2 files changed, 92 insertions, 32 deletions
diff --git a/server/tests/api/check-params/two-factor.ts b/server/tests/api/check-params/two-factor.ts
index e7ca5490c..f8365f1b5 100644
--- a/server/tests/api/check-params/two-factor.ts
+++ b/server/tests/api/check-params/two-factor.ts
@@ -86,6 +86,15 @@ describe('Test two factor API validators', function () {
      })
    })
+    it('Should succeed to request two factor without a password when targeting a remote user with an admin account', async function () {
+      await server.twoFactor.request({ userId })
+    })
+    it('Should fail to request two factor without a password when targeting myself with an admin account', async function () {
+      await server.twoFactor.request({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+      await server.twoFactor.request({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+    })
    it('Should succeed to request my two factor auth', async function () {
      {
        const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
@@ -234,7 +243,7 @@ describe('Test two factor API validators', function () {
      })
    })
-    it('Should fail to disabled two factor with an incorrect password', async function () {
+    it('Should fail to disable two factor with an incorrect password', async function () {
      await server.twoFactor.disable({
        userId,
        token: userToken,
@@ -243,16 +252,20 @@ describe('Test two factor API validators', function () {
      })
    })
+    it('Should succeed to disable two factor without a password when targeting a remote user with an admin account', async function () {
+      await server.twoFactor.disable({ userId })
+      await server.twoFactor.requestAndConfirm({ userId })
+    })
+    it('Should fail to disable two factor without a password when targeting myself with an admin account', async function () {
+      await server.twoFactor.disable({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+      await server.twoFactor.disable({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+    })
    it('Should succeed to disable another user two factor with the appropriate rights', async function () {
      await server.twoFactor.disable({ userId, currentPassword: rootPassword })
-      // Reinit
+      await server.twoFactor.requestAndConfirm({ userId })
-      const { otpRequest } = await server.twoFactor.request({ userId, currentPassword: rootPassword })
-      await server.twoFactor.confirmRequest({
-        userId,
-        requestToken: otpRequest.requestToken,
-        otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
-      })
    })
    it('Should succeed to update my two factor auth', async function () {
diff --git a/server/tests/api/users/two-factor.ts b/server/tests/api/users/two-factor.ts
index 450aac4dc..0dcab9e17 100644
--- a/server/tests/api/users/two-factor.ts
+++ b/server/tests/api/users/two-factor.ts
@@ -7,13 +7,14 @@ import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServ
 async function login (options: {
  server: PeerTubeServer
-  password?: string
+  username: string
+  password: string
  otpToken?: string
  expectedStatus?: HttpStatusCode
 }) {
-  const { server, password = server.store.user.password, otpToken, expectedStatus } = options
+  const { server, username, password, otpToken, expectedStatus } = options
-  const user = { username: server.store.user.username, password }
+  const user = { username, password }
  const { res, body: { access_token: token } } = await server.login.loginAndGetResponse({ user, otpToken, expectedStatus })
  return { res, token }
@@ -21,23 +22,28 @@ async function login (options: {
 describe('Test users', function () {
  let server: PeerTubeServer
-  let rootId: number
  let otpSecret: string
  let requestToken: string
+  const userUsername = 'user1'
+  let userId: number
+  let userPassword: string
+  let userToken: string
  before(async function () {
    this.timeout(30000)
    server = await createSingleServer(1)
    await setAccessTokensToServers([ server ])
+    const res = await server.users.generate(userUsername)
-    const { id } = await server.users.getMyInfo()
+    userId = res.userId
-    rootId = id
+    userPassword = res.password
+    userToken = res.token
  })
  it('Should not add the header on login if two factor is not enabled', async function () {
-    const { res, token } = await login({ server })
+    const { res, token } = await login({ server, username: userUsername, password: userPassword })
    expect(res.header['x-peertube-otp']).to.not.exist
@@ -45,10 +51,7 @@ describe('Test users', function () {
  })
  it('Should request two factor and get the secret and uri', async function () {
-    const { otpRequest } = await server.twoFactor.request({
+    const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
-      userId: rootId,
-      currentPassword: server.store.user.password
-    })
    expect(otpRequest.requestToken).to.exist
@@ -64,27 +67,33 @@ describe('Test users', function () {
  })
  it('Should not have two factor confirmed yet', async function () {
-    const { twoFactorEnabled } = await server.users.getMyInfo()
+    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
    expect(twoFactorEnabled).to.be.false
  })
  it('Should confirm two factor', async function () {
    await server.twoFactor.confirmRequest({
-      userId: rootId,
+      userId,
+      token: userToken,
      otpToken: TwoFactorCommand.buildOTP({ secret: otpSecret }).generate(),
      requestToken
    })
  })
  it('Should not add the header on login if two factor is enabled and password is incorrect', async function () {
-    const { res, token } = await login({ server, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+    const { res, token } = await login({ server, username: userUsername, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
    expect(res.header['x-peertube-otp']).to.not.exist
    expect(token).to.not.exist
  })
  it('Should add the header on login if two factor is enabled and password is correct', async function () {
-    const { res, token } = await login({ server, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
+    const { res, token } = await login({
+      server,
+      username: userUsername,
+      password: userPassword,
+      expectedStatus: HttpStatusCode.UNAUTHORIZED_401
+    })
    expect(res.header['x-peertube-otp']).to.exist
    expect(token).to.not.exist
@@ -95,14 +104,26 @@ describe('Test users', function () {
  it('Should not login with correct password and incorrect otp secret', async function () {
    const otp = TwoFactorCommand.buildOTP({ secret: 'a'.repeat(32) })
-    const { res, token } = await login({ server, otpToken: otp.generate(), expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+    const { res, token } = await login({
+      server,
+      username: userUsername,
+      password: userPassword,
+      otpToken: otp.generate(),
+      expectedStatus: HttpStatusCode.BAD_REQUEST_400
+    })
    expect(res.header['x-peertube-otp']).to.not.exist
    expect(token).to.not.exist
  })
  it('Should not login with correct password and incorrect otp code', async function () {
-    const { res, token } = await login({ server, otpToken: '123456', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+    const { res, token } = await login({
+      server,
+      username: userUsername,
+      password: userPassword,
+      otpToken: '123456',
+      expectedStatus: HttpStatusCode.BAD_REQUEST_400
+    })
    expect(res.header['x-peertube-otp']).to.not.exist
    expect(token).to.not.exist
@@ -111,7 +132,13 @@ describe('Test users', function () {
  it('Should not login with incorrect password and correct otp code', async function () {
    const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
-    const { res, token } = await login({ server, password: 'fake', otpToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+    const { res, token } = await login({
+      server,
+      username: userUsername,
+      password: 'fake',
+      otpToken,
+      expectedStatus: HttpStatusCode.BAD_REQUEST_400
+    })
    expect(res.header['x-peertube-otp']).to.not.exist
    expect(token).to.not.exist
@@ -120,7 +147,7 @@ describe('Test users', function () {
  it('Should correctly login with correct password and otp code', async function () {
    const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
-    const { res, token } = await login({ server, otpToken })
+    const { res, token } = await login({ server, username: userUsername, password: userPassword, otpToken })
    expect(res.header['x-peertube-otp']).to.not.exist
    expect(token).to.exist
@@ -129,21 +156,41 @@ describe('Test users', function () {
  })
  it('Should have two factor enabled when getting my info', async function () {
-    const { twoFactorEnabled } = await server.users.getMyInfo()
+    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
    expect(twoFactorEnabled).to.be.true
  })
  it('Should disable two factor and be able to login without otp token', async function () {
-    await server.twoFactor.disable({ userId: rootId, currentPassword: server.store.user.password })
+    await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword })
-    const { res, token } = await login({ server })
+    const { res, token } = await login({ server, username: userUsername, password: userPassword })
    expect(res.header['x-peertube-otp']).to.not.exist
    await server.users.getMyInfo({ token })
  })
  it('Should have two factor disabled when getting my info', async function () {
-    const { twoFactorEnabled } = await server.users.getMyInfo()
+    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
+    expect(twoFactorEnabled).to.be.false
+  })
+  it('Should enable two factor auth without password from an admin', async function () {
+    const { otpRequest } = await server.twoFactor.request({ userId })
+    await server.twoFactor.confirmRequest({
+      userId,
+      otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate(),
+      requestToken: otpRequest.requestToken
+    })
+    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
+    expect(twoFactorEnabled).to.be.true
+  })
+  it('Should disable two factor auth without password from an admin', async function () {
+    await server.twoFactor.disable({ userId })
+    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
    expect(twoFactorEnabled).to.be.false
  })

diff --git a/server/tests/api/check-params/two-factor.ts b/server/tests/api/check-params/two-factor.ts index e7ca5490c..f8365f1b5 100644 --- a/server/tests/api/check-params/two-factor.ts +++ b/server/tests/api/check-params/two-factor.ts
@@ -86,6 +86,15 @@ describe('Test two factor API validators', function () {
86	})	86	})
87	})	87	})
88		88
		89	it('Should succeed to request two factor without a password when targeting a remote user with an admin account', async function () {
		90	await server.twoFactor.request({ userId })
		91	})
		92
		93	it('Should fail to request two factor without a password when targeting myself with an admin account', async function () {
		94	await server.twoFactor.request({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
		95	await server.twoFactor.request({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
		96	})
		97
89	it('Should succeed to request my two factor auth', async function () {	98	it('Should succeed to request my two factor auth', async function () {
90	{	99	{
91	const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })	100	const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
@@ -234,7 +243,7 @@ describe('Test two factor API validators', function () {
234	})	243	})
235	})	244	})
236		245
237	it('Should fail to disabled two factor with an incorrect password', async function () {	246	it('Should fail to disable two factor with an incorrect password', async function () {
238	await server.twoFactor.disable({	247	await server.twoFactor.disable({
239	userId,	248	userId,
240	token: userToken,	249	token: userToken,
@@ -243,16 +252,20 @@ describe('Test two factor API validators', function () {
243	})	252	})
244	})	253	})
245		254
		255	it('Should succeed to disable two factor without a password when targeting a remote user with an admin account', async function () {
		256	await server.twoFactor.disable({ userId })
		257	await server.twoFactor.requestAndConfirm({ userId })
		258	})
		259
		260	it('Should fail to disable two factor without a password when targeting myself with an admin account', async function () {
		261	await server.twoFactor.disable({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
		262	await server.twoFactor.disable({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
		263	})
		264
246	it('Should succeed to disable another user two factor with the appropriate rights', async function () {	265	it('Should succeed to disable another user two factor with the appropriate rights', async function () {
247	await server.twoFactor.disable({ userId, currentPassword: rootPassword })	266	await server.twoFactor.disable({ userId, currentPassword: rootPassword })
248		267
249	// Reinit	268	await server.twoFactor.requestAndConfirm({ userId })
250	const { otpRequest } = await server.twoFactor.request({ userId, currentPassword: rootPassword })
251	await server.twoFactor.confirmRequest({
252	userId,
253	requestToken: otpRequest.requestToken,
254	otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
255	})
256	})	269	})
257		270
258	it('Should succeed to update my two factor auth', async function () {	271	it('Should succeed to update my two factor auth', async function () {


diff --git a/server/tests/api/users/two-factor.ts b/server/tests/api/users/two-factor.ts index 450aac4dc..0dcab9e17 100644 --- a/server/tests/api/users/two-factor.ts +++ b/server/tests/api/users/two-factor.ts
@@ -7,13 +7,14 @@ import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServ
7		7
8	async function login (options: {	8	async function login (options: {
9	server: PeerTubeServer	9	server: PeerTubeServer
10	password?: string	10	username: string
		11	password: string
11	otpToken?: string	12	otpToken?: string
12	expectedStatus?: HttpStatusCode	13	expectedStatus?: HttpStatusCode
13	}) {	14	}) {
14	const { server, password = server.store.user.password, otpToken, expectedStatus } = options	15	const { server, username, password, otpToken, expectedStatus } = options
15		16
16	const user = { username: server.store.user.username, password }	17	const user = { username, password }
17	const { res, body: { access_token: token } } = await server.login.loginAndGetResponse({ user, otpToken, expectedStatus })	18	const { res, body: { access_token: token } } = await server.login.loginAndGetResponse({ user, otpToken, expectedStatus })
18		19
19	return { res, token }	20	return { res, token }
@@ -21,23 +22,28 @@ async function login (options: {
21		22
22	describe('Test users', function () {	23	describe('Test users', function () {
23	let server: PeerTubeServer	24	let server: PeerTubeServer
24	let rootId: number
25	let otpSecret: string	25	let otpSecret: string
26	let requestToken: string	26	let requestToken: string
27		27
		28	const userUsername = 'user1'
		29	let userId: number
		30	let userPassword: string
		31	let userToken: string
		32
28	before(async function () {	33	before(async function () {
29	this.timeout(30000)	34	this.timeout(30000)
30		35
31	server = await createSingleServer(1)	36	server = await createSingleServer(1)
32		37
33	await setAccessTokensToServers([ server ])	38	await setAccessTokensToServers([ server ])
34		39	const res = await server.users.generate(userUsername)
35	const { id } = await server.users.getMyInfo()	40	userId = res.userId
36	rootId = id	41	userPassword = res.password
		42	userToken = res.token
37	})	43	})
38		44
39	it('Should not add the header on login if two factor is not enabled', async function () {	45	it('Should not add the header on login if two factor is not enabled', async function () {
40	const { res, token } = await login({ server })	46	const { res, token } = await login({ server, username: userUsername, password: userPassword })
41		47
42	expect(res.header['x-peertube-otp']).to.not.exist	48	expect(res.header['x-peertube-otp']).to.not.exist
43		49
@@ -45,10 +51,7 @@ describe('Test users', function () {
45	})	51	})
46		52
47	it('Should request two factor and get the secret and uri', async function () {	53	it('Should request two factor and get the secret and uri', async function () {
48	const { otpRequest } = await server.twoFactor.request({	54	const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
49	userId: rootId,
50	currentPassword: server.store.user.password
51	})
52		55
53	expect(otpRequest.requestToken).to.exist	56	expect(otpRequest.requestToken).to.exist
54		57
@@ -64,27 +67,33 @@ describe('Test users', function () {
64	})	67	})
65		68
66	it('Should not have two factor confirmed yet', async function () {	69	it('Should not have two factor confirmed yet', async function () {
67	const { twoFactorEnabled } = await server.users.getMyInfo()	70	const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
68	expect(twoFactorEnabled).to.be.false	71	expect(twoFactorEnabled).to.be.false
69	})	72	})
70		73
71	it('Should confirm two factor', async function () {	74	it('Should confirm two factor', async function () {
72	await server.twoFactor.confirmRequest({	75	await server.twoFactor.confirmRequest({
73	userId: rootId,	76	userId,
		77	token: userToken,
74	otpToken: TwoFactorCommand.buildOTP({ secret: otpSecret }).generate(),	78	otpToken: TwoFactorCommand.buildOTP({ secret: otpSecret }).generate(),
75	requestToken	79	requestToken
76	})	80	})
77	})	81	})
78		82
79	it('Should not add the header on login if two factor is enabled and password is incorrect', async function () {	83	it('Should not add the header on login if two factor is enabled and password is incorrect', async function () {
80	const { res, token } = await login({ server, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })	84	const { res, token } = await login({ server, username: userUsername, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
81		85
82	expect(res.header['x-peertube-otp']).to.not.exist	86	expect(res.header['x-peertube-otp']).to.not.exist
83	expect(token).to.not.exist	87	expect(token).to.not.exist
84	})	88	})
85		89
86	it('Should add the header on login if two factor is enabled and password is correct', async function () {	90	it('Should add the header on login if two factor is enabled and password is correct', async function () {
87	const { res, token } = await login({ server, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })	91	const { res, token } = await login({
		92	server,
		93	username: userUsername,
		94	password: userPassword,
		95	expectedStatus: HttpStatusCode.UNAUTHORIZED_401
		96	})
88		97
89	expect(res.header['x-peertube-otp']).to.exist	98	expect(res.header['x-peertube-otp']).to.exist
90	expect(token).to.not.exist	99	expect(token).to.not.exist
@@ -95,14 +104,26 @@ describe('Test users', function () {
95	it('Should not login with correct password and incorrect otp secret', async function () {	104	it('Should not login with correct password and incorrect otp secret', async function () {
96	const otp = TwoFactorCommand.buildOTP({ secret: 'a'.repeat(32) })	105	const otp = TwoFactorCommand.buildOTP({ secret: 'a'.repeat(32) })
97		106
98	const { res, token } = await login({ server, otpToken: otp.generate(), expectedStatus: HttpStatusCode.BAD_REQUEST_400 })	107	const { res, token } = await login({
		108	server,
		109	username: userUsername,
		110	password: userPassword,
		111	otpToken: otp.generate(),
		112	expectedStatus: HttpStatusCode.BAD_REQUEST_400
		113	})
99		114
100	expect(res.header['x-peertube-otp']).to.not.exist	115	expect(res.header['x-peertube-otp']).to.not.exist
101	expect(token).to.not.exist	116	expect(token).to.not.exist
102	})	117	})
103		118
104	it('Should not login with correct password and incorrect otp code', async function () {	119	it('Should not login with correct password and incorrect otp code', async function () {
105	const { res, token } = await login({ server, otpToken: '123456', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })	120	const { res, token } = await login({
		121	server,
		122	username: userUsername,
		123	password: userPassword,
		124	otpToken: '123456',
		125	expectedStatus: HttpStatusCode.BAD_REQUEST_400
		126	})
106		127
107	expect(res.header['x-peertube-otp']).to.not.exist	128	expect(res.header['x-peertube-otp']).to.not.exist
108	expect(token).to.not.exist	129	expect(token).to.not.exist
@@ -111,7 +132,13 @@ describe('Test users', function () {
111	it('Should not login with incorrect password and correct otp code', async function () {	132	it('Should not login with incorrect password and correct otp code', async function () {
112	const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()	133	const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
113		134
114	const { res, token } = await login({ server, password: 'fake', otpToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })	135	const { res, token } = await login({
		136	server,
		137	username: userUsername,
		138	password: 'fake',
		139	otpToken,
		140	expectedStatus: HttpStatusCode.BAD_REQUEST_400
		141	})
115		142
116	expect(res.header['x-peertube-otp']).to.not.exist	143	expect(res.header['x-peertube-otp']).to.not.exist
117	expect(token).to.not.exist	144	expect(token).to.not.exist
@@ -120,7 +147,7 @@ describe('Test users', function () {
120	it('Should correctly login with correct password and otp code', async function () {	147	it('Should correctly login with correct password and otp code', async function () {
121	const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()	148	const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
122		149
123	const { res, token } = await login({ server, otpToken })	150	const { res, token } = await login({ server, username: userUsername, password: userPassword, otpToken })
124		151
125	expect(res.header['x-peertube-otp']).to.not.exist	152	expect(res.header['x-peertube-otp']).to.not.exist
126	expect(token).to.exist	153	expect(token).to.exist
@@ -129,21 +156,41 @@ describe('Test users', function () {
129	})	156	})
130		157
131	it('Should have two factor enabled when getting my info', async function () {	158	it('Should have two factor enabled when getting my info', async function () {
132	const { twoFactorEnabled } = await server.users.getMyInfo()	159	const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
133	expect(twoFactorEnabled).to.be.true	160	expect(twoFactorEnabled).to.be.true
134	})	161	})
135		162
136	it('Should disable two factor and be able to login without otp token', async function () {	163	it('Should disable two factor and be able to login without otp token', async function () {
137	await server.twoFactor.disable({ userId: rootId, currentPassword: server.store.user.password })	164	await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword })
138		165
139	const { res, token } = await login({ server })	166	const { res, token } = await login({ server, username: userUsername, password: userPassword })
140	expect(res.header['x-peertube-otp']).to.not.exist	167	expect(res.header['x-peertube-otp']).to.not.exist
141		168
142	await server.users.getMyInfo({ token })	169	await server.users.getMyInfo({ token })
143	})	170	})
144		171
145	it('Should have two factor disabled when getting my info', async function () {	172	it('Should have two factor disabled when getting my info', async function () {
146	const { twoFactorEnabled } = await server.users.getMyInfo()	173	const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
		174	expect(twoFactorEnabled).to.be.false
		175	})
		176
		177	it('Should enable two factor auth without password from an admin', async function () {
		178	const { otpRequest } = await server.twoFactor.request({ userId })
		179
		180	await server.twoFactor.confirmRequest({
		181	userId,
		182	otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate(),
		183	requestToken: otpRequest.requestToken
		184	})
		185
		186	const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
		187	expect(twoFactorEnabled).to.be.true
		188	})
		189
		190	it('Should disable two factor auth without password from an admin', async function () {
		191	await server.twoFactor.disable({ userId })
		192
		193	const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
147	expect(twoFactorEnabled).to.be.false	194	expect(twoFactorEnabled).to.be.false
148	})	195	})
149		196