Support two factor authentication in backend

author: Chocobozzz <me@florianbigard.com> 2022-10-05 15:37:15 +0200
committer: Chocobozzz <me@florianbigard.com> 2022-10-07 10:51:16 +0200
commit: 56f47830758ff8e92abcfcc5f35d474ab12fe215 (patch)
tree: 854e57ec1b800d6ad740c8e42bee00cbd21e1724 /server/tests/api/users
parent: 7dd7ff4cebc290b09fe00d82046bb58e4e8a800d (diff)
download: PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.tar.gz
PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.tar.zst
PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.zip
2 files changed, 154 insertions, 0 deletions
diff --git a/server/tests/api/users/index.ts b/server/tests/api/users/index.ts
index c65152c6f..643f1a531 100644
--- a/server/tests/api/users/index.ts
+++ b/server/tests/api/users/index.ts
@@ -1,3 +1,4 @@
+import './two-factor'
 import './user-subscriptions'
 import './user-videos'
 import './users'
diff --git a/server/tests/api/users/two-factor.ts b/server/tests/api/users/two-factor.ts
new file mode 100644
index 000000000..450aac4dc
--- /dev/null
+++ b/server/tests/api/users/two-factor.ts
@@ -0,0 +1,153 @@
+/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
+import { expect } from 'chai'
+import { expectStartWith } from '@server/tests/shared'
+import { HttpStatusCode } from '@shared/models'
+import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers, TwoFactorCommand } from '@shared/server-commands'
+async function login (options: {
+  server: PeerTubeServer
+  password?: string
+  otpToken?: string
+  expectedStatus?: HttpStatusCode
+}) {
+  const { server, password = server.store.user.password, otpToken, expectedStatus } = options
+  const user = { username: server.store.user.username, password }
+  const { res, body: { access_token: token } } = await server.login.loginAndGetResponse({ user, otpToken, expectedStatus })
+  return { res, token }
+}
+describe('Test users', function () {
+  let server: PeerTubeServer
+  let rootId: number
+  let otpSecret: string
+  let requestToken: string
+  before(async function () {
+    this.timeout(30000)
+    server = await createSingleServer(1)
+    await setAccessTokensToServers([ server ])
+    const { id } = await server.users.getMyInfo()
+    rootId = id
+  })
+  it('Should not add the header on login if two factor is not enabled', async function () {
+    const { res, token } = await login({ server })
+    expect(res.header['x-peertube-otp']).to.not.exist
+    await server.users.getMyInfo({ token })
+  })
+  it('Should request two factor and get the secret and uri', async function () {
+    const { otpRequest } = await server.twoFactor.request({
+      userId: rootId,
+      currentPassword: server.store.user.password
+    })
+    expect(otpRequest.requestToken).to.exist
+    expect(otpRequest.secret).to.exist
+    expect(otpRequest.secret).to.have.lengthOf(32)
+    expect(otpRequest.uri).to.exist
+    expectStartWith(otpRequest.uri, 'otpauth://')
+    expect(otpRequest.uri).to.include(otpRequest.secret)
+    requestToken = otpRequest.requestToken
+    otpSecret = otpRequest.secret
+  })
+  it('Should not have two factor confirmed yet', async function () {
+    const { twoFactorEnabled } = await server.users.getMyInfo()
+    expect(twoFactorEnabled).to.be.false
+  })
+  it('Should confirm two factor', async function () {
+    await server.twoFactor.confirmRequest({
+      userId: rootId,
+      otpToken: TwoFactorCommand.buildOTP({ secret: otpSecret }).generate(),
+      requestToken
+    })
+  })
+  it('Should not add the header on login if two factor is enabled and password is incorrect', async function () {
+    const { res, token } = await login({ server, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+    expect(res.header['x-peertube-otp']).to.not.exist
+    expect(token).to.not.exist
+  })
+  it('Should add the header on login if two factor is enabled and password is correct', async function () {
+    const { res, token } = await login({ server, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
+    expect(res.header['x-peertube-otp']).to.exist
+    expect(token).to.not.exist
+    await server.users.getMyInfo({ token })
+  })
+  it('Should not login with correct password and incorrect otp secret', async function () {
+    const otp = TwoFactorCommand.buildOTP({ secret: 'a'.repeat(32) })
+    const { res, token } = await login({ server, otpToken: otp.generate(), expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+    expect(res.header['x-peertube-otp']).to.not.exist
+    expect(token).to.not.exist
+  })
+  it('Should not login with correct password and incorrect otp code', async function () {
+    const { res, token } = await login({ server, otpToken: '123456', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+    expect(res.header['x-peertube-otp']).to.not.exist
+    expect(token).to.not.exist
+  })
+  it('Should not login with incorrect password and correct otp code', async function () {
+    const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
+    const { res, token } = await login({ server, password: 'fake', otpToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+    expect(res.header['x-peertube-otp']).to.not.exist
+    expect(token).to.not.exist
+  })
+  it('Should correctly login with correct password and otp code', async function () {
+    const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
+    const { res, token } = await login({ server, otpToken })
+    expect(res.header['x-peertube-otp']).to.not.exist
+    expect(token).to.exist
+    await server.users.getMyInfo({ token })
+  })
+  it('Should have two factor enabled when getting my info', async function () {
+    const { twoFactorEnabled } = await server.users.getMyInfo()
+    expect(twoFactorEnabled).to.be.true
+  })
+  it('Should disable two factor and be able to login without otp token', async function () {
+    await server.twoFactor.disable({ userId: rootId, currentPassword: server.store.user.password })
+    const { res, token } = await login({ server })
+    expect(res.header['x-peertube-otp']).to.not.exist
+    await server.users.getMyInfo({ token })
+  })
+  it('Should have two factor disabled when getting my info', async function () {
+    const { twoFactorEnabled } = await server.users.getMyInfo()
+    expect(twoFactorEnabled).to.be.false
+  })
+  after(async function () {
+    await cleanupTests([ server ])
+  })
+})
author	Chocobozzz <me@florianbigard.com>	2022-10-05 15:37:15 +0200
committer	Chocobozzz <me@florianbigard.com>	2022-10-07 10:51:16 +0200
commit	56f47830758ff8e92abcfcc5f35d474ab12fe215 (patch)
tree	854e57ec1b800d6ad740c8e42bee00cbd21e1724 /server/tests/api/users
parent	7dd7ff4cebc290b09fe00d82046bb58e4e8a800d (diff)
download	PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.tar.gz PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.tar.zst PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.zip

diff --git a/server/tests/api/users/index.ts b/server/tests/api/users/index.ts index c65152c6f..643f1a531 100644 --- a/server/tests/api/users/index.ts +++ b/server/tests/api/users/index.ts
@@ -1,3 +1,4 @@
		1	import './two-factor'
1	import './user-subscriptions'	2	import './user-subscriptions'
2	import './user-videos'	3	import './user-videos'
3	import './users'	4	import './users'


diff --git a/server/tests/api/users/two-factor.ts b/server/tests/api/users/two-factor.ts new file mode 100644 index 000000000..450aac4dc --- /dev/null +++ b/server/tests/api/users/two-factor.ts
@@ -0,0 +1,153 @@
		1	/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
		2
		3	import { expect } from 'chai'
		4	import { expectStartWith } from '@server/tests/shared'
		5	import { HttpStatusCode } from '@shared/models'
		6	import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers, TwoFactorCommand } from '@shared/server-commands'
		7
		8	async function login (options: {
		9	server: PeerTubeServer
		10	password?: string
		11	otpToken?: string
		12	expectedStatus?: HttpStatusCode
		13	}) {
		14	const { server, password = server.store.user.password, otpToken, expectedStatus } = options
		15
		16	const user = { username: server.store.user.username, password }
		17	const { res, body: { access_token: token } } = await server.login.loginAndGetResponse({ user, otpToken, expectedStatus })
		18
		19	return { res, token }
		20	}
		21
		22	describe('Test users', function () {
		23	let server: PeerTubeServer
		24	let rootId: number
		25	let otpSecret: string
		26	let requestToken: string
		27
		28	before(async function () {
		29	this.timeout(30000)
		30
		31	server = await createSingleServer(1)
		32
		33	await setAccessTokensToServers([ server ])
		34
		35	const { id } = await server.users.getMyInfo()
		36	rootId = id
		37	})
		38
		39	it('Should not add the header on login if two factor is not enabled', async function () {
		40	const { res, token } = await login({ server })
		41
		42	expect(res.header['x-peertube-otp']).to.not.exist
		43
		44	await server.users.getMyInfo({ token })
		45	})
		46
		47	it('Should request two factor and get the secret and uri', async function () {
		48	const { otpRequest } = await server.twoFactor.request({
		49	userId: rootId,
		50	currentPassword: server.store.user.password
		51	})
		52
		53	expect(otpRequest.requestToken).to.exist
		54
		55	expect(otpRequest.secret).to.exist
		56	expect(otpRequest.secret).to.have.lengthOf(32)
		57
		58	expect(otpRequest.uri).to.exist
		59	expectStartWith(otpRequest.uri, 'otpauth://')
		60	expect(otpRequest.uri).to.include(otpRequest.secret)
		61
		62	requestToken = otpRequest.requestToken
		63	otpSecret = otpRequest.secret
		64	})
		65
		66	it('Should not have two factor confirmed yet', async function () {
		67	const { twoFactorEnabled } = await server.users.getMyInfo()
		68	expect(twoFactorEnabled).to.be.false
		69	})
		70
		71	it('Should confirm two factor', async function () {
		72	await server.twoFactor.confirmRequest({
		73	userId: rootId,
		74	otpToken: TwoFactorCommand.buildOTP({ secret: otpSecret }).generate(),
		75	requestToken
		76	})
		77	})
		78
		79	it('Should not add the header on login if two factor is enabled and password is incorrect', async function () {
		80	const { res, token } = await login({ server, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
		81
		82	expect(res.header['x-peertube-otp']).to.not.exist
		83	expect(token).to.not.exist
		84	})
		85
		86	it('Should add the header on login if two factor is enabled and password is correct', async function () {
		87	const { res, token } = await login({ server, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
		88
		89	expect(res.header['x-peertube-otp']).to.exist
		90	expect(token).to.not.exist
		91
		92	await server.users.getMyInfo({ token })
		93	})
		94
		95	it('Should not login with correct password and incorrect otp secret', async function () {
		96	const otp = TwoFactorCommand.buildOTP({ secret: 'a'.repeat(32) })
		97
		98	const { res, token } = await login({ server, otpToken: otp.generate(), expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
		99
		100	expect(res.header['x-peertube-otp']).to.not.exist
		101	expect(token).to.not.exist
		102	})
		103
		104	it('Should not login with correct password and incorrect otp code', async function () {
		105	const { res, token } = await login({ server, otpToken: '123456', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
		106
		107	expect(res.header['x-peertube-otp']).to.not.exist
		108	expect(token).to.not.exist
		109	})
		110
		111	it('Should not login with incorrect password and correct otp code', async function () {
		112	const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
		113
		114	const { res, token } = await login({ server, password: 'fake', otpToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
		115
		116	expect(res.header['x-peertube-otp']).to.not.exist
		117	expect(token).to.not.exist
		118	})
		119
		120	it('Should correctly login with correct password and otp code', async function () {
		121	const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
		122
		123	const { res, token } = await login({ server, otpToken })
		124
		125	expect(res.header['x-peertube-otp']).to.not.exist
		126	expect(token).to.exist
		127
		128	await server.users.getMyInfo({ token })
		129	})
		130
		131	it('Should have two factor enabled when getting my info', async function () {
		132	const { twoFactorEnabled } = await server.users.getMyInfo()
		133	expect(twoFactorEnabled).to.be.true
		134	})
		135
		136	it('Should disable two factor and be able to login without otp token', async function () {
		137	await server.twoFactor.disable({ userId: rootId, currentPassword: server.store.user.password })
		138
		139	const { res, token } = await login({ server })
		140	expect(res.header['x-peertube-otp']).to.not.exist
		141
		142	await server.users.getMyInfo({ token })
		143	})
		144
		145	it('Should have two factor disabled when getting my info', async function () {
		146	const { twoFactorEnabled } = await server.users.getMyInfo()
		147	expect(twoFactorEnabled).to.be.false
		148	})
		149
		150	after(async function () {
		151	await cleanupTests([ server ])
		152	})
		153	})