aboutsummaryrefslogtreecommitdiffhomepage
path: root/server/tests/api
diff options
context:
space:
mode:
authorChocobozzz <me@florianbigard.com>2022-10-07 14:23:42 +0200
committerChocobozzz <me@florianbigard.com>2022-10-07 14:28:35 +0200
commit2166c058f34dff6f91566930d12448805d829de7 (patch)
tree2b9100b8eccbac287d1105c765901f966a354986 /server/tests/api
parentd12b40fb96d56786a96c06a621f3d8e0a0d24f4a (diff)
downloadPeerTube-2166c058f34dff6f91566930d12448805d829de7.tar.gz
PeerTube-2166c058f34dff6f91566930d12448805d829de7.tar.zst
PeerTube-2166c058f34dff6f91566930d12448805d829de7.zip
Allow admins to disable two factor auth
Diffstat (limited to 'server/tests/api')
-rw-r--r--server/tests/api/check-params/two-factor.ts29
-rw-r--r--server/tests/api/users/two-factor.ts95
2 files changed, 92 insertions, 32 deletions
diff --git a/server/tests/api/check-params/two-factor.ts b/server/tests/api/check-params/two-factor.ts
index e7ca5490c..f8365f1b5 100644
--- a/server/tests/api/check-params/two-factor.ts
+++ b/server/tests/api/check-params/two-factor.ts
@@ -86,6 +86,15 @@ describe('Test two factor API validators', function () {
86 }) 86 })
87 }) 87 })
88 88
89 it('Should succeed to request two factor without a password when targeting a remote user with an admin account', async function () {
90 await server.twoFactor.request({ userId })
91 })
92
93 it('Should fail to request two factor without a password when targeting myself with an admin account', async function () {
94 await server.twoFactor.request({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
95 await server.twoFactor.request({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
96 })
97
89 it('Should succeed to request my two factor auth', async function () { 98 it('Should succeed to request my two factor auth', async function () {
90 { 99 {
91 const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword }) 100 const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
@@ -234,7 +243,7 @@ describe('Test two factor API validators', function () {
234 }) 243 })
235 }) 244 })
236 245
237 it('Should fail to disabled two factor with an incorrect password', async function () { 246 it('Should fail to disable two factor with an incorrect password', async function () {
238 await server.twoFactor.disable({ 247 await server.twoFactor.disable({
239 userId, 248 userId,
240 token: userToken, 249 token: userToken,
@@ -243,16 +252,20 @@ describe('Test two factor API validators', function () {
243 }) 252 })
244 }) 253 })
245 254
255 it('Should succeed to disable two factor without a password when targeting a remote user with an admin account', async function () {
256 await server.twoFactor.disable({ userId })
257 await server.twoFactor.requestAndConfirm({ userId })
258 })
259
260 it('Should fail to disable two factor without a password when targeting myself with an admin account', async function () {
261 await server.twoFactor.disable({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
262 await server.twoFactor.disable({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
263 })
264
246 it('Should succeed to disable another user two factor with the appropriate rights', async function () { 265 it('Should succeed to disable another user two factor with the appropriate rights', async function () {
247 await server.twoFactor.disable({ userId, currentPassword: rootPassword }) 266 await server.twoFactor.disable({ userId, currentPassword: rootPassword })
248 267
249 // Reinit 268 await server.twoFactor.requestAndConfirm({ userId })
250 const { otpRequest } = await server.twoFactor.request({ userId, currentPassword: rootPassword })
251 await server.twoFactor.confirmRequest({
252 userId,
253 requestToken: otpRequest.requestToken,
254 otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
255 })
256 }) 269 })
257 270
258 it('Should succeed to update my two factor auth', async function () { 271 it('Should succeed to update my two factor auth', async function () {
diff --git a/server/tests/api/users/two-factor.ts b/server/tests/api/users/two-factor.ts
index 450aac4dc..0dcab9e17 100644
--- a/server/tests/api/users/two-factor.ts
+++ b/server/tests/api/users/two-factor.ts
@@ -7,13 +7,14 @@ import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServ
7 7
8async function login (options: { 8async function login (options: {
9 server: PeerTubeServer 9 server: PeerTubeServer
10 password?: string 10 username: string
11 password: string
11 otpToken?: string 12 otpToken?: string
12 expectedStatus?: HttpStatusCode 13 expectedStatus?: HttpStatusCode
13}) { 14}) {
14 const { server, password = server.store.user.password, otpToken, expectedStatus } = options 15 const { server, username, password, otpToken, expectedStatus } = options
15 16
16 const user = { username: server.store.user.username, password } 17 const user = { username, password }
17 const { res, body: { access_token: token } } = await server.login.loginAndGetResponse({ user, otpToken, expectedStatus }) 18 const { res, body: { access_token: token } } = await server.login.loginAndGetResponse({ user, otpToken, expectedStatus })
18 19
19 return { res, token } 20 return { res, token }
@@ -21,23 +22,28 @@ async function login (options: {
21 22
22describe('Test users', function () { 23describe('Test users', function () {
23 let server: PeerTubeServer 24 let server: PeerTubeServer
24 let rootId: number
25 let otpSecret: string 25 let otpSecret: string
26 let requestToken: string 26 let requestToken: string
27 27
28 const userUsername = 'user1'
29 let userId: number
30 let userPassword: string
31 let userToken: string
32
28 before(async function () { 33 before(async function () {
29 this.timeout(30000) 34 this.timeout(30000)
30 35
31 server = await createSingleServer(1) 36 server = await createSingleServer(1)
32 37
33 await setAccessTokensToServers([ server ]) 38 await setAccessTokensToServers([ server ])
34 39 const res = await server.users.generate(userUsername)
35 const { id } = await server.users.getMyInfo() 40 userId = res.userId
36 rootId = id 41 userPassword = res.password
42 userToken = res.token
37 }) 43 })
38 44
39 it('Should not add the header on login if two factor is not enabled', async function () { 45 it('Should not add the header on login if two factor is not enabled', async function () {
40 const { res, token } = await login({ server }) 46 const { res, token } = await login({ server, username: userUsername, password: userPassword })
41 47
42 expect(res.header['x-peertube-otp']).to.not.exist 48 expect(res.header['x-peertube-otp']).to.not.exist
43 49
@@ -45,10 +51,7 @@ describe('Test users', function () {
45 }) 51 })
46 52
47 it('Should request two factor and get the secret and uri', async function () { 53 it('Should request two factor and get the secret and uri', async function () {
48 const { otpRequest } = await server.twoFactor.request({ 54 const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
49 userId: rootId,
50 currentPassword: server.store.user.password
51 })
52 55
53 expect(otpRequest.requestToken).to.exist 56 expect(otpRequest.requestToken).to.exist
54 57
@@ -64,27 +67,33 @@ describe('Test users', function () {
64 }) 67 })
65 68
66 it('Should not have two factor confirmed yet', async function () { 69 it('Should not have two factor confirmed yet', async function () {
67 const { twoFactorEnabled } = await server.users.getMyInfo() 70 const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
68 expect(twoFactorEnabled).to.be.false 71 expect(twoFactorEnabled).to.be.false
69 }) 72 })
70 73
71 it('Should confirm two factor', async function () { 74 it('Should confirm two factor', async function () {
72 await server.twoFactor.confirmRequest({ 75 await server.twoFactor.confirmRequest({
73 userId: rootId, 76 userId,
77 token: userToken,
74 otpToken: TwoFactorCommand.buildOTP({ secret: otpSecret }).generate(), 78 otpToken: TwoFactorCommand.buildOTP({ secret: otpSecret }).generate(),
75 requestToken 79 requestToken
76 }) 80 })
77 }) 81 })
78 82
79 it('Should not add the header on login if two factor is enabled and password is incorrect', async function () { 83 it('Should not add the header on login if two factor is enabled and password is incorrect', async function () {
80 const { res, token } = await login({ server, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) 84 const { res, token } = await login({ server, username: userUsername, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
81 85
82 expect(res.header['x-peertube-otp']).to.not.exist 86 expect(res.header['x-peertube-otp']).to.not.exist
83 expect(token).to.not.exist 87 expect(token).to.not.exist
84 }) 88 })
85 89
86 it('Should add the header on login if two factor is enabled and password is correct', async function () { 90 it('Should add the header on login if two factor is enabled and password is correct', async function () {
87 const { res, token } = await login({ server, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 }) 91 const { res, token } = await login({
92 server,
93 username: userUsername,
94 password: userPassword,
95 expectedStatus: HttpStatusCode.UNAUTHORIZED_401
96 })
88 97
89 expect(res.header['x-peertube-otp']).to.exist 98 expect(res.header['x-peertube-otp']).to.exist
90 expect(token).to.not.exist 99 expect(token).to.not.exist
@@ -95,14 +104,26 @@ describe('Test users', function () {
95 it('Should not login with correct password and incorrect otp secret', async function () { 104 it('Should not login with correct password and incorrect otp secret', async function () {
96 const otp = TwoFactorCommand.buildOTP({ secret: 'a'.repeat(32) }) 105 const otp = TwoFactorCommand.buildOTP({ secret: 'a'.repeat(32) })
97 106
98 const { res, token } = await login({ server, otpToken: otp.generate(), expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) 107 const { res, token } = await login({
108 server,
109 username: userUsername,
110 password: userPassword,
111 otpToken: otp.generate(),
112 expectedStatus: HttpStatusCode.BAD_REQUEST_400
113 })
99 114
100 expect(res.header['x-peertube-otp']).to.not.exist 115 expect(res.header['x-peertube-otp']).to.not.exist
101 expect(token).to.not.exist 116 expect(token).to.not.exist
102 }) 117 })
103 118
104 it('Should not login with correct password and incorrect otp code', async function () { 119 it('Should not login with correct password and incorrect otp code', async function () {
105 const { res, token } = await login({ server, otpToken: '123456', expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) 120 const { res, token } = await login({
121 server,
122 username: userUsername,
123 password: userPassword,
124 otpToken: '123456',
125 expectedStatus: HttpStatusCode.BAD_REQUEST_400
126 })
106 127
107 expect(res.header['x-peertube-otp']).to.not.exist 128 expect(res.header['x-peertube-otp']).to.not.exist
108 expect(token).to.not.exist 129 expect(token).to.not.exist
@@ -111,7 +132,13 @@ describe('Test users', function () {
111 it('Should not login with incorrect password and correct otp code', async function () { 132 it('Should not login with incorrect password and correct otp code', async function () {
112 const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate() 133 const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
113 134
114 const { res, token } = await login({ server, password: 'fake', otpToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) 135 const { res, token } = await login({
136 server,
137 username: userUsername,
138 password: 'fake',
139 otpToken,
140 expectedStatus: HttpStatusCode.BAD_REQUEST_400
141 })
115 142
116 expect(res.header['x-peertube-otp']).to.not.exist 143 expect(res.header['x-peertube-otp']).to.not.exist
117 expect(token).to.not.exist 144 expect(token).to.not.exist
@@ -120,7 +147,7 @@ describe('Test users', function () {
120 it('Should correctly login with correct password and otp code', async function () { 147 it('Should correctly login with correct password and otp code', async function () {
121 const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate() 148 const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
122 149
123 const { res, token } = await login({ server, otpToken }) 150 const { res, token } = await login({ server, username: userUsername, password: userPassword, otpToken })
124 151
125 expect(res.header['x-peertube-otp']).to.not.exist 152 expect(res.header['x-peertube-otp']).to.not.exist
126 expect(token).to.exist 153 expect(token).to.exist
@@ -129,21 +156,41 @@ describe('Test users', function () {
129 }) 156 })
130 157
131 it('Should have two factor enabled when getting my info', async function () { 158 it('Should have two factor enabled when getting my info', async function () {
132 const { twoFactorEnabled } = await server.users.getMyInfo() 159 const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
133 expect(twoFactorEnabled).to.be.true 160 expect(twoFactorEnabled).to.be.true
134 }) 161 })
135 162
136 it('Should disable two factor and be able to login without otp token', async function () { 163 it('Should disable two factor and be able to login without otp token', async function () {
137 await server.twoFactor.disable({ userId: rootId, currentPassword: server.store.user.password }) 164 await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword })
138 165
139 const { res, token } = await login({ server }) 166 const { res, token } = await login({ server, username: userUsername, password: userPassword })
140 expect(res.header['x-peertube-otp']).to.not.exist 167 expect(res.header['x-peertube-otp']).to.not.exist
141 168
142 await server.users.getMyInfo({ token }) 169 await server.users.getMyInfo({ token })
143 }) 170 })
144 171
145 it('Should have two factor disabled when getting my info', async function () { 172 it('Should have two factor disabled when getting my info', async function () {
146 const { twoFactorEnabled } = await server.users.getMyInfo() 173 const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
174 expect(twoFactorEnabled).to.be.false
175 })
176
177 it('Should enable two factor auth without password from an admin', async function () {
178 const { otpRequest } = await server.twoFactor.request({ userId })
179
180 await server.twoFactor.confirmRequest({
181 userId,
182 otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate(),
183 requestToken: otpRequest.requestToken
184 })
185
186 const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
187 expect(twoFactorEnabled).to.be.true
188 })
189
190 it('Should disable two factor auth without password from an admin', async function () {
191 await server.twoFactor.disable({ userId })
192
193 const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
147 expect(twoFactorEnabled).to.be.false 194 expect(twoFactorEnabled).to.be.false
148 }) 195 })
149 196