From 2166c058f34dff6f91566930d12448805d829de7 Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Fri, 7 Oct 2022 14:23:42 +0200 Subject: Allow admins to disable two factor auth --- server/tests/api/check-params/two-factor.ts | 29 ++++++--- server/tests/api/users/two-factor.ts | 95 +++++++++++++++++++++-------- 2 files changed, 92 insertions(+), 32 deletions(-) (limited to 'server/tests/api') diff --git a/server/tests/api/check-params/two-factor.ts b/server/tests/api/check-params/two-factor.ts index e7ca5490c..f8365f1b5 100644 --- a/server/tests/api/check-params/two-factor.ts +++ b/server/tests/api/check-params/two-factor.ts @@ -86,6 +86,15 @@ describe('Test two factor API validators', function () { }) }) + it('Should succeed to request two factor without a password when targeting a remote user with an admin account', async function () { + await server.twoFactor.request({ userId }) + }) + + it('Should fail to request two factor without a password when targeting myself with an admin account', async function () { + await server.twoFactor.request({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) + await server.twoFactor.request({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 }) + }) + it('Should succeed to request my two factor auth', async function () { { const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword }) @@ -234,7 +243,7 @@ describe('Test two factor API validators', function () { }) }) - it('Should fail to disabled two factor with an incorrect password', async function () { + it('Should fail to disable two factor with an incorrect password', async function () { await server.twoFactor.disable({ userId, token: userToken, @@ -243,16 +252,20 @@ describe('Test two factor API validators', function () { }) }) + it('Should succeed to disable two factor without a password when targeting a remote user with an admin account', async function () { + await server.twoFactor.disable({ userId }) + await server.twoFactor.requestAndConfirm({ userId }) + }) + + it('Should fail to disable two factor without a password when targeting myself with an admin account', async function () { + await server.twoFactor.disable({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) + await server.twoFactor.disable({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 }) + }) + it('Should succeed to disable another user two factor with the appropriate rights', async function () { await server.twoFactor.disable({ userId, currentPassword: rootPassword }) - // Reinit - const { otpRequest } = await server.twoFactor.request({ userId, currentPassword: rootPassword }) - await server.twoFactor.confirmRequest({ - userId, - requestToken: otpRequest.requestToken, - otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate() - }) + await server.twoFactor.requestAndConfirm({ userId }) }) it('Should succeed to update my two factor auth', async function () { diff --git a/server/tests/api/users/two-factor.ts b/server/tests/api/users/two-factor.ts index 450aac4dc..0dcab9e17 100644 --- a/server/tests/api/users/two-factor.ts +++ b/server/tests/api/users/two-factor.ts @@ -7,13 +7,14 @@ import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServ async function login (options: { server: PeerTubeServer - password?: string + username: string + password: string otpToken?: string expectedStatus?: HttpStatusCode }) { - const { server, password = server.store.user.password, otpToken, expectedStatus } = options + const { server, username, password, otpToken, expectedStatus } = options - const user = { username: server.store.user.username, password } + const user = { username, password } const { res, body: { access_token: token } } = await server.login.loginAndGetResponse({ user, otpToken, expectedStatus }) return { res, token } @@ -21,23 +22,28 @@ async function login (options: { describe('Test users', function () { let server: PeerTubeServer - let rootId: number let otpSecret: string let requestToken: string + const userUsername = 'user1' + let userId: number + let userPassword: string + let userToken: string + before(async function () { this.timeout(30000) server = await createSingleServer(1) await setAccessTokensToServers([ server ]) - - const { id } = await server.users.getMyInfo() - rootId = id + const res = await server.users.generate(userUsername) + userId = res.userId + userPassword = res.password + userToken = res.token }) it('Should not add the header on login if two factor is not enabled', async function () { - const { res, token } = await login({ server }) + const { res, token } = await login({ server, username: userUsername, password: userPassword }) expect(res.header['x-peertube-otp']).to.not.exist @@ -45,10 +51,7 @@ describe('Test users', function () { }) it('Should request two factor and get the secret and uri', async function () { - const { otpRequest } = await server.twoFactor.request({ - userId: rootId, - currentPassword: server.store.user.password - }) + const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword }) expect(otpRequest.requestToken).to.exist @@ -64,27 +67,33 @@ describe('Test users', function () { }) it('Should not have two factor confirmed yet', async function () { - const { twoFactorEnabled } = await server.users.getMyInfo() + const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken }) expect(twoFactorEnabled).to.be.false }) it('Should confirm two factor', async function () { await server.twoFactor.confirmRequest({ - userId: rootId, + userId, + token: userToken, otpToken: TwoFactorCommand.buildOTP({ secret: otpSecret }).generate(), requestToken }) }) it('Should not add the header on login if two factor is enabled and password is incorrect', async function () { - const { res, token } = await login({ server, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) + const { res, token } = await login({ server, username: userUsername, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) expect(res.header['x-peertube-otp']).to.not.exist expect(token).to.not.exist }) it('Should add the header on login if two factor is enabled and password is correct', async function () { - const { res, token } = await login({ server, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 }) + const { res, token } = await login({ + server, + username: userUsername, + password: userPassword, + expectedStatus: HttpStatusCode.UNAUTHORIZED_401 + }) expect(res.header['x-peertube-otp']).to.exist expect(token).to.not.exist @@ -95,14 +104,26 @@ describe('Test users', function () { it('Should not login with correct password and incorrect otp secret', async function () { const otp = TwoFactorCommand.buildOTP({ secret: 'a'.repeat(32) }) - const { res, token } = await login({ server, otpToken: otp.generate(), expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) + const { res, token } = await login({ + server, + username: userUsername, + password: userPassword, + otpToken: otp.generate(), + expectedStatus: HttpStatusCode.BAD_REQUEST_400 + }) expect(res.header['x-peertube-otp']).to.not.exist expect(token).to.not.exist }) it('Should not login with correct password and incorrect otp code', async function () { - const { res, token } = await login({ server, otpToken: '123456', expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) + const { res, token } = await login({ + server, + username: userUsername, + password: userPassword, + otpToken: '123456', + expectedStatus: HttpStatusCode.BAD_REQUEST_400 + }) expect(res.header['x-peertube-otp']).to.not.exist expect(token).to.not.exist @@ -111,7 +132,13 @@ describe('Test users', function () { it('Should not login with incorrect password and correct otp code', async function () { const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate() - const { res, token } = await login({ server, password: 'fake', otpToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) + const { res, token } = await login({ + server, + username: userUsername, + password: 'fake', + otpToken, + expectedStatus: HttpStatusCode.BAD_REQUEST_400 + }) expect(res.header['x-peertube-otp']).to.not.exist expect(token).to.not.exist @@ -120,7 +147,7 @@ describe('Test users', function () { it('Should correctly login with correct password and otp code', async function () { const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate() - const { res, token } = await login({ server, otpToken }) + const { res, token } = await login({ server, username: userUsername, password: userPassword, otpToken }) expect(res.header['x-peertube-otp']).to.not.exist expect(token).to.exist @@ -129,21 +156,41 @@ describe('Test users', function () { }) it('Should have two factor enabled when getting my info', async function () { - const { twoFactorEnabled } = await server.users.getMyInfo() + const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken }) expect(twoFactorEnabled).to.be.true }) it('Should disable two factor and be able to login without otp token', async function () { - await server.twoFactor.disable({ userId: rootId, currentPassword: server.store.user.password }) + await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword }) - const { res, token } = await login({ server }) + const { res, token } = await login({ server, username: userUsername, password: userPassword }) expect(res.header['x-peertube-otp']).to.not.exist await server.users.getMyInfo({ token }) }) it('Should have two factor disabled when getting my info', async function () { - const { twoFactorEnabled } = await server.users.getMyInfo() + const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken }) + expect(twoFactorEnabled).to.be.false + }) + + it('Should enable two factor auth without password from an admin', async function () { + const { otpRequest } = await server.twoFactor.request({ userId }) + + await server.twoFactor.confirmRequest({ + userId, + otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate(), + requestToken: otpRequest.requestToken + }) + + const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken }) + expect(twoFactorEnabled).to.be.true + }) + + it('Should disable two factor auth without password from an admin', async function () { + await server.twoFactor.disable({ userId }) + + const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken }) expect(twoFactorEnabled).to.be.false }) -- cgit v1.2.3