Cleanup reset user password by admin

And add some tests
author: Chocobozzz <me@florianbigard.com> 2019-02-11 09:30:29 +0100
committer: Chocobozzz <me@florianbigard.com> 2019-02-11 10:37:27 +0100
commit: b426edd4854adc6e65844d8c54b8998e792b5778 (patch)
tree: b9ef4da0cdb2ab14c0aa1d67a883303f3ed0de14 /server
parent: 67b1d3fed765278bdc876cce393ef56d56942df0 (diff)
download: PeerTube-b426edd4854adc6e65844d8c54b8998e792b5778.tar.gz
PeerTube-b426edd4854adc6e65844d8c54b8998e792b5778.tar.zst
PeerTube-b426edd4854adc6e65844d8c54b8998e792b5778.zip
7 files changed, 51 insertions, 29 deletions
diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts
index beac6d8b1..e3533a7f6 100644
--- a/server/controllers/api/users/index.ts
+++ b/server/controllers/api/users/index.ts
@@ -3,7 +3,6 @@ import * as RateLimit from 'express-rate-limit'
 import { UserCreate, UserRight, UserRole, UserUpdate } from '../../../../shared'
 import { logger } from '../../../helpers/logger'
 import { getFormattedObjects } from '../../../helpers/utils'
-import { pseudoRandomBytesPromise } from '../../../helpers/core-utils'
 import { CONFIG, RATES_LIMIT, sequelizeTypescript } from '../../../initializers'
 import { Emailer } from '../../../lib/emailer'
 import { Redis } from '../../../lib/redis'
@@ -230,7 +229,7 @@ async function unblockUser (req: express.Request, res: express.Response, next: e
  return res.status(204).end()
 }
-async function blockUser (req: express.Request, res: express.Response, next: express.NextFunction) {
+async function blockUser (req: express.Request, res: express.Response) {
  const user: UserModel = res.locals.user
  const reason = req.body.reason
@@ -239,23 +238,23 @@ async function blockUser (req: express.Request, res: express.Response, next: exp
  return res.status(204).end()
 }
-function getUser (req: express.Request, res: express.Response, next: express.NextFunction) {
+function getUser (req: express.Request, res: express.Response) {
  return res.json((res.locals.user as UserModel).toFormattedJSON())
 }
-async function autocompleteUsers (req: express.Request, res: express.Response, next: express.NextFunction) {
+async function autocompleteUsers (req: express.Request, res: express.Response) {
  const resultList = await UserModel.autoComplete(req.query.search as string)
  return res.json(resultList)
 }
-async function listUsers (req: express.Request, res: express.Response, next: express.NextFunction) {
+async function listUsers (req: express.Request, res: express.Response) {
  const resultList = await UserModel.listForApi(req.query.start, req.query.count, req.query.sort, req.query.search)
  return res.json(getFormattedObjects(resultList.data, resultList.total))
 }
-async function removeUser (req: express.Request, res: express.Response, next: express.NextFunction) {
+async function removeUser (req: express.Request, res: express.Response) {
  const user: UserModel = res.locals.user
  await user.destroy()
@@ -265,12 +264,13 @@ async function removeUser (req: express.Request, res: express.Response, next: ex
  return res.sendStatus(204)
 }
-async function updateUser (req: express.Request, res: express.Response, next: express.NextFunction) {
+async function updateUser (req: express.Request, res: express.Response) {
  const body: UserUpdate = req.body
  const userToUpdate = res.locals.user as UserModel
  const oldUserAuditView = new UserAuditView(userToUpdate.toFormattedJSON())
  const roleChanged = body.role !== undefined && body.role !== userToUpdate.role
+  if (body.password !== undefined) userToUpdate.password = body.password
  if (body.email !== undefined) userToUpdate.email = body.email
  if (body.emailVerified !== undefined) userToUpdate.emailVerified = body.emailVerified
  if (body.videoQuota !== undefined) userToUpdate.videoQuota = body.videoQuota
@@ -280,11 +280,11 @@ async function updateUser (req: express.Request, res: express.Response, next: ex
  const user = await userToUpdate.save()
  // Destroy user token to refresh rights
-  if (roleChanged) await deleteUserToken(userToUpdate.id)
+  if (roleChanged || body.password !== undefined) await deleteUserToken(userToUpdate.id)
  auditLogger.update(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()), oldUserAuditView)
-  // Don't need to send this update to followers, these attributes are not propagated
+  // Don't need to send this update to followers, these attributes are not federated
  return res.sendStatus(204)
 }
@@ -294,7 +294,7 @@ async function askResetUserPassword (req: express.Request, res: express.Response
  const verificationString = await Redis.Instance.setResetPasswordVerificationString(user.id)
  const url = CONFIG.WEBSERVER.URL + '/reset-password?userId=' + user.id + '&verificationString=' + verificationString
-  await Emailer.Instance.addForgetPasswordEmailJob(user.email, url)
+  await Emailer.Instance.addPasswordResetEmailJob(user.email, url)
  return res.status(204).end()
 }
diff --git a/server/controllers/api/users/me.ts b/server/controllers/api/users/me.ts
index 94a2b8732..d5e154869 100644
--- a/server/controllers/api/users/me.ts
+++ b/server/controllers/api/users/me.ts
@@ -167,7 +167,7 @@ async function deleteMe (req: express.Request, res: express.Response) {
  return res.sendStatus(204)
 }
-async function updateMe (req: express.Request, res: express.Response, next: express.NextFunction) {
+async function updateMe (req: express.Request, res: express.Response) {
  const body: UserUpdateMe = req.body
  const user: UserModel = res.locals.oauth.token.user
diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts
index 98f8f8694..e5c4c4e63 100644
--- a/server/initializers/constants.ts
+++ b/server/initializers/constants.ts
@@ -711,6 +711,8 @@ if (isTestInstance() === true) {
  CACHE.VIDEO_CAPTIONS.MAX_AGE = 3000
  MEMOIZE_TTL.OVERVIEWS_SAMPLE = 1
  ROUTE_CACHE_LIFETIME.OVERVIEWS.VIDEOS = '0ms'
+  RATES_LIMIT.LOGIN.MAX = 20
 }
 updateWebserverUrls()
diff --git a/server/lib/emailer.ts b/server/lib/emailer.ts
index 7681164b3..672414cc0 100644
--- a/server/lib/emailer.ts
+++ b/server/lib/emailer.ts
@@ -101,22 +101,6 @@ class Emailer {
    return JobQueue.Instance.createJob({ type: 'email', payload: emailPayload })
  }
-  addForceResetPasswordEmailJob (to: string, resetPasswordUrl: string) {
-    const text = `Hi dear user,\n\n` +
-      `Your password has been reset on ${CONFIG.WEBSERVER.HOST}! ` +
-      `Please follow this link to reset it: ${resetPasswordUrl}\n\n` +
-      `Cheers,\n` +
-      `PeerTube.`
-    const emailPayload: EmailPayload = {
-      to: [ to ],
-      subject: 'Reset of your PeerTube password',
-      text
-    }
-    return JobQueue.Instance.createJob({ type: 'email', payload: emailPayload })
-  }
  addNewFollowNotification (to: string[], actorFollow: ActorFollowModel, followType: 'account' | 'channel') {
    const followerName = actorFollow.ActorFollower.Account.getDisplayName()
    const followingName = (actorFollow.ActorFollowing.VideoChannel || actorFollow.ActorFollowing.Account).getDisplayName()
@@ -312,9 +296,9 @@ class Emailer {
    return JobQueue.Instance.createJob({ type: 'email', payload: emailPayload })
  }
-  addForgetPasswordEmailJob (to: string, resetPasswordUrl: string) {
+  addPasswordResetEmailJob (to: string, resetPasswordUrl: string) {
    const text = `Hi dear user,\n\n` +
-      `It seems you forgot your password on ${CONFIG.WEBSERVER.HOST}! ` +
+      `A reset password procedure for your account ${to} has been requested on ${CONFIG.WEBSERVER.HOST} ` +
      `Please follow this link to reset it: ${resetPasswordUrl}\n\n` +
      `If you are not the person who initiated this request, please ignore this email.\n\n` +
      `Cheers,\n` +
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts
index 1bb0bfb1b..a52e3060a 100644
--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -113,6 +113,7 @@ const deleteMeValidator = [
 const usersUpdateValidator = [
  param('id').isInt().not().isEmpty().withMessage('Should have a valid id'),
+  body('password').optional().custom(isUserPasswordValid).withMessage('Should have a valid password'),
  body('email').optional().isEmail().withMessage('Should have a valid email attribute'),
  body('emailVerified').optional().isBoolean().withMessage('Should have a valid email verified attribute'),
  body('videoQuota').optional().custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'),
@@ -233,6 +234,7 @@ const usersAskResetPasswordValidator = [
    logger.debug('Checking usersAskResetPassword parameters', { parameters: req.body })
    if (areValidationErrors(req, res)) return
    const exists = await checkUserEmailExist(req.body.email, res, false)
    if (!exists) {
      logger.debug('User with email %s does not exist (asking reset password).', req.body.email)
diff --git a/server/tests/api/check-params/users.ts b/server/tests/api/check-params/users.ts
index a3e8e2e9c..13be8b460 100644
--- a/server/tests/api/check-params/users.ts
+++ b/server/tests/api/check-params/users.ts
@@ -464,6 +464,24 @@ describe('Test users API validators', function () {
      await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields })
    })
+    it('Should fail with a too small password', async function () {
+      const fields = {
+        currentPassword: 'my super password',
+        password: 'bla'
+      }
+      await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields })
+    })
+    it('Should fail with a too long password', async function () {
+      const fields = {
+        currentPassword: 'my super password',
+        password: 'super'.repeat(61)
+      }
+      await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields })
+    })
    it('Should fail with an non authenticated user', async function () {
      const fields = {
        videoQuota: 42
diff --git a/server/tests/api/users/users.ts b/server/tests/api/users/users.ts
index ad98ab1c7..c4465d541 100644
--- a/server/tests/api/users/users.ts
+++ b/server/tests/api/users/users.ts
@@ -501,6 +501,22 @@ describe('Test users', function () {
    accessTokenUser = await userLogin(server, user)
  })
+  it('Should be able to update another user password', async function () {
+    await updateUser({
+      url: server.url,
+      userId,
+      accessToken,
+      password: 'password updated'
+    })
+    await getMyUserVideoQuotaUsed(server.url, accessTokenUser, 401)
+    await userLogin(server, user, 400)
+    user.password = 'password updated'
+    accessTokenUser = await userLogin(server, user)
+  })
  it('Should be able to list video blacklist by a moderator', async function () {
    await getBlacklistedVideosList(server.url, accessTokenUser)
  })
author	Chocobozzz <me@florianbigard.com>	2019-02-11 09:30:29 +0100
committer	Chocobozzz <me@florianbigard.com>	2019-02-11 10:37:27 +0100
commit	b426edd4854adc6e65844d8c54b8998e792b5778 (patch)
tree	b9ef4da0cdb2ab14c0aa1d67a883303f3ed0de14 /server
parent	67b1d3fed765278bdc876cce393ef56d56942df0 (diff)
download	PeerTube-b426edd4854adc6e65844d8c54b8998e792b5778.tar.gz PeerTube-b426edd4854adc6e65844d8c54b8998e792b5778.tar.zst PeerTube-b426edd4854adc6e65844d8c54b8998e792b5778.zip