[github/Chocobozzz/PeerTube.git] / server / tests / api / check-params / two-factor.ts

/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */

import { HttpStatusCode } from '@shared/models'
import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers, TwoFactorCommand } from '@shared/server-commands'

describe('Test two factor API validators', function () {
  let server: PeerTubeServer

  let rootId: number
  let rootPassword: string
  let rootRequestToken: string
  let rootOTPToken: string

  let userId: number
  let userToken = ''
  let userPassword: string
  let userRequestToken: string
  let userOTPToken: string

  // ---------------------------------------------------------------

  before(async function () {
    this.timeout(30000)

    {
      server = await createSingleServer(1)
      await setAccessTokensToServers([ server ])
    }

    {
      const result = await server.users.generate('user1')
      userToken = result.token
      userId = result.userId
      userPassword = result.password
    }

    {
      const { id } = await server.users.getMyInfo()
      rootId = id
      rootPassword = server.store.user.password
    }
  })

  describe('When requesting two factor', function () {

    it('Should fail with an unknown user id', async function () {
      await server.twoFactor.request({ userId: 42, currentPassword: rootPassword, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
    })

    it('Should fail with an invalid user id', async function () {
      await server.twoFactor.request({
        userId: 'invalid' as any,
        currentPassword: rootPassword,
        expectedStatus: HttpStatusCode.BAD_REQUEST_400
      })
    })

    it('Should fail to request another user two factor without the appropriate rights', async function () {
      await server.twoFactor.request({
        userId: rootId,
        token: userToken,
        currentPassword: userPassword,
        expectedStatus: HttpStatusCode.FORBIDDEN_403
      })
    })

    it('Should succeed to request another user two factor with the appropriate rights', async function () {
      await server.twoFactor.request({ userId, currentPassword: rootPassword })
    })

    it('Should fail to request two factor without a password', async function () {
      await server.twoFactor.request({
        userId,
        token: userToken,
        currentPassword: undefined,
        expectedStatus: HttpStatusCode.BAD_REQUEST_400
      })
    })

    it('Should fail to request two factor with an incorrect password', async function () {
      await server.twoFactor.request({
        userId,
        token: userToken,
        currentPassword: rootPassword,
        expectedStatus: HttpStatusCode.FORBIDDEN_403
      })
    })

    it('Should succeed to request my two factor auth', async function () {
      {
        const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
        userRequestToken = otpRequest.requestToken
        userOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
      }

      {
        const { otpRequest } = await server.twoFactor.request({ userId: rootId, currentPassword: rootPassword })
        rootRequestToken = otpRequest.requestToken
        rootOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
      }
    })
  })

  describe('When confirming two factor request', function () {

    it('Should fail with an unknown user id', async function () {
      await server.twoFactor.confirmRequest({
        userId: 42,
        requestToken: rootRequestToken,
        otpToken: rootOTPToken,
        expectedStatus: HttpStatusCode.NOT_FOUND_404
      })
    })

    it('Should fail with an invalid user id', async function () {
      await server.twoFactor.confirmRequest({
        userId: 'invalid' as any,
        requestToken: rootRequestToken,
        otpToken: rootOTPToken,
        expectedStatus: HttpStatusCode.BAD_REQUEST_400
      })
    })

    it('Should fail to confirm another user two factor request without the appropriate rights', async function () {
      await server.twoFactor.confirmRequest({
        userId: rootId,
        token: userToken,
        requestToken: rootRequestToken,
        otpToken: rootOTPToken,
        expectedStatus: HttpStatusCode.FORBIDDEN_403
      })
    })

    it('Should fail without request token', async function () {
      await server.twoFactor.confirmRequest({
        userId,
        requestToken: undefined,
        otpToken: userOTPToken,
        expectedStatus: HttpStatusCode.BAD_REQUEST_400
      })
    })

    it('Should fail with an invalid request token', async function () {
      await server.twoFactor.confirmRequest({
        userId,
        requestToken: 'toto',
        otpToken: userOTPToken,
        expectedStatus: HttpStatusCode.FORBIDDEN_403
      })
    })

    it('Should fail with request token of another user', async function () {
      await server.twoFactor.confirmRequest({
        userId,
        requestToken: rootRequestToken,
        otpToken: userOTPToken,
        expectedStatus: HttpStatusCode.FORBIDDEN_403
      })
    })

    it('Should fail without an otp token', async function () {
      await server.twoFactor.confirmRequest({
        userId,
        requestToken: userRequestToken,
        otpToken: undefined,
        expectedStatus: HttpStatusCode.BAD_REQUEST_400
      })
    })

    it('Should fail with a bad otp token', async function () {
      await server.twoFactor.confirmRequest({
        userId,
        requestToken: userRequestToken,
        otpToken: '123456',
        expectedStatus: HttpStatusCode.FORBIDDEN_403
      })
    })

    it('Should succeed to confirm another user two factor request with the appropriate rights', async function () {
      await server.twoFactor.confirmRequest({
        userId,
        requestToken: userRequestToken,
        otpToken: userOTPToken
      })

      // Reinit
      await server.twoFactor.disable({ userId, currentPassword: rootPassword })
    })

    it('Should succeed to confirm my two factor request', async function () {
      await server.twoFactor.confirmRequest({
        userId,
        token: userToken,
        requestToken: userRequestToken,
        otpToken: userOTPToken
      })
    })

    it('Should fail to confirm again two factor request', async function () {
      await server.twoFactor.confirmRequest({
        userId,
        token: userToken,
        requestToken: userRequestToken,
        otpToken: userOTPToken,
        expectedStatus: HttpStatusCode.BAD_REQUEST_400
      })
    })
  })

  describe('When disabling two factor', function () {

    it('Should fail with an unknown user id', async function () {
      await server.twoFactor.disable({
        userId: 42,
        currentPassword: rootPassword,
        expectedStatus: HttpStatusCode.NOT_FOUND_404
      })
    })

    it('Should fail with an invalid user id', async function () {
      await server.twoFactor.disable({
        userId: 'invalid' as any,
        currentPassword: rootPassword,
        expectedStatus: HttpStatusCode.BAD_REQUEST_400
      })
    })

    it('Should fail to disable another user two factor without the appropriate rights', async function () {
      await server.twoFactor.disable({
        userId: rootId,
        token: userToken,
        currentPassword: userPassword,
        expectedStatus: HttpStatusCode.FORBIDDEN_403
      })
    })

    it('Should fail to disabled two factor with an incorrect password', async function () {
      await server.twoFactor.disable({
        userId,
        token: userToken,
        currentPassword: rootPassword,
        expectedStatus: HttpStatusCode.FORBIDDEN_403
      })
    })

    it('Should succeed to disable another user two factor with the appropriate rights', async function () {
      await server.twoFactor.disable({ userId, currentPassword: rootPassword })

      // Reinit
      const { otpRequest } = await server.twoFactor.request({ userId, currentPassword: rootPassword })
      await server.twoFactor.confirmRequest({
        userId,
        requestToken: otpRequest.requestToken,
        otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
      })
    })

    it('Should succeed to update my two factor auth', async function () {
      await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword })
    })

    it('Should fail to disable again two factor', async function () {
      await server.twoFactor.disable({
        userId,
        token: userToken,
        currentPassword: userPassword,
        expectedStatus: HttpStatusCode.BAD_REQUEST_400
      })
    })
  })

  after(async function () {
    await cleanupTests([ server ])
  })
})
Commit	Line	Data
56f47830 C	1	/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
	2
	3	import { HttpStatusCode } from '@shared/models'
	4	import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers, TwoFactorCommand } from '@shared/server-commands'
	5
	6	describe('Test two factor API validators', function () {
	7	let server: PeerTubeServer
	8
	9	let rootId: number
	10	let rootPassword: string
	11	let rootRequestToken: string
	12	let rootOTPToken: string
	13
	14	let userId: number
	15	let userToken = ''
	16	let userPassword: string
	17	let userRequestToken: string
	18	let userOTPToken: string
	19
	20	// ---------------------------------------------------------------
	21
	22	before(async function () {
	23	this.timeout(30000)
	24
	25	{
	26	server = await createSingleServer(1)
	27	await setAccessTokensToServers([ server ])
	28	}
	29
	30	{
	31	const result = await server.users.generate('user1')
	32	userToken = result.token
	33	userId = result.userId
	34	userPassword = result.password
	35	}
	36
	37	{
	38	const { id } = await server.users.getMyInfo()
	39	rootId = id
	40	rootPassword = server.store.user.password
	41	}
	42	})
	43
	44	describe('When requesting two factor', function () {
	45
	46	it('Should fail with an unknown user id', async function () {
	47	await server.twoFactor.request({ userId: 42, currentPassword: rootPassword, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
	48	})
	49
	50	it('Should fail with an invalid user id', async function () {
	51	await server.twoFactor.request({
	52	userId: 'invalid' as any,
	53	currentPassword: rootPassword,
	54	expectedStatus: HttpStatusCode.BAD_REQUEST_400
	55	})
	56	})
	57
	58	it('Should fail to request another user two factor without the appropriate rights', async function () {
	59	await server.twoFactor.request({
	60	userId: rootId,
	61	token: userToken,
	62	currentPassword: userPassword,
	63	expectedStatus: HttpStatusCode.FORBIDDEN_403
	64	})
65	})
66
67	it('Should succeed to request another user two factor with the appropriate rights', async function () {
68	await server.twoFactor.request({ userId, currentPassword: rootPassword })
69	})
70
71	it('Should fail to request two factor without a password', async function () {
72	await server.twoFactor.request({
73	userId,
74	token: userToken,
75	currentPassword: undefined,
76	expectedStatus: HttpStatusCode.BAD_REQUEST_400
77	})
78	})
79
80	it('Should fail to request two factor with an incorrect password', async function () {
81	await server.twoFactor.request({
82	userId,
83	token: userToken,
84	currentPassword: rootPassword,
85	expectedStatus: HttpStatusCode.FORBIDDEN_403
86	})
87	})
88
89	it('Should succeed to request my two factor auth', async function () {
90	{
91	const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
92	userRequestToken = otpRequest.requestToken
93	userOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
94	}
95
96	{
97	const { otpRequest } = await server.twoFactor.request({ userId: rootId, currentPassword: rootPassword })
98	rootRequestToken = otpRequest.requestToken
99	rootOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
100	}
101	})
102	})
103
104	describe('When confirming two factor request', function () {
105
106	it('Should fail with an unknown user id', async function () {
107	await server.twoFactor.confirmRequest({
108	userId: 42,
109	requestToken: rootRequestToken,
110	otpToken: rootOTPToken,
111	expectedStatus: HttpStatusCode.NOT_FOUND_404
112	})
113	})
114
115	it('Should fail with an invalid user id', async function () {
116	await server.twoFactor.confirmRequest({
117	userId: 'invalid' as any,
118	requestToken: rootRequestToken,
119	otpToken: rootOTPToken,
120	expectedStatus: HttpStatusCode.BAD_REQUEST_400
121	})
122	})
123
124	it('Should fail to confirm another user two factor request without the appropriate rights', async function () {
125	await server.twoFactor.confirmRequest({
126	userId: rootId,
127	token: userToken,
128	requestToken: rootRequestToken,
129	otpToken: rootOTPToken,
130	expectedStatus: HttpStatusCode.FORBIDDEN_403
131	})
132	})
133
134	it('Should fail without request token', async function () {
135	await server.twoFactor.confirmRequest({
136	userId,
137	requestToken: undefined,
138	otpToken: userOTPToken,
139	expectedStatus: HttpStatusCode.BAD_REQUEST_400
140	})
141	})
142
143	it('Should fail with an invalid request token', async function () {
144	await server.twoFactor.confirmRequest({
145	userId,
146	requestToken: 'toto',
147	otpToken: userOTPToken,
148	expectedStatus: HttpStatusCode.FORBIDDEN_403
149	})
150	})
151
152	it('Should fail with request token of another user', async function () {
153	await server.twoFactor.confirmRequest({
154	userId,
155	requestToken: rootRequestToken,
156	otpToken: userOTPToken,
157	expectedStatus: HttpStatusCode.FORBIDDEN_403
158	})
159	})
160
161	it('Should fail without an otp token', async function () {
162	await server.twoFactor.confirmRequest({
163	userId,
164	requestToken: userRequestToken,
165	otpToken: undefined,
166	expectedStatus: HttpStatusCode.BAD_REQUEST_400
167	})
168	})
169
170	it('Should fail with a bad otp token', async function () {
171	await server.twoFactor.confirmRequest({
172	userId,
173	requestToken: userRequestToken,
174	otpToken: '123456',
175	expectedStatus: HttpStatusCode.FORBIDDEN_403
176	})
177	})
178
179	it('Should succeed to confirm another user two factor request with the appropriate rights', async function () {
180	await server.twoFactor.confirmRequest({
181	userId,
182	requestToken: userRequestToken,
183	otpToken: userOTPToken
184	})
185
186	// Reinit
187	await server.twoFactor.disable({ userId, currentPassword: rootPassword })
188	})
189
190	it('Should succeed to confirm my two factor request', async function () {
191	await server.twoFactor.confirmRequest({
192	userId,
193	token: userToken,
194	requestToken: userRequestToken,
195	otpToken: userOTPToken
196	})
197	})
198
199	it('Should fail to confirm again two factor request', async function () {
200	await server.twoFactor.confirmRequest({
201	userId,
202	token: userToken,
203	requestToken: userRequestToken,
204	otpToken: userOTPToken,
205	expectedStatus: HttpStatusCode.BAD_REQUEST_400
206	})
207	})
208	})
209
210	describe('When disabling two factor', function () {
211
212	it('Should fail with an unknown user id', async function () {
213	await server.twoFactor.disable({
214	userId: 42,
215	currentPassword: rootPassword,
216	expectedStatus: HttpStatusCode.NOT_FOUND_404
217	})
218	})
219
220	it('Should fail with an invalid user id', async function () {
221	await server.twoFactor.disable({
222	userId: 'invalid' as any,
223	currentPassword: rootPassword,
224	expectedStatus: HttpStatusCode.BAD_REQUEST_400
225	})
226	})
227
228	it('Should fail to disable another user two factor without the appropriate rights', async function () {
229	await server.twoFactor.disable({
230	userId: rootId,
231	token: userToken,
232	currentPassword: userPassword,
233	expectedStatus: HttpStatusCode.FORBIDDEN_403
234	})
235	})
236
237	it('Should fail to disabled two factor with an incorrect password', async function () {
238	await server.twoFactor.disable({
239	userId,
240	token: userToken,
241	currentPassword: rootPassword,
242	expectedStatus: HttpStatusCode.FORBIDDEN_403
243	})
244	})
245
246	it('Should succeed to disable another user two factor with the appropriate rights', async function () {
247	await server.twoFactor.disable({ userId, currentPassword: rootPassword })
248
249	// Reinit
250	const { otpRequest } = await server.twoFactor.request({ userId, currentPassword: rootPassword })
251	await server.twoFactor.confirmRequest({
252	userId,
253	requestToken: otpRequest.requestToken,
254	otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
255	})
256	})
257
258	it('Should succeed to update my two factor auth', async function () {
259	await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword })
260	})
261
262	it('Should fail to disable again two factor', async function () {
263	await server.twoFactor.disable({
264	userId,
265	token: userToken,
266	currentPassword: userPassword,
267	expectedStatus: HttpStatusCode.BAD_REQUEST_400
268	})
269	})
270	})
271
272	after(async function () {
273	await cleanupTests([ server ])
274	})
275	})