server/tests/api/check-params/users-admin.ts

   1 /* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
   2
   3 import 'mocha'
   4 import { omit } from 'lodash'
   5 import { checkBadCountPagination, checkBadSortPagination, checkBadStartPagination, MockSmtpServer } from '@server/tests/shared'
   6 import { HttpStatusCode, UserAdminFlag, UserRole } from '@shared/models'
   7 import {
   8   cleanupTests,
   9   createSingleServer,
  10   killallServers,
  11   makeGetRequest,
  12   makePostBodyRequest,
  13   makePutBodyRequest,
  14   PeerTubeServer,
  15   setAccessTokensToServers
  16 } from '@shared/server-commands'
  17
  18 describe('Test users admin API validators', function () {
  19   const path = '/api/v1/users/'
  20   let userId: number
  21   let rootId: number
  22   let moderatorId: number
  23   let server: PeerTubeServer
  24   let userToken = ''
  25   let moderatorToken = ''
  26   let emailPort: number
  27
  28   // ---------------------------------------------------------------
  29
  30   before(async function () {
  31     this.timeout(30000)
  32
  33     const emails: object[] = []
  34     emailPort = await MockSmtpServer.Instance.collectEmails(emails)
  35
  36     {
  37       server = await createSingleServer(1)
  38
  39       await setAccessTokensToServers([ server ])
  40     }
  41
  42     {
  43       const result = await server.users.generate('user1')
  44       userToken = result.token
  45       userId = result.userId
  46     }
  47
  48     {
  49       const result = await server.users.generate('moderator1', UserRole.MODERATOR)
  50       moderatorToken = result.token
  51     }
  52
  53     {
  54       const result = await server.users.generate('moderator2', UserRole.MODERATOR)
  55       moderatorId = result.userId
  56     }
  57   })
  58
  59   describe('When listing users', function () {
  60     it('Should fail with a bad start pagination', async function () {
  61       await checkBadStartPagination(server.url, path, server.accessToken)
  62     })
  63
  64     it('Should fail with a bad count pagination', async function () {
  65       await checkBadCountPagination(server.url, path, server.accessToken)
  66     })
  67
  68     it('Should fail with an incorrect sort', async function () {
  69       await checkBadSortPagination(server.url, path, server.accessToken)
  70     })
  71
  72     it('Should fail with a non authenticated user', async function () {
  73       await makeGetRequest({
  74         url: server.url,
  75         path,
  76         expectedStatus: HttpStatusCode.UNAUTHORIZED_401
  77       })
  78     })
  79
  80     it('Should fail with a non admin user', async function () {
  81       await makeGetRequest({
  82         url: server.url,
  83         path,
  84         token: userToken,
  85         expectedStatus: HttpStatusCode.FORBIDDEN_403
  86       })
  87     })
  88   })
  89
  90   describe('When adding a new user', function () {
  91     const baseCorrectParams = {
  92       username: 'user2',
  93       email: 'test@example.com',
  94       password: 'my super password',
  95       videoQuota: -1,
  96       videoQuotaDaily: -1,
  97       role: UserRole.USER,
  98       adminFlags: UserAdminFlag.BYPASS_VIDEO_AUTO_BLACKLIST
  99     }
 100
 101     it('Should fail with a too small username', async function () {
 102       const fields = { ...baseCorrectParams, username: '' }
 103
 104       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 105     })
 106
 107     it('Should fail with a too long username', async function () {
 108       const fields = { ...baseCorrectParams, username: 'super'.repeat(50) }
 109
 110       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 111     })
 112
 113     it('Should fail with a not lowercase username', async function () {
 114       const fields = { ...baseCorrectParams, username: 'Toto' }
 115
 116       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 117     })
 118
 119     it('Should fail with an incorrect username', async function () {
 120       const fields = { ...baseCorrectParams, username: 'my username' }
 121
 122       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 123     })
 124
 125     it('Should fail with a missing email', async function () {
 126       const fields = omit(baseCorrectParams, 'email')
 127
 128       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 129     })
 130
 131     it('Should fail with an invalid email', async function () {
 132       const fields = { ...baseCorrectParams, email: 'test_example.com' }
 133
 134       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 135     })
 136
 137     it('Should fail with a too small password', async function () {
 138       const fields = { ...baseCorrectParams, password: 'bla' }
 139
 140       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 141     })
 142
 143     it('Should fail with a too long password', async function () {
 144       const fields = { ...baseCorrectParams, password: 'super'.repeat(61) }
 145
 146       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 147     })
 148
 149     it('Should fail with empty password and no smtp configured', async function () {
 150       const fields = { ...baseCorrectParams, password: '' }
 151
 152       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 153     })
 154
 155     it('Should succeed with no password on a server with smtp enabled', async function () {
 156       this.timeout(20000)
 157
 158       await killallServers([ server ])
 159
 160       const config = {
 161         smtp: {
 162           hostname: 'localhost',
 163           port: emailPort
 164         }
 165       }
 166       await server.run(config)
 167
 168       const fields = {
 169         ...baseCorrectParams,
 170
 171         password: '',
 172         username: 'create_password',
 173         email: 'create_password@example.com'
 174       }
 175
 176       await makePostBodyRequest({
 177         url: server.url,
 178         path,
 179         token: server.accessToken,
 180         fields,
 181         expectedStatus: HttpStatusCode.OK_200
 182       })
 183     })
 184
 185     it('Should fail with invalid admin flags', async function () {
 186       const fields = { ...baseCorrectParams, adminFlags: 'toto' }
 187
 188       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 189     })
 190
 191     it('Should fail with an non authenticated user', async function () {
 192       await makePostBodyRequest({
 193         url: server.url,
 194         path,
 195         token: 'super token',
 196         fields: baseCorrectParams,
 197         expectedStatus: HttpStatusCode.UNAUTHORIZED_401
 198       })
 199     })
 200
 201     it('Should fail if we add a user with the same username', async function () {
 202       const fields = { ...baseCorrectParams, username: 'user1' }
 203
 204       await makePostBodyRequest({
 205         url: server.url,
 206         path,
 207         token: server.accessToken,
 208         fields,
 209         expectedStatus: HttpStatusCode.CONFLICT_409
 210       })
 211     })
 212
 213     it('Should fail if we add a user with the same email', async function () {
 214       const fields = { ...baseCorrectParams, email: 'user1@example.com' }
 215
 216       await makePostBodyRequest({
 217         url: server.url,
 218         path,
 219         token: server.accessToken,
 220         fields,
 221         expectedStatus: HttpStatusCode.CONFLICT_409
 222       })
 223     })
 224
 225     it('Should fail without a videoQuota', async function () {
 226       const fields = omit(baseCorrectParams, 'videoQuota')
 227
 228       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 229     })
 230
 231     it('Should fail without a videoQuotaDaily', async function () {
 232       const fields = omit(baseCorrectParams, 'videoQuotaDaily')
 233
 234       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 235     })
 236
 237     it('Should fail with an invalid videoQuota', async function () {
 238       const fields = { ...baseCorrectParams, videoQuota: -5 }
 239
 240       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 241     })
 242
 243     it('Should fail with an invalid videoQuotaDaily', async function () {
 244       const fields = { ...baseCorrectParams, videoQuotaDaily: -7 }
 245
 246       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 247     })
 248
 249     it('Should fail without a user role', async function () {
 250       const fields = omit(baseCorrectParams, 'role')
 251
 252       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 253     })
 254
 255     it('Should fail with an invalid user role', async function () {
 256       const fields = { ...baseCorrectParams, role: 88989 }
 257
 258       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 259     })
 260
 261     it('Should fail with a "peertube" username', async function () {
 262       const fields = { ...baseCorrectParams, username: 'peertube' }
 263
 264       await makePostBodyRequest({
 265         url: server.url,
 266         path,
 267         token: server.accessToken,
 268         fields,
 269         expectedStatus: HttpStatusCode.CONFLICT_409
 270       })
 271     })
 272
 273     it('Should fail to create a moderator or an admin with a moderator', async function () {
 274       for (const role of [ UserRole.MODERATOR, UserRole.ADMINISTRATOR ]) {
 275         const fields = { ...baseCorrectParams, role }
 276
 277         await makePostBodyRequest({
 278           url: server.url,
 279           path,
 280           token: moderatorToken,
 281           fields,
 282           expectedStatus: HttpStatusCode.FORBIDDEN_403
 283         })
 284       }
 285     })
 286
 287     it('Should succeed to create a user with a moderator', async function () {
 288       const fields = { ...baseCorrectParams, username: 'a4656', email: 'a4656@example.com', role: UserRole.USER }
 289
 290       await makePostBodyRequest({
 291         url: server.url,
 292         path,
 293         token: moderatorToken,
 294         fields,
 295         expectedStatus: HttpStatusCode.OK_200
 296       })
 297     })
 298
 299     it('Should succeed with the correct params', async function () {
 300       await makePostBodyRequest({
 301         url: server.url,
 302         path,
 303         token: server.accessToken,
 304         fields: baseCorrectParams,
 305         expectedStatus: HttpStatusCode.OK_200
 306       })
 307     })
 308
 309     it('Should fail with a non admin user', async function () {
 310       const user = { username: 'user1' }
 311       userToken = await server.login.getAccessToken(user)
 312
 313       const fields = {
 314         username: 'user3',
 315         email: 'test@example.com',
 316         password: 'my super password',
 317         videoQuota: 42000000
 318       }
 319       await makePostBodyRequest({ url: server.url, path, token: userToken, fields, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 320     })
 321   })
 322
 323   describe('When getting a user', function () {
 324
 325     it('Should fail with an non authenticated user', async function () {
 326       await makeGetRequest({
 327         url: server.url,
 328         path: path + userId,
 329         token: 'super token',
 330         expectedStatus: HttpStatusCode.UNAUTHORIZED_401
 331       })
 332     })
 333
 334     it('Should fail with a non admin user', async function () {
 335       await makeGetRequest({ url: server.url, path, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 336     })
 337
 338     it('Should succeed with the correct params', async function () {
 339       await makeGetRequest({ url: server.url, path: path + userId, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 340     })
 341   })
 342
 343   describe('When updating a user', function () {
 344
 345     it('Should fail with an invalid email attribute', async function () {
 346       const fields = {
 347         email: 'blabla'
 348       }
 349
 350       await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields })
 351     })
 352
 353     it('Should fail with an invalid emailVerified attribute', async function () {
 354       const fields = {
 355         emailVerified: 'yes'
 356       }
 357
 358       await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields })
 359     })
 360
 361     it('Should fail with an invalid videoQuota attribute', async function () {
 362       const fields = {
 363         videoQuota: -90
 364       }
 365
 366       await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields })
 367     })
 368
 369     it('Should fail with an invalid user role attribute', async function () {
 370       const fields = {
 371         role: 54878
 372       }
 373
 374       await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields })
 375     })
 376
 377     it('Should fail with a too small password', async function () {
 378       const fields = {
 379         currentPassword: 'password',
 380         password: 'bla'
 381       }
 382
 383       await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields })
 384     })
 385
 386     it('Should fail with a too long password', async function () {
 387       const fields = {
 388         currentPassword: 'password',
 389         password: 'super'.repeat(61)
 390       }
 391
 392       await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields })
 393     })
 394
 395     it('Should fail with an non authenticated user', async function () {
 396       const fields = {
 397         videoQuota: 42
 398       }
 399
 400       await makePutBodyRequest({
 401         url: server.url,
 402         path: path + userId,
 403         token: 'super token',
 404         fields,
 405         expectedStatus: HttpStatusCode.UNAUTHORIZED_401
 406       })
 407     })
 408
 409     it('Should fail when updating root role', async function () {
 410       const fields = {
 411         role: UserRole.MODERATOR
 412       }
 413
 414       await makePutBodyRequest({ url: server.url, path: path + rootId, token: server.accessToken, fields })
 415     })
 416
 417     it('Should fail with invalid admin flags', async function () {
 418       const fields = { adminFlags: 'toto' }
 419
 420       await makePutBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 421     })
 422
 423     it('Should fail to update an admin with a moderator', async function () {
 424       const fields = {
 425         videoQuota: 42
 426       }
 427
 428       await makePutBodyRequest({
 429         url: server.url,
 430         path: path + moderatorId,
 431         token: moderatorToken,
 432         fields,
 433         expectedStatus: HttpStatusCode.FORBIDDEN_403
 434       })
 435     })
 436
 437     it('Should succeed to update a user with a moderator', async function () {
 438       const fields = {
 439         videoQuota: 42
 440       }
 441
 442       await makePutBodyRequest({
 443         url: server.url,
 444         path: path + userId,
 445         token: moderatorToken,
 446         fields,
 447         expectedStatus: HttpStatusCode.NO_CONTENT_204
 448       })
 449     })
 450
 451     it('Should succeed with the correct params', async function () {
 452       const fields = {
 453         email: 'email@example.com',
 454         emailVerified: true,
 455         videoQuota: 42,
 456         role: UserRole.USER
 457       }
 458
 459       await makePutBodyRequest({
 460         url: server.url,
 461         path: path + userId,
 462         token: server.accessToken,
 463         fields,
 464         expectedStatus: HttpStatusCode.NO_CONTENT_204
 465       })
 466     })
 467   })
 468
 469   after(async function () {
 470     MockSmtpServer.Instance.kill()
 471
 472     await cleanupTests([ server ])
 473   })
 474 })