chore(auth): #331 add change password tests
All checks were successful
Build Docker Image / Build-Docker-Image (push) Successful in 47s
All checks were successful
Build Docker Image / Build-Docker-Image (push) Successful in 47s
This commit is contained in:
@@ -45,8 +45,8 @@ func (handler AuthImpl) Handle(router *http.ServeMux) {
|
|||||||
router.Handle("/auth/delete-account", handler.handleDeleteAccountPage())
|
router.Handle("/auth/delete-account", handler.handleDeleteAccountPage())
|
||||||
router.Handle("/api/auth/delete-account", handler.handleDeleteAccountComp())
|
router.Handle("/api/auth/delete-account", handler.handleDeleteAccountComp())
|
||||||
|
|
||||||
router.Handle("/auth/change-password", handler.handleChangePasswordPage())
|
router.Handle("GET /auth/change-password", handler.handleChangePasswordPage())
|
||||||
router.Handle("/api/auth/change-password", handler.handleChangePasswordComp())
|
router.Handle("POST /api/auth/change-password", handler.handleChangePasswordComp())
|
||||||
|
|
||||||
router.Handle("/auth/forgot-password", handler.handleForgotPasswordPage())
|
router.Handle("/auth/forgot-password", handler.handleForgotPasswordPage())
|
||||||
router.Handle("/api/auth/forgot-password", handler.handleForgotPasswordComp())
|
router.Handle("/api/auth/forgot-password", handler.handleForgotPasswordComp())
|
||||||
@@ -307,7 +307,7 @@ func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
|
|||||||
session := middleware.GetSession(r)
|
session := middleware.GetSession(r)
|
||||||
user := middleware.GetUser(r)
|
user := middleware.GetUser(r)
|
||||||
if session == nil || user == nil {
|
if session == nil || user == nil {
|
||||||
utils.DoRedirect(w, r, "/auth/signin")
|
utils.TriggerToast(w, r, "error", "Unathorized", http.StatusUnauthorized)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -316,7 +316,7 @@ func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
|
|||||||
|
|
||||||
err := handler.service.ChangePassword(user, session.Id, currPass, newPass)
|
err := handler.service.ChangePassword(user, session.Id, currPass, newPass)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
utils.TriggerToast(w, r, "error", "Password not correct", http.StatusUnauthorized)
|
utils.TriggerToast(w, r, "error", "Password not correct", http.StatusBadRequest)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
180
main_test.go
180
main_test.go
@@ -933,7 +933,187 @@ func TestIntegrationAuth(t *testing.T) {
|
|||||||
assert.Equal(t, 0, rows)
|
assert.Equal(t, 0, rows)
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
t.Run("ChangePassword", func(t *testing.T) {
|
t.Run("ChangePassword", func(t *testing.T) {
|
||||||
|
t.Run(`should redirect to "/" if not signed in`, func(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
|
_, basePath, ctx := setupIntegrationTest(t)
|
||||||
|
|
||||||
|
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/change-password", nil)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
resp, err := httpClient.Do(req)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
|
||||||
|
assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
|
||||||
|
assert.Equal(t, "/auth/signin", resp.Header.Get("Location"))
|
||||||
|
})
|
||||||
|
t.Run(`should throw unautohorized if not signed in`, func(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
|
_, basePath, ctx := setupIntegrationTest(t)
|
||||||
|
|
||||||
|
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signin", nil)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
resp, err := httpClient.Do(req)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
html, err := html.Parse(resp.Body)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
anonymousCsrfToken := findCsrfToken(html)
|
||||||
|
assert.NotEqual(t, "", anonymousCsrfToken)
|
||||||
|
anonymousSessionId := findCookie(resp, "id").Value
|
||||||
|
assert.NotEqual(t, "", anonymousSessionId)
|
||||||
|
|
||||||
|
formData := url.Values{
|
||||||
|
"current-password": {"password"},
|
||||||
|
"new-password": {"MyNewSecurePassword1!"},
|
||||||
|
"csrf-token": {anonymousCsrfToken},
|
||||||
|
}
|
||||||
|
req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/change-password", strings.NewReader(formData.Encode()))
|
||||||
|
assert.Nil(t, err)
|
||||||
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
||||||
|
req.Header.Set("Cookie", "id="+anonymousSessionId)
|
||||||
|
req.Header.Set("HX-Request", "true")
|
||||||
|
resp, err = httpClient.Do(req)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
|
||||||
|
assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
|
||||||
|
})
|
||||||
|
t.Run(`should fail if csrf token is invalid`, func(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
|
db, basePath, ctx := setupIntegrationTest(t)
|
||||||
|
userId := uuid.New()
|
||||||
|
|
||||||
|
pass := service.GetHashPassword("password", []byte("salt"))
|
||||||
|
_, err := db.Exec(`
|
||||||
|
INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at)
|
||||||
|
VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
|
||||||
|
|
||||||
|
sessionId := "session-id"
|
||||||
|
assert.Nil(t, err)
|
||||||
|
_, err = db.Exec(`
|
||||||
|
INSERT INTO session (session_id, user_id, created_at, expires_at)
|
||||||
|
VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
|
||||||
|
formData := url.Values{
|
||||||
|
"current-password": {"password"},
|
||||||
|
"new-password": {"MyNewSecurePassword1!"},
|
||||||
|
"csrf-token": {"invalid-csrf-token"},
|
||||||
|
}
|
||||||
|
|
||||||
|
req, err := http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/change-password", strings.NewReader(formData.Encode()))
|
||||||
|
assert.Nil(t, err)
|
||||||
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
||||||
|
req.Header.Set("Cookie", "id="+sessionId)
|
||||||
|
req.Header.Set("HX-Request", "true")
|
||||||
|
resp, err := httpClient.Do(req)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
|
||||||
|
assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
|
||||||
|
|
||||||
|
var rows int
|
||||||
|
err = db.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND password = ?", userId, pass).Scan(&rows)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
assert.Equal(t, 1, rows)
|
||||||
|
})
|
||||||
|
t.Run("should fail if current password does not match", func(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
|
db, basePath, ctx := setupIntegrationTest(t)
|
||||||
|
userId := uuid.New()
|
||||||
|
pass := service.GetHashPassword("password", []byte("salt"))
|
||||||
|
|
||||||
|
_, err := db.Exec(`
|
||||||
|
INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at)
|
||||||
|
VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
|
||||||
|
|
||||||
|
sessionId := "session-id"
|
||||||
|
assert.Nil(t, err)
|
||||||
|
_, err = db.Exec(`
|
||||||
|
INSERT INTO session (session_id, user_id, created_at, expires_at)
|
||||||
|
VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
|
||||||
|
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/change-password", nil)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
req.Header.Set("Cookie", "id="+sessionId)
|
||||||
|
resp, err := httpClient.Do(req)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
html, err := html.Parse(resp.Body)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
csrfToken := findCsrfToken(html)
|
||||||
|
assert.NotEqual(t, "", csrfToken)
|
||||||
|
|
||||||
|
formData := url.Values{
|
||||||
|
"current-password": {"wrong-password"},
|
||||||
|
"new-password": {"MyNewSecurePassword1!"},
|
||||||
|
"csrf-token": {csrfToken},
|
||||||
|
}
|
||||||
|
req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/change-password", strings.NewReader(formData.Encode()))
|
||||||
|
assert.Nil(t, err)
|
||||||
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
||||||
|
req.Header.Set("Cookie", "id="+sessionId)
|
||||||
|
req.Header.Set("HX-Request", "true")
|
||||||
|
resp, err = httpClient.Do(req)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
|
||||||
|
assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
|
||||||
|
|
||||||
|
var rows int
|
||||||
|
err = db.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND password = ?", userId, pass).Scan(&rows)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
assert.Equal(t, 1, rows)
|
||||||
|
})
|
||||||
|
t.Run("should fail if new password is insecure", func(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
|
db, basePath, ctx := setupIntegrationTest(t)
|
||||||
|
userId := uuid.New()
|
||||||
|
pass := service.GetHashPassword("password", []byte("salt"))
|
||||||
|
|
||||||
|
_, err := db.Exec(`
|
||||||
|
INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at)
|
||||||
|
VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
|
||||||
|
|
||||||
|
sessionId := "session-id"
|
||||||
|
assert.Nil(t, err)
|
||||||
|
_, err = db.Exec(`
|
||||||
|
INSERT INTO session (session_id, user_id, created_at, expires_at)
|
||||||
|
VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
|
||||||
|
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/change-password", nil)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
req.Header.Set("Cookie", "id="+sessionId)
|
||||||
|
resp, err := httpClient.Do(req)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
html, err := html.Parse(resp.Body)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
csrfToken := findCsrfToken(html)
|
||||||
|
assert.NotEqual(t, "", csrfToken)
|
||||||
|
|
||||||
|
formData := url.Values{
|
||||||
|
"current-password": {"password"},
|
||||||
|
"new-password": {"insecure-password"},
|
||||||
|
"csrf-token": {csrfToken},
|
||||||
|
}
|
||||||
|
req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/change-password", strings.NewReader(formData.Encode()))
|
||||||
|
assert.Nil(t, err)
|
||||||
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
||||||
|
req.Header.Set("Cookie", "id="+sessionId)
|
||||||
|
req.Header.Set("HX-Request", "true")
|
||||||
|
resp, err = httpClient.Do(req)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
|
||||||
|
assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
|
||||||
|
|
||||||
|
var rows int
|
||||||
|
err = db.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND password = ?", userId, pass).Scan(&rows)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
assert.Equal(t, 1, rows)
|
||||||
|
})
|
||||||
t.Run("should change password and invalidate all other user sessions", func(t *testing.T) {
|
t.Run("should change password and invalidate all other user sessions", func(t *testing.T) {
|
||||||
t.Parallel()
|
t.Parallel()
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user