server/tests/api/check-params/users-admin.ts

   1 /* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
   2
   3 import 'mocha'
   4 import { omit } from 'lodash'
   5 import {
   6   checkBadCountPagination,
   7   checkBadSortPagination,
   8   checkBadStartPagination,
   9   cleanupTests,
  10   createSingleServer,
  11   killallServers,
  12   makeGetRequest,
  13   makePostBodyRequest,
  14   makePutBodyRequest,
  15   MockSmtpServer,
  16   PeerTubeServer,
  17   setAccessTokensToServers
  18 } from '@shared/extra-utils'
  19 import { HttpStatusCode, UserAdminFlag, UserRole } from '@shared/models'
  20
  21 describe('Test users admin API validators', function () {
  22   const path = '/api/v1/users/'
  23   let userId: number
  24   let rootId: number
  25   let moderatorId: number
  26   let server: PeerTubeServer
  27   let userToken = ''
  28   let moderatorToken = ''
  29   let emailPort: number
  30
  31   // ---------------------------------------------------------------
  32
  33   before(async function () {
  34     this.timeout(30000)
  35
  36     const emails: object[] = []
  37     emailPort = await MockSmtpServer.Instance.collectEmails(emails)
  38
  39     {
  40       server = await createSingleServer(1)
  41
  42       await setAccessTokensToServers([ server ])
  43     }
  44
  45     {
  46       const result = await server.users.generate('user1')
  47       userToken = result.token
  48       userId = result.userId
  49     }
  50
  51     {
  52       const result = await server.users.generate('moderator1', UserRole.MODERATOR)
  53       moderatorToken = result.token
  54     }
  55
  56     {
  57       const result = await server.users.generate('moderator2', UserRole.MODERATOR)
  58       moderatorId = result.userId
  59     }
  60   })
  61
  62   describe('When listing users', function () {
  63     it('Should fail with a bad start pagination', async function () {
  64       await checkBadStartPagination(server.url, path, server.accessToken)
  65     })
  66
  67     it('Should fail with a bad count pagination', async function () {
  68       await checkBadCountPagination(server.url, path, server.accessToken)
  69     })
  70
  71     it('Should fail with an incorrect sort', async function () {
  72       await checkBadSortPagination(server.url, path, server.accessToken)
  73     })
  74
  75     it('Should fail with a non authenticated user', async function () {
  76       await makeGetRequest({
  77         url: server.url,
  78         path,
  79         expectedStatus: HttpStatusCode.UNAUTHORIZED_401
  80       })
  81     })
  82
  83     it('Should fail with a non admin user', async function () {
  84       await makeGetRequest({
  85         url: server.url,
  86         path,
  87         token: userToken,
  88         expectedStatus: HttpStatusCode.FORBIDDEN_403
  89       })
  90     })
  91   })
  92
  93   describe('When adding a new user', function () {
  94     const baseCorrectParams = {
  95       username: 'user2',
  96       email: 'test@example.com',
  97       password: 'my super password',
  98       videoQuota: -1,
  99       videoQuotaDaily: -1,
 100       role: UserRole.USER,
 101       adminFlags: UserAdminFlag.BYPASS_VIDEO_AUTO_BLACKLIST
 102     }
 103
 104     it('Should fail with a too small username', async function () {
 105       const fields = { ...baseCorrectParams, username: '' }
 106
 107       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 108     })
 109
 110     it('Should fail with a too long username', async function () {
 111       const fields = { ...baseCorrectParams, username: 'super'.repeat(50) }
 112
 113       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 114     })
 115
 116     it('Should fail with a not lowercase username', async function () {
 117       const fields = { ...baseCorrectParams, username: 'Toto' }
 118
 119       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 120     })
 121
 122     it('Should fail with an incorrect username', async function () {
 123       const fields = { ...baseCorrectParams, username: 'my username' }
 124
 125       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 126     })
 127
 128     it('Should fail with a missing email', async function () {
 129       const fields = omit(baseCorrectParams, 'email')
 130
 131       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 132     })
 133
 134     it('Should fail with an invalid email', async function () {
 135       const fields = { ...baseCorrectParams, email: 'test_example.com' }
 136
 137       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 138     })
 139
 140     it('Should fail with a too small password', async function () {
 141       const fields = { ...baseCorrectParams, password: 'bla' }
 142
 143       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 144     })
 145
 146     it('Should fail with a too long password', async function () {
 147       const fields = { ...baseCorrectParams, password: 'super'.repeat(61) }
 148
 149       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 150     })
 151
 152     it('Should fail with empty password and no smtp configured', async function () {
 153       const fields = { ...baseCorrectParams, password: '' }
 154
 155       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 156     })
 157
 158     it('Should succeed with no password on a server with smtp enabled', async function () {
 159       this.timeout(20000)
 160
 161       await killallServers([ server ])
 162
 163       const config = {
 164         smtp: {
 165           hostname: 'localhost',
 166           port: emailPort
 167         }
 168       }
 169       await server.run(config)
 170
 171       const fields = {
 172         ...baseCorrectParams,
 173
 174         password: '',
 175         username: 'create_password',
 176         email: 'create_password@example.com'
 177       }
 178
 179       await makePostBodyRequest({
 180         url: server.url,
 181         path: path,
 182         token: server.accessToken,
 183         fields,
 184         expectedStatus: HttpStatusCode.OK_200
 185       })
 186     })
 187
 188     it('Should fail with invalid admin flags', async function () {
 189       const fields = { ...baseCorrectParams, adminFlags: 'toto' }
 190
 191       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 192     })
 193
 194     it('Should fail with an non authenticated user', async function () {
 195       await makePostBodyRequest({
 196         url: server.url,
 197         path,
 198         token: 'super token',
 199         fields: baseCorrectParams,
 200         expectedStatus: HttpStatusCode.UNAUTHORIZED_401
 201       })
 202     })
 203
 204     it('Should fail if we add a user with the same username', async function () {
 205       const fields = { ...baseCorrectParams, username: 'user1' }
 206
 207       await makePostBodyRequest({
 208         url: server.url,
 209         path,
 210         token: server.accessToken,
 211         fields,
 212         expectedStatus: HttpStatusCode.CONFLICT_409
 213       })
 214     })
 215
 216     it('Should fail if we add a user with the same email', async function () {
 217       const fields = { ...baseCorrectParams, email: 'user1@example.com' }
 218
 219       await makePostBodyRequest({
 220         url: server.url,
 221         path,
 222         token: server.accessToken,
 223         fields,
 224         expectedStatus: HttpStatusCode.CONFLICT_409
 225       })
 226     })
 227
 228     it('Should fail without a videoQuota', async function () {
 229       const fields = omit(baseCorrectParams, 'videoQuota')
 230
 231       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 232     })
 233
 234     it('Should fail without a videoQuotaDaily', async function () {
 235       const fields = omit(baseCorrectParams, 'videoQuotaDaily')
 236
 237       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 238     })
 239
 240     it('Should fail with an invalid videoQuota', async function () {
 241       const fields = { ...baseCorrectParams, videoQuota: -5 }
 242
 243       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 244     })
 245
 246     it('Should fail with an invalid videoQuotaDaily', async function () {
 247       const fields = { ...baseCorrectParams, videoQuotaDaily: -7 }
 248
 249       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 250     })
 251
 252     it('Should fail without a user role', async function () {
 253       const fields = omit(baseCorrectParams, 'role')
 254
 255       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 256     })
 257
 258     it('Should fail with an invalid user role', async function () {
 259       const fields = { ...baseCorrectParams, role: 88989 }
 260
 261       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 262     })
 263
 264     it('Should fail with a "peertube" username', async function () {
 265       const fields = { ...baseCorrectParams, username: 'peertube' }
 266
 267       await makePostBodyRequest({
 268         url: server.url,
 269         path,
 270         token: server.accessToken,
 271         fields,
 272         expectedStatus: HttpStatusCode.CONFLICT_409
 273       })
 274     })
 275
 276     it('Should fail to create a moderator or an admin with a moderator', async function () {
 277       for (const role of [ UserRole.MODERATOR, UserRole.ADMINISTRATOR ]) {
 278         const fields = { ...baseCorrectParams, role }
 279
 280         await makePostBodyRequest({
 281           url: server.url,
 282           path,
 283           token: moderatorToken,
 284           fields,
 285           expectedStatus: HttpStatusCode.FORBIDDEN_403
 286         })
 287       }
 288     })
 289
 290     it('Should succeed to create a user with a moderator', async function () {
 291       const fields = { ...baseCorrectParams, username: 'a4656', email: 'a4656@example.com', role: UserRole.USER }
 292
 293       await makePostBodyRequest({
 294         url: server.url,
 295         path,
 296         token: moderatorToken,
 297         fields,
 298         expectedStatus: HttpStatusCode.OK_200
 299       })
 300     })
 301
 302     it('Should succeed with the correct params', async function () {
 303       await makePostBodyRequest({
 304         url: server.url,
 305         path,
 306         token: server.accessToken,
 307         fields: baseCorrectParams,
 308         expectedStatus: HttpStatusCode.OK_200
 309       })
 310     })
 311
 312     it('Should fail with a non admin user', async function () {
 313       const user = { username: 'user1' }
 314       userToken = await server.login.getAccessToken(user)
 315
 316       const fields = {
 317         username: 'user3',
 318         email: 'test@example.com',
 319         password: 'my super password',
 320         videoQuota: 42000000
 321       }
 322       await makePostBodyRequest({ url: server.url, path, token: userToken, fields, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 323     })
 324   })
 325
 326   describe('When getting a user', function () {
 327
 328     it('Should fail with an non authenticated user', async function () {
 329       await makeGetRequest({
 330         url: server.url,
 331         path: path + userId,
 332         token: 'super token',
 333         expectedStatus: HttpStatusCode.UNAUTHORIZED_401
 334       })
 335     })
 336
 337     it('Should fail with a non admin user', async function () {
 338       await makeGetRequest({ url: server.url, path, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 339     })
 340
 341     it('Should succeed with the correct params', async function () {
 342       await makeGetRequest({ url: server.url, path: path + userId, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 343     })
 344   })
 345
 346   describe('When updating a user', function () {
 347
 348     it('Should fail with an invalid email attribute', async function () {
 349       const fields = {
 350         email: 'blabla'
 351       }
 352
 353       await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields })
 354     })
 355
 356     it('Should fail with an invalid emailVerified attribute', async function () {
 357       const fields = {
 358         emailVerified: 'yes'
 359       }
 360
 361       await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields })
 362     })
 363
 364     it('Should fail with an invalid videoQuota attribute', async function () {
 365       const fields = {
 366         videoQuota: -90
 367       }
 368
 369       await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields })
 370     })
 371
 372     it('Should fail with an invalid user role attribute', async function () {
 373       const fields = {
 374         role: 54878
 375       }
 376
 377       await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields })
 378     })
 379
 380     it('Should fail with a too small password', async function () {
 381       const fields = {
 382         currentPassword: 'password',
 383         password: 'bla'
 384       }
 385
 386       await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields })
 387     })
 388
 389     it('Should fail with a too long password', async function () {
 390       const fields = {
 391         currentPassword: 'password',
 392         password: 'super'.repeat(61)
 393       }
 394
 395       await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields })
 396     })
 397
 398     it('Should fail with an non authenticated user', async function () {
 399       const fields = {
 400         videoQuota: 42
 401       }
 402
 403       await makePutBodyRequest({
 404         url: server.url,
 405         path: path + userId,
 406         token: 'super token',
 407         fields,
 408         expectedStatus: HttpStatusCode.UNAUTHORIZED_401
 409       })
 410     })
 411
 412     it('Should fail when updating root role', async function () {
 413       const fields = {
 414         role: UserRole.MODERATOR
 415       }
 416
 417       await makePutBodyRequest({ url: server.url, path: path + rootId, token: server.accessToken, fields })
 418     })
 419
 420     it('Should fail with invalid admin flags', async function () {
 421       const fields = { adminFlags: 'toto' }
 422
 423       await makePutBodyRequest({ url: server.url, path, token: server.accessToken, fields })
 424     })
 425
 426     it('Should fail to update an admin with a moderator', async function () {
 427       const fields = {
 428         videoQuota: 42
 429       }
 430
 431       await makePutBodyRequest({
 432         url: server.url,
 433         path: path + moderatorId,
 434         token: moderatorToken,
 435         fields,
 436         expectedStatus: HttpStatusCode.FORBIDDEN_403
 437       })
 438     })
 439
 440     it('Should succeed to update a user with a moderator', async function () {
 441       const fields = {
 442         videoQuota: 42
 443       }
 444
 445       await makePutBodyRequest({
 446         url: server.url,
 447         path: path + userId,
 448         token: moderatorToken,
 449         fields,
 450         expectedStatus: HttpStatusCode.NO_CONTENT_204
 451       })
 452     })
 453
 454     it('Should succeed with the correct params', async function () {
 455       const fields = {
 456         email: 'email@example.com',
 457         emailVerified: true,
 458         videoQuota: 42,
 459         role: UserRole.USER
 460       }
 461
 462       await makePutBodyRequest({
 463         url: server.url,
 464         path: path + userId,
 465         token: server.accessToken,
 466         fields,
 467         expectedStatus: HttpStatusCode.NO_CONTENT_204
 468       })
 469     })
 470   })
 471
 472   after(async function () {
 473     MockSmtpServer.Instance.kill()
 474
 475     await cleanupTests([ server ])
 476   })
 477 })