server/tests/api/users/two-factor.ts

   1 /* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
   2
   3 import { expect } from 'chai'
   4 import { expectStartWith } from '@server/tests/shared'
   5 import { HttpStatusCode } from '@shared/models'
   6 import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers, TwoFactorCommand } from '@shared/server-commands'
   7
   8 async function login (options: {
   9   server: PeerTubeServer
  10   username: string
  11   password: string
  12   otpToken?: string
  13   expectedStatus?: HttpStatusCode
  14 }) {
  15   const { server, username, password, otpToken, expectedStatus } = options
  16
  17   const user = { username, password }
  18   const { res, body: { access_token: token } } = await server.login.loginAndGetResponse({ user, otpToken, expectedStatus })
  19
  20   return { res, token }
  21 }
  22
  23 describe('Test users', function () {
  24   let server: PeerTubeServer
  25   let otpSecret: string
  26   let requestToken: string
  27
  28   const userUsername = 'user1'
  29   let userId: number
  30   let userPassword: string
  31   let userToken: string
  32
  33   before(async function () {
  34     this.timeout(30000)
  35
  36     server = await createSingleServer(1)
  37
  38     await setAccessTokensToServers([ server ])
  39     const res = await server.users.generate(userUsername)
  40     userId = res.userId
  41     userPassword = res.password
  42     userToken = res.token
  43   })
  44
  45   it('Should not add the header on login if two factor is not enabled', async function () {
  46     const { res, token } = await login({ server, username: userUsername, password: userPassword })
  47
  48     expect(res.header['x-peertube-otp']).to.not.exist
  49
  50     await server.users.getMyInfo({ token })
  51   })
  52
  53   it('Should request two factor and get the secret and uri', async function () {
  54     const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
  55
  56     expect(otpRequest.requestToken).to.exist
  57
  58     expect(otpRequest.secret).to.exist
  59     expect(otpRequest.secret).to.have.lengthOf(32)
  60
  61     expect(otpRequest.uri).to.exist
  62     expectStartWith(otpRequest.uri, 'otpauth://')
  63     expect(otpRequest.uri).to.include(otpRequest.secret)
  64
  65     requestToken = otpRequest.requestToken
  66     otpSecret = otpRequest.secret
  67   })
  68
  69   it('Should not have two factor confirmed yet', async function () {
  70     const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
  71     expect(twoFactorEnabled).to.be.false
  72   })
  73
  74   it('Should confirm two factor', async function () {
  75     await server.twoFactor.confirmRequest({
  76       userId,
  77       token: userToken,
  78       otpToken: TwoFactorCommand.buildOTP({ secret: otpSecret }).generate(),
  79       requestToken
  80     })
  81   })
  82
  83   it('Should not add the header on login if two factor is enabled and password is incorrect', async function () {
  84     const { res, token } = await login({ server, username: userUsername, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
  85
  86     expect(res.header['x-peertube-otp']).to.not.exist
  87     expect(token).to.not.exist
  88   })
  89
  90   it('Should add the header on login if two factor is enabled and password is correct', async function () {
  91     const { res, token } = await login({
  92       server,
  93       username: userUsername,
  94       password: userPassword,
  95       expectedStatus: HttpStatusCode.UNAUTHORIZED_401
  96     })
  97
  98     expect(res.header['x-peertube-otp']).to.exist
  99     expect(token).to.not.exist
 100
 101     await server.users.getMyInfo({ token })
 102   })
 103
 104   it('Should not login with correct password and incorrect otp secret', async function () {
 105     const otp = TwoFactorCommand.buildOTP({ secret: 'a'.repeat(32) })
 106
 107     const { res, token } = await login({
 108       server,
 109       username: userUsername,
 110       password: userPassword,
 111       otpToken: otp.generate(),
 112       expectedStatus: HttpStatusCode.BAD_REQUEST_400
 113     })
 114
 115     expect(res.header['x-peertube-otp']).to.not.exist
 116     expect(token).to.not.exist
 117   })
 118
 119   it('Should not login with correct password and incorrect otp code', async function () {
 120     const { res, token } = await login({
 121       server,
 122       username: userUsername,
 123       password: userPassword,
 124       otpToken: '123456',
 125       expectedStatus: HttpStatusCode.BAD_REQUEST_400
 126     })
 127
 128     expect(res.header['x-peertube-otp']).to.not.exist
 129     expect(token).to.not.exist
 130   })
 131
 132   it('Should not login with incorrect password and correct otp code', async function () {
 133     const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
 134
 135     const { res, token } = await login({
 136       server,
 137       username: userUsername,
 138       password: 'fake',
 139       otpToken,
 140       expectedStatus: HttpStatusCode.BAD_REQUEST_400
 141     })
 142
 143     expect(res.header['x-peertube-otp']).to.not.exist
 144     expect(token).to.not.exist
 145   })
 146
 147   it('Should correctly login with correct password and otp code', async function () {
 148     const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
 149
 150     const { res, token } = await login({ server, username: userUsername, password: userPassword, otpToken })
 151
 152     expect(res.header['x-peertube-otp']).to.not.exist
 153     expect(token).to.exist
 154
 155     await server.users.getMyInfo({ token })
 156   })
 157
 158   it('Should have two factor enabled when getting my info', async function () {
 159     const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
 160     expect(twoFactorEnabled).to.be.true
 161   })
 162
 163   it('Should disable two factor and be able to login without otp token', async function () {
 164     await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword })
 165
 166     const { res, token } = await login({ server, username: userUsername, password: userPassword })
 167     expect(res.header['x-peertube-otp']).to.not.exist
 168
 169     await server.users.getMyInfo({ token })
 170   })
 171
 172   it('Should have two factor disabled when getting my info', async function () {
 173     const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
 174     expect(twoFactorEnabled).to.be.false
 175   })
 176
 177   it('Should enable two factor auth without password from an admin', async function () {
 178     const { otpRequest } = await server.twoFactor.request({ userId })
 179
 180     await server.twoFactor.confirmRequest({
 181       userId,
 182       otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate(),
 183       requestToken: otpRequest.requestToken
 184     })
 185
 186     const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
 187     expect(twoFactorEnabled).to.be.true
 188   })
 189
 190   it('Should disable two factor auth without password from an admin', async function () {
 191     await server.twoFactor.disable({ userId })
 192
 193     const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
 194     expect(twoFactorEnabled).to.be.false
 195   })
 196
 197   after(async function () {
 198     await cleanupTests([ server ])
 199   })
 200 })