1 /* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
3 import { HttpStatusCode } from '@shared/models'
4 import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers, TwoFactorCommand } from '@shared/server-commands'
6 describe('Test two factor API validators', function () {
7 let server: PeerTubeServer
10 let rootPassword: string
11 let rootRequestToken: string
12 let rootOTPToken: string
16 let userPassword: string
17 let userRequestToken: string
18 let userOTPToken: string
20 // ---------------------------------------------------------------
22 before(async function () {
26 server = await createSingleServer(1)
27 await setAccessTokensToServers([ server ])
31 const result = await server.users.generate('user1')
32 userToken = result.token
33 userId = result.userId
34 userPassword = result.password
38 const { id } = await server.users.getMyInfo()
40 rootPassword = server.store.user.password
44 describe('When requesting two factor', function () {
46 it('Should fail with an unknown user id', async function () {
47 await server.twoFactor.request({ userId: 42, currentPassword: rootPassword, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
50 it('Should fail with an invalid user id', async function () {
51 await server.twoFactor.request({
52 userId: 'invalid' as any,
53 currentPassword: rootPassword,
54 expectedStatus: HttpStatusCode.BAD_REQUEST_400
58 it('Should fail to request another user two factor without the appropriate rights', async function () {
59 await server.twoFactor.request({
62 currentPassword: userPassword,
63 expectedStatus: HttpStatusCode.FORBIDDEN_403
67 it('Should succeed to request another user two factor with the appropriate rights', async function () {
68 await server.twoFactor.request({ userId, currentPassword: rootPassword })
71 it('Should fail to request two factor without a password', async function () {
72 await server.twoFactor.request({
75 currentPassword: undefined,
76 expectedStatus: HttpStatusCode.BAD_REQUEST_400
80 it('Should fail to request two factor with an incorrect password', async function () {
81 await server.twoFactor.request({
84 currentPassword: rootPassword,
85 expectedStatus: HttpStatusCode.FORBIDDEN_403
89 it('Should succeed to request my two factor auth', async function () {
91 const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
92 userRequestToken = otpRequest.requestToken
93 userOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
97 const { otpRequest } = await server.twoFactor.request({ userId: rootId, currentPassword: rootPassword })
98 rootRequestToken = otpRequest.requestToken
99 rootOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
104 describe('When confirming two factor request', function () {
106 it('Should fail with an unknown user id', async function () {
107 await server.twoFactor.confirmRequest({
109 requestToken: rootRequestToken,
110 otpToken: rootOTPToken,
111 expectedStatus: HttpStatusCode.NOT_FOUND_404
115 it('Should fail with an invalid user id', async function () {
116 await server.twoFactor.confirmRequest({
117 userId: 'invalid' as any,
118 requestToken: rootRequestToken,
119 otpToken: rootOTPToken,
120 expectedStatus: HttpStatusCode.BAD_REQUEST_400
124 it('Should fail to confirm another user two factor request without the appropriate rights', async function () {
125 await server.twoFactor.confirmRequest({
128 requestToken: rootRequestToken,
129 otpToken: rootOTPToken,
130 expectedStatus: HttpStatusCode.FORBIDDEN_403
134 it('Should fail without request token', async function () {
135 await server.twoFactor.confirmRequest({
137 requestToken: undefined,
138 otpToken: userOTPToken,
139 expectedStatus: HttpStatusCode.BAD_REQUEST_400
143 it('Should fail with an invalid request token', async function () {
144 await server.twoFactor.confirmRequest({
146 requestToken: 'toto',
147 otpToken: userOTPToken,
148 expectedStatus: HttpStatusCode.FORBIDDEN_403
152 it('Should fail with request token of another user', async function () {
153 await server.twoFactor.confirmRequest({
155 requestToken: rootRequestToken,
156 otpToken: userOTPToken,
157 expectedStatus: HttpStatusCode.FORBIDDEN_403
161 it('Should fail without an otp token', async function () {
162 await server.twoFactor.confirmRequest({
164 requestToken: userRequestToken,
166 expectedStatus: HttpStatusCode.BAD_REQUEST_400
170 it('Should fail with a bad otp token', async function () {
171 await server.twoFactor.confirmRequest({
173 requestToken: userRequestToken,
175 expectedStatus: HttpStatusCode.FORBIDDEN_403
179 it('Should succeed to confirm another user two factor request with the appropriate rights', async function () {
180 await server.twoFactor.confirmRequest({
182 requestToken: userRequestToken,
183 otpToken: userOTPToken
187 await server.twoFactor.disable({ userId, currentPassword: rootPassword })
190 it('Should succeed to confirm my two factor request', async function () {
191 await server.twoFactor.confirmRequest({
194 requestToken: userRequestToken,
195 otpToken: userOTPToken
199 it('Should fail to confirm again two factor request', async function () {
200 await server.twoFactor.confirmRequest({
203 requestToken: userRequestToken,
204 otpToken: userOTPToken,
205 expectedStatus: HttpStatusCode.BAD_REQUEST_400
210 describe('When disabling two factor', function () {
212 it('Should fail with an unknown user id', async function () {
213 await server.twoFactor.disable({
215 currentPassword: rootPassword,
216 expectedStatus: HttpStatusCode.NOT_FOUND_404
220 it('Should fail with an invalid user id', async function () {
221 await server.twoFactor.disable({
222 userId: 'invalid' as any,
223 currentPassword: rootPassword,
224 expectedStatus: HttpStatusCode.BAD_REQUEST_400
228 it('Should fail to disable another user two factor without the appropriate rights', async function () {
229 await server.twoFactor.disable({
232 currentPassword: userPassword,
233 expectedStatus: HttpStatusCode.FORBIDDEN_403
237 it('Should fail to disabled two factor with an incorrect password', async function () {
238 await server.twoFactor.disable({
241 currentPassword: rootPassword,
242 expectedStatus: HttpStatusCode.FORBIDDEN_403
246 it('Should succeed to disable another user two factor with the appropriate rights', async function () {
247 await server.twoFactor.disable({ userId, currentPassword: rootPassword })
250 const { otpRequest } = await server.twoFactor.request({ userId, currentPassword: rootPassword })
251 await server.twoFactor.confirmRequest({
253 requestToken: otpRequest.requestToken,
254 otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
258 it('Should succeed to update my two factor auth', async function () {
259 await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword })
262 it('Should fail to disable again two factor', async function () {
263 await server.twoFactor.disable({
266 currentPassword: userPassword,
267 expectedStatus: HttpStatusCode.BAD_REQUEST_400
272 after(async function () {
273 await cleanupTests([ server ])