Merge branch 'feature/otp' into develop

author: Chocobozzz <me@florianbigard.com> 2022-10-10 11:19:58 +0200
committer: Chocobozzz <me@florianbigard.com> 2022-10-10 11:19:58 +0200
commit: 63fa260a81a8930c157b73c897fe8696a8cc90d4 (patch)
tree: 705ebfae42f9c59b2a1ac97779e4037102dfed1c /server/tests/api
parent: 9b99d32804e99462c6f22df3ec3db9ec5bf8a18c (diff)
parent: 1ea868a9456439108fbd87255537093ed8bd456f (diff)
download: PeerTube-63fa260a81a8930c157b73c897fe8696a8cc90d4.tar.gz
PeerTube-63fa260a81a8930c157b73c897fe8696a8cc90d4.tar.zst
PeerTube-63fa260a81a8930c157b73c897fe8696a8cc90d4.zip
4 files changed, 492 insertions, 2 deletions
diff --git a/server/tests/api/check-params/index.ts b/server/tests/api/check-params/index.ts
index cd7a38459..33dc8fb76 100644
--- a/server/tests/api/check-params/index.ts
+++ b/server/tests/api/check-params/index.ts
@@ -2,6 +2,7 @@ import './abuses'
 import './accounts'
 import './blocklist'
 import './bulk'
+import './channel-import-videos'
 import './config'
 import './contact-form'
 import './custom-pages'
@@ -17,6 +18,7 @@ import './redundancy'
 import './search'
 import './services'
 import './transcoding'
+import './two-factor'
 import './upload-quota'
 import './user-notifications'
 import './user-subscriptions'
@@ -24,12 +26,11 @@ import './users-admin'
 import './users'
 import './video-blacklist'
 import './video-captions'
+import './video-channel-syncs'
 import './video-channels'
 import './video-comments'
 import './video-files'
 import './video-imports'
-import './video-channel-syncs'
-import './channel-import-videos'
 import './video-playlists'
 import './video-source'
 import './video-studio'
diff --git a/server/tests/api/check-params/two-factor.ts b/server/tests/api/check-params/two-factor.ts
new file mode 100644
index 000000000..f8365f1b5
--- /dev/null
+++ b/server/tests/api/check-params/two-factor.ts
@@ -0,0 +1,288 @@
+/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
+import { HttpStatusCode } from '@shared/models'
+import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers, TwoFactorCommand } from '@shared/server-commands'
+describe('Test two factor API validators', function () {
+  let server: PeerTubeServer
+  let rootId: number
+  let rootPassword: string
+  let rootRequestToken: string
+  let rootOTPToken: string
+  let userId: number
+  let userToken = ''
+  let userPassword: string
+  let userRequestToken: string
+  let userOTPToken: string
+  // ---------------------------------------------------------------
+  before(async function () {
+    this.timeout(30000)
+    {
+      server = await createSingleServer(1)
+      await setAccessTokensToServers([ server ])
+    }
+    {
+      const result = await server.users.generate('user1')
+      userToken = result.token
+      userId = result.userId
+      userPassword = result.password
+    }
+    {
+      const { id } = await server.users.getMyInfo()
+      rootId = id
+      rootPassword = server.store.user.password
+    }
+  })
+  describe('When requesting two factor', function () {
+    it('Should fail with an unknown user id', async function () {
+      await server.twoFactor.request({ userId: 42, currentPassword: rootPassword, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
+    })
+    it('Should fail with an invalid user id', async function () {
+      await server.twoFactor.request({
+        userId: 'invalid' as any,
+        currentPassword: rootPassword,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+    it('Should fail to request another user two factor without the appropriate rights', async function () {
+      await server.twoFactor.request({
+        userId: rootId,
+        token: userToken,
+        currentPassword: userPassword,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+    it('Should succeed to request another user two factor with the appropriate rights', async function () {
+      await server.twoFactor.request({ userId, currentPassword: rootPassword })
+    })
+    it('Should fail to request two factor without a password', async function () {
+      await server.twoFactor.request({
+        userId,
+        token: userToken,
+        currentPassword: undefined,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+    it('Should fail to request two factor with an incorrect password', async function () {
+      await server.twoFactor.request({
+        userId,
+        token: userToken,
+        currentPassword: rootPassword,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+    it('Should succeed to request two factor without a password when targeting a remote user with an admin account', async function () {
+      await server.twoFactor.request({ userId })
+    })
+    it('Should fail to request two factor without a password when targeting myself with an admin account', async function () {
+      await server.twoFactor.request({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+      await server.twoFactor.request({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+    })
+    it('Should succeed to request my two factor auth', async function () {
+      {
+        const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
+        userRequestToken = otpRequest.requestToken
+        userOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
+      }
+      {
+        const { otpRequest } = await server.twoFactor.request({ userId: rootId, currentPassword: rootPassword })
+        rootRequestToken = otpRequest.requestToken
+        rootOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
+      }
+    })
+  })
+  describe('When confirming two factor request', function () {
+    it('Should fail with an unknown user id', async function () {
+      await server.twoFactor.confirmRequest({
+        userId: 42,
+        requestToken: rootRequestToken,
+        otpToken: rootOTPToken,
+        expectedStatus: HttpStatusCode.NOT_FOUND_404
+      })
+    })
+    it('Should fail with an invalid user id', async function () {
+      await server.twoFactor.confirmRequest({
+        userId: 'invalid' as any,
+        requestToken: rootRequestToken,
+        otpToken: rootOTPToken,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+    it('Should fail to confirm another user two factor request without the appropriate rights', async function () {
+      await server.twoFactor.confirmRequest({
+        userId: rootId,
+        token: userToken,
+        requestToken: rootRequestToken,
+        otpToken: rootOTPToken,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+    it('Should fail without request token', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: undefined,
+        otpToken: userOTPToken,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+    it('Should fail with an invalid request token', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: 'toto',
+        otpToken: userOTPToken,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+    it('Should fail with request token of another user', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: rootRequestToken,
+        otpToken: userOTPToken,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+    it('Should fail without an otp token', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: userRequestToken,
+        otpToken: undefined,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+    it('Should fail with a bad otp token', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: userRequestToken,
+        otpToken: '123456',
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+    it('Should succeed to confirm another user two factor request with the appropriate rights', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: userRequestToken,
+        otpToken: userOTPToken
+      })
+      // Reinit
+      await server.twoFactor.disable({ userId, currentPassword: rootPassword })
+    })
+    it('Should succeed to confirm my two factor request', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        token: userToken,
+        requestToken: userRequestToken,
+        otpToken: userOTPToken
+      })
+    })
+    it('Should fail to confirm again two factor request', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        token: userToken,
+        requestToken: userRequestToken,
+        otpToken: userOTPToken,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+  })
+  describe('When disabling two factor', function () {
+    it('Should fail with an unknown user id', async function () {
+      await server.twoFactor.disable({
+        userId: 42,
+        currentPassword: rootPassword,
+        expectedStatus: HttpStatusCode.NOT_FOUND_404
+      })
+    })
+    it('Should fail with an invalid user id', async function () {
+      await server.twoFactor.disable({
+        userId: 'invalid' as any,
+        currentPassword: rootPassword,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+    it('Should fail to disable another user two factor without the appropriate rights', async function () {
+      await server.twoFactor.disable({
+        userId: rootId,
+        token: userToken,
+        currentPassword: userPassword,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+    it('Should fail to disable two factor with an incorrect password', async function () {
+      await server.twoFactor.disable({
+        userId,
+        token: userToken,
+        currentPassword: rootPassword,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+    it('Should succeed to disable two factor without a password when targeting a remote user with an admin account', async function () {
+      await server.twoFactor.disable({ userId })
+      await server.twoFactor.requestAndConfirm({ userId })
+    })
+    it('Should fail to disable two factor without a password when targeting myself with an admin account', async function () {
+      await server.twoFactor.disable({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+      await server.twoFactor.disable({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+    })
+    it('Should succeed to disable another user two factor with the appropriate rights', async function () {
+      await server.twoFactor.disable({ userId, currentPassword: rootPassword })
+      await server.twoFactor.requestAndConfirm({ userId })
+    })
+    it('Should succeed to update my two factor auth', async function () {
+      await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword })
+    })
+    it('Should fail to disable again two factor', async function () {
+      await server.twoFactor.disable({
+        userId,
+        token: userToken,
+        currentPassword: userPassword,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+  })
+  after(async function () {
+    await cleanupTests([ server ])
+  })
+})
diff --git a/server/tests/api/users/index.ts b/server/tests/api/users/index.ts
index c65152c6f..643f1a531 100644
--- a/server/tests/api/users/index.ts
+++ b/server/tests/api/users/index.ts
@@ -1,3 +1,4 @@
+import './two-factor'
 import './user-subscriptions'
 import './user-videos'
 import './users'
diff --git a/server/tests/api/users/two-factor.ts b/server/tests/api/users/two-factor.ts
new file mode 100644
index 000000000..0dcab9e17
--- /dev/null
+++ b/server/tests/api/users/two-factor.ts
@@ -0,0 +1,200 @@
+/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
+import { expect } from 'chai'
+import { expectStartWith } from '@server/tests/shared'
+import { HttpStatusCode } from '@shared/models'
+import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers, TwoFactorCommand } from '@shared/server-commands'
+async function login (options: {
+  server: PeerTubeServer
+  username: string
+  password: string
+  otpToken?: string
+  expectedStatus?: HttpStatusCode
+}) {
+  const { server, username, password, otpToken, expectedStatus } = options
+  const user = { username, password }
+  const { res, body: { access_token: token } } = await server.login.loginAndGetResponse({ user, otpToken, expectedStatus })
+  return { res, token }
+}
+describe('Test users', function () {
+  let server: PeerTubeServer
+  let otpSecret: string
+  let requestToken: string
+  const userUsername = 'user1'
+  let userId: number
+  let userPassword: string
+  let userToken: string
+  before(async function () {
+    this.timeout(30000)
+    server = await createSingleServer(1)
+    await setAccessTokensToServers([ server ])
+    const res = await server.users.generate(userUsername)
+    userId = res.userId
+    userPassword = res.password
+    userToken = res.token
+  })
+  it('Should not add the header on login if two factor is not enabled', async function () {
+    const { res, token } = await login({ server, username: userUsername, password: userPassword })
+    expect(res.header['x-peertube-otp']).to.not.exist
+    await server.users.getMyInfo({ token })
+  })
+  it('Should request two factor and get the secret and uri', async function () {
+    const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
+    expect(otpRequest.requestToken).to.exist
+    expect(otpRequest.secret).to.exist
+    expect(otpRequest.secret).to.have.lengthOf(32)
+    expect(otpRequest.uri).to.exist
+    expectStartWith(otpRequest.uri, 'otpauth://')
+    expect(otpRequest.uri).to.include(otpRequest.secret)
+    requestToken = otpRequest.requestToken
+    otpSecret = otpRequest.secret
+  })
+  it('Should not have two factor confirmed yet', async function () {
+    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
+    expect(twoFactorEnabled).to.be.false
+  })
+  it('Should confirm two factor', async function () {
+    await server.twoFactor.confirmRequest({
+      userId,
+      token: userToken,
+      otpToken: TwoFactorCommand.buildOTP({ secret: otpSecret }).generate(),
+      requestToken
+    })
+  })
+  it('Should not add the header on login if two factor is enabled and password is incorrect', async function () {
+    const { res, token } = await login({ server, username: userUsername, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+    expect(res.header['x-peertube-otp']).to.not.exist
+    expect(token).to.not.exist
+  })
+  it('Should add the header on login if two factor is enabled and password is correct', async function () {
+    const { res, token } = await login({
+      server,
+      username: userUsername,
+      password: userPassword,
+      expectedStatus: HttpStatusCode.UNAUTHORIZED_401
+    })
+    expect(res.header['x-peertube-otp']).to.exist
+    expect(token).to.not.exist
+    await server.users.getMyInfo({ token })
+  })
+  it('Should not login with correct password and incorrect otp secret', async function () {
+    const otp = TwoFactorCommand.buildOTP({ secret: 'a'.repeat(32) })
+    const { res, token } = await login({
+      server,
+      username: userUsername,
+      password: userPassword,
+      otpToken: otp.generate(),
+      expectedStatus: HttpStatusCode.BAD_REQUEST_400
+    })
+    expect(res.header['x-peertube-otp']).to.not.exist
+    expect(token).to.not.exist
+  })
+  it('Should not login with correct password and incorrect otp code', async function () {
+    const { res, token } = await login({
+      server,
+      username: userUsername,
+      password: userPassword,
+      otpToken: '123456',
+      expectedStatus: HttpStatusCode.BAD_REQUEST_400
+    })
+    expect(res.header['x-peertube-otp']).to.not.exist
+    expect(token).to.not.exist
+  })
+  it('Should not login with incorrect password and correct otp code', async function () {
+    const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
+    const { res, token } = await login({
+      server,
+      username: userUsername,
+      password: 'fake',
+      otpToken,
+      expectedStatus: HttpStatusCode.BAD_REQUEST_400
+    })
+    expect(res.header['x-peertube-otp']).to.not.exist
+    expect(token).to.not.exist
+  })
+  it('Should correctly login with correct password and otp code', async function () {
+    const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
+    const { res, token } = await login({ server, username: userUsername, password: userPassword, otpToken })
+    expect(res.header['x-peertube-otp']).to.not.exist
+    expect(token).to.exist
+    await server.users.getMyInfo({ token })
+  })
+  it('Should have two factor enabled when getting my info', async function () {
+    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
+    expect(twoFactorEnabled).to.be.true
+  })
+  it('Should disable two factor and be able to login without otp token', async function () {
+    await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword })
+    const { res, token } = await login({ server, username: userUsername, password: userPassword })
+    expect(res.header['x-peertube-otp']).to.not.exist
+    await server.users.getMyInfo({ token })
+  })
+  it('Should have two factor disabled when getting my info', async function () {
+    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
+    expect(twoFactorEnabled).to.be.false
+  })
+  it('Should enable two factor auth without password from an admin', async function () {
+    const { otpRequest } = await server.twoFactor.request({ userId })
+    await server.twoFactor.confirmRequest({
+      userId,
+      otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate(),
+      requestToken: otpRequest.requestToken
+    })
+    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
+    expect(twoFactorEnabled).to.be.true
+  })
+  it('Should disable two factor auth without password from an admin', async function () {
+    await server.twoFactor.disable({ userId })
+    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
+    expect(twoFactorEnabled).to.be.false
+  })
+  after(async function () {
+    await cleanupTests([ server ])
+  })
+})
author	Chocobozzz <me@florianbigard.com>	2022-10-10 11:19:58 +0200
committer	Chocobozzz <me@florianbigard.com>	2022-10-10 11:19:58 +0200
commit	63fa260a81a8930c157b73c897fe8696a8cc90d4 (patch)
tree	705ebfae42f9c59b2a1ac97779e4037102dfed1c /server/tests/api
parent	9b99d32804e99462c6f22df3ec3db9ec5bf8a18c (diff)
parent	1ea868a9456439108fbd87255537093ed8bd456f (diff)
download	PeerTube-63fa260a81a8930c157b73c897fe8696a8cc90d4.tar.gz PeerTube-63fa260a81a8930c157b73c897fe8696a8cc90d4.tar.zst PeerTube-63fa260a81a8930c157b73c897fe8696a8cc90d4.zip

diff --git a/server/tests/api/check-params/index.ts b/server/tests/api/check-params/index.ts index cd7a38459..33dc8fb76 100644 --- a/server/tests/api/check-params/index.ts +++ b/server/tests/api/check-params/index.ts
@@ -2,6 +2,7 @@ import './abuses'
2	import './accounts'	2	import './accounts'
3	import './blocklist'	3	import './blocklist'
4	import './bulk'	4	import './bulk'
		5	import './channel-import-videos'
5	import './config'	6	import './config'
6	import './contact-form'	7	import './contact-form'
7	import './custom-pages'	8	import './custom-pages'
@@ -17,6 +18,7 @@ import './redundancy'
17	import './search'	18	import './search'
18	import './services'	19	import './services'
19	import './transcoding'	20	import './transcoding'
		21	import './two-factor'
20	import './upload-quota'	22	import './upload-quota'
21	import './user-notifications'	23	import './user-notifications'
22	import './user-subscriptions'	24	import './user-subscriptions'
@@ -24,12 +26,11 @@ import './users-admin'
24	import './users'	26	import './users'
25	import './video-blacklist'	27	import './video-blacklist'
26	import './video-captions'	28	import './video-captions'
		29	import './video-channel-syncs'
27	import './video-channels'	30	import './video-channels'
28	import './video-comments'	31	import './video-comments'
29	import './video-files'	32	import './video-files'
30	import './video-imports'	33	import './video-imports'
31	import './video-channel-syncs'
32	import './channel-import-videos'
33	import './video-playlists'	34	import './video-playlists'
34	import './video-source'	35	import './video-source'
35	import './video-studio'	36	import './video-studio'


diff --git a/server/tests/api/check-params/two-factor.ts b/server/tests/api/check-params/two-factor.ts new file mode 100644 index 000000000..f8365f1b5 --- /dev/null +++ b/server/tests/api/check-params/two-factor.ts
@@ -0,0 +1,288 @@
		1	/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
		2
		3	import { HttpStatusCode } from '@shared/models'
		4	import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers, TwoFactorCommand } from '@shared/server-commands'
		5
		6	describe('Test two factor API validators', function () {
		7	let server: PeerTubeServer
		8
		9	let rootId: number
		10	let rootPassword: string
		11	let rootRequestToken: string
		12	let rootOTPToken: string
		13
		14	let userId: number
		15	let userToken = ''
		16	let userPassword: string
		17	let userRequestToken: string
		18	let userOTPToken: string
		19
		20	// ---------------------------------------------------------------
		21
		22	before(async function () {
		23	this.timeout(30000)
		24
		25	{
		26	server = await createSingleServer(1)
		27	await setAccessTokensToServers([ server ])
		28	}
		29
		30	{
		31	const result = await server.users.generate('user1')
		32	userToken = result.token
		33	userId = result.userId
		34	userPassword = result.password
		35	}
		36
		37	{
		38	const { id } = await server.users.getMyInfo()
		39	rootId = id
		40	rootPassword = server.store.user.password
		41	}
		42	})
		43
		44	describe('When requesting two factor', function () {
		45
		46	it('Should fail with an unknown user id', async function () {
		47	await server.twoFactor.request({ userId: 42, currentPassword: rootPassword, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
		48	})
		49
		50	it('Should fail with an invalid user id', async function () {
		51	await server.twoFactor.request({
		52	userId: 'invalid' as any,
		53	currentPassword: rootPassword,
		54	expectedStatus: HttpStatusCode.BAD_REQUEST_400
		55	})
		56	})
		57
		58	it('Should fail to request another user two factor without the appropriate rights', async function () {
		59	await server.twoFactor.request({
		60	userId: rootId,
		61	token: userToken,
		62	currentPassword: userPassword,
		63	expectedStatus: HttpStatusCode.FORBIDDEN_403
		64	})
		65	})
		66
		67	it('Should succeed to request another user two factor with the appropriate rights', async function () {
		68	await server.twoFactor.request({ userId, currentPassword: rootPassword })
		69	})
		70
		71	it('Should fail to request two factor without a password', async function () {
		72	await server.twoFactor.request({
		73	userId,
		74	token: userToken,
		75	currentPassword: undefined,
		76	expectedStatus: HttpStatusCode.BAD_REQUEST_400
		77	})
		78	})
		79
		80	it('Should fail to request two factor with an incorrect password', async function () {
		81	await server.twoFactor.request({
		82	userId,
		83	token: userToken,
		84	currentPassword: rootPassword,
		85	expectedStatus: HttpStatusCode.FORBIDDEN_403
		86	})
		87	})
		88
		89	it('Should succeed to request two factor without a password when targeting a remote user with an admin account', async function () {
		90	await server.twoFactor.request({ userId })
		91	})
		92
		93	it('Should fail to request two factor without a password when targeting myself with an admin account', async function () {
		94	await server.twoFactor.request({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
		95	await server.twoFactor.request({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
		96	})
		97
		98	it('Should succeed to request my two factor auth', async function () {
		99	{
		100	const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
		101	userRequestToken = otpRequest.requestToken
		102	userOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
		103	}
		104
		105	{
		106	const { otpRequest } = await server.twoFactor.request({ userId: rootId, currentPassword: rootPassword })
		107	rootRequestToken = otpRequest.requestToken
		108	rootOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
		109	}
		110	})
		111	})
		112
		113	describe('When confirming two factor request', function () {
		114
		115	it('Should fail with an unknown user id', async function () {
		116	await server.twoFactor.confirmRequest({
		117	userId: 42,
		118	requestToken: rootRequestToken,
		119	otpToken: rootOTPToken,
		120	expectedStatus: HttpStatusCode.NOT_FOUND_404
		121	})
		122	})
		123
		124	it('Should fail with an invalid user id', async function () {
		125	await server.twoFactor.confirmRequest({
		126	userId: 'invalid' as any,
		127	requestToken: rootRequestToken,
		128	otpToken: rootOTPToken,
		129	expectedStatus: HttpStatusCode.BAD_REQUEST_400
		130	})
		131	})
		132
		133	it('Should fail to confirm another user two factor request without the appropriate rights', async function () {
		134	await server.twoFactor.confirmRequest({
		135	userId: rootId,
		136	token: userToken,
		137	requestToken: rootRequestToken,
		138	otpToken: rootOTPToken,
		139	expectedStatus: HttpStatusCode.FORBIDDEN_403
		140	})
		141	})
		142
		143	it('Should fail without request token', async function () {
		144	await server.twoFactor.confirmRequest({
		145	userId,
		146	requestToken: undefined,
		147	otpToken: userOTPToken,
		148	expectedStatus: HttpStatusCode.BAD_REQUEST_400
		149	})
		150	})
		151
		152	it('Should fail with an invalid request token', async function () {
		153	await server.twoFactor.confirmRequest({
		154	userId,
		155	requestToken: 'toto',
		156	otpToken: userOTPToken,
		157	expectedStatus: HttpStatusCode.FORBIDDEN_403
		158	})
		159	})
		160
		161	it('Should fail with request token of another user', async function () {
		162	await server.twoFactor.confirmRequest({
		163	userId,
		164	requestToken: rootRequestToken,
		165	otpToken: userOTPToken,
		166	expectedStatus: HttpStatusCode.FORBIDDEN_403
		167	})
		168	})
		169
		170	it('Should fail without an otp token', async function () {
		171	await server.twoFactor.confirmRequest({
		172	userId,
		173	requestToken: userRequestToken,
		174	otpToken: undefined,
		175	expectedStatus: HttpStatusCode.BAD_REQUEST_400
		176	})
		177	})
		178
		179	it('Should fail with a bad otp token', async function () {
		180	await server.twoFactor.confirmRequest({
		181	userId,
		182	requestToken: userRequestToken,
		183	otpToken: '123456',
		184	expectedStatus: HttpStatusCode.FORBIDDEN_403
		185	})
		186	})
		187
		188	it('Should succeed to confirm another user two factor request with the appropriate rights', async function () {
		189	await server.twoFactor.confirmRequest({
		190	userId,
		191	requestToken: userRequestToken,
		192	otpToken: userOTPToken
		193	})
		194
		195	// Reinit
		196	await server.twoFactor.disable({ userId, currentPassword: rootPassword })
		197	})
		198
		199	it('Should succeed to confirm my two factor request', async function () {
		200	await server.twoFactor.confirmRequest({
		201	userId,
		202	token: userToken,
		203	requestToken: userRequestToken,
		204	otpToken: userOTPToken
		205	})
		206	})
		207
		208	it('Should fail to confirm again two factor request', async function () {
		209	await server.twoFactor.confirmRequest({
		210	userId,
		211	token: userToken,
		212	requestToken: userRequestToken,
		213	otpToken: userOTPToken,
		214	expectedStatus: HttpStatusCode.BAD_REQUEST_400
		215	})
		216	})
		217	})
		218
		219	describe('When disabling two factor', function () {
		220
		221	it('Should fail with an unknown user id', async function () {
		222	await server.twoFactor.disable({
		223	userId: 42,
		224	currentPassword: rootPassword,
		225	expectedStatus: HttpStatusCode.NOT_FOUND_404
		226	})
		227	})
		228
		229	it('Should fail with an invalid user id', async function () {
		230	await server.twoFactor.disable({
		231	userId: 'invalid' as any,
		232	currentPassword: rootPassword,
		233	expectedStatus: HttpStatusCode.BAD_REQUEST_400
		234	})
		235	})
		236
		237	it('Should fail to disable another user two factor without the appropriate rights', async function () {
		238	await server.twoFactor.disable({
		239	userId: rootId,
		240	token: userToken,
		241	currentPassword: userPassword,
		242	expectedStatus: HttpStatusCode.FORBIDDEN_403
		243	})
		244	})
		245
		246	it('Should fail to disable two factor with an incorrect password', async function () {
		247	await server.twoFactor.disable({
		248	userId,
		249	token: userToken,
		250	currentPassword: rootPassword,
		251	expectedStatus: HttpStatusCode.FORBIDDEN_403
		252	})
		253	})
		254
		255	it('Should succeed to disable two factor without a password when targeting a remote user with an admin account', async function () {
		256	await server.twoFactor.disable({ userId })
		257	await server.twoFactor.requestAndConfirm({ userId })
		258	})
		259
		260	it('Should fail to disable two factor without a password when targeting myself with an admin account', async function () {
		261	await server.twoFactor.disable({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
		262	await server.twoFactor.disable({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
		263	})
		264
		265	it('Should succeed to disable another user two factor with the appropriate rights', async function () {
		266	await server.twoFactor.disable({ userId, currentPassword: rootPassword })
		267
		268	await server.twoFactor.requestAndConfirm({ userId })
		269	})
		270
		271	it('Should succeed to update my two factor auth', async function () {
		272	await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword })
		273	})
		274
		275	it('Should fail to disable again two factor', async function () {
		276	await server.twoFactor.disable({
		277	userId,
		278	token: userToken,
		279	currentPassword: userPassword,
		280	expectedStatus: HttpStatusCode.BAD_REQUEST_400
		281	})
		282	})
		283	})
		284
		285	after(async function () {
		286	await cleanupTests([ server ])
		287	})
		288	})


diff --git a/server/tests/api/users/index.ts b/server/tests/api/users/index.ts index c65152c6f..643f1a531 100644 --- a/server/tests/api/users/index.ts +++ b/server/tests/api/users/index.ts
@@ -1,3 +1,4 @@
		1	import './two-factor'
1	import './user-subscriptions'	2	import './user-subscriptions'
2	import './user-videos'	3	import './user-videos'
3	import './users'	4	import './users'


diff --git a/server/tests/api/users/two-factor.ts b/server/tests/api/users/two-factor.ts new file mode 100644 index 000000000..0dcab9e17 --- /dev/null +++ b/server/tests/api/users/two-factor.ts
@@ -0,0 +1,200 @@
		1	/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
		2
		3	import { expect } from 'chai'
		4	import { expectStartWith } from '@server/tests/shared'
		5	import { HttpStatusCode } from '@shared/models'
		6	import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers, TwoFactorCommand } from '@shared/server-commands'
		7
		8	async function login (options: {
		9	server: PeerTubeServer
		10	username: string
		11	password: string
		12	otpToken?: string
		13	expectedStatus?: HttpStatusCode
		14	}) {
		15	const { server, username, password, otpToken, expectedStatus } = options
		16
		17	const user = { username, password }
		18	const { res, body: { access_token: token } } = await server.login.loginAndGetResponse({ user, otpToken, expectedStatus })
		19
		20	return { res, token }
		21	}
		22
		23	describe('Test users', function () {
		24	let server: PeerTubeServer
		25	let otpSecret: string
		26	let requestToken: string
		27
		28	const userUsername = 'user1'
		29	let userId: number
		30	let userPassword: string
		31	let userToken: string
		32
		33	before(async function () {
		34	this.timeout(30000)
		35
		36	server = await createSingleServer(1)
		37
		38	await setAccessTokensToServers([ server ])
		39	const res = await server.users.generate(userUsername)
		40	userId = res.userId
		41	userPassword = res.password
		42	userToken = res.token
		43	})
		44
		45	it('Should not add the header on login if two factor is not enabled', async function () {
		46	const { res, token } = await login({ server, username: userUsername, password: userPassword })
		47
		48	expect(res.header['x-peertube-otp']).to.not.exist
		49
		50	await server.users.getMyInfo({ token })
		51	})
		52
		53	it('Should request two factor and get the secret and uri', async function () {
		54	const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
		55
		56	expect(otpRequest.requestToken).to.exist
		57
		58	expect(otpRequest.secret).to.exist
		59	expect(otpRequest.secret).to.have.lengthOf(32)
		60
		61	expect(otpRequest.uri).to.exist
		62	expectStartWith(otpRequest.uri, 'otpauth://')
		63	expect(otpRequest.uri).to.include(otpRequest.secret)
		64
		65	requestToken = otpRequest.requestToken
		66	otpSecret = otpRequest.secret
		67	})
		68
		69	it('Should not have two factor confirmed yet', async function () {
		70	const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
		71	expect(twoFactorEnabled).to.be.false
		72	})
		73
		74	it('Should confirm two factor', async function () {
		75	await server.twoFactor.confirmRequest({
		76	userId,
		77	token: userToken,
		78	otpToken: TwoFactorCommand.buildOTP({ secret: otpSecret }).generate(),
		79	requestToken
		80	})
		81	})
		82
		83	it('Should not add the header on login if two factor is enabled and password is incorrect', async function () {
		84	const { res, token } = await login({ server, username: userUsername, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
		85
		86	expect(res.header['x-peertube-otp']).to.not.exist
		87	expect(token).to.not.exist
		88	})
		89
		90	it('Should add the header on login if two factor is enabled and password is correct', async function () {
		91	const { res, token } = await login({
		92	server,
		93	username: userUsername,
		94	password: userPassword,
		95	expectedStatus: HttpStatusCode.UNAUTHORIZED_401
		96	})
		97
		98	expect(res.header['x-peertube-otp']).to.exist
		99	expect(token).to.not.exist
		100
		101	await server.users.getMyInfo({ token })
		102	})
		103
		104	it('Should not login with correct password and incorrect otp secret', async function () {
		105	const otp = TwoFactorCommand.buildOTP({ secret: 'a'.repeat(32) })
		106
		107	const { res, token } = await login({
		108	server,
		109	username: userUsername,
		110	password: userPassword,
		111	otpToken: otp.generate(),
		112	expectedStatus: HttpStatusCode.BAD_REQUEST_400
		113	})
		114
		115	expect(res.header['x-peertube-otp']).to.not.exist
		116	expect(token).to.not.exist
		117	})
		118
		119	it('Should not login with correct password and incorrect otp code', async function () {
		120	const { res, token } = await login({
		121	server,
		122	username: userUsername,
		123	password: userPassword,
		124	otpToken: '123456',
		125	expectedStatus: HttpStatusCode.BAD_REQUEST_400
		126	})
		127
		128	expect(res.header['x-peertube-otp']).to.not.exist
		129	expect(token).to.not.exist
		130	})
		131
		132	it('Should not login with incorrect password and correct otp code', async function () {
		133	const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
		134
		135	const { res, token } = await login({
		136	server,
		137	username: userUsername,
		138	password: 'fake',
		139	otpToken,
		140	expectedStatus: HttpStatusCode.BAD_REQUEST_400
		141	})
		142
		143	expect(res.header['x-peertube-otp']).to.not.exist
		144	expect(token).to.not.exist
		145	})
		146
		147	it('Should correctly login with correct password and otp code', async function () {
		148	const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
		149
		150	const { res, token } = await login({ server, username: userUsername, password: userPassword, otpToken })
		151
		152	expect(res.header['x-peertube-otp']).to.not.exist
		153	expect(token).to.exist
		154
		155	await server.users.getMyInfo({ token })
		156	})
		157
		158	it('Should have two factor enabled when getting my info', async function () {
		159	const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
		160	expect(twoFactorEnabled).to.be.true
		161	})
		162
		163	it('Should disable two factor and be able to login without otp token', async function () {
		164	await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword })
		165
		166	const { res, token } = await login({ server, username: userUsername, password: userPassword })
		167	expect(res.header['x-peertube-otp']).to.not.exist
		168
		169	await server.users.getMyInfo({ token })
		170	})
		171
		172	it('Should have two factor disabled when getting my info', async function () {
		173	const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
		174	expect(twoFactorEnabled).to.be.false
		175	})
		176
		177	it('Should enable two factor auth without password from an admin', async function () {
		178	const { otpRequest } = await server.twoFactor.request({ userId })
		179
		180	await server.twoFactor.confirmRequest({
		181	userId,
		182	otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate(),
		183	requestToken: otpRequest.requestToken
		184	})
		185
		186	const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
		187	expect(twoFactorEnabled).to.be.true
		188	})
		189
		190	it('Should disable two factor auth without password from an admin', async function () {
		191	await server.twoFactor.disable({ userId })
		192
		193	const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
		194	expect(twoFactorEnabled).to.be.false
		195	})
		196
		197	after(async function () {
		198	await cleanupTests([ server ])
		199	})
		200	})