aboutsummaryrefslogtreecommitdiffhomepage
path: root/server/tests/api
diff options
context:
space:
mode:
authorChocobozzz <me@florianbigard.com>2022-10-05 15:37:15 +0200
committerChocobozzz <me@florianbigard.com>2022-10-07 10:51:16 +0200
commit56f47830758ff8e92abcfcc5f35d474ab12fe215 (patch)
tree854e57ec1b800d6ad740c8e42bee00cbd21e1724 /server/tests/api
parent7dd7ff4cebc290b09fe00d82046bb58e4e8a800d (diff)
downloadPeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.tar.gz
PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.tar.zst
PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.zip
Support two factor authentication in backend
Diffstat (limited to 'server/tests/api')
-rw-r--r--server/tests/api/check-params/index.ts5
-rw-r--r--server/tests/api/check-params/two-factor.ts275
-rw-r--r--server/tests/api/users/index.ts1
-rw-r--r--server/tests/api/users/two-factor.ts153
4 files changed, 432 insertions, 2 deletions
diff --git a/server/tests/api/check-params/index.ts b/server/tests/api/check-params/index.ts
index cd7a38459..33dc8fb76 100644
--- a/server/tests/api/check-params/index.ts
+++ b/server/tests/api/check-params/index.ts
@@ -2,6 +2,7 @@ import './abuses'
2import './accounts' 2import './accounts'
3import './blocklist' 3import './blocklist'
4import './bulk' 4import './bulk'
5import './channel-import-videos'
5import './config' 6import './config'
6import './contact-form' 7import './contact-form'
7import './custom-pages' 8import './custom-pages'
@@ -17,6 +18,7 @@ import './redundancy'
17import './search' 18import './search'
18import './services' 19import './services'
19import './transcoding' 20import './transcoding'
21import './two-factor'
20import './upload-quota' 22import './upload-quota'
21import './user-notifications' 23import './user-notifications'
22import './user-subscriptions' 24import './user-subscriptions'
@@ -24,12 +26,11 @@ import './users-admin'
24import './users' 26import './users'
25import './video-blacklist' 27import './video-blacklist'
26import './video-captions' 28import './video-captions'
29import './video-channel-syncs'
27import './video-channels' 30import './video-channels'
28import './video-comments' 31import './video-comments'
29import './video-files' 32import './video-files'
30import './video-imports' 33import './video-imports'
31import './video-channel-syncs'
32import './channel-import-videos'
33import './video-playlists' 34import './video-playlists'
34import './video-source' 35import './video-source'
35import './video-studio' 36import './video-studio'
diff --git a/server/tests/api/check-params/two-factor.ts b/server/tests/api/check-params/two-factor.ts
new file mode 100644
index 000000000..e7ca5490c
--- /dev/null
+++ b/server/tests/api/check-params/two-factor.ts
@@ -0,0 +1,275 @@
1/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
2
3import { HttpStatusCode } from '@shared/models'
4import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers, TwoFactorCommand } from '@shared/server-commands'
5
6describe('Test two factor API validators', function () {
7 let server: PeerTubeServer
8
9 let rootId: number
10 let rootPassword: string
11 let rootRequestToken: string
12 let rootOTPToken: string
13
14 let userId: number
15 let userToken = ''
16 let userPassword: string
17 let userRequestToken: string
18 let userOTPToken: string
19
20 // ---------------------------------------------------------------
21
22 before(async function () {
23 this.timeout(30000)
24
25 {
26 server = await createSingleServer(1)
27 await setAccessTokensToServers([ server ])
28 }
29
30 {
31 const result = await server.users.generate('user1')
32 userToken = result.token
33 userId = result.userId
34 userPassword = result.password
35 }
36
37 {
38 const { id } = await server.users.getMyInfo()
39 rootId = id
40 rootPassword = server.store.user.password
41 }
42 })
43
44 describe('When requesting two factor', function () {
45
46 it('Should fail with an unknown user id', async function () {
47 await server.twoFactor.request({ userId: 42, currentPassword: rootPassword, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
48 })
49
50 it('Should fail with an invalid user id', async function () {
51 await server.twoFactor.request({
52 userId: 'invalid' as any,
53 currentPassword: rootPassword,
54 expectedStatus: HttpStatusCode.BAD_REQUEST_400
55 })
56 })
57
58 it('Should fail to request another user two factor without the appropriate rights', async function () {
59 await server.twoFactor.request({
60 userId: rootId,
61 token: userToken,
62 currentPassword: userPassword,
63 expectedStatus: HttpStatusCode.FORBIDDEN_403
64 })
65 })
66
67 it('Should succeed to request another user two factor with the appropriate rights', async function () {
68 await server.twoFactor.request({ userId, currentPassword: rootPassword })
69 })
70
71 it('Should fail to request two factor without a password', async function () {
72 await server.twoFactor.request({
73 userId,
74 token: userToken,
75 currentPassword: undefined,
76 expectedStatus: HttpStatusCode.BAD_REQUEST_400
77 })
78 })
79
80 it('Should fail to request two factor with an incorrect password', async function () {
81 await server.twoFactor.request({
82 userId,
83 token: userToken,
84 currentPassword: rootPassword,
85 expectedStatus: HttpStatusCode.FORBIDDEN_403
86 })
87 })
88
89 it('Should succeed to request my two factor auth', async function () {
90 {
91 const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
92 userRequestToken = otpRequest.requestToken
93 userOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
94 }
95
96 {
97 const { otpRequest } = await server.twoFactor.request({ userId: rootId, currentPassword: rootPassword })
98 rootRequestToken = otpRequest.requestToken
99 rootOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
100 }
101 })
102 })
103
104 describe('When confirming two factor request', function () {
105
106 it('Should fail with an unknown user id', async function () {
107 await server.twoFactor.confirmRequest({
108 userId: 42,
109 requestToken: rootRequestToken,
110 otpToken: rootOTPToken,
111 expectedStatus: HttpStatusCode.NOT_FOUND_404
112 })
113 })
114
115 it('Should fail with an invalid user id', async function () {
116 await server.twoFactor.confirmRequest({
117 userId: 'invalid' as any,
118 requestToken: rootRequestToken,
119 otpToken: rootOTPToken,
120 expectedStatus: HttpStatusCode.BAD_REQUEST_400
121 })
122 })
123
124 it('Should fail to confirm another user two factor request without the appropriate rights', async function () {
125 await server.twoFactor.confirmRequest({
126 userId: rootId,
127 token: userToken,
128 requestToken: rootRequestToken,
129 otpToken: rootOTPToken,
130 expectedStatus: HttpStatusCode.FORBIDDEN_403
131 })
132 })
133
134 it('Should fail without request token', async function () {
135 await server.twoFactor.confirmRequest({
136 userId,
137 requestToken: undefined,
138 otpToken: userOTPToken,
139 expectedStatus: HttpStatusCode.BAD_REQUEST_400
140 })
141 })
142
143 it('Should fail with an invalid request token', async function () {
144 await server.twoFactor.confirmRequest({
145 userId,
146 requestToken: 'toto',
147 otpToken: userOTPToken,
148 expectedStatus: HttpStatusCode.FORBIDDEN_403
149 })
150 })
151
152 it('Should fail with request token of another user', async function () {
153 await server.twoFactor.confirmRequest({
154 userId,
155 requestToken: rootRequestToken,
156 otpToken: userOTPToken,
157 expectedStatus: HttpStatusCode.FORBIDDEN_403
158 })
159 })
160
161 it('Should fail without an otp token', async function () {
162 await server.twoFactor.confirmRequest({
163 userId,
164 requestToken: userRequestToken,
165 otpToken: undefined,
166 expectedStatus: HttpStatusCode.BAD_REQUEST_400
167 })
168 })
169
170 it('Should fail with a bad otp token', async function () {
171 await server.twoFactor.confirmRequest({
172 userId,
173 requestToken: userRequestToken,
174 otpToken: '123456',
175 expectedStatus: HttpStatusCode.FORBIDDEN_403
176 })
177 })
178
179 it('Should succeed to confirm another user two factor request with the appropriate rights', async function () {
180 await server.twoFactor.confirmRequest({
181 userId,
182 requestToken: userRequestToken,
183 otpToken: userOTPToken
184 })
185
186 // Reinit
187 await server.twoFactor.disable({ userId, currentPassword: rootPassword })
188 })
189
190 it('Should succeed to confirm my two factor request', async function () {
191 await server.twoFactor.confirmRequest({
192 userId,
193 token: userToken,
194 requestToken: userRequestToken,
195 otpToken: userOTPToken
196 })
197 })
198
199 it('Should fail to confirm again two factor request', async function () {
200 await server.twoFactor.confirmRequest({
201 userId,
202 token: userToken,
203 requestToken: userRequestToken,
204 otpToken: userOTPToken,
205 expectedStatus: HttpStatusCode.BAD_REQUEST_400
206 })
207 })
208 })
209
210 describe('When disabling two factor', function () {
211
212 it('Should fail with an unknown user id', async function () {
213 await server.twoFactor.disable({
214 userId: 42,
215 currentPassword: rootPassword,
216 expectedStatus: HttpStatusCode.NOT_FOUND_404
217 })
218 })
219
220 it('Should fail with an invalid user id', async function () {
221 await server.twoFactor.disable({
222 userId: 'invalid' as any,
223 currentPassword: rootPassword,
224 expectedStatus: HttpStatusCode.BAD_REQUEST_400
225 })
226 })
227
228 it('Should fail to disable another user two factor without the appropriate rights', async function () {
229 await server.twoFactor.disable({
230 userId: rootId,
231 token: userToken,
232 currentPassword: userPassword,
233 expectedStatus: HttpStatusCode.FORBIDDEN_403
234 })
235 })
236
237 it('Should fail to disabled two factor with an incorrect password', async function () {
238 await server.twoFactor.disable({
239 userId,
240 token: userToken,
241 currentPassword: rootPassword,
242 expectedStatus: HttpStatusCode.FORBIDDEN_403
243 })
244 })
245
246 it('Should succeed to disable another user two factor with the appropriate rights', async function () {
247 await server.twoFactor.disable({ userId, currentPassword: rootPassword })
248
249 // Reinit
250 const { otpRequest } = await server.twoFactor.request({ userId, currentPassword: rootPassword })
251 await server.twoFactor.confirmRequest({
252 userId,
253 requestToken: otpRequest.requestToken,
254 otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
255 })
256 })
257
258 it('Should succeed to update my two factor auth', async function () {
259 await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword })
260 })
261
262 it('Should fail to disable again two factor', async function () {
263 await server.twoFactor.disable({
264 userId,
265 token: userToken,
266 currentPassword: userPassword,
267 expectedStatus: HttpStatusCode.BAD_REQUEST_400
268 })
269 })
270 })
271
272 after(async function () {
273 await cleanupTests([ server ])
274 })
275})
diff --git a/server/tests/api/users/index.ts b/server/tests/api/users/index.ts
index c65152c6f..643f1a531 100644
--- a/server/tests/api/users/index.ts
+++ b/server/tests/api/users/index.ts
@@ -1,3 +1,4 @@
1import './two-factor'
1import './user-subscriptions' 2import './user-subscriptions'
2import './user-videos' 3import './user-videos'
3import './users' 4import './users'
diff --git a/server/tests/api/users/two-factor.ts b/server/tests/api/users/two-factor.ts
new file mode 100644
index 000000000..450aac4dc
--- /dev/null
+++ b/server/tests/api/users/two-factor.ts
@@ -0,0 +1,153 @@
1/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
2
3import { expect } from 'chai'
4import { expectStartWith } from '@server/tests/shared'
5import { HttpStatusCode } from '@shared/models'
6import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers, TwoFactorCommand } from '@shared/server-commands'
7
8async function login (options: {
9 server: PeerTubeServer
10 password?: string
11 otpToken?: string
12 expectedStatus?: HttpStatusCode
13}) {
14 const { server, password = server.store.user.password, otpToken, expectedStatus } = options
15
16 const user = { username: server.store.user.username, password }
17 const { res, body: { access_token: token } } = await server.login.loginAndGetResponse({ user, otpToken, expectedStatus })
18
19 return { res, token }
20}
21
22describe('Test users', function () {
23 let server: PeerTubeServer
24 let rootId: number
25 let otpSecret: string
26 let requestToken: string
27
28 before(async function () {
29 this.timeout(30000)
30
31 server = await createSingleServer(1)
32
33 await setAccessTokensToServers([ server ])
34
35 const { id } = await server.users.getMyInfo()
36 rootId = id
37 })
38
39 it('Should not add the header on login if two factor is not enabled', async function () {
40 const { res, token } = await login({ server })
41
42 expect(res.header['x-peertube-otp']).to.not.exist
43
44 await server.users.getMyInfo({ token })
45 })
46
47 it('Should request two factor and get the secret and uri', async function () {
48 const { otpRequest } = await server.twoFactor.request({
49 userId: rootId,
50 currentPassword: server.store.user.password
51 })
52
53 expect(otpRequest.requestToken).to.exist
54
55 expect(otpRequest.secret).to.exist
56 expect(otpRequest.secret).to.have.lengthOf(32)
57
58 expect(otpRequest.uri).to.exist
59 expectStartWith(otpRequest.uri, 'otpauth://')
60 expect(otpRequest.uri).to.include(otpRequest.secret)
61
62 requestToken = otpRequest.requestToken
63 otpSecret = otpRequest.secret
64 })
65
66 it('Should not have two factor confirmed yet', async function () {
67 const { twoFactorEnabled } = await server.users.getMyInfo()
68 expect(twoFactorEnabled).to.be.false
69 })
70
71 it('Should confirm two factor', async function () {
72 await server.twoFactor.confirmRequest({
73 userId: rootId,
74 otpToken: TwoFactorCommand.buildOTP({ secret: otpSecret }).generate(),
75 requestToken
76 })
77 })
78
79 it('Should not add the header on login if two factor is enabled and password is incorrect', async function () {
80 const { res, token } = await login({ server, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
81
82 expect(res.header['x-peertube-otp']).to.not.exist
83 expect(token).to.not.exist
84 })
85
86 it('Should add the header on login if two factor is enabled and password is correct', async function () {
87 const { res, token } = await login({ server, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
88
89 expect(res.header['x-peertube-otp']).to.exist
90 expect(token).to.not.exist
91
92 await server.users.getMyInfo({ token })
93 })
94
95 it('Should not login with correct password and incorrect otp secret', async function () {
96 const otp = TwoFactorCommand.buildOTP({ secret: 'a'.repeat(32) })
97
98 const { res, token } = await login({ server, otpToken: otp.generate(), expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
99
100 expect(res.header['x-peertube-otp']).to.not.exist
101 expect(token).to.not.exist
102 })
103
104 it('Should not login with correct password and incorrect otp code', async function () {
105 const { res, token } = await login({ server, otpToken: '123456', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
106
107 expect(res.header['x-peertube-otp']).to.not.exist
108 expect(token).to.not.exist
109 })
110
111 it('Should not login with incorrect password and correct otp code', async function () {
112 const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
113
114 const { res, token } = await login({ server, password: 'fake', otpToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
115
116 expect(res.header['x-peertube-otp']).to.not.exist
117 expect(token).to.not.exist
118 })
119
120 it('Should correctly login with correct password and otp code', async function () {
121 const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
122
123 const { res, token } = await login({ server, otpToken })
124
125 expect(res.header['x-peertube-otp']).to.not.exist
126 expect(token).to.exist
127
128 await server.users.getMyInfo({ token })
129 })
130
131 it('Should have two factor enabled when getting my info', async function () {
132 const { twoFactorEnabled } = await server.users.getMyInfo()
133 expect(twoFactorEnabled).to.be.true
134 })
135
136 it('Should disable two factor and be able to login without otp token', async function () {
137 await server.twoFactor.disable({ userId: rootId, currentPassword: server.store.user.password })
138
139 const { res, token } = await login({ server })
140 expect(res.header['x-peertube-otp']).to.not.exist
141
142 await server.users.getMyInfo({ token })
143 })
144
145 it('Should have two factor disabled when getting my info', async function () {
146 const { twoFactorEnabled } = await server.users.getMyInfo()
147 expect(twoFactorEnabled).to.be.false
148 })
149
150 after(async function () {
151 await cleanupTests([ server ])
152 })
153})