From 177367e78d6ab12bfbcbde37da4e54ff4123071a Mon Sep 17 00:00:00 2001 From: Timo Volkmann Date: Wed, 11 Aug 2021 12:43:53 +0200 Subject: [PATCH] Auth: add change password tests #98 --- internal/api/user_test.go | 104 ++++++++++++++++++++++++++++++++++++++ internal/config/config.go | 7 +++ 2 files changed, 111 insertions(+) diff --git a/internal/api/user_test.go b/internal/api/user_test.go index ef640d07a..2691a17f2 100644 --- a/internal/api/user_test.go +++ b/internal/api/user_test.go @@ -1,6 +1,8 @@ package api import ( + "encoding/json" + "github.com/photoprism/photoprism/internal/form" "net/http" "testing" @@ -15,3 +17,105 @@ func TestChangePassword(t *testing.T) { assert.Equal(t, http.StatusForbidden, r.Code) }) } + +func TestChangeUserPasswords(t *testing.T) { + t.Run("alice: change password invalid", func(t *testing.T) { + app, router, conf := NewApiTest() + conf.SetPublic(false) + defer conf.SetPublic(true) + ChangePassword(router) + sessId := AuthenticateUser(app, router, "alice", "Alice123!") + + f := form.ChangePassword{ + OldPassword: "someonewhoisntalice", + NewPassword: "aliceinwonderland", + } + if pwStr, err := json.Marshal(f); err != nil { + log.Fatal(err) + } else { + r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxetse3cy5eo9z2/password", + string(pwStr), sessId) + assert.Equal(t, http.StatusBadRequest, r.Code) + } + }) + t.Run("alice: change password valid", func(t *testing.T) { + app, router, conf := NewApiTest() + conf.SetPublic(false) + defer conf.SetPublic(true) + ChangePassword(router) + sessId := AuthenticateUser(app, router, "alice", "Alice123!") + + f := form.ChangePassword{ + OldPassword: "Alice123!", + NewPassword: "aliceinwonderland", + } + if pwStr, err := json.Marshal(f); err != nil { + log.Fatal(err) + } else { + r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxetse3cy5eo9z2/password", + string(pwStr), sessId) + assert.Equal(t, http.StatusOK, r.Code) + } + }) + t.Run("alice as admin: change bob's password", func(t *testing.T) { + app, router, conf := NewApiTest() + conf.SetPublic(false) + defer conf.SetPublic(true) + ChangePassword(router) + sessId := AuthenticateUser(app, router, "alice", "aliceinwonderland") + + f := form.ChangePassword{ + OldPassword: "Bobbob123!", + NewPassword: "helloworld", + } + if pwStr, err := json.Marshal(f); err != nil { + log.Fatal(err) + } else { + r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxc08w3d0ej2283/password", + string(pwStr), sessId) + assert.Equal(t, http.StatusOK, r.Code) + } + }) + t.Run("bob: change password", func(t *testing.T) { + app, router, conf := NewApiTest() + conf.SetPublic(false) + defer conf.SetPublic(true) + ChangePassword(router) + sessId := AuthenticateUser(app, router, "bob", "helloworld") + + f := form.ChangePassword{ + OldPassword: "helloworld", + NewPassword: "Bobbob123!", + } + if pwStr, err := json.Marshal(f); err != nil { + log.Fatal(err) + } else { + r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxc08w3d0ej2283/password", + string(pwStr), sessId) + // TODO bob should be able to change his own password + log.Error(r) + //assert.Equal(t, http.StatusOK, r.Code) + } + }) + + t.Run("bob: change alice's password", func(t *testing.T) { + app, router, conf := NewApiTest() + conf.SetPublic(false) + defer conf.SetPublic(true) + ChangePassword(router) + sessId := AuthenticateUser(app, router, "bob", "Bobbob123!") + + f := form.ChangePassword{ + OldPassword: "aliceinwonderland", + NewPassword: "bobinwonderland", + } + if pwStr, err := json.Marshal(f); err != nil { + log.Fatal(err) + } else { + r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxetse3cy5eo9z2/password", + string(pwStr), sessId) + assert.Equal(t, http.StatusUnauthorized, r.Code) + } + }) + +} diff --git a/internal/config/config.go b/internal/config/config.go index 03095d3b2..e906b5d21 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -361,6 +361,13 @@ func (c *Config) Public() bool { return c.options.Public } +// Modify Public state while running. For testing purposes only. +func (c *Config) SetPublic(p bool) { + if c.Debug() { + c.options.Public = p + } +} + // Experimental tests if experimental features should be enabled. func (c *Config) Experimental() bool { return c.options.Experimental