2020-07-14 17:59:50 +02:00
|
|
|
package api
|
|
|
|
|
|
|
|
|
|
import (
|
2021-08-11 12:43:53 +02:00
|
|
|
"encoding/json"
|
2020-07-14 17:59:50 +02:00
|
|
|
"net/http"
|
|
|
|
|
"testing"
|
2020-11-21 18:08:41 +01:00
|
|
|
|
|
|
|
|
"github.com/stretchr/testify/assert"
|
2022-10-12 18:11:20 +02:00
|
|
|
|
|
|
|
|
"github.com/photoprism/photoprism/internal/config"
|
|
|
|
|
"github.com/photoprism/photoprism/internal/form"
|
2020-07-14 17:59:50 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func TestChangePassword(t *testing.T) {
|
2022-09-28 09:01:17 +02:00
|
|
|
t.Run("NonExistentUser", func(t *testing.T) {
|
2020-07-14 17:59:50 +02:00
|
|
|
app, router, _ := NewApiTest()
|
2022-10-17 19:07:38 +02:00
|
|
|
UpdateUserPassword(router)
|
2020-07-14 17:59:50 +02:00
|
|
|
r := PerformRequestWithBody(app, "PUT", "/api/v1/users/xxx/password", `{}`)
|
2020-07-14 18:08:39 +02:00
|
|
|
assert.Equal(t, http.StatusForbidden, r.Code)
|
2020-07-14 17:59:50 +02:00
|
|
|
})
|
2021-08-11 12:43:53 +02:00
|
|
|
|
2022-09-28 09:01:17 +02:00
|
|
|
t.Run("AliceProvidesWrongPassword", func(t *testing.T) {
|
2021-08-11 12:43:53 +02:00
|
|
|
app, router, conf := NewApiTest()
|
2022-10-12 18:11:20 +02:00
|
|
|
conf.SetAuthMode(config.AuthModePasswd)
|
|
|
|
|
defer conf.SetAuthMode(config.AuthModePublic)
|
2022-10-17 19:07:38 +02:00
|
|
|
UpdateUserPassword(router)
|
2021-08-11 12:43:53 +02:00
|
|
|
sessId := AuthenticateUser(app, router, "alice", "Alice123!")
|
|
|
|
|
|
|
|
|
|
f := form.ChangePassword{
|
|
|
|
|
OldPassword: "someonewhoisntalice",
|
|
|
|
|
NewPassword: "aliceinwonderland",
|
|
|
|
|
}
|
|
|
|
|
if pwStr, err := json.Marshal(f); err != nil {
|
|
|
|
|
log.Fatal(err)
|
|
|
|
|
} else {
|
|
|
|
|
r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxetse3cy5eo9z2/password",
|
|
|
|
|
string(pwStr), sessId)
|
|
|
|
|
assert.Equal(t, http.StatusBadRequest, r.Code)
|
|
|
|
|
}
|
|
|
|
|
})
|
2022-09-28 09:01:17 +02:00
|
|
|
|
2022-10-13 22:11:02 +02:00
|
|
|
t.Run("Ok", func(t *testing.T) {
|
2021-08-11 12:43:53 +02:00
|
|
|
app, router, conf := NewApiTest()
|
2022-10-12 18:11:20 +02:00
|
|
|
conf.SetAuthMode(config.AuthModePasswd)
|
|
|
|
|
defer conf.SetAuthMode(config.AuthModePublic)
|
2022-10-17 19:07:38 +02:00
|
|
|
UpdateUserPassword(router)
|
2021-08-11 12:43:53 +02:00
|
|
|
|
2022-09-28 09:01:17 +02:00
|
|
|
oldPassword := "PleaseChange$42"
|
|
|
|
|
newPassword := "SoftwareDevelopmentIsAYoungProfession1234567890!@#$%^&*()_+[]{}|:<>?/.,"
|
|
|
|
|
|
|
|
|
|
sessId := AuthenticateUser(app, router, "fowler", oldPassword)
|
|
|
|
|
|
|
|
|
|
frm := form.ChangePassword{
|
|
|
|
|
OldPassword: oldPassword,
|
|
|
|
|
NewPassword: newPassword,
|
2021-08-11 12:43:53 +02:00
|
|
|
}
|
2022-09-28 09:01:17 +02:00
|
|
|
|
|
|
|
|
if jsonFrm, err := json.Marshal(frm); err != nil {
|
2021-08-11 12:43:53 +02:00
|
|
|
log.Fatal(err)
|
|
|
|
|
} else {
|
2022-09-28 09:01:17 +02:00
|
|
|
r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/urinotv3d6jedvlm/password",
|
|
|
|
|
string(jsonFrm), sessId)
|
|
|
|
|
assert.Equal(t, http.StatusOK, r.Code)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
frm = form.ChangePassword{
|
|
|
|
|
OldPassword: newPassword,
|
|
|
|
|
NewPassword: oldPassword,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if jsonFrm, err := json.Marshal(frm); err != nil {
|
|
|
|
|
log.Fatal(err)
|
|
|
|
|
} else {
|
|
|
|
|
r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/urinotv3d6jedvlm/password",
|
|
|
|
|
string(jsonFrm), sessId)
|
2021-08-11 12:43:53 +02:00
|
|
|
assert.Equal(t, http.StatusOK, r.Code)
|
|
|
|
|
}
|
|
|
|
|
})
|
2022-09-28 09:01:17 +02:00
|
|
|
|
|
|
|
|
t.Run("AliceChangesOtherUsersPassword", func(t *testing.T) {
|
2021-08-11 12:43:53 +02:00
|
|
|
app, router, conf := NewApiTest()
|
2022-10-12 18:11:20 +02:00
|
|
|
conf.SetAuthMode(config.AuthModePasswd)
|
|
|
|
|
defer conf.SetAuthMode(config.AuthModePublic)
|
2022-10-17 19:07:38 +02:00
|
|
|
UpdateUserPassword(router)
|
2022-09-28 09:01:17 +02:00
|
|
|
sessId := AuthenticateUser(app, router, "alice", "Alice123!")
|
2021-08-11 12:43:53 +02:00
|
|
|
|
|
|
|
|
f := form.ChangePassword{
|
|
|
|
|
OldPassword: "Bobbob123!",
|
|
|
|
|
NewPassword: "helloworld",
|
|
|
|
|
}
|
|
|
|
|
if pwStr, err := json.Marshal(f); err != nil {
|
|
|
|
|
log.Fatal(err)
|
|
|
|
|
} else {
|
|
|
|
|
r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxc08w3d0ej2283/password",
|
|
|
|
|
string(pwStr), sessId)
|
2022-09-28 09:01:17 +02:00
|
|
|
assert.Equal(t, http.StatusForbidden, r.Code)
|
2021-08-11 12:43:53 +02:00
|
|
|
}
|
|
|
|
|
})
|
2022-09-28 09:01:17 +02:00
|
|
|
|
|
|
|
|
t.Run("BobProvidesWrongPassword", func(t *testing.T) {
|
2021-08-11 12:43:53 +02:00
|
|
|
app, router, conf := NewApiTest()
|
2022-10-12 18:11:20 +02:00
|
|
|
conf.SetAuthMode(config.AuthModePasswd)
|
|
|
|
|
defer conf.SetAuthMode(config.AuthModePublic)
|
2022-10-17 19:07:38 +02:00
|
|
|
UpdateUserPassword(router)
|
2021-08-12 20:29:15 +02:00
|
|
|
sessId := AuthenticateUser(app, router, "bob", "Bobbob123!")
|
2021-08-11 12:43:53 +02:00
|
|
|
|
|
|
|
|
f := form.ChangePassword{
|
|
|
|
|
OldPassword: "helloworld",
|
|
|
|
|
NewPassword: "Bobbob123!",
|
|
|
|
|
}
|
|
|
|
|
if pwStr, err := json.Marshal(f); err != nil {
|
|
|
|
|
log.Fatal(err)
|
|
|
|
|
} else {
|
|
|
|
|
r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxc08w3d0ej2283/password",
|
|
|
|
|
string(pwStr), sessId)
|
2021-08-12 20:29:15 +02:00
|
|
|
assert.Equal(t, http.StatusBadRequest, r.Code)
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
|
2022-09-28 09:01:17 +02:00
|
|
|
t.Run("SameNewPassword", func(t *testing.T) {
|
2021-08-12 20:29:15 +02:00
|
|
|
app, router, conf := NewApiTest()
|
2022-10-12 18:11:20 +02:00
|
|
|
conf.SetAuthMode(config.AuthModePasswd)
|
|
|
|
|
defer conf.SetAuthMode(config.AuthModePublic)
|
2022-10-17 19:07:38 +02:00
|
|
|
UpdateUserPassword(router)
|
2021-08-12 20:29:15 +02:00
|
|
|
sessId := AuthenticateUser(app, router, "friend", "!Friend321")
|
|
|
|
|
|
|
|
|
|
f := form.ChangePassword{
|
|
|
|
|
OldPassword: "!Friend321",
|
|
|
|
|
NewPassword: "!Friend321",
|
|
|
|
|
}
|
|
|
|
|
if pwStr, err := json.Marshal(f); err != nil {
|
|
|
|
|
log.Fatal(err)
|
|
|
|
|
} else {
|
|
|
|
|
r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxqg7i1kperxvu7/password",
|
|
|
|
|
string(pwStr), sessId)
|
|
|
|
|
assert.Equal(t, http.StatusOK, r.Code)
|
2021-08-11 12:43:53 +02:00
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
|
2022-09-28 09:01:17 +02:00
|
|
|
t.Run("BobChangesOtherUsersPassword", func(t *testing.T) {
|
2021-08-11 12:43:53 +02:00
|
|
|
app, router, conf := NewApiTest()
|
2022-10-12 18:11:20 +02:00
|
|
|
conf.SetAuthMode(config.AuthModePasswd)
|
|
|
|
|
defer conf.SetAuthMode(config.AuthModePublic)
|
2022-10-17 19:07:38 +02:00
|
|
|
UpdateUserPassword(router)
|
2021-08-11 12:43:53 +02:00
|
|
|
sessId := AuthenticateUser(app, router, "bob", "Bobbob123!")
|
|
|
|
|
|
|
|
|
|
f := form.ChangePassword{
|
|
|
|
|
OldPassword: "aliceinwonderland",
|
|
|
|
|
NewPassword: "bobinwonderland",
|
|
|
|
|
}
|
|
|
|
|
if pwStr, err := json.Marshal(f); err != nil {
|
|
|
|
|
log.Fatal(err)
|
|
|
|
|
} else {
|
|
|
|
|
r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxetse3cy5eo9z2/password",
|
|
|
|
|
string(pwStr), sessId)
|
2022-09-28 09:01:17 +02:00
|
|
|
assert.Equal(t, http.StatusForbidden, r.Code)
|
2021-08-11 12:43:53 +02:00
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
}
|
