server/tests/api/check-params/users-admin.ts

   1 /* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
   2
   3 import { checkBadCountPagination, checkBadSortPagination, checkBadStartPagination, MockSmtpServer } from '@server/tests/shared'
   4 import { omit } from '@shared/core-utils'
   5 import { HttpStatusCode, UserAdminFlag, UserRole } from '@shared/models'
   6 import {
   7   cleanupTests,
   8   ConfigCommand,
   9   createSingleServer,
  10   killallServers,
  11   makeGetRequest,
  12   makePostBodyRequest,
  13   makePutBodyRequest,
  14   PeerTubeServer,
  15   setAccessTokensToServers
  16 } from '@shared/server-commands'
  17
  18 describe('Test users admin API validators', function () {
  19   const path = '/api/v1/users/'
  20   let userId: number
  21   let rootId: number
  22   let moderatorId: number
  23   let server: PeerTubeServer
  24   let userToken = ''
  25   let moderatorToken = ''
  26   let emailPort: number
  27
  28   // ---------------------------------------------------------------
  29
  30   before(async function () {
  31     this.timeout(30000)
  32
  33     const emails: object[] = []
  34     emailPort = await MockSmtpServer.Instance.collectEmails(emails)
  35
  36     {
  37       server = await createSingleServer(1)
  38
  39       await setAccessTokensToServers([ server ])
  40     }
  41
  42     {
  43       const result = await server.users.generate('user1')
  44       userToken = result.token
  45       userId = result.userId
  46     }
  47
  48     {
  49       const result = await server.users.generate('moderator1', UserRole.MODERATOR)
  50       moderatorToken = result.token
  51     }
  52
  53     {
  54       const result = await server.users.generate('moderator2', UserRole.MODERATOR)
  55       moderatorId = result.userId
  56     }
  57   })
  58
  59   describe('When listing users', function () {
  60     it('Should fail with a bad start pagination', async function () {
  61       await checkBadStartPagination(server.url, path, server.accessToken)
  62     })
  63
  64     it('Should fail with a bad count pagination', async function () {
  65       await checkBadCountPagination(server.url, path, server.accessToken)
  66     })
  67
  68     it('Should fail with an incorrect sort', async function () {
  69       await checkBadSortPagination(server.url, path, server.accessToken)
  70     })
  71
  72     it('Should fail with a non authenticated user', async function () {
  73       await makeGetRequest({
  74         url: server.url,
  75         path,
  76         expectedStatus: HttpStatusCode.UNAUTHORIZED_401
  77       })
  78     })
  79
  80     it('Should fail with a non admin user', async function () {
  81       await makeGetRequest({
  82         url: server.url,
  83         path,
  84         token: userToken,
  85         expectedStatus: HttpStatusCode.FORBIDDEN_403
  86       })
  87     })
  88   })
  89
  90   describe('When adding a new user', function () {
  91     const baseCorrectParams = {
  92       username: 'user2',
  93       email: 'test@example.com',
  94       password: 'my super password',
  95       videoQuota: -1,
  96       videoQuotaDaily: -1,
  97       role: UserRole.USER,
  98       adminFlags: UserAdminFlag.BYPASS_VIDEO_AUTO_BLACKLIST
  99     }
 100
 101     it('Should fail with a too small username', async function () {
 102       const fields = { ...baseCorrectParams, username: '' }
 103
 104       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 105     })
 106
 107     it('Should fail with a too long username', async function () {
 108       const fields = { ...baseCorrectParams, username: 'super'.repeat(50) }
 109
 110       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 111     })
 112
 113     it('Should fail with a not lowercase username', async function () {
 114       const fields = { ...baseCorrectParams, username: 'Toto' }
 115
 116       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 117     })
 118
 119     it('Should fail with an incorrect username', async function () {
 120       const fields = { ...baseCorrectParams, username: 'my username' }
 121
 122       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 123     })
 124
 125     it('Should fail with a missing email', async function () {
 126       const fields = omit(baseCorrectParams, [ 'email' ])
 127
 128       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 129     })
 130
 131     it('Should fail with an invalid email', async function () {
 132       const fields = { ...baseCorrectParams, email: 'test_example.com' }
 133
 134       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 135     })
 136
 137     it('Should fail with a too small password', async function () {
 138       const fields = { ...baseCorrectParams, password: 'bla' }
 139
 140       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 141     })
 142
 143     it('Should fail with a too long password', async function () {
 144       const fields = { ...baseCorrectParams, password: 'super'.repeat(61) }
 145
 146       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 147     })
 148
 149     it('Should fail with empty password and no smtp configured', async function () {
 150       const fields = { ...baseCorrectParams, password: '' }
 151
 152       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 153     })
 154
 155     it('Should succeed with no password on a server with smtp enabled', async function () {
 156       this.timeout(20000)
 157
 158       await killallServers([ server ])
 159
 160       await server.run(ConfigCommand.getEmailOverrideConfig(emailPort))
 161
 162       const fields = {
 163         ...baseCorrectParams,
 164
 165         password: '',
 166         username: 'create_password',
 167         email: 'create_password@example.com'
 168       }
 169
 170       await makePostBodyRequest({
 171         url: server.url,
 172         path,
 173         token: server.accessToken,
 174         fields,
 175         expectedStatus: HttpStatusCode.OK_200
 176       })
 177     })
 178
 179     it('Should fail with invalid admin flags', async function () {
 180       const fields = { ...baseCorrectParams, adminFlags: 'toto' }
 181
 182       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 183     })
 184
 185     it('Should fail with an non authenticated user', async function () {
 186       await makePostBodyRequest({
 187         url: server.url,
 188         path,
 189         token: 'super token',
 190         fields: baseCorrectParams,
 191         expectedStatus: HttpStatusCode.UNAUTHORIZED_401
 192       })
 193     })
 194
 195     it('Should fail if we add a user with the same username', async function () {
 196       const fields = { ...baseCorrectParams, username: 'user1' }
 197
 198       await makePostBodyRequest({
 199         url: server.url,
 200         path,
 201         token: server.accessToken,
 202         fields,
 203         expectedStatus: HttpStatusCode.CONFLICT_409
 204       })
 205     })
 206
 207     it('Should fail if we add a user with the same email', async function () {
 208       const fields = { ...baseCorrectParams, email: 'user1@example.com' }
 209
 210       await makePostBodyRequest({
 211         url: server.url,
 212         path,
 213         token: server.accessToken,
 214         fields,
 215         expectedStatus: HttpStatusCode.CONFLICT_409
 216       })
 217     })
 218
 219     it('Should fail without a videoQuota', async function () {
 220       const fields = omit(baseCorrectParams, [ 'videoQuota' ])
 221
 222       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 223     })
 224
 225     it('Should fail without a videoQuotaDaily', async function () {
 226       const fields = omit(baseCorrectParams, [ 'videoQuotaDaily' ])
 227
 228       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 229     })
 230
 231     it('Should fail with an invalid videoQuota', async function () {
 232       const fields = { ...baseCorrectParams, videoQuota: -5 }
 233
 234       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 235     })
 236
 237     it('Should fail with an invalid videoQuotaDaily', async function () {
 238       const fields = { ...baseCorrectParams, videoQuotaDaily: -7 }
 239
 240       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 241     })
 242
 243     it('Should fail without a user role', async function () {
 244       const fields = omit(baseCorrectParams, [ 'role' ])
 245
 246       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 247     })
 248
 249     it('Should fail with an invalid user role', async function () {
 250       const fields = { ...baseCorrectParams, role: 88989 }
 251
 252       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 253     })
 254
 255     it('Should fail with a "peertube" username', async function () {
 256       const fields = { ...baseCorrectParams, username: 'peertube' }
 257
 258       await makePostBodyRequest({
 259         url: server.url,
 260         path,
 261         token: server.accessToken,
 262         fields,
 263         expectedStatus: HttpStatusCode.CONFLICT_409
 264       })
 265     })
 266
 267     it('Should fail to create a moderator or an admin with a moderator', async function () {
 268       for (const role of [ UserRole.MODERATOR, UserRole.ADMINISTRATOR ]) {
 269         const fields = { ...baseCorrectParams, role }
 270
 271         await makePostBodyRequest({
 272           url: server.url,
 273           path,
 274           token: moderatorToken,
 275           fields,
 276           expectedStatus: HttpStatusCode.FORBIDDEN_403
 277         })
 278       }
 279     })
 280
 281     it('Should succeed to create a user with a moderator', async function () {
 282       const fields = { ...baseCorrectParams, username: 'a4656', email: 'a4656@example.com', role: UserRole.USER }
 283
 284       await makePostBodyRequest({
 285         url: server.url,
 286         path,
 287         token: moderatorToken,
 288         fields,
 289         expectedStatus: HttpStatusCode.OK_200
 290       })
 291     })
 292
 293     it('Should succeed with the correct params', async function () {
 294       await makePostBodyRequest({
 295         url: server.url,
 296         path,
 297         token: server.accessToken,
 298         fields: baseCorrectParams,
 299         expectedStatus: HttpStatusCode.OK_200
 300       })
 301     })
 302
 303     it('Should fail with a non admin user', async function () {
 304       const user = { username: 'user1' }
 305       userToken = await server.login.getAccessToken(user)
 306
 307       const fields = {
 308         username: 'user3',
 309         email: 'test@example.com',
 310         password: 'my super password',
 311         videoQuota: 42000000
 312       }
 313       await makePostBodyRequest({ url: server.url, path, token: userToken, fields, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 314     })
 315   })
 316
 317   describe('When getting a user', function () {
 318
 319     it('Should fail with an non authenticated user', async function () {
 320       await makeGetRequest({
 321         url: server.url,
 322         path: path + userId,
 323         token: 'super token',
 324         expectedStatus: HttpStatusCode.UNAUTHORIZED_401
 325       })
 326     })
 327
 328     it('Should fail with a non admin user', async function () {
 329       await makeGetRequest({ url: server.url, path, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 330     })
 331
 332     it('Should succeed with the correct params', async function () {
 333       await makeGetRequest({ url: server.url, path: path + userId, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 334     })
 335   })
 336
 337   describe('When updating a user', function () {
 338
 339     it('Should fail with an invalid email attribute', async function () {
 340       const fields = {
 341         email: 'blabla'
 342       }
 343
 344       await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields })
 345     })
 346
 347     it('Should fail with an invalid emailVerified attribute', async function () {
 348       const fields = {
 349         emailVerified: 'yes'
 350       }
 351
 352       await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields })
 353     })
 354
 355     it('Should fail with an invalid videoQuota attribute', async function () {
 356       const fields = {
 357         videoQuota: -90
 358       }
 359
 360       await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields })
 361     })
 362
 363     it('Should fail with an invalid user role attribute', async function () {
 364       const fields = {
 365         role: 54878
 366       }
 367
 368       await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields })
 369     })
 370
 371     it('Should fail with a too small password', async function () {
 372       const fields = {
 373         currentPassword: 'password',
 374         password: 'bla'
 375       }
 376
 377       await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields })
 378     })
 379
 380     it('Should fail with a too long password', async function () {
 381       const fields = {
 382         currentPassword: 'password',
 383         password: 'super'.repeat(61)
 384       }
 385
 386       await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields })
 387     })
 388
 389     it('Should fail with an non authenticated user', async function () {
 390       const fields = {
 391         videoQuota: 42
 392       }
 393
 394       await makePutBodyRequest({
 395         url: server.url,
 396         path: path + userId,
 397         token: 'super token',
 398         fields,
 399         expectedStatus: HttpStatusCode.UNAUTHORIZED_401
 400       })
 401     })
 402
 403     it('Should fail when updating root role', async function () {
 404       const fields = {
 405         role: UserRole.MODERATOR
 406       }
 407
 408       await makePutBodyRequest({ url: server.url, path: path + rootId, token: server.accessToken, fields })
 409     })
 410
 411     it('Should fail with invalid admin flags', async function () {
 412       const fields = { adminFlags: 'toto' }
 413
 414       await makePutBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 415     })
 416
 417     it('Should fail to update an admin with a moderator', async function () {
 418       const fields = {
 419         videoQuota: 42
 420       }
 421
 422       await makePutBodyRequest({
 423         url: server.url,
 424         path: path + moderatorId,
 425         token: moderatorToken,
 426         fields,
 427         expectedStatus: HttpStatusCode.FORBIDDEN_403
 428       })
 429     })
 430
 431     it('Should succeed to update a user with a moderator', async function () {
 432       const fields = {
 433         videoQuota: 42
 434       }
 435
 436       await makePutBodyRequest({
 437         url: server.url,
 438         path: path + userId,
 439         token: moderatorToken,
 440         fields,
 441         expectedStatus: HttpStatusCode.NO_CONTENT_204
 442       })
 443     })
 444
 445     it('Should succeed with the correct params', async function () {
 446       const fields = {
 447         email: 'email@example.com',
 448         emailVerified: true,
 449         videoQuota: 42,
 450         role: UserRole.USER
 451       }
 452
 453       await makePutBodyRequest({
 454         url: server.url,
 455         path: path + userId,
 456         token: server.accessToken,
 457         fields,
 458         expectedStatus: HttpStatusCode.NO_CONTENT_204
 459       })
 460     })
 461   })
 462
 463   after(async function () {
 464     MockSmtpServer.Instance.kill()
 465
 466     await cleanupTests([ server ])
 467   })
 468 })