x/web-app-template
Archived
Template
2
0
Fork 0
Code Issues 13 Pull Requests 4 Actions Packages Activity

chore(auth): #331 add change password tests #354

Merged
tim merged 1 commits from 331-test-change-password into prod 2024-12-25 21:20:52 +00:00
Conversation 0 Commits 1 Files Changed 2 +190 -4
2 changed files with 190 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
handler/auth.go
View File

@@ -45,8 +45,8 @@ func (handler AuthImpl) Handle(router *http.ServeMux) {
router.Handle("/auth/delete-account", handler.handleDeleteAccountPage()) router.Handle("/auth/delete-account", handler.handleDeleteAccountPage())
router.Handle("/api/auth/delete-account", handler.handleDeleteAccountComp()) router.Handle("/api/auth/delete-account", handler.handleDeleteAccountComp())
router.Handle("/auth/change-password", handler.handleChangePasswordPage()) router.Handle("GET /auth/change-password", handler.handleChangePasswordPage())
router.Handle("/api/auth/change-password", handler.handleChangePasswordComp()) router.Handle("POST /api/auth/change-password", handler.handleChangePasswordComp())
router.Handle("/auth/forgot-password", handler.handleForgotPasswordPage()) router.Handle("/auth/forgot-password", handler.handleForgotPasswordPage())
router.Handle("/api/auth/forgot-password", handler.handleForgotPasswordComp()) router.Handle("/api/auth/forgot-password", handler.handleForgotPasswordComp())
@@ -307,7 +307,7 @@ func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
session := middleware.GetSession(r) session := middleware.GetSession(r)
user := middleware.GetUser(r) user := middleware.GetUser(r)
if session == nil || user == nil { if session == nil || user == nil {
utils.DoRedirect(w, r, "/auth/signin") utils.TriggerToast(w, r, "error", "Unathorized", http.StatusUnauthorized)
return return
} }
@@ -316,7 +316,7 @@ func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
err := handler.service.ChangePassword(user, session.Id, currPass, newPass) err := handler.service.ChangePassword(user, session.Id, currPass, newPass)
if err != nil { if err != nil {
utils.TriggerToast(w, r, "error", "Password not correct", http.StatusUnauthorized) utils.TriggerToast(w, r, "error", "Password not correct", http.StatusBadRequest)
return return
} }

186
main_test.go
View File

@@ -933,7 +933,187 @@ func TestIntegrationAuth(t *testing.T) {
assert.Equal(t, 0, rows) assert.Equal(t, 0, rows)
}) })
}) })
t.Run("ChangePassword", func(t *testing.T) { t.Run("ChangePassword", func(t *testing.T) {
t.Run(`should redirect to "/" if not signed in`, func(t *testing.T) {
t.Parallel()
_, basePath, ctx := setupIntegrationTest(t)
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/change-password", nil)
assert.Nil(t, err)
resp, err := httpClient.Do(req)
assert.Nil(t, err)
assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
assert.Equal(t, "/auth/signin", resp.Header.Get("Location"))
})
t.Run(`should throw unautohorized if not signed in`, func(t *testing.T) {
t.Parallel()
_, basePath, ctx := setupIntegrationTest(t)
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signin", nil)
assert.Nil(t, err)
resp, err := httpClient.Do(req)
assert.Nil(t, err)
html, err := html.Parse(resp.Body)
assert.Nil(t, err)
anonymousCsrfToken := findCsrfToken(html)
assert.NotEqual(t, "", anonymousCsrfToken)
anonymousSessionId := findCookie(resp, "id").Value
assert.NotEqual(t, "", anonymousSessionId)
formData := url.Values{
"current-password": {"password"},
"new-password": {"MyNewSecurePassword1!"},
"csrf-token": {anonymousCsrfToken},
}
req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/change-password", strings.NewReader(formData.Encode()))
assert.Nil(t, err)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Cookie", "id="+anonymousSessionId)
req.Header.Set("HX-Request", "true")
resp, err = httpClient.Do(req)
assert.Nil(t, err)
assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
})
t.Run(`should fail if csrf token is invalid`, func(t *testing.T) {
t.Parallel()
db, basePath, ctx := setupIntegrationTest(t)
userId := uuid.New()
pass := service.GetHashPassword("password", []byte("salt"))
_, err := db.Exec(`
INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at)
VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
sessionId := "session-id"
assert.Nil(t, err)
_, err = db.Exec(`
INSERT INTO session (session_id, user_id, created_at, expires_at)
VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId)
assert.Nil(t, err)
formData := url.Values{
"current-password": {"password"},
"new-password": {"MyNewSecurePassword1!"},
"csrf-token": {"invalid-csrf-token"},
}
req, err := http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/change-password", strings.NewReader(formData.Encode()))
assert.Nil(t, err)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Cookie", "id="+sessionId)
req.Header.Set("HX-Request", "true")
resp, err := httpClient.Do(req)
assert.Nil(t, err)
assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
var rows int
err = db.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND password = ?", userId, pass).Scan(&rows)
assert.Nil(t, err)
assert.Equal(t, 1, rows)
})
t.Run("should fail if current password does not match", func(t *testing.T) {
t.Parallel()
db, basePath, ctx := setupIntegrationTest(t)
userId := uuid.New()
pass := service.GetHashPassword("password", []byte("salt"))
_, err := db.Exec(`
INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at)
VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
sessionId := "session-id"
assert.Nil(t, err)
_, err = db.Exec(`
INSERT INTO session (session_id, user_id, created_at, expires_at)
VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId)
assert.Nil(t, err)
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/change-password", nil)
assert.Nil(t, err)
req.Header.Set("Cookie", "id="+sessionId)
resp, err := httpClient.Do(req)
assert.Nil(t, err)
html, err := html.Parse(resp.Body)
assert.Nil(t, err)
csrfToken := findCsrfToken(html)
assert.NotEqual(t, "", csrfToken)
formData := url.Values{
"current-password": {"wrong-password"},
"new-password": {"MyNewSecurePassword1!"},
"csrf-token": {csrfToken},
}
req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/change-password", strings.NewReader(formData.Encode()))
assert.Nil(t, err)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Cookie", "id="+sessionId)
req.Header.Set("HX-Request", "true")
resp, err = httpClient.Do(req)
assert.Nil(t, err)
assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
var rows int
err = db.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND password = ?", userId, pass).Scan(&rows)
assert.Nil(t, err)
assert.Equal(t, 1, rows)
})
t.Run("should fail if new password is insecure", func(t *testing.T) {
t.Parallel()
db, basePath, ctx := setupIntegrationTest(t)
userId := uuid.New()
pass := service.GetHashPassword("password", []byte("salt"))
_, err := db.Exec(`
INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at)
VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
sessionId := "session-id"
assert.Nil(t, err)
_, err = db.Exec(`
INSERT INTO session (session_id, user_id, created_at, expires_at)
VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId)
assert.Nil(t, err)
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/change-password", nil)
assert.Nil(t, err)
req.Header.Set("Cookie", "id="+sessionId)
resp, err := httpClient.Do(req)
assert.Nil(t, err)
html, err := html.Parse(resp.Body)
assert.Nil(t, err)
csrfToken := findCsrfToken(html)
assert.NotEqual(t, "", csrfToken)
formData := url.Values{
"current-password": {"password"},
"new-password": {"insecure-password"},
"csrf-token": {csrfToken},
}
req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/change-password", strings.NewReader(formData.Encode()))
assert.Nil(t, err)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Cookie", "id="+sessionId)
req.Header.Set("HX-Request", "true")
resp, err = httpClient.Do(req)
assert.Nil(t, err)
assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
var rows int
err = db.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND password = ?", userId, pass).Scan(&rows)
assert.Nil(t, err)
assert.Equal(t, 1, rows)
})
t.Run("should change password and invalidate all other user sessions", func(t *testing.T) { t.Run("should change password and invalidate all other user sessions", func(t *testing.T) {
t.Parallel() t.Parallel()
@@ -989,6 +1169,12 @@ func TestIntegrationAuth(t *testing.T) {
assert.Equal(t, http.StatusOK, resp.StatusCode) assert.Equal(t, http.StatusOK, resp.StatusCode)
pass = service.GetHashPassword("MyNewSecurePassword1!", []byte("salt"))
var rows int
err = db.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND password = ?", userId, pass).Scan(&rows)
assert.Nil(t, err)
assert.Equal(t, 1, rows)
var sessionIds []string var sessionIds []string
sessions, err := db.Query(`SELECT session_id FROM session WHERE NOT user_id = ? ORDER BY session_id`, uuid.Nil) sessions, err := db.Query(`SELECT session_id FROM session WHERE NOT user_id = ? ORDER BY session_id`, uuid.Nil)
assert.Nil(t, err) assert.Nil(t, err)