PeerTube/server/tests/api/check-params/two-factor.ts

289 lines
9.4 KiB
TypeScript
Raw Normal View History

/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
import { HttpStatusCode } from '@shared/models'
import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers, TwoFactorCommand } from '@shared/server-commands'
describe('Test two factor API validators', function () {
let server: PeerTubeServer
let rootId: number
let rootPassword: string
let rootRequestToken: string
let rootOTPToken: string
let userId: number
let userToken = ''
let userPassword: string
let userRequestToken: string
let userOTPToken: string
// ---------------------------------------------------------------
before(async function () {
this.timeout(30000)
{
server = await createSingleServer(1)
await setAccessTokensToServers([ server ])
}
{
const result = await server.users.generate('user1')
userToken = result.token
userId = result.userId
userPassword = result.password
}
{
const { id } = await server.users.getMyInfo()
rootId = id
rootPassword = server.store.user.password
}
})
describe('When requesting two factor', function () {
it('Should fail with an unknown user id', async function () {
await server.twoFactor.request({ userId: 42, currentPassword: rootPassword, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
})
it('Should fail with an invalid user id', async function () {
await server.twoFactor.request({
userId: 'invalid' as any,
currentPassword: rootPassword,
expectedStatus: HttpStatusCode.BAD_REQUEST_400
})
})
it('Should fail to request another user two factor without the appropriate rights', async function () {
await server.twoFactor.request({
userId: rootId,
token: userToken,
currentPassword: userPassword,
expectedStatus: HttpStatusCode.FORBIDDEN_403
})
})
it('Should succeed to request another user two factor with the appropriate rights', async function () {
await server.twoFactor.request({ userId, currentPassword: rootPassword })
})
it('Should fail to request two factor without a password', async function () {
await server.twoFactor.request({
userId,
token: userToken,
currentPassword: undefined,
expectedStatus: HttpStatusCode.BAD_REQUEST_400
})
})
it('Should fail to request two factor with an incorrect password', async function () {
await server.twoFactor.request({
userId,
token: userToken,
currentPassword: rootPassword,
expectedStatus: HttpStatusCode.FORBIDDEN_403
})
})
it('Should succeed to request two factor without a password when targeting a remote user with an admin account', async function () {
await server.twoFactor.request({ userId })
})
it('Should fail to request two factor without a password when targeting myself with an admin account', async function () {
await server.twoFactor.request({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
await server.twoFactor.request({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
})
it('Should succeed to request my two factor auth', async function () {
{
const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
userRequestToken = otpRequest.requestToken
userOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
}
{
const { otpRequest } = await server.twoFactor.request({ userId: rootId, currentPassword: rootPassword })
rootRequestToken = otpRequest.requestToken
rootOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
}
})
})
describe('When confirming two factor request', function () {
it('Should fail with an unknown user id', async function () {
await server.twoFactor.confirmRequest({
userId: 42,
requestToken: rootRequestToken,
otpToken: rootOTPToken,
expectedStatus: HttpStatusCode.NOT_FOUND_404
})
})
it('Should fail with an invalid user id', async function () {
await server.twoFactor.confirmRequest({
userId: 'invalid' as any,
requestToken: rootRequestToken,
otpToken: rootOTPToken,
expectedStatus: HttpStatusCode.BAD_REQUEST_400
})
})
it('Should fail to confirm another user two factor request without the appropriate rights', async function () {
await server.twoFactor.confirmRequest({
userId: rootId,
token: userToken,
requestToken: rootRequestToken,
otpToken: rootOTPToken,
expectedStatus: HttpStatusCode.FORBIDDEN_403
})
})
it('Should fail without request token', async function () {
await server.twoFactor.confirmRequest({
userId,
requestToken: undefined,
otpToken: userOTPToken,
expectedStatus: HttpStatusCode.BAD_REQUEST_400
})
})
it('Should fail with an invalid request token', async function () {
await server.twoFactor.confirmRequest({
userId,
requestToken: 'toto',
otpToken: userOTPToken,
expectedStatus: HttpStatusCode.FORBIDDEN_403
})
})
it('Should fail with request token of another user', async function () {
await server.twoFactor.confirmRequest({
userId,
requestToken: rootRequestToken,
otpToken: userOTPToken,
expectedStatus: HttpStatusCode.FORBIDDEN_403
})
})
it('Should fail without an otp token', async function () {
await server.twoFactor.confirmRequest({
userId,
requestToken: userRequestToken,
otpToken: undefined,
expectedStatus: HttpStatusCode.BAD_REQUEST_400
})
})
it('Should fail with a bad otp token', async function () {
await server.twoFactor.confirmRequest({
userId,
requestToken: userRequestToken,
otpToken: '123456',
expectedStatus: HttpStatusCode.FORBIDDEN_403
})
})
it('Should succeed to confirm another user two factor request with the appropriate rights', async function () {
await server.twoFactor.confirmRequest({
userId,
requestToken: userRequestToken,
otpToken: userOTPToken
})
// Reinit
await server.twoFactor.disable({ userId, currentPassword: rootPassword })
})
it('Should succeed to confirm my two factor request', async function () {
await server.twoFactor.confirmRequest({
userId,
token: userToken,
requestToken: userRequestToken,
otpToken: userOTPToken
})
})
it('Should fail to confirm again two factor request', async function () {
await server.twoFactor.confirmRequest({
userId,
token: userToken,
requestToken: userRequestToken,
otpToken: userOTPToken,
expectedStatus: HttpStatusCode.BAD_REQUEST_400
})
})
})
describe('When disabling two factor', function () {
it('Should fail with an unknown user id', async function () {
await server.twoFactor.disable({
userId: 42,
currentPassword: rootPassword,
expectedStatus: HttpStatusCode.NOT_FOUND_404
})
})
it('Should fail with an invalid user id', async function () {
await server.twoFactor.disable({
userId: 'invalid' as any,
currentPassword: rootPassword,
expectedStatus: HttpStatusCode.BAD_REQUEST_400
})
})
it('Should fail to disable another user two factor without the appropriate rights', async function () {
await server.twoFactor.disable({
userId: rootId,
token: userToken,
currentPassword: userPassword,
expectedStatus: HttpStatusCode.FORBIDDEN_403
})
})
it('Should fail to disable two factor with an incorrect password', async function () {
await server.twoFactor.disable({
userId,
token: userToken,
currentPassword: rootPassword,
expectedStatus: HttpStatusCode.FORBIDDEN_403
})
})
it('Should succeed to disable two factor without a password when targeting a remote user with an admin account', async function () {
await server.twoFactor.disable({ userId })
await server.twoFactor.requestAndConfirm({ userId })
})
it('Should fail to disable two factor without a password when targeting myself with an admin account', async function () {
await server.twoFactor.disable({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
await server.twoFactor.disable({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
})
it('Should succeed to disable another user two factor with the appropriate rights', async function () {
await server.twoFactor.disable({ userId, currentPassword: rootPassword })
await server.twoFactor.requestAndConfirm({ userId })
})
it('Should succeed to update my two factor auth', async function () {
await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword })
})
it('Should fail to disable again two factor', async function () {
await server.twoFactor.disable({
userId,
token: userToken,
currentPassword: userPassword,
expectedStatus: HttpStatusCode.BAD_REQUEST_400
})
})
})
after(async function () {
await cleanupTests([ server ])
})
})