const { expect } = require('chai') const UserHelper = require('./helpers/UserHelper') const { db } = require('../../../app/src/infrastructure/mongodb') describe('PasswordReset', function () { let email, response, user, userHelper, token, emailQuery beforeEach(async function () { userHelper = new UserHelper() email = 'somecooluser@example.com' emailQuery = `?email=${encodeURIComponent(email)}` userHelper = await UserHelper.createUser({ email }) user = userHelper.user // generate the token await userHelper.getCsrfToken() response = await userHelper.fetch('/user/password/reset', { method: 'POST', body: new URLSearchParams({ email }), }) token = ( await db.tokens.findOne({ 'data.user_id': user._id.toString(), }) ).token }) describe('with a valid token', function () { describe('when logged in', function () { beforeEach(async function () { userHelper = await UserHelper.loginUser({ email, password: userHelper.getDefaultPassword(), }) response = await userHelper.fetch( `/user/password/set?passwordResetToken=${token}&email=${email}` ) expect(response.status).to.equal(302) expect(response.headers.get('location')).to.equal( UserHelper.url(`/user/password/set${emailQuery}`).toString() ) // send reset request response = await userHelper.fetch('/user/password/set', { method: 'POST', body: new URLSearchParams({ passwordResetToken: token, password: 'a-password', }), }) userHelper = await UserHelper.getUser({ email }) user = userHelper.user }) it('update the password', async function () { expect(user.hashedPassword).to.exist expect(user.password).to.not.exist }) it('log the change with initiatorId', async function () { const auditLog = userHelper.getAuditLogWithoutNoise() expect(auditLog).to.exist expect(auditLog[0]).to.exist expect(typeof auditLog[0].initiatorId).to.equal('object') expect(auditLog[0].initiatorId).to.deep.equal(user._id) expect(auditLog[0].operation).to.equal('reset-password') expect(auditLog[0].ipAddress).to.equal('127.0.0.1') expect(auditLog[0].timestamp).to.exist }) }) describe('when logged in as another user', function () { let otherUser, otherUserEmail beforeEach(async function () { otherUserEmail = userHelper.getDefaultEmail() userHelper = await UserHelper.createUser({ email: otherUserEmail }) otherUser = userHelper.user userHelper = await UserHelper.loginUser({ email: otherUserEmail, password: userHelper.getDefaultPassword(), }) response = await userHelper.fetch( `/user/password/set?passwordResetToken=${token}&email=${email}` ) expect(response.status).to.equal(302) expect(response.headers.get('location')).to.equal( UserHelper.url(`/user/password/set${emailQuery}`).toString() ) // send reset request response = await userHelper.fetch('/user/password/set', { method: 'POST', body: new URLSearchParams({ passwordResetToken: token, password: 'a-password', }), }) userHelper = await UserHelper.getUser({ email }) user = userHelper.user }) it('update the password', async function () { expect(user.hashedPassword).to.exist expect(user.password).to.not.exist }) it('log the change with the logged in user as the initiatorId', async function () { const auditLog = userHelper.getAuditLogWithoutNoise() expect(auditLog).to.exist expect(auditLog[0]).to.exist expect(typeof auditLog[0].initiatorId).to.equal('object') expect(auditLog[0].initiatorId).to.deep.equal(otherUser._id) expect(auditLog[0].operation).to.equal('reset-password') expect(auditLog[0].ipAddress).to.equal('127.0.0.1') expect(auditLog[0].timestamp).to.exist }) }) describe('when not logged in', function () { beforeEach(async function () { response = await userHelper.fetch( `/user/password/set?passwordResetToken=${token}&email=${email}` ) expect(response.status).to.equal(302) expect(response.headers.get('location')).to.equal( UserHelper.url(`/user/password/set${emailQuery}`).toString() ) // send reset request response = await userHelper.fetch('/user/password/set', { method: 'POST', body: new URLSearchParams({ passwordResetToken: token, password: 'a-password', }), }) userHelper = await UserHelper.getUser({ email }) user = userHelper.user }) it('updates the password', function () { expect(user.hashedPassword).to.exist expect(user.password).to.not.exist }) it('log the change', async function () { const auditLog = userHelper.getAuditLogWithoutNoise() expect(auditLog).to.exist expect(auditLog[0]).to.exist expect(auditLog[0].initiatorId).to.equal(null) expect(auditLog[0].operation).to.equal('reset-password') expect(auditLog[0].ipAddress).to.equal('127.0.0.1') expect(auditLog[0].timestamp).to.exist }) }) describe('password checks', function () { beforeEach(async function () { response = await userHelper.fetch( `/user/password/set?passwordResetToken=${token}&email=${email}` ) expect(response.status).to.equal(302) expect(response.headers.get('location')).to.equal( UserHelper.url(`/user/password/set${emailQuery}`).toString() ) }) it('without a password should return 400 and not log the change', async function () { // send reset request response = await userHelper.fetch('/user/password/set', { method: 'POST', body: new URLSearchParams({ passwordResetToken: token, }), }) expect(response.status).to.equal(400) userHelper = await UserHelper.getUser({ email }) const auditLog = userHelper.getAuditLogWithoutNoise() expect(auditLog).to.deep.equal([]) }) it('without a valid password should return 400 and not log the change', async function () { // send reset request response = await userHelper.fetch('/user/password/set', { method: 'POST', body: new URLSearchParams({ passwordResetToken: token, password: 'short', }), }) expect(response.status).to.equal(400) userHelper = await UserHelper.getUser({ email }) const auditLog = userHelper.getAuditLogWithoutNoise() expect(auditLog).to.deep.equal([]) }) it('should flag email in password', async function () { const localPart = email.split('@').shift() // send bad password response = await userHelper.fetch('/user/password/set', { method: 'POST', headers: { 'Content-Type': 'application/json', Accept: 'application/json', }, body: JSON.stringify({ passwordResetToken: token, password: localPart, email, }), }) expect(response.status).to.equal(400) const body = await response.json() expect(body).to.deep.equal({ message: { text: 'Password cannot contain parts of email address' }, }) }) it('should flag password too similar to email', async function () { const localPart = email.split('@').shift() const localPartReversed = localPart.split('').reverse().join('') // send bad password response = await userHelper.fetch('/user/password/set', { method: 'POST', headers: { 'Content-Type': 'application/json', Accept: 'application/json', }, body: JSON.stringify({ passwordResetToken: token, password: `${localPartReversed}123`, email, }), }) expect(response.status).to.equal(400) const body = await response.json() expect(body).to.deep.equal({ message: { text: 'Password is too similar to email address' }, }) }) it('should be able to retry after providing an invalid password', async function () { // send bad password response = await userHelper.fetch('/user/password/set', { method: 'POST', body: new URLSearchParams({ passwordResetToken: token, password: 'short', }), }) expect(response.status).to.equal(400) // send good password response = await userHelper.fetch('/user/password/set', { method: 'POST', body: new URLSearchParams({ passwordResetToken: token, password: 'SomeThingVeryStrong!11', }), }) expect(response.status).to.equal(200) userHelper = await UserHelper.getUser({ email }) const auditLog = userHelper.getAuditLogWithoutNoise() expect(auditLog.length).to.equal(1) }) it('when the password is the same as current, should return 400 and log the change', async function () { // send reset request response = await userHelper.fetch('/user/password/set', { method: 'POST', body: new URLSearchParams({ passwordResetToken: token, password: userHelper.getDefaultPassword(), }), }) expect(response.status).to.equal(400) const body = await response.json() expect(body.message.key).to.equal('password-must-be-different') userHelper = await UserHelper.getUser({ email }) const auditLog = userHelper.getAuditLogWithoutNoise() expect(auditLog.length).to.equal(1) }) }) }) describe('multiple attempts to set the password, reaching attempt limit', async function () { beforeEach(async function () { response = await userHelper.fetch( `/user/password/set?passwordResetToken=${token}&email=${email}` ) expect(response.status).to.equal(302) expect(response.headers.get('location')).to.equal( UserHelper.url(`/user/password/set${emailQuery}`).toString() ) }) it('should allow multiple attempts with same-password error, then deny further attempts', async function () { const sendSamePasswordRequest = async function () { return userHelper.fetch('/user/password/set', { method: 'POST', headers: { Accept: 'application/json', }, body: new URLSearchParams({ passwordResetToken: token, password: userHelper.getDefaultPassword(), }), }) } // Three attempts at setting the password, all rejected for being the same as // the current password const response1 = await sendSamePasswordRequest() expect(response1.status).to.equal(400) const body1 = await response1.json() expect(body1.message.key).to.equal('password-must-be-different') const response2 = await sendSamePasswordRequest() expect(response2.status).to.equal(400) const body2 = await response2.json() expect(body2.message.key).to.equal('password-must-be-different') const response3 = await sendSamePasswordRequest() expect(response3.status).to.equal(400) const body3 = await response3.json() expect(body3.message.key).to.equal('password-must-be-different') // Fourth attempt is rejected because the token has been used too many times const response4 = await sendSamePasswordRequest() expect(response4.status).to.equal(404) const body4 = await response4.json() expect(body4.message.key).to.equal('token-expired') }) it('should allow multiple attempts with same-password error, then set the password', async function () { const sendSamePasswordRequest = async function () { return userHelper.fetch('/user/password/set', { method: 'POST', headers: { Accept: 'application/json', }, body: new URLSearchParams({ passwordResetToken: token, password: userHelper.getDefaultPassword(), }), }) } // Two attempts at setting the password, all rejected for being the same as // the current password const response1 = await sendSamePasswordRequest() expect(response1.status).to.equal(400) const body1 = await response1.json() expect(body1.message.key).to.equal('password-must-be-different') const response2 = await sendSamePasswordRequest() expect(response2.status).to.equal(400) const body2 = await response2.json() expect(body2.message.key).to.equal('password-must-be-different') // Third attempt is succeeds const response3 = await userHelper.fetch('/user/password/set', { method: 'POST', body: new URLSearchParams({ passwordResetToken: token, password: 'some-new-password', }), }) expect(response3.status).to.equal(200) // Check the user and audit log userHelper = await UserHelper.getUser({ email }) user = userHelper.user expect(user.hashedPassword).to.exist expect(user.password).to.not.exist const auditLog = userHelper.getAuditLogWithoutNoise() expect(auditLog).to.exist expect(auditLog[0]).to.exist expect(auditLog[0].initiatorId).to.equal(null) expect(auditLog[0].operation).to.equal('reset-password') expect(auditLog[0].ipAddress).to.equal('127.0.0.1') expect(auditLog[0].timestamp).to.exist }) }) describe('without a valid token', function () { it('no token should redirect to page to re-request reset token', async function () { response = await userHelper.fetch(`/user/password/set?&email=${email}`) expect(response.status).to.equal(302) expect(response.headers.get('location')).to.equal( UserHelper.url('/user/password/reset').toString() ) }) it('should show error for invalid tokens and return 404 if used', async function () { const invalidToken = 'not-real-token' response = await userHelper.fetch( `/user/password/set?&passwordResetToken=${invalidToken}&email=${email}` ) expect(response.status).to.equal(302) expect(response.headers.get('location')).to.equal( UserHelper.url('/user/password/reset?error=token_expired').toString() ) // send reset request response = await userHelper.fetch('/user/password/set', { method: 'POST', body: new URLSearchParams({ passwordResetToken: invalidToken, password: 'a-password', }), }) expect(response.status).to.equal(404) }) }) describe('password reset', function () { it('should return 200 if email field is valid', async function () { response = await userHelper.fetch(`/user/password/reset`, { method: 'POST', body: new URLSearchParams({ email }), }) expect(response.status).to.equal(200) }) it('should return 400 if email field is missing', async function () { response = await userHelper.fetch(`/user/password/reset`, { method: 'POST', body: new URLSearchParams({ mail: email }), }) expect(response.status).to.equal(400) }) }) describe('password set', function () { it('should return 200 if password and passwordResetToken fields are valid', async function () { response = await userHelper.fetch(`/user/password/set`, { method: 'POST', body: new URLSearchParams({ password: 'new-password', passwordResetToken: token, }), }) expect(response.status).to.equal(200) }) it('should return 400 if password field is missing', async function () { response = await userHelper.fetch(`/user/password/set`, { method: 'POST', body: new URLSearchParams({ passwordResetToken: token, }), }) expect(response.status).to.equal(400) }) it('should return 400 if passwordResetToken field is missing', async function () { response = await userHelper.fetch(`/user/password/set`, { method: 'POST', body: new URLSearchParams({ password: 'new-password', }), }) expect(response.status).to.equal(400) }) }) })