diff options
author | Chocobozzz <me@florianbigard.com> | 2022-10-07 14:23:42 +0200 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2022-10-07 14:28:35 +0200 |
commit | 2166c058f34dff6f91566930d12448805d829de7 (patch) | |
tree | 2b9100b8eccbac287d1105c765901f966a354986 /server/tests/api/users | |
parent | d12b40fb96d56786a96c06a621f3d8e0a0d24f4a (diff) | |
download | PeerTube-2166c058f34dff6f91566930d12448805d829de7.tar.gz PeerTube-2166c058f34dff6f91566930d12448805d829de7.tar.zst PeerTube-2166c058f34dff6f91566930d12448805d829de7.zip |
Allow admins to disable two factor auth
Diffstat (limited to 'server/tests/api/users')
-rw-r--r-- | server/tests/api/users/two-factor.ts | 95 |
1 files changed, 71 insertions, 24 deletions
diff --git a/server/tests/api/users/two-factor.ts b/server/tests/api/users/two-factor.ts index 450aac4dc..0dcab9e17 100644 --- a/server/tests/api/users/two-factor.ts +++ b/server/tests/api/users/two-factor.ts | |||
@@ -7,13 +7,14 @@ import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServ | |||
7 | 7 | ||
8 | async function login (options: { | 8 | async function login (options: { |
9 | server: PeerTubeServer | 9 | server: PeerTubeServer |
10 | password?: string | 10 | username: string |
11 | password: string | ||
11 | otpToken?: string | 12 | otpToken?: string |
12 | expectedStatus?: HttpStatusCode | 13 | expectedStatus?: HttpStatusCode |
13 | }) { | 14 | }) { |
14 | const { server, password = server.store.user.password, otpToken, expectedStatus } = options | 15 | const { server, username, password, otpToken, expectedStatus } = options |
15 | 16 | ||
16 | const user = { username: server.store.user.username, password } | 17 | const user = { username, password } |
17 | const { res, body: { access_token: token } } = await server.login.loginAndGetResponse({ user, otpToken, expectedStatus }) | 18 | const { res, body: { access_token: token } } = await server.login.loginAndGetResponse({ user, otpToken, expectedStatus }) |
18 | 19 | ||
19 | return { res, token } | 20 | return { res, token } |
@@ -21,23 +22,28 @@ async function login (options: { | |||
21 | 22 | ||
22 | describe('Test users', function () { | 23 | describe('Test users', function () { |
23 | let server: PeerTubeServer | 24 | let server: PeerTubeServer |
24 | let rootId: number | ||
25 | let otpSecret: string | 25 | let otpSecret: string |
26 | let requestToken: string | 26 | let requestToken: string |
27 | 27 | ||
28 | const userUsername = 'user1' | ||
29 | let userId: number | ||
30 | let userPassword: string | ||
31 | let userToken: string | ||
32 | |||
28 | before(async function () { | 33 | before(async function () { |
29 | this.timeout(30000) | 34 | this.timeout(30000) |
30 | 35 | ||
31 | server = await createSingleServer(1) | 36 | server = await createSingleServer(1) |
32 | 37 | ||
33 | await setAccessTokensToServers([ server ]) | 38 | await setAccessTokensToServers([ server ]) |
34 | 39 | const res = await server.users.generate(userUsername) | |
35 | const { id } = await server.users.getMyInfo() | 40 | userId = res.userId |
36 | rootId = id | 41 | userPassword = res.password |
42 | userToken = res.token | ||
37 | }) | 43 | }) |
38 | 44 | ||
39 | it('Should not add the header on login if two factor is not enabled', async function () { | 45 | it('Should not add the header on login if two factor is not enabled', async function () { |
40 | const { res, token } = await login({ server }) | 46 | const { res, token } = await login({ server, username: userUsername, password: userPassword }) |
41 | 47 | ||
42 | expect(res.header['x-peertube-otp']).to.not.exist | 48 | expect(res.header['x-peertube-otp']).to.not.exist |
43 | 49 | ||
@@ -45,10 +51,7 @@ describe('Test users', function () { | |||
45 | }) | 51 | }) |
46 | 52 | ||
47 | it('Should request two factor and get the secret and uri', async function () { | 53 | it('Should request two factor and get the secret and uri', async function () { |
48 | const { otpRequest } = await server.twoFactor.request({ | 54 | const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword }) |
49 | userId: rootId, | ||
50 | currentPassword: server.store.user.password | ||
51 | }) | ||
52 | 55 | ||
53 | expect(otpRequest.requestToken).to.exist | 56 | expect(otpRequest.requestToken).to.exist |
54 | 57 | ||
@@ -64,27 +67,33 @@ describe('Test users', function () { | |||
64 | }) | 67 | }) |
65 | 68 | ||
66 | it('Should not have two factor confirmed yet', async function () { | 69 | it('Should not have two factor confirmed yet', async function () { |
67 | const { twoFactorEnabled } = await server.users.getMyInfo() | 70 | const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken }) |
68 | expect(twoFactorEnabled).to.be.false | 71 | expect(twoFactorEnabled).to.be.false |
69 | }) | 72 | }) |
70 | 73 | ||
71 | it('Should confirm two factor', async function () { | 74 | it('Should confirm two factor', async function () { |
72 | await server.twoFactor.confirmRequest({ | 75 | await server.twoFactor.confirmRequest({ |
73 | userId: rootId, | 76 | userId, |
77 | token: userToken, | ||
74 | otpToken: TwoFactorCommand.buildOTP({ secret: otpSecret }).generate(), | 78 | otpToken: TwoFactorCommand.buildOTP({ secret: otpSecret }).generate(), |
75 | requestToken | 79 | requestToken |
76 | }) | 80 | }) |
77 | }) | 81 | }) |
78 | 82 | ||
79 | it('Should not add the header on login if two factor is enabled and password is incorrect', async function () { | 83 | it('Should not add the header on login if two factor is enabled and password is incorrect', async function () { |
80 | const { res, token } = await login({ server, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) | 84 | const { res, token } = await login({ server, username: userUsername, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) |
81 | 85 | ||
82 | expect(res.header['x-peertube-otp']).to.not.exist | 86 | expect(res.header['x-peertube-otp']).to.not.exist |
83 | expect(token).to.not.exist | 87 | expect(token).to.not.exist |
84 | }) | 88 | }) |
85 | 89 | ||
86 | it('Should add the header on login if two factor is enabled and password is correct', async function () { | 90 | it('Should add the header on login if two factor is enabled and password is correct', async function () { |
87 | const { res, token } = await login({ server, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 }) | 91 | const { res, token } = await login({ |
92 | server, | ||
93 | username: userUsername, | ||
94 | password: userPassword, | ||
95 | expectedStatus: HttpStatusCode.UNAUTHORIZED_401 | ||
96 | }) | ||
88 | 97 | ||
89 | expect(res.header['x-peertube-otp']).to.exist | 98 | expect(res.header['x-peertube-otp']).to.exist |
90 | expect(token).to.not.exist | 99 | expect(token).to.not.exist |
@@ -95,14 +104,26 @@ describe('Test users', function () { | |||
95 | it('Should not login with correct password and incorrect otp secret', async function () { | 104 | it('Should not login with correct password and incorrect otp secret', async function () { |
96 | const otp = TwoFactorCommand.buildOTP({ secret: 'a'.repeat(32) }) | 105 | const otp = TwoFactorCommand.buildOTP({ secret: 'a'.repeat(32) }) |
97 | 106 | ||
98 | const { res, token } = await login({ server, otpToken: otp.generate(), expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) | 107 | const { res, token } = await login({ |
108 | server, | ||
109 | username: userUsername, | ||
110 | password: userPassword, | ||
111 | otpToken: otp.generate(), | ||
112 | expectedStatus: HttpStatusCode.BAD_REQUEST_400 | ||
113 | }) | ||
99 | 114 | ||
100 | expect(res.header['x-peertube-otp']).to.not.exist | 115 | expect(res.header['x-peertube-otp']).to.not.exist |
101 | expect(token).to.not.exist | 116 | expect(token).to.not.exist |
102 | }) | 117 | }) |
103 | 118 | ||
104 | it('Should not login with correct password and incorrect otp code', async function () { | 119 | it('Should not login with correct password and incorrect otp code', async function () { |
105 | const { res, token } = await login({ server, otpToken: '123456', expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) | 120 | const { res, token } = await login({ |
121 | server, | ||
122 | username: userUsername, | ||
123 | password: userPassword, | ||
124 | otpToken: '123456', | ||
125 | expectedStatus: HttpStatusCode.BAD_REQUEST_400 | ||
126 | }) | ||
106 | 127 | ||
107 | expect(res.header['x-peertube-otp']).to.not.exist | 128 | expect(res.header['x-peertube-otp']).to.not.exist |
108 | expect(token).to.not.exist | 129 | expect(token).to.not.exist |
@@ -111,7 +132,13 @@ describe('Test users', function () { | |||
111 | it('Should not login with incorrect password and correct otp code', async function () { | 132 | it('Should not login with incorrect password and correct otp code', async function () { |
112 | const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate() | 133 | const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate() |
113 | 134 | ||
114 | const { res, token } = await login({ server, password: 'fake', otpToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) | 135 | const { res, token } = await login({ |
136 | server, | ||
137 | username: userUsername, | ||
138 | password: 'fake', | ||
139 | otpToken, | ||
140 | expectedStatus: HttpStatusCode.BAD_REQUEST_400 | ||
141 | }) | ||
115 | 142 | ||
116 | expect(res.header['x-peertube-otp']).to.not.exist | 143 | expect(res.header['x-peertube-otp']).to.not.exist |
117 | expect(token).to.not.exist | 144 | expect(token).to.not.exist |
@@ -120,7 +147,7 @@ describe('Test users', function () { | |||
120 | it('Should correctly login with correct password and otp code', async function () { | 147 | it('Should correctly login with correct password and otp code', async function () { |
121 | const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate() | 148 | const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate() |
122 | 149 | ||
123 | const { res, token } = await login({ server, otpToken }) | 150 | const { res, token } = await login({ server, username: userUsername, password: userPassword, otpToken }) |
124 | 151 | ||
125 | expect(res.header['x-peertube-otp']).to.not.exist | 152 | expect(res.header['x-peertube-otp']).to.not.exist |
126 | expect(token).to.exist | 153 | expect(token).to.exist |
@@ -129,21 +156,41 @@ describe('Test users', function () { | |||
129 | }) | 156 | }) |
130 | 157 | ||
131 | it('Should have two factor enabled when getting my info', async function () { | 158 | it('Should have two factor enabled when getting my info', async function () { |
132 | const { twoFactorEnabled } = await server.users.getMyInfo() | 159 | const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken }) |
133 | expect(twoFactorEnabled).to.be.true | 160 | expect(twoFactorEnabled).to.be.true |
134 | }) | 161 | }) |
135 | 162 | ||
136 | it('Should disable two factor and be able to login without otp token', async function () { | 163 | it('Should disable two factor and be able to login without otp token', async function () { |
137 | await server.twoFactor.disable({ userId: rootId, currentPassword: server.store.user.password }) | 164 | await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword }) |
138 | 165 | ||
139 | const { res, token } = await login({ server }) | 166 | const { res, token } = await login({ server, username: userUsername, password: userPassword }) |
140 | expect(res.header['x-peertube-otp']).to.not.exist | 167 | expect(res.header['x-peertube-otp']).to.not.exist |
141 | 168 | ||
142 | await server.users.getMyInfo({ token }) | 169 | await server.users.getMyInfo({ token }) |
143 | }) | 170 | }) |
144 | 171 | ||
145 | it('Should have two factor disabled when getting my info', async function () { | 172 | it('Should have two factor disabled when getting my info', async function () { |
146 | const { twoFactorEnabled } = await server.users.getMyInfo() | 173 | const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken }) |
174 | expect(twoFactorEnabled).to.be.false | ||
175 | }) | ||
176 | |||
177 | it('Should enable two factor auth without password from an admin', async function () { | ||
178 | const { otpRequest } = await server.twoFactor.request({ userId }) | ||
179 | |||
180 | await server.twoFactor.confirmRequest({ | ||
181 | userId, | ||
182 | otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate(), | ||
183 | requestToken: otpRequest.requestToken | ||
184 | }) | ||
185 | |||
186 | const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken }) | ||
187 | expect(twoFactorEnabled).to.be.true | ||
188 | }) | ||
189 | |||
190 | it('Should disable two factor auth without password from an admin', async function () { | ||
191 | await server.twoFactor.disable({ userId }) | ||
192 | |||
193 | const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken }) | ||
147 | expect(twoFactorEnabled).to.be.false | 194 | expect(twoFactorEnabled).to.be.false |
148 | }) | 195 | }) |
149 | 196 | ||