feat(security): #328 delete old sessions forgot password [tbs]
Some checks failed
Build Docker Image / Build-Docker-Image (push) Failing after 41s
Some checks failed
Build Docker Image / Build-Docker-Image (push) Failing after 41s
This commit is contained in:
62
main_test.go
62
main_test.go
@@ -11,6 +11,7 @@ import (
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"me-fit/db"
|
||||
"me-fit/service"
|
||||
"me-fit/types"
|
||||
|
||||
@@ -215,7 +216,7 @@ func TestIntegrationAuth(t *testing.T) {
|
||||
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
||||
|
||||
var sessionIds []string
|
||||
sessions, err := db.Query("SELECT session_id FROM session ORDER BY session_id")
|
||||
sessions, err := db.Query(`SELECT session_id FROM session WHERE NOT user_id = ? ORDER BY session_id`, uuid.Nil)
|
||||
assert.Nil(t, err)
|
||||
for sessions.Next() {
|
||||
var sessionId string
|
||||
@@ -228,69 +229,68 @@ func TestIntegrationAuth(t *testing.T) {
|
||||
assert.Equal(t, "other", sessionIds[0])
|
||||
assert.Equal(t, "session-id", sessionIds[1])
|
||||
})
|
||||
t.Run("should forget password and invalidate other sessions from user", func(t *testing.T) {
|
||||
t.Run("should forget password and invalidate all user sessions", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
db, basePath, ctx := setupIntegrationTest(t)
|
||||
d, basePath, ctx := setupIntegrationTest(t)
|
||||
userId := uuid.New()
|
||||
|
||||
pass := service.GetHashPassword("password", []byte("salt"))
|
||||
_, err := db.Exec(`
|
||||
_, err := d.Exec(`
|
||||
INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at)
|
||||
VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
|
||||
|
||||
sessionId := "session-id"
|
||||
assert.Nil(t, err)
|
||||
_, err = db.Exec(`
|
||||
_, err = d.Exec(`
|
||||
INSERT INTO session (session_id, user_id, created_at, expires_at)
|
||||
VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId)
|
||||
assert.Nil(t, err)
|
||||
_, err = db.Exec(`
|
||||
INSERT INTO session (session_id, user_id, created_at, expires_at)
|
||||
VALUES ("second", ?, datetime(), datetime("now", "+1 day"))`, userId)
|
||||
VALUES ("session-id", ?, datetime(), datetime("now", "+1 day"))`, userId)
|
||||
assert.Nil(t, err)
|
||||
|
||||
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/change-password", nil)
|
||||
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/forgot-password", nil)
|
||||
assert.Nil(t, err)
|
||||
req.Header.Set("Cookie", "id="+sessionId)
|
||||
resp, err := httpClient.Do(req)
|
||||
assert.Nil(t, err)
|
||||
|
||||
sessionId := findCookie(resp, "id").Value
|
||||
html, err := html.Parse(resp.Body)
|
||||
assert.Nil(t, err)
|
||||
|
||||
csrfToken := findCsrfToken(html)
|
||||
assert.NotEqual(t, "", csrfToken)
|
||||
|
||||
formData := url.Values{
|
||||
"current-password": {"password"},
|
||||
"new-password": {"MyNewSecurePassword1!"},
|
||||
"csrf-token": {csrfToken},
|
||||
"email": {"mail@mail.de"},
|
||||
"csrf-token": {csrfToken},
|
||||
}
|
||||
|
||||
req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/change-password", strings.NewReader(formData.Encode()))
|
||||
req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/forgot-password", strings.NewReader(formData.Encode()))
|
||||
assert.Nil(t, err)
|
||||
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
||||
req.Header.Set("Cookie", "id="+sessionId)
|
||||
req.Header.Set("HX-Request", "true")
|
||||
resp, err = httpClient.Do(req)
|
||||
assert.Nil(t, err)
|
||||
|
||||
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
||||
|
||||
var sessionIds []string
|
||||
sessions, err := db.Query("SELECT session_id FROM session ORDER BY session_id")
|
||||
var token string
|
||||
err = d.QueryRow("SELECT token FROM token WHERE type = ?", db.TokenTypePasswordReset).Scan(&token)
|
||||
assert.Nil(t, err)
|
||||
for sessions.Next() {
|
||||
var sessionId string
|
||||
err = sessions.Scan(&sessionId)
|
||||
assert.Nil(t, err)
|
||||
sessionIds = append(sessionIds, sessionId)
|
||||
}
|
||||
|
||||
assert.Equal(t, 2, len(sessionIds))
|
||||
assert.Equal(t, "other", sessionIds[0])
|
||||
assert.Equal(t, "session-id", sessionIds[1])
|
||||
formData = url.Values{
|
||||
"new-password": {"MyNewSecurePassword1!"},
|
||||
"csrf-token": {csrfToken},
|
||||
}
|
||||
req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/forgot-password-actual", strings.NewReader(formData.Encode()))
|
||||
assert.Nil(t, err)
|
||||
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
||||
req.Header.Set("Cookie", "id="+sessionId)
|
||||
req.Header.Set("HX-Request", "true")
|
||||
req.Header.Set("HX-Current-URL", basePath+"/auth/change-password?token="+url.QueryEscape(token))
|
||||
resp, err = httpClient.Do(req)
|
||||
assert.Nil(t, err)
|
||||
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
||||
|
||||
sessions, err := d.Query("SELECT session_id FROM session WHERE user_id = ?", userId)
|
||||
assert.Nil(t, err)
|
||||
assert.False(t, sessions.Next())
|
||||
})
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user