From a1c662b9d87788da163879eb9171edc16609281d Mon Sep 17 00:00:00 2001
From: Shane Kilkelly
Date: Tue, 5 Jul 2016 14:55:08 +0100
Subject: [PATCH] Test session revocation on password change.
---
 .../acceptance/coffee/SessionTests.coffee | 77 +++++++++++++++++++
 .../acceptance/coffee/helpers/User.coffee | 12 +--
 2 files changed, 83 insertions(+), 6 deletions(-)
diff --git a/services/web/test/acceptance/coffee/SessionTests.coffee b/services/web/test/acceptance/coffee/SessionTests.coffee
index 679d168f97..b2b02917ec 100644
--- a/services/web/test/acceptance/coffee/SessionTests.coffee
+++ b/services/web/test/acceptance/coffee/SessionTests.coffee
@@ -113,3 +113,80 @@ describe "Sessions", ->
 done()
 )
+ describe 'three sessions, password reset', ->
+
+ before ->
+ # set up second session for this user
+ @user2 = new User()
+ @user2.email = @user1.email
+ @user2.password = @user1.password
+ @user3 = new User()
+ @user3.email = @user1.email
+ @user3.password = @user1.password
+
+ it "should erase both sessions when password is reset", (done) ->
+ async.series(
+ [
+ (next) =>
+ redis.clearUserSessions @user1, next
+
+ # login, should add session to set
+ , (next) =>
+ @user1.login (err) ->
+ next(err)
+
+ , (next) =>
+ redis.getUserSessions @user1, (err, sessions) =>
+ expect(sessions.length).to.equal 1
+ expect(sessions[0].slice(0, 5)).to.equal 'sess:'
+ next()
+
+ # login again, should add the second session to set
+ , (next) =>
+ @user2.login (err) ->
+ next(err)
+
+ , (next) =>
+ redis.getUserSessions @user1, (err, sessions) =>
+ expect(sessions.length).to.equal 2
+ expect(sessions[0].slice(0, 5)).to.equal 'sess:'
+ expect(sessions[1].slice(0, 5)).to.equal 'sess:'
+ next()
+
+ # login third session, should add the second session to set
+ , (next) =>
+ @user3.login (err) ->
+ next(err)
+
+ , (next) =>
+ redis.getUserSessions @user1, (err, sessions) =>
+ expect(sessions.length).to.equal 3
+ expect(sessions[0].slice(0, 5)).to.equal 'sess:'
+ expect(sessions[1].slice(0, 5)).to.equal 'sess:'
+ next()
+
+ # password reset from second session, should erase two of the three sessions
+ , (next) =>
+ @user2.changePassword (err) ->
+ next(err)
+
+ , (next) =>
+ redis.getUserSessions @user2, (err, sessions) =>
+ expect(sessions.length).to.equal 1
+ next()
+
+ # logout second session, should remove last session from set
+ , (next) =>
+ @user2.logout (err) ->
+ next(err)
+
+ , (next) =>
+ redis.getUserSessions @user1, (err, sessions) =>
+ expect(sessions.length).to.equal 0
+ next()
+
+ ], (err, result) =>
+ if err
+ throw err
+ done()
+ )
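Review bot: Every `redis.getUserSessions` callback in this hunk ignores its `err` argument, so a Redis failure leaves `sessions` undefined and the step dies with a TypeError thrown inside the callback rather than an error reported through `next`; add `return next(err) if err?` as the first line of each of those callbacks. The assertion after `@user2.changePassword` only counts the remaining entries, so it does not show that the surviving session belongs to user2 or that user1 and user3 are actually logged out — an authenticated request from `@user1` that is now rejected would pin the revocation property the test is named for. The comment `# login third session, should add the second session to set` is a copy of the previous step and should read `# login third session, should add the third session to set`, and the three-session check never looks at `sessions[2]`.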
diff --git a/services/web/test/acceptance/coffee/helpers/User.coffee b/services/web/test/acceptance/coffee/helpers/User.coffee
index fa6f3a9ba4..afdd766306 100644
--- a/services/web/test/acceptance/coffee/helpers/User.coffee
+++ b/services/web/test/acceptance/coffee/helpers/User.coffee
@@ -34,7 +34,7 @@ class User
 @getCsrfToken (error) =>
 return callback(error) if error?
 @request.get {
- url: "/logout" # Register will log in, but also ensure user exists
+ url: "/logout"
 json:
 email: @email
 password: @password
@@ -91,19 +91,19 @@ class User
 })
 callback()
- resetPassword: (newPassword, callback = (error) ->) ->
+ changePassword: (callback = (error) ->) ->
 @getCsrfToken (error) =>
 return callback(error) if error?
 @request.post {
- url: "/user/password/set" # Register will log in, but also ensure user exists
+ url: "/user/password/update"
 json:
- password: @password
+ currentPassword: @password
+ newPassword1: @password
+ newPassword2: @password
 }, (error, response, body) =>
 return callback(error) if error?
 db.users.findOne {email: @email}, (error, user) =>
 return callback(error) if error?
- @id = user?._id?.toString()
- @_id = user?._id?.toString()
 callback()
 module.exports = User
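Review bot: `changePassword` never inspects `response.statusCode` or `body`, so an update rejected by `/user/password/update` is reported to the caller as success, and the `db.users.findOne` that follows now discards `user` since the `@id`/`@_id` assignments were removed, leaving a dead database round-trip. Checking the status and dropping the lookup, as below, makes a failed change visible in SessionTests instead of surfacing later as a wrong session count. Note also that `currentPassword`, `newPassword1` and `newPassword2` are all `@password`, so the helper submits an unchanged password; the revocation test therefore only holds as long as the server treats a same-value update as a change, which is worth confirming (the removed `resetPassword` took a `newPassword` argument). Both hunks sit inside the `class User` body, which begins and continues outside them.
```coffeescript
changePassword: (callback = (error) ->) ->
  # … unchanged: CSRF fetch and the request.post url/json …
  }, (error, response, body) =>
    return callback(error) if error?
    # TODO: confirm the success status /user/password/update returns; 200 assumed here
    unless response.statusCode == 200
      return callback(new Error("password change failed with status #{response.statusCode}"))
    callback()
```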