false
				done()
			@PasswordResetController.setNewUserPassword @req, @res

		it "should clear the session.resetToken", (done) ->
			@PasswordResetHandler.setNewUserPassword.callsArgWith(2, null, true)
			@res.sendStatus = (code)=>
				code.should.equal 200
				@req.session.should.not.have.property 'resetToken'
				done()
			@PasswordResetController.setNewUserPassword @req, @res

		it 'should clear sessions', (done) ->
			@PasswordResetHandler.setNewUserPassword.callsArgWith(2, null, true)
			@res.sendStatus = (code)=>
				@UserSessionsManager.revokeAllUserSessions.callCount.should.equal 1
				done()
			@PasswordResetController.setNewUserPassword @req, @res

		it "should login user if login_after is set", (done) ->
			@UserGetter.getUser = sinon.stub().callsArgWith(2, null, { email: "joe@example.com" })
			@PasswordResetHandler.setNewUserPassword.callsArgWith(2, null, true, @user_id = "user-id-123")
			@req.body.login_after = "true"
			@AuthenticationController.doLogin = (options, req, res, next)=>
				@UserGetter.getUser.calledWith(@user_id).should.equal true
				expect(options).to.deep.equal {
					email: "joe@example.com",
					password: @password
				}
				done()
			@PasswordResetController.setNewUserPassword @req, @res

	describe "renderSetPasswordForm", ->

		describe "with token in query-string", ->
			beforeEach ->
				@req.query.passwordResetToken = @token

			it "should set session.resetToken and redirect", (done) ->
				@req.session.should.not.have.property 'resetToken'
				@res.redirect = (path) =>
					path.should.equal '/user/password/set'
					@req.session.resetToken.should.equal @token
					done()
				@PasswordResetController.renderSetPasswordForm(@req, @res)

		describe "without a token in query-string", ->

			describe "with token in session", ->
				beforeEach ->
					@req.session.resetToken = @token

				it "should render the page, passing the reset token", (done) ->
					@res.render = (template_path, options) =>
						options.passwordResetToken.should.equal @req.session.resetToken
						done()
					@PasswordResetController.renderSetPasswordForm(@req, @res)

			describe "without a token in session", ->

				it "should redirect to the reset request page", (done) ->
					@res.redirect = (path) =>
						path.should.equal "/user/password/reset"
						@req.session.should.not.have.property 'resetToken'
						done()
					@PasswordResetController.renderSetPasswordForm(@req, @res)
written password reset handler 2014-05-15 11:20:23 -04:00			`should = require('chai').should()`
Improve pre-registered account activation process 2015-12-11 06:30:06 -05:00			`expect = require("chai").expect`
written password reset handler 2014-05-15 11:20:23 -04:00			`SandboxedModule = require('sandboxed-module')`
			`assert = require('assert')`
			`path = require('path')`
			`sinon = require('sinon')`
			`modulePath = path.join __dirname, "../../../../app/js/Features/PasswordReset/PasswordResetController"`
			`expect = require("chai").expect`

			`describe "PasswordResetController", ->`

			`beforeEach ->`

			`@settings = {}`
written password reset controller 2014-05-15 11:50:38 -04:00			`@PasswordResetHandler =`
			`generateAndEmailResetToken:sinon.stub()`
			`setNewUserPassword:sinon.stub()`
Keep password reset token in session, and strip it from reset page url. This fixes an issue where the reset token was leaked in the referrer header when navigating away from the password reset page to an external site. Now we get the token from the query string, store it in the session, then redirect to the bare url of the password reset page, which then uses the stored token to render the reset form. 2015-08-24 06:53:33 -04:00			`@RateLimiter =`
added rate limiting to password reset endpoint 2014-05-16 05:31:33 -04:00			`addCount: sinon.stub()`
clear sessions on password reset 2016-07-05 09:19:59 -04:00			`@UserSessionsManager =`
			`revokeAllUserSessions: sinon.stub().callsArgWith(2, null)`
written password reset handler 2014-05-15 11:20:23 -04:00			`@PasswordResetController = SandboxedModule.require modulePath, requires:`
			`"settings-sharelatex":@settings`
written password reset controller 2014-05-15 11:50:38 -04:00			`"./PasswordResetHandler":@PasswordResetHandler`
written password reset handler 2014-05-15 11:20:23 -04:00			`"logger-sharelatex": log:->`
added rate limiting to password reset endpoint 2014-05-16 05:31:33 -04:00			`"../../infrastructure/RateLimiter":@RateLimiter`
Improve pre-registered account activation process 2015-12-11 06:30:06 -05:00			`"../Authentication/AuthenticationController": @AuthenticationController = {}`
			`"../User/UserGetter": @UserGetter = {}`
clear sessions on password reset 2016-07-05 09:19:59 -04:00			`"../User/UserSessionsManager": @UserSessionsManager`
written password reset handler 2014-05-15 11:20:23 -04:00
written password reset controller 2014-05-15 11:50:38 -04:00			`@email = "bob@bob.com "`
			`@token = "my security token that was emailed to me"`
			`@password = "my new password"`
			`@req =`
			`body:`
			`email:@email`
added the token generator and its getNewToken function 2014-05-15 12:16:20 -04:00			`passwordResetToken:@token`
written password reset controller 2014-05-15 11:50:38 -04:00			`password:@password`
Changed the error messages which are sent down to the client to be translated first fixed up tests from titles we check when rendering, deleted them as they never catch anything important, more hastle than they are worth imo. 2014-08-01 09:03:38 -04:00			`i18n:`
			`translate:->`
Keep password reset token in session, and strip it from reset page url. This fixes an issue where the reset token was leaked in the referrer header when navigating away from the password reset page to an external site. Now we get the token from the query string, store it in the session, then redirect to the bare url of the password reset page, which then uses the stored token to render the reset form. 2015-08-24 06:53:33 -04:00			`session: {}`
			`query: {}`
written password reset handler 2014-05-15 11:20:23 -04:00
added rate limiting to password reset endpoint 2014-05-16 05:31:33 -04:00			`@res = {}`
written password reset handler 2014-05-15 11:20:23 -04:00

written password reset controller 2014-05-15 11:50:38 -04:00			`describe "requestReset", ->`
written password reset handler 2014-05-15 11:20:23 -04:00
added rate limiting to password reset endpoint 2014-05-16 05:31:33 -04:00			`it "should error if the rate limit is hit", (done)->`
Don't error on password reset if no email found, and translate error messages 2014-08-08 06:41:54 -04:00			`@PasswordResetHandler.generateAndEmailResetToken.callsArgWith(1, null, true)`
added rate limiting to password reset endpoint 2014-05-16 05:31:33 -04:00			`@RateLimiter.addCount.callsArgWith(1, null, false)`
			`@res.send = (code)=>`
			`code.should.equal 500`
			`@PasswordResetHandler.generateAndEmailResetToken.calledWith(@email.trim()).should.equal false`
			`done()`
			`@PasswordResetController.requestReset @req, @res`


written password reset controller 2014-05-15 11:50:38 -04:00			`it "should tell the handler to process that email", (done)->`
added rate limiting to password reset endpoint 2014-05-16 05:31:33 -04:00			`@RateLimiter.addCount.callsArgWith(1, null, true)`
Don't error on password reset if no email found, and translate error messages 2014-08-08 06:41:54 -04:00			`@PasswordResetHandler.generateAndEmailResetToken.callsArgWith(1, null, true)`
send -> sendStatus 2015-07-08 11:56:38 -04:00			`@res.sendStatus = (code)=>`
written password reset controller 2014-05-15 11:50:38 -04:00			`code.should.equal 200`
			`@PasswordResetHandler.generateAndEmailResetToken.calledWith(@email.trim()).should.equal true`
			`done()`
			`@PasswordResetController.requestReset @req, @res`
written password reset handler 2014-05-15 11:20:23 -04:00
written password reset controller 2014-05-15 11:50:38 -04:00			`it "should send a 500 if there is an error", (done)->`
added rate limiting to password reset endpoint 2014-05-16 05:31:33 -04:00			`@RateLimiter.addCount.callsArgWith(1, null, true)`
written password reset controller 2014-05-15 11:50:38 -04:00			`@PasswordResetHandler.generateAndEmailResetToken.callsArgWith(1, "error")`
			`@res.send = (code)=>`
			`code.should.equal 500`
			`done()`
			`@PasswordResetController.requestReset @req, @res`

Don't error on password reset if no email found, and translate error messages 2014-08-08 06:41:54 -04:00			`it "should send a 404 if the email doesn't exist", (done)->`
			`@RateLimiter.addCount.callsArgWith(1, null, true)`
			`@PasswordResetHandler.generateAndEmailResetToken.callsArgWith(1, null, false)`
			`@res.send = (code)=>`
			`code.should.equal 404`
			`done()`
			`@PasswordResetController.requestReset @req, @res`

lowercase password reset email 2014-06-10 12:54:29 -04:00			`it "should lowercase the email address", (done)->`
			`@email = "UPerCaseEMAIL@example.Com"`
			`@req.body.email = @email`
			`@RateLimiter.addCount.callsArgWith(1, null, true)`
Don't error on password reset if no email found, and translate error messages 2014-08-08 06:41:54 -04:00			`@PasswordResetHandler.generateAndEmailResetToken.callsArgWith(1, null, true)`
send -> sendStatus 2015-07-08 11:56:38 -04:00			`@res.sendStatus = (code)=>`
lowercase password reset email 2014-06-10 12:54:29 -04:00			`code.should.equal 200`
			`@PasswordResetHandler.generateAndEmailResetToken.calledWith(@email.toLowerCase()).should.equal true`
			`done()`
			`@PasswordResetController.requestReset @req, @res`

written password reset controller 2014-05-15 11:50:38 -04:00			`describe "setNewUserPassword", ->`

Keep password reset token in session, and strip it from reset page url. This fixes an issue where the reset token was leaked in the referrer header when navigating away from the password reset page to an external site. Now we get the token from the query string, store it in the session, then redirect to the bare url of the password reset page, which then uses the stored token to render the reset form. 2015-08-24 06:53:33 -04:00			`beforeEach ->`
			`@req.session.resetToken = @token`

written password reset controller 2014-05-15 11:50:38 -04:00			`it "should tell the user handler to reset the password", (done)->`
Show password reset expired message rather than server error if that's what has happened 2014-10-08 12:18:24 -04:00			`@PasswordResetHandler.setNewUserPassword.callsArgWith(2, null, true)`
send -> sendStatus 2015-07-08 11:56:38 -04:00			`@res.sendStatus = (code)=>`
written password reset controller 2014-05-15 11:50:38 -04:00			`code.should.equal 200`
			`@PasswordResetHandler.setNewUserPassword.calledWith(@token, @password).should.equal true`
			`done()`
			`@PasswordResetController.setNewUserPassword @req, @res`

Show password reset expired message rather than server error if that's what has happened 2014-10-08 12:18:24 -04:00			`it "should send 404 if the token didn't work", (done)->`
			`@PasswordResetHandler.setNewUserPassword.callsArgWith(2, null, false)`
Improve pre-registered account activation process 2015-12-11 06:30:06 -05:00			`@res.sendStatus = (code)=>`
Show password reset expired message rather than server error if that's what has happened 2014-10-08 12:18:24 -04:00			`code.should.equal 404`
written password reset controller 2014-05-15 11:50:38 -04:00			`done()`
			`@PasswordResetController.setNewUserPassword @req, @res`

Show password reset expired message rather than server error if that's what has happened 2014-10-08 12:18:24 -04:00			`it "should return 400 (Bad Request) if there is no password", (done)->`
written password reset controller 2014-05-15 11:50:38 -04:00			`@req.body.password = ""`
			`@PasswordResetHandler.setNewUserPassword.callsArgWith(2)`
send -> sendStatus 2015-07-08 11:56:38 -04:00			`@res.sendStatus = (code)=>`
Show password reset expired message rather than server error if that's what has happened 2014-10-08 12:18:24 -04:00			`code.should.equal 400`
written password reset controller 2014-05-15 11:50:38 -04:00			`@PasswordResetHandler.setNewUserPassword.called.should.equal false`
			`done()`
			`@PasswordResetController.setNewUserPassword @req, @res`

Show password reset expired message rather than server error if that's what has happened 2014-10-08 12:18:24 -04:00			`it "should return 400 (Bad Request) if there is no passwordResetToken", (done)->`
added the token generator and its getNewToken function 2014-05-15 12:16:20 -04:00			`@req.body.passwordResetToken = ""`
written password reset controller 2014-05-15 11:50:38 -04:00			`@PasswordResetHandler.setNewUserPassword.callsArgWith(2)`
send -> sendStatus 2015-07-08 11:56:38 -04:00			`@res.sendStatus = (code)=>`
Show password reset expired message rather than server error if that's what has happened 2014-10-08 12:18:24 -04:00			`code.should.equal 400`
written password reset controller 2014-05-15 11:50:38 -04:00			`@PasswordResetHandler.setNewUserPassword.called.should.equal false`
			`done()`
			`@PasswordResetController.setNewUserPassword @req, @res`

Keep password reset token in session, and strip it from reset page url. This fixes an issue where the reset token was leaked in the referrer header when navigating away from the password reset page to an external site. Now we get the token from the query string, store it in the session, then redirect to the bare url of the password reset page, which then uses the stored token to render the reset form. 2015-08-24 06:53:33 -04:00			`it "should clear the session.resetToken", (done) ->`
			`@PasswordResetHandler.setNewUserPassword.callsArgWith(2, null, true)`
			`@res.sendStatus = (code)=>`
			`code.should.equal 200`
			`@req.session.should.not.have.property 'resetToken'`
			`done()`
			`@PasswordResetController.setNewUserPassword @req, @res`
clear sessions on password reset 2016-07-05 09:19:59 -04:00
			`it 'should clear sessions', (done) ->`
			`@PasswordResetHandler.setNewUserPassword.callsArgWith(2, null, true)`
			`@res.sendStatus = (code)=>`
			`@UserSessionsManager.revokeAllUserSessions.callCount.should.equal 1`
			`done()`
			`@PasswordResetController.setNewUserPassword @req, @res`

Improve pre-registered account activation process 2015-12-11 06:30:06 -05:00			`it "should login user if login_after is set", (done) ->`
			`@UserGetter.getUser = sinon.stub().callsArgWith(2, null, { email: "joe@example.com" })`
			`@PasswordResetHandler.setNewUserPassword.callsArgWith(2, null, true, @user_id = "user-id-123")`
			`@req.body.login_after = "true"`
			`@AuthenticationController.doLogin = (options, req, res, next)=>`
			`@UserGetter.getUser.calledWith(@user_id).should.equal true`
			`expect(options).to.deep.equal {`
			`email: "joe@example.com",`
			`password: @password`
			`}`
			`done()`
			`@PasswordResetController.setNewUserPassword @req, @res`
Keep password reset token in session, and strip it from reset page url. This fixes an issue where the reset token was leaked in the referrer header when navigating away from the password reset page to an external site. Now we get the token from the query string, store it in the session, then redirect to the bare url of the password reset page, which then uses the stored token to render the reset form. 2015-08-24 06:53:33 -04:00
			`describe "renderSetPasswordForm", ->`

			`describe "with token in query-string", ->`
			`beforeEach ->`
			`@req.query.passwordResetToken = @token`

			`it "should set session.resetToken and redirect", (done) ->`
			`@req.session.should.not.have.property 'resetToken'`
			`@res.redirect = (path) =>`
			`path.should.equal '/user/password/set'`
			`@req.session.resetToken.should.equal @token`
			`done()`
			`@PasswordResetController.renderSetPasswordForm(@req, @res)`

			`describe "without a token in query-string", ->`

			`describe "with token in session", ->`
			`beforeEach ->`
			`@req.session.resetToken = @token`

			`it "should render the page, passing the reset token", (done) ->`
			`@res.render = (template_path, options) =>`
			`options.passwordResetToken.should.equal @req.session.resetToken`
			`done()`
			`@PasswordResetController.renderSetPasswordForm(@req, @res)`
written password reset handler 2014-05-15 11:20:23 -04:00
Keep password reset token in session, and strip it from reset page url. This fixes an issue where the reset token was leaked in the referrer header when navigating away from the password reset page to an external site. Now we get the token from the query string, store it in the session, then redirect to the bare url of the password reset page, which then uses the stored token to render the reset form. 2015-08-24 06:53:33 -04:00			`describe "without a token in session", ->`
written password reset handler 2014-05-15 11:20:23 -04:00
Keep password reset token in session, and strip it from reset page url. This fixes an issue where the reset token was leaked in the referrer header when navigating away from the password reset page to an external site. Now we get the token from the query string, store it in the session, then redirect to the bare url of the password reset page, which then uses the stored token to render the reset form. 2015-08-24 06:53:33 -04:00			`it "should redirect to the reset request page", (done) ->`
			`@res.redirect = (path) =>`
			`path.should.equal "/user/password/reset"`
			`@req.session.should.not.have.property 'resetToken'`
			`done()`
			`@PasswordResetController.renderSetPasswordForm(@req, @res)`