photoprism/internal/api/user_password_test.go


package api
import (
"encoding/json"
"net/http"
"testing"
"github.com/photoprism/photoprism/internal/form"
"github.com/stretchr/testify/assert"
)
// TestChangePassword covers PUT /api/v1/users/:uid/password for a uid that
// does not exist, with no session and without toggling conf (so the test app
// presumably stays in its default, public mode). The handler must refuse the
// request with 403 Forbidden rather than process the empty body.
func TestChangePassword(t *testing.T) {
	t.Run("not existing user", func(t *testing.T) {
		app, router, _ := NewApiTest()
		ChangePassword(router)

		resp := PerformRequestWithBody(app, "PUT", "/api/v1/users/xxx/password", `{}`)

		// Unknown uid and no authenticated session: forbidden, not 200/404.
		assert.Equal(t, http.StatusForbidden, resp.Code)
	})
}
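// TestChangeUserPasswords exercises PUT /api/v1/users/:uid/password with an
// authenticated session on a non-public instance.
//
// The subtests are order-dependent: "alice: change password valid" rotates
// alice's password to "aliceinwonderland", and later subtests log in with that
// value. They presumably share one fixture database behind NewApiTest, so they
// must keep running sequentially (no t.Parallel()).
//
// Security properties pinned by the assertions:
//   - a wrong current password is rejected (400), so a captured session alone
//     is not enough to take over the account;
//   - a user cannot set another user's password, even when supplying that
//     user's correct current password and even as admin (401);
//   - a rejected attempt leaves the target's password untouched;
//   - re-submitting the current password as the new one is accepted (200),
//     i.e. the endpoint does not enforce "new password must differ".
func TestChangeUserPasswords(t *testing.T) {
	const (
		aliceUID  = "uqxetse3cy5eo9z2"
		bobUID    = "uqxc08w3d0ej2283"
		friendUID = "uqxqg7i1kperxvu7"
	)

	// change logs in as user/password on a fresh non-public test app, sends the
	// change-password form for uid with that session, and returns the HTTP
	// status code. A marshal failure aborts only this subtest via t.Fatal
	// (log.Fatal would os.Exit the whole test binary and skip the deferred
	// conf.SetPublic(true)).
	change := func(t *testing.T, user, password, uid string, f form.ChangePassword) int {
		t.Helper()

		app, router, conf := NewApiTest()
		conf.SetPublic(false)
		defer conf.SetPublic(true)
		ChangePassword(router)

		sessId := AuthenticateUser(app, router, user, password)

		body, err := json.Marshal(f)
		if err != nil {
			t.Fatal(err)
		}

		r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/"+uid+"/password", string(body), sessId)

		return r.Code
	}

	t.Run("alice: change password invalid", func(t *testing.T) {
		// Valid session for alice, but the supplied current password is wrong.
		code := change(t, "alice", "Alice123!", aliceUID, form.ChangePassword{
			OldPassword: "someonewhoisntalice",
			NewPassword: "aliceinwonderland",
		})
		assert.Equal(t, http.StatusBadRequest, code)
	})

	t.Run("alice: change password valid", func(t *testing.T) {
		// Correct current password: alice's password becomes "aliceinwonderland"
		// for the remaining subtests.
		code := change(t, "alice", "Alice123!", aliceUID, form.ChangePassword{
			OldPassword: "Alice123!",
			NewPassword: "aliceinwonderland",
		})
		assert.Equal(t, http.StatusOK, code)
	})

	t.Run("alice as admin: change bob's password", func(t *testing.T) {
		// Alice (admin, per the subtest name) targets bob's uid with bob's
		// correct current password. The endpoint is self-service only, so this
		// is refused on identity, not on the password check.
		code := change(t, "alice", "aliceinwonderland", bobUID, form.ChangePassword{
			OldPassword: "Bobbob123!",
			NewPassword: "helloworld",
		})
		assert.Equal(t, http.StatusUnauthorized, code)
	})

	t.Run("bob: change wrong password", func(t *testing.T) {
		// "helloworld" is the value the rejected admin attempt tried to set. If
		// that attempt had been applied despite the 401, this would succeed;
		// the 400 proves bob's password is unchanged.
		code := change(t, "bob", "Bobbob123!", bobUID, form.ChangePassword{
			OldPassword: "helloworld",
			NewPassword: "Bobbob123!",
		})
		assert.Equal(t, http.StatusBadRequest, code)
	})

	t.Run("friend: change password to same", func(t *testing.T) {
		// Old and new password identical: accepted as-is by the handler.
		code := change(t, "friend", "!Friend321", friendUID, form.ChangePassword{
			OldPassword: "!Friend321",
			NewPassword: "!Friend321",
		})
		assert.Equal(t, http.StatusOK, code)
	})

	t.Run("bob: change alice's password", func(t *testing.T) {
		// Non-admin user targeting another uid, even with alice's correct
		// current password: must be refused.
		code := change(t, "bob", "Bobbob123!", aliceUID, form.ChangePassword{
			OldPassword: "aliceinwonderland",
			NewPassword: "bobinwonderland",
		})
		assert.Equal(t, http.StatusUnauthorized, code)
	})
}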