photoprism/internal/api/auth_password_test.go

package api

import (
	"encoding/json"
	"net/http"
	"testing"

	"github.com/stretchr/testify/assert"

	"github.com/photoprism/photoprism/internal/config"
	"github.com/photoprism/photoprism/internal/form"
)

func TestChangePassword(t *testing.T) {
	t.Run("NonExistentUser", func(t *testing.T) {
		app, router, _ := NewApiTest()
		ChangePassword(router)
		r := PerformRequestWithBody(app, "PUT", "/api/v1/users/xxx/password", `{}`)
		assert.Equal(t, http.StatusForbidden, r.Code)
	})

	t.Run("AliceProvidesWrongPassword", func(t *testing.T) {
		app, router, conf := NewApiTest()
		conf.SetAuthMode(config.AuthModePasswd)
		defer conf.SetAuthMode(config.AuthModePublic)
		ChangePassword(router)
		sessId := AuthenticateUser(app, router, "alice", "Alice123!")

		f := form.ChangePassword{
			OldPassword: "someonewhoisntalice",
			NewPassword: "aliceinwonderland",
		}
		if pwStr, err := json.Marshal(f); err != nil {
			log.Fatal(err)
		} else {
			r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxetse3cy5eo9z2/password",
				string(pwStr), sessId)
			assert.Equal(t, http.StatusBadRequest, r.Code)
		}
	})

	t.Run("Ok", func(t *testing.T) {
		app, router, conf := NewApiTest()
		conf.SetAuthMode(config.AuthModePasswd)
		defer conf.SetAuthMode(config.AuthModePublic)
		ChangePassword(router)

		oldPassword := "PleaseChange$42"
		newPassword := "SoftwareDevelopmentIsAYoungProfession1234567890!@#$%^&*()_+[]{}|:<>?/.,"

		sessId := AuthenticateUser(app, router, "fowler", oldPassword)

		frm := form.ChangePassword{
			OldPassword: oldPassword,
			NewPassword: newPassword,
		}

		if jsonFrm, err := json.Marshal(frm); err != nil {
			log.Fatal(err)
		} else {
			r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/urinotv3d6jedvlm/password",
				string(jsonFrm), sessId)
			assert.Equal(t, http.StatusOK, r.Code)
		}

		frm = form.ChangePassword{
			OldPassword: newPassword,
			NewPassword: oldPassword,
		}

		if jsonFrm, err := json.Marshal(frm); err != nil {
			log.Fatal(err)
		} else {
			r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/urinotv3d6jedvlm/password",
				string(jsonFrm), sessId)
			assert.Equal(t, http.StatusOK, r.Code)
		}
	})

	t.Run("AliceChangesOtherUsersPassword", func(t *testing.T) {
		app, router, conf := NewApiTest()
		conf.SetAuthMode(config.AuthModePasswd)
		defer conf.SetAuthMode(config.AuthModePublic)
		ChangePassword(router)
		sessId := AuthenticateUser(app, router, "alice", "Alice123!")

		f := form.ChangePassword{
			OldPassword: "Bobbob123!",
			NewPassword: "helloworld",
		}
		if pwStr, err := json.Marshal(f); err != nil {
			log.Fatal(err)
		} else {
			r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxc08w3d0ej2283/password",
				string(pwStr), sessId)
			assert.Equal(t, http.StatusForbidden, r.Code)
		}
	})

	t.Run("BobProvidesWrongPassword", func(t *testing.T) {
		app, router, conf := NewApiTest()
		conf.SetAuthMode(config.AuthModePasswd)
		defer conf.SetAuthMode(config.AuthModePublic)
		ChangePassword(router)
		sessId := AuthenticateUser(app, router, "bob", "Bobbob123!")

		f := form.ChangePassword{
			OldPassword: "helloworld",
			NewPassword: "Bobbob123!",
		}
		if pwStr, err := json.Marshal(f); err != nil {
			log.Fatal(err)
		} else {
			r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxc08w3d0ej2283/password",
				string(pwStr), sessId)
			assert.Equal(t, http.StatusBadRequest, r.Code)
		}
	})

	t.Run("SameNewPassword", func(t *testing.T) {
		app, router, conf := NewApiTest()
		conf.SetAuthMode(config.AuthModePasswd)
		defer conf.SetAuthMode(config.AuthModePublic)
		ChangePassword(router)
		sessId := AuthenticateUser(app, router, "friend", "!Friend321")

		f := form.ChangePassword{
			OldPassword: "!Friend321",
			NewPassword: "!Friend321",
		}
		if pwStr, err := json.Marshal(f); err != nil {
			log.Fatal(err)
		} else {
			r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxqg7i1kperxvu7/password",
				string(pwStr), sessId)
			assert.Equal(t, http.StatusOK, r.Code)
		}
	})

	t.Run("BobChangesOtherUsersPassword", func(t *testing.T) {
		app, router, conf := NewApiTest()
		conf.SetAuthMode(config.AuthModePasswd)
		defer conf.SetAuthMode(config.AuthModePublic)
		ChangePassword(router)
		sessId := AuthenticateUser(app, router, "bob", "Bobbob123!")

		f := form.ChangePassword{
			OldPassword: "aliceinwonderland",
			NewPassword: "bobinwonderland",
		}
		if pwStr, err := json.Marshal(f); err != nil {
			log.Fatal(err)
		} else {
			r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxetse3cy5eo9z2/password",
				string(pwStr), sessId)
			assert.Equal(t, http.StatusForbidden, r.Code)
		}
	})

}
Backend: Add unit tests for internal/api 2020-07-14 17:59:50 +02:00			`package api`

			`import (`
Auth: add change password tests #98 2021-08-11 12:43:53 +02:00			`"encoding/json"`
Backend: Add unit tests for internal/api 2020-07-14 17:59:50 +02:00			`"net/http"`
			`"testing"`
Backend: Format go imports 2020-11-21 18:08:41 +01:00
			`"github.com/stretchr/testify/assert"`
API: Refactor authentication tests to use conf.SetAuthMode() #98 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-10-12 18:11:20 +02:00
			`"github.com/photoprism/photoprism/internal/config"`
			`"github.com/photoprism/photoprism/internal/form"`
Backend: Add unit tests for internal/api 2020-07-14 17:59:50 +02:00			`)`

			`func TestChangePassword(t *testing.T) {`
Auth: Session and ACL enhancements #98 #1746 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-09-28 09:01:17 +02:00			`t.Run("NonExistentUser", func(t *testing.T) {`
Backend: Add unit tests for internal/api 2020-07-14 17:59:50 +02:00			`app, router, _ := NewApiTest()`
			`ChangePassword(router)`
			r := PerformRequestWithBody(app, "PUT", "/api/v1/users/xxx/password", `{}`)
Backend: Add unit tests for internal/api 2020-07-14 18:08:39 +02:00			`assert.Equal(t, http.StatusForbidden, r.Code)`
Backend: Add unit tests for internal/api 2020-07-14 17:59:50 +02:00			`})`
Auth: add change password tests #98 2021-08-11 12:43:53 +02:00
Auth: Session and ACL enhancements #98 #1746 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-09-28 09:01:17 +02:00			`t.Run("AliceProvidesWrongPassword", func(t *testing.T) {`
Auth: add change password tests #98 2021-08-11 12:43:53 +02:00			`app, router, conf := NewApiTest()`
API: Refactor authentication tests to use conf.SetAuthMode() #98 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-10-12 18:11:20 +02:00			`conf.SetAuthMode(config.AuthModePasswd)`
			`defer conf.SetAuthMode(config.AuthModePublic)`
Auth: add change password tests #98 2021-08-11 12:43:53 +02:00			`ChangePassword(router)`
			`sessId := AuthenticateUser(app, router, "alice", "Alice123!")`

			`f := form.ChangePassword{`
			`OldPassword: "someonewhoisntalice",`
			`NewPassword: "aliceinwonderland",`
			`}`
			`if pwStr, err := json.Marshal(f); err != nil {`
			`log.Fatal(err)`
			`} else {`
			`r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxetse3cy5eo9z2/password",`
			`string(pwStr), sessId)`
			`assert.Equal(t, http.StatusBadRequest, r.Code)`
			`}`
			`})`
Auth: Session and ACL enhancements #98 #1746 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-09-28 09:01:17 +02:00
Security: Use individual preview tokens for each user account #98 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-10-13 22:11:02 +02:00			`t.Run("Ok", func(t *testing.T) {`
Auth: add change password tests #98 2021-08-11 12:43:53 +02:00			`app, router, conf := NewApiTest()`
API: Refactor authentication tests to use conf.SetAuthMode() #98 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-10-12 18:11:20 +02:00			`conf.SetAuthMode(config.AuthModePasswd)`
			`defer conf.SetAuthMode(config.AuthModePublic)`
Auth: add change password tests #98 2021-08-11 12:43:53 +02:00			`ChangePassword(router)`

Auth: Session and ACL enhancements #98 #1746 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-09-28 09:01:17 +02:00			`oldPassword := "PleaseChange$42"`
			`newPassword := "SoftwareDevelopmentIsAYoungProfession1234567890!@#$%^&*()_+[]{}\|:<>?/.,"`

			`sessId := AuthenticateUser(app, router, "fowler", oldPassword)`

			`frm := form.ChangePassword{`
			`OldPassword: oldPassword,`
			`NewPassword: newPassword,`
Auth: add change password tests #98 2021-08-11 12:43:53 +02:00			`}`
Auth: Session and ACL enhancements #98 #1746 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-09-28 09:01:17 +02:00
			`if jsonFrm, err := json.Marshal(frm); err != nil {`
Auth: add change password tests #98 2021-08-11 12:43:53 +02:00			`log.Fatal(err)`
			`} else {`
Auth: Session and ACL enhancements #98 #1746 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-09-28 09:01:17 +02:00			`r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/urinotv3d6jedvlm/password",`
			`string(jsonFrm), sessId)`
			`assert.Equal(t, http.StatusOK, r.Code)`
			`}`

			`frm = form.ChangePassword{`
			`OldPassword: newPassword,`
			`NewPassword: oldPassword,`
			`}`

			`if jsonFrm, err := json.Marshal(frm); err != nil {`
			`log.Fatal(err)`
			`} else {`
			`r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/urinotv3d6jedvlm/password",`
			`string(jsonFrm), sessId)`
Auth: add change password tests #98 2021-08-11 12:43:53 +02:00			`assert.Equal(t, http.StatusOK, r.Code)`
			`}`
			`})`
Auth: Session and ACL enhancements #98 #1746 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-09-28 09:01:17 +02:00
			`t.Run("AliceChangesOtherUsersPassword", func(t *testing.T) {`
Auth: add change password tests #98 2021-08-11 12:43:53 +02:00			`app, router, conf := NewApiTest()`
API: Refactor authentication tests to use conf.SetAuthMode() #98 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-10-12 18:11:20 +02:00			`conf.SetAuthMode(config.AuthModePasswd)`
			`defer conf.SetAuthMode(config.AuthModePublic)`
Auth: add change password tests #98 2021-08-11 12:43:53 +02:00			`ChangePassword(router)`
Auth: Session and ACL enhancements #98 #1746 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-09-28 09:01:17 +02:00			`sessId := AuthenticateUser(app, router, "alice", "Alice123!")`
Auth: add change password tests #98 2021-08-11 12:43:53 +02:00
			`f := form.ChangePassword{`
			`OldPassword: "Bobbob123!",`
			`NewPassword: "helloworld",`
			`}`
			`if pwStr, err := json.Marshal(f); err != nil {`
			`log.Fatal(err)`
			`} else {`
			`r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxc08w3d0ej2283/password",`
			`string(pwStr), sessId)`
Auth: Session and ACL enhancements #98 #1746 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-09-28 09:01:17 +02:00			`assert.Equal(t, http.StatusForbidden, r.Code)`
Auth: add change password tests #98 2021-08-11 12:43:53 +02:00			`}`
			`})`
Auth: Session and ACL enhancements #98 #1746 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-09-28 09:01:17 +02:00
			`t.Run("BobProvidesWrongPassword", func(t *testing.T) {`
Auth: add change password tests #98 2021-08-11 12:43:53 +02:00			`app, router, conf := NewApiTest()`
API: Refactor authentication tests to use conf.SetAuthMode() #98 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-10-12 18:11:20 +02:00			`conf.SetAuthMode(config.AuthModePasswd)`
			`defer conf.SetAuthMode(config.AuthModePublic)`
Auth: add change password tests #98 2021-08-11 12:43:53 +02:00			`ChangePassword(router)`
Auth: adapt tests for recent changes 2021-08-12 20:29:15 +02:00			`sessId := AuthenticateUser(app, router, "bob", "Bobbob123!")`
Auth: add change password tests #98 2021-08-11 12:43:53 +02:00
			`f := form.ChangePassword{`
			`OldPassword: "helloworld",`
			`NewPassword: "Bobbob123!",`
			`}`
			`if pwStr, err := json.Marshal(f); err != nil {`
			`log.Fatal(err)`
			`} else {`
			`r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxc08w3d0ej2283/password",`
			`string(pwStr), sessId)`
Auth: adapt tests for recent changes 2021-08-12 20:29:15 +02:00			`assert.Equal(t, http.StatusBadRequest, r.Code)`
			`}`
			`})`

Auth: Session and ACL enhancements #98 #1746 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-09-28 09:01:17 +02:00			`t.Run("SameNewPassword", func(t *testing.T) {`
Auth: adapt tests for recent changes 2021-08-12 20:29:15 +02:00			`app, router, conf := NewApiTest()`
API: Refactor authentication tests to use conf.SetAuthMode() #98 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-10-12 18:11:20 +02:00			`conf.SetAuthMode(config.AuthModePasswd)`
			`defer conf.SetAuthMode(config.AuthModePublic)`
Auth: adapt tests for recent changes 2021-08-12 20:29:15 +02:00			`ChangePassword(router)`
			`sessId := AuthenticateUser(app, router, "friend", "!Friend321")`

			`f := form.ChangePassword{`
			`OldPassword: "!Friend321",`
			`NewPassword: "!Friend321",`
			`}`
			`if pwStr, err := json.Marshal(f); err != nil {`
			`log.Fatal(err)`
			`} else {`
			`r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxqg7i1kperxvu7/password",`
			`string(pwStr), sessId)`
			`assert.Equal(t, http.StatusOK, r.Code)`
Auth: add change password tests #98 2021-08-11 12:43:53 +02:00			`}`
			`})`

Auth: Session and ACL enhancements #98 #1746 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-09-28 09:01:17 +02:00			`t.Run("BobChangesOtherUsersPassword", func(t *testing.T) {`
Auth: add change password tests #98 2021-08-11 12:43:53 +02:00			`app, router, conf := NewApiTest()`
API: Refactor authentication tests to use conf.SetAuthMode() #98 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-10-12 18:11:20 +02:00			`conf.SetAuthMode(config.AuthModePasswd)`
			`defer conf.SetAuthMode(config.AuthModePublic)`
Auth: add change password tests #98 2021-08-11 12:43:53 +02:00			`ChangePassword(router)`
			`sessId := AuthenticateUser(app, router, "bob", "Bobbob123!")`

			`f := form.ChangePassword{`
			`OldPassword: "aliceinwonderland",`
			`NewPassword: "bobinwonderland",`
			`}`
			`if pwStr, err := json.Marshal(f); err != nil {`
			`log.Fatal(err)`
			`} else {`
			`r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxetse3cy5eo9z2/password",`
			`string(pwStr), sessId)`
Auth: Session and ACL enhancements #98 #1746 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-09-28 09:01:17 +02:00			`assert.Equal(t, http.StatusForbidden, r.Code)`
Auth: add change password tests #98 2021-08-11 12:43:53 +02:00			`}`
			`})`

			`}`