[github/Chocobozzz/PeerTube.git] / server / tests / api / check-params / two-factor.ts

/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */

import { HttpStatusCode } from '@shared/models'
import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers, TwoFactorCommand } from '@shared/server-commands'

describe('Test two factor API validators', function () {
  let server: PeerTubeServer

  let rootId: number
  let rootPassword: string
  let rootRequestToken: string
  let rootOTPToken: string

  let userId: number
  let userToken = ''
  let userPassword: string
  let userRequestToken: string
  let userOTPToken: string

  // ---------------------------------------------------------------

  before(async function () {
    this.timeout(30000)

    {
      server = await createSingleServer(1)
      await setAccessTokensToServers([ server ])
    }

    {
      const result = await server.users.generate('user1')
      userToken = result.token
      userId = result.userId
      userPassword = result.password
    }

    {
      const { id } = await server.users.getMyInfo()
      rootId = id
      rootPassword = server.store.user.password
    }
  })

  describe('When requesting two factor', function () {

    it('Should fail with an unknown user id', async function () {
      await server.twoFactor.request({ userId: 42, currentPassword: rootPassword, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
    })

    it('Should fail with an invalid user id', async function () {
      await server.twoFactor.request({
        userId: 'invalid' as any,
        currentPassword: rootPassword,
        expectedStatus: HttpStatusCode.BAD_REQUEST_400
      })
    })

    it('Should fail to request another user two factor without the appropriate rights', async function () {
      await server.twoFactor.request({
        userId: rootId,
        token: userToken,
        currentPassword: userPassword,
        expectedStatus: HttpStatusCode.FORBIDDEN_403
      })
    })

    it('Should succeed to request another user two factor with the appropriate rights', async function () {
      await server.twoFactor.request({ userId, currentPassword: rootPassword })
    })

    it('Should fail to request two factor without a password', async function () {
      await server.twoFactor.request({
        userId,
        token: userToken,
        currentPassword: undefined,
        expectedStatus: HttpStatusCode.BAD_REQUEST_400
      })
    })

    it('Should fail to request two factor with an incorrect password', async function () {
      await server.twoFactor.request({
        userId,
        token: userToken,
        currentPassword: rootPassword,
        expectedStatus: HttpStatusCode.FORBIDDEN_403
      })
    })

    it('Should succeed to request two factor without a password when targeting a remote user with an admin account', async function () {
      await server.twoFactor.request({ userId })
    })

    it('Should fail to request two factor without a password when targeting myself with an admin account', async function () {
      await server.twoFactor.request({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
      await server.twoFactor.request({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
    })

    it('Should succeed to request my two factor auth', async function () {
      {
        const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
        userRequestToken = otpRequest.requestToken
        userOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
      }

      {
        const { otpRequest } = await server.twoFactor.request({ userId: rootId, currentPassword: rootPassword })
        rootRequestToken = otpRequest.requestToken
        rootOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
      }
    })
  })

  describe('When confirming two factor request', function () {

    it('Should fail with an unknown user id', async function () {
      await server.twoFactor.confirmRequest({
        userId: 42,
        requestToken: rootRequestToken,
        otpToken: rootOTPToken,
        expectedStatus: HttpStatusCode.NOT_FOUND_404
      })
    })

    it('Should fail with an invalid user id', async function () {
      await server.twoFactor.confirmRequest({
        userId: 'invalid' as any,
        requestToken: rootRequestToken,
        otpToken: rootOTPToken,
        expectedStatus: HttpStatusCode.BAD_REQUEST_400
      })
    })

    it('Should fail to confirm another user two factor request without the appropriate rights', async function () {
      await server.twoFactor.confirmRequest({
        userId: rootId,
        token: userToken,
        requestToken: rootRequestToken,
        otpToken: rootOTPToken,
        expectedStatus: HttpStatusCode.FORBIDDEN_403
      })
    })

    it('Should fail without request token', async function () {
      await server.twoFactor.confirmRequest({
        userId,
        requestToken: undefined,
        otpToken: userOTPToken,
        expectedStatus: HttpStatusCode.BAD_REQUEST_400
      })
    })

    it('Should fail with an invalid request token', async function () {
      await server.twoFactor.confirmRequest({
        userId,
        requestToken: 'toto',
        otpToken: userOTPToken,
        expectedStatus: HttpStatusCode.FORBIDDEN_403
      })
    })

    it('Should fail with request token of another user', async function () {
      await server.twoFactor.confirmRequest({
        userId,
        requestToken: rootRequestToken,
        otpToken: userOTPToken,
        expectedStatus: HttpStatusCode.FORBIDDEN_403
      })
    })

    it('Should fail without an otp token', async function () {
      await server.twoFactor.confirmRequest({
        userId,
        requestToken: userRequestToken,
        otpToken: undefined,
        expectedStatus: HttpStatusCode.BAD_REQUEST_400
      })
    })

    it('Should fail with a bad otp token', async function () {
      await server.twoFactor.confirmRequest({
        userId,
        requestToken: userRequestToken,
        otpToken: '123456',
        expectedStatus: HttpStatusCode.FORBIDDEN_403
      })
    })

    it('Should succeed to confirm another user two factor request with the appropriate rights', async function () {
      await server.twoFactor.confirmRequest({
        userId,
        requestToken: userRequestToken,
        otpToken: userOTPToken
      })

      // Reinit
      await server.twoFactor.disable({ userId, currentPassword: rootPassword })
    })

    it('Should succeed to confirm my two factor request', async function () {
      await server.twoFactor.confirmRequest({
        userId,
        token: userToken,
        requestToken: userRequestToken,
        otpToken: userOTPToken
      })
    })

    it('Should fail to confirm again two factor request', async function () {
      await server.twoFactor.confirmRequest({
        userId,
        token: userToken,
        requestToken: userRequestToken,
        otpToken: userOTPToken,
        expectedStatus: HttpStatusCode.BAD_REQUEST_400
      })
    })
  })

  describe('When disabling two factor', function () {

    it('Should fail with an unknown user id', async function () {
      await server.twoFactor.disable({
        userId: 42,
        currentPassword: rootPassword,
        expectedStatus: HttpStatusCode.NOT_FOUND_404
      })
    })

    it('Should fail with an invalid user id', async function () {
      await server.twoFactor.disable({
        userId: 'invalid' as any,
        currentPassword: rootPassword,
        expectedStatus: HttpStatusCode.BAD_REQUEST_400
      })
    })

    it('Should fail to disable another user two factor without the appropriate rights', async function () {
      await server.twoFactor.disable({
        userId: rootId,
        token: userToken,
        currentPassword: userPassword,
        expectedStatus: HttpStatusCode.FORBIDDEN_403
      })
    })

    it('Should fail to disable two factor with an incorrect password', async function () {
      await server.twoFactor.disable({
        userId,
        token: userToken,
        currentPassword: rootPassword,
        expectedStatus: HttpStatusCode.FORBIDDEN_403
      })
    })

    it('Should succeed to disable two factor without a password when targeting a remote user with an admin account', async function () {
      await server.twoFactor.disable({ userId })
      await server.twoFactor.requestAndConfirm({ userId })
    })

    it('Should fail to disable two factor without a password when targeting myself with an admin account', async function () {
      await server.twoFactor.disable({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
      await server.twoFactor.disable({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
    })

    it('Should succeed to disable another user two factor with the appropriate rights', async function () {
      await server.twoFactor.disable({ userId, currentPassword: rootPassword })

      await server.twoFactor.requestAndConfirm({ userId })
    })

    it('Should succeed to update my two factor auth', async function () {
      await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword })
    })

    it('Should fail to disable again two factor', async function () {
      await server.twoFactor.disable({
        userId,
        token: userToken,
        currentPassword: userPassword,
        expectedStatus: HttpStatusCode.BAD_REQUEST_400
      })
    })
  })

  after(async function () {
    await cleanupTests([ server ])
  })
})
Commit	Line	Data
56f47830 C	1	/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
	2
	3	import { HttpStatusCode } from '@shared/models'
	4	import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers, TwoFactorCommand } from '@shared/server-commands'
	5
	6	describe('Test two factor API validators', function () {
	7	let server: PeerTubeServer
	8
	9	let rootId: number
	10	let rootPassword: string
	11	let rootRequestToken: string
	12	let rootOTPToken: string
	13
	14	let userId: number
	15	let userToken = ''
	16	let userPassword: string
	17	let userRequestToken: string
	18	let userOTPToken: string
	19
	20	// ---------------------------------------------------------------
	21
	22	before(async function () {
	23	this.timeout(30000)
	24
	25	{
	26	server = await createSingleServer(1)
	27	await setAccessTokensToServers([ server ])
	28	}
	29
	30	{
	31	const result = await server.users.generate('user1')
	32	userToken = result.token
	33	userId = result.userId
	34	userPassword = result.password
	35	}
	36
	37	{
	38	const { id } = await server.users.getMyInfo()
	39	rootId = id
	40	rootPassword = server.store.user.password
	41	}
	42	})
	43
	44	describe('When requesting two factor', function () {
	45
	46	it('Should fail with an unknown user id', async function () {
	47	await server.twoFactor.request({ userId: 42, currentPassword: rootPassword, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
	48	})
	49
	50	it('Should fail with an invalid user id', async function () {
	51	await server.twoFactor.request({
	52	userId: 'invalid' as any,
	53	currentPassword: rootPassword,
	54	expectedStatus: HttpStatusCode.BAD_REQUEST_400
	55	})
	56	})
	57
	58	it('Should fail to request another user two factor without the appropriate rights', async function () {
	59	await server.twoFactor.request({
	60	userId: rootId,
	61	token: userToken,
	62	currentPassword: userPassword,
	63	expectedStatus: HttpStatusCode.FORBIDDEN_403
	64	})
65	})
66
67	it('Should succeed to request another user two factor with the appropriate rights', async function () {
68	await server.twoFactor.request({ userId, currentPassword: rootPassword })
69	})
70
71	it('Should fail to request two factor without a password', async function () {
72	await server.twoFactor.request({
73	userId,
74	token: userToken,
75	currentPassword: undefined,
76	expectedStatus: HttpStatusCode.BAD_REQUEST_400
77	})
78	})
79
80	it('Should fail to request two factor with an incorrect password', async function () {
81	await server.twoFactor.request({
82	userId,
83	token: userToken,
84	currentPassword: rootPassword,
85	expectedStatus: HttpStatusCode.FORBIDDEN_403
86	})
87	})
88
2166c058 C	89	it('Should succeed to request two factor without a password when targeting a remote user with an admin account', async function () {
	90	await server.twoFactor.request({ userId })
	91	})
	92
	93	it('Should fail to request two factor without a password when targeting myself with an admin account', async function () {
	94	await server.twoFactor.request({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
	95	await server.twoFactor.request({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
	96	})
	97
56f47830 C	98	it('Should succeed to request my two factor auth', async function () {
	99	{
	100	const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
	101	userRequestToken = otpRequest.requestToken
	102	userOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
	103	}
	104
	105	{
	106	const { otpRequest } = await server.twoFactor.request({ userId: rootId, currentPassword: rootPassword })
	107	rootRequestToken = otpRequest.requestToken
	108	rootOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
	109	}
	110	})
	111	})
	112
	113	describe('When confirming two factor request', function () {
	114
	115	it('Should fail with an unknown user id', async function () {
	116	await server.twoFactor.confirmRequest({
	117	userId: 42,
	118	requestToken: rootRequestToken,
	119	otpToken: rootOTPToken,
	120	expectedStatus: HttpStatusCode.NOT_FOUND_404
	121	})
	122	})
	123
	124	it('Should fail with an invalid user id', async function () {
	125	await server.twoFactor.confirmRequest({
	126	userId: 'invalid' as any,
	127	requestToken: rootRequestToken,
	128	otpToken: rootOTPToken,
	129	expectedStatus: HttpStatusCode.BAD_REQUEST_400
	130	})
	131	})
	132
	133	it('Should fail to confirm another user two factor request without the appropriate rights', async function () {
	134	await server.twoFactor.confirmRequest({
	135	userId: rootId,
	136	token: userToken,
	137	requestToken: rootRequestToken,
	138	otpToken: rootOTPToken,
	139	expectedStatus: HttpStatusCode.FORBIDDEN_403
	140	})
	141	})
	142
	143	it('Should fail without request token', async function () {
	144	await server.twoFactor.confirmRequest({
	145	userId,
	146	requestToken: undefined,
	147	otpToken: userOTPToken,
	148	expectedStatus: HttpStatusCode.BAD_REQUEST_400
	149	})
	150	})
	151
	152	it('Should fail with an invalid request token', async function () {
	153	await server.twoFactor.confirmRequest({
	154	userId,
	155	requestToken: 'toto',
	156	otpToken: userOTPToken,
	157	expectedStatus: HttpStatusCode.FORBIDDEN_403
	158	})
	159	})
	160
	161	it('Should fail with request token of another user', async function () {
162	await server.twoFactor.confirmRequest({
163	userId,
164	requestToken: rootRequestToken,
165	otpToken: userOTPToken,
166	expectedStatus: HttpStatusCode.FORBIDDEN_403
167	})
168	})
169
170	it('Should fail without an otp token', async function () {
171	await server.twoFactor.confirmRequest({
172	userId,
173	requestToken: userRequestToken,
174	otpToken: undefined,
175	expectedStatus: HttpStatusCode.BAD_REQUEST_400
176	})
177	})
178
179	it('Should fail with a bad otp token', async function () {
180	await server.twoFactor.confirmRequest({
181	userId,
182	requestToken: userRequestToken,
183	otpToken: '123456',
184	expectedStatus: HttpStatusCode.FORBIDDEN_403
185	})
186	})
187
188	it('Should succeed to confirm another user two factor request with the appropriate rights', async function () {
189	await server.twoFactor.confirmRequest({
190	userId,
191	requestToken: userRequestToken,
192	otpToken: userOTPToken
193	})
194
195	// Reinit
196	await server.twoFactor.disable({ userId, currentPassword: rootPassword })
197	})
198
199	it('Should succeed to confirm my two factor request', async function () {
200	await server.twoFactor.confirmRequest({
201	userId,
202	token: userToken,
203	requestToken: userRequestToken,
204	otpToken: userOTPToken
205	})
206	})
207
208	it('Should fail to confirm again two factor request', async function () {
209	await server.twoFactor.confirmRequest({
210	userId,
211	token: userToken,
212	requestToken: userRequestToken,
213	otpToken: userOTPToken,
214	expectedStatus: HttpStatusCode.BAD_REQUEST_400
215	})
216	})
217	})
218
219	describe('When disabling two factor', function () {
220
221	it('Should fail with an unknown user id', async function () {
222	await server.twoFactor.disable({
223	userId: 42,
224	currentPassword: rootPassword,
225	expectedStatus: HttpStatusCode.NOT_FOUND_404
226	})
227	})
228
229	it('Should fail with an invalid user id', async function () {
230	await server.twoFactor.disable({
231	userId: 'invalid' as any,
232	currentPassword: rootPassword,
233	expectedStatus: HttpStatusCode.BAD_REQUEST_400
234	})
235	})
236
237	it('Should fail to disable another user two factor without the appropriate rights', async function () {
238	await server.twoFactor.disable({
239	userId: rootId,
240	token: userToken,
241	currentPassword: userPassword,
242	expectedStatus: HttpStatusCode.FORBIDDEN_403
243	})
244	})
245
2166c058	246	it('Should fail to disable two factor with an incorrect password', async function () {
56f47830 C	247	await server.twoFactor.disable({
	248	userId,
	249	token: userToken,
	250	currentPassword: rootPassword,
	251	expectedStatus: HttpStatusCode.FORBIDDEN_403
	252	})
	253	})
	254
2166c058 C	255	it('Should succeed to disable two factor without a password when targeting a remote user with an admin account', async function () {
	256	await server.twoFactor.disable({ userId })
	257	await server.twoFactor.requestAndConfirm({ userId })
	258	})
	259
	260	it('Should fail to disable two factor without a password when targeting myself with an admin account', async function () {
	261	await server.twoFactor.disable({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
	262	await server.twoFactor.disable({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
	263	})
	264
56f47830 C	265	it('Should succeed to disable another user two factor with the appropriate rights', async function () {
	266	await server.twoFactor.disable({ userId, currentPassword: rootPassword })
	267
2166c058	268	await server.twoFactor.requestAndConfirm({ userId })
56f47830 C	269	})
	270
	271	it('Should succeed to update my two factor auth', async function () {
	272	await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword })
	273	})
	274
	275	it('Should fail to disable again two factor', async function () {
	276	await server.twoFactor.disable({
	277	userId,
	278	token: userToken,
	279	currentPassword: userPassword,
	280	expectedStatus: HttpStatusCode.BAD_REQUEST_400
	281	})
	282	})
	283	})
	284
	285	after(async function () {
	286	await cleanupTests([ server ])
	287	})
	288	})