server/tests/api/users/two-factor.ts


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200

/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */

import { expect } from 'chai'
import { expectStartWith } from '@server/tests/shared'
import { HttpStatusCode } from '@shared/models'
import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers, TwoFactorCommand } from '@shared/server-commands'

async function login (options: {
  server: PeerTubeServer
  username: string
  password: string
  otpToken?: string
  expectedStatus?: HttpStatusCode
}) {
  const { server, username, password, otpToken, expectedStatus } = options

  const user = { username, password }
  const { res, body: { access_token: token } } = await server.login.loginAndGetResponse({ user, otpToken, expectedStatus })

  return { res, token }
}

describe('Test users', function () {
  let server: PeerTubeServer
  let otpSecret: string
  let requestToken: string

  const userUsername = 'user1'
  let userId: number
  let userPassword: string
  let userToken: string

  before(async function () {
    this.timeout(30000)

    server = await createSingleServer(1)

    await setAccessTokensToServers([ server ])
    const res = await server.users.generate(userUsername)
    userId = res.userId
    userPassword = res.password
    userToken = res.token
  })

  it('Should not add the header on login if two factor is not enabled', async function () {
    const { res, token } = await login({ server, username: userUsername, password: userPassword })

    expect(res.header['x-peertube-otp']).to.not.exist

    await server.users.getMyInfo({ token })
  })

  it('Should request two factor and get the secret and uri', async function () {
    const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })

    expect(otpRequest.requestToken).to.exist

    expect(otpRequest.secret).to.exist
    expect(otpRequest.secret).to.have.lengthOf(32)

    expect(otpRequest.uri).to.exist
    expectStartWith(otpRequest.uri, 'otpauth://')
    expect(otpRequest.uri).to.include(otpRequest.secret)

    requestToken = otpRequest.requestToken
    otpSecret = otpRequest.secret
  })

  it('Should not have two factor confirmed yet', async function () {
    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
    expect(twoFactorEnabled).to.be.false
  })

  it('Should confirm two factor', async function () {
    await server.twoFactor.confirmRequest({
      userId,
      token: userToken,
      otpToken: TwoFactorCommand.buildOTP({ secret: otpSecret }).generate(),
      requestToken
    })
  })

  it('Should not add the header on login if two factor is enabled and password is incorrect', async function () {
    const { res, token } = await login({ server, username: userUsername, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })

    expect(res.header['x-peertube-otp']).to.not.exist
    expect(token).to.not.exist
  })

  it('Should add the header on login if two factor is enabled and password is correct', async function () {
    const { res, token } = await login({
      server,
      username: userUsername,
      password: userPassword,
      expectedStatus: HttpStatusCode.UNAUTHORIZED_401
    })

    expect(res.header['x-peertube-otp']).to.exist
    expect(token).to.not.exist

    await server.users.getMyInfo({ token })
  })

  it('Should not login with correct password and incorrect otp secret', async function () {
    const otp = TwoFactorCommand.buildOTP({ secret: 'a'.repeat(32) })

    const { res, token } = await login({
      server,
      username: userUsername,
      password: userPassword,
      otpToken: otp.generate(),
      expectedStatus: HttpStatusCode.BAD_REQUEST_400
    })

    expect(res.header['x-peertube-otp']).to.not.exist
    expect(token).to.not.exist
  })

  it('Should not login with correct password and incorrect otp code', async function () {
    const { res, token } = await login({
      server,
      username: userUsername,
      password: userPassword,
      otpToken: '123456',
      expectedStatus: HttpStatusCode.BAD_REQUEST_400
    })

    expect(res.header['x-peertube-otp']).to.not.exist
    expect(token).to.not.exist
  })

  it('Should not login with incorrect password and correct otp code', async function () {
    const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()

    const { res, token } = await login({
      server,
      username: userUsername,
      password: 'fake',
      otpToken,
      expectedStatus: HttpStatusCode.BAD_REQUEST_400
    })

    expect(res.header['x-peertube-otp']).to.not.exist
    expect(token).to.not.exist
  })

  it('Should correctly login with correct password and otp code', async function () {
    const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()

    const { res, token } = await login({ server, username: userUsername, password: userPassword, otpToken })

    expect(res.header['x-peertube-otp']).to.not.exist
    expect(token).to.exist

    await server.users.getMyInfo({ token })
  })

  it('Should have two factor enabled when getting my info', async function () {
    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
    expect(twoFactorEnabled).to.be.true
  })

  it('Should disable two factor and be able to login without otp token', async function () {
    await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword })

    const { res, token } = await login({ server, username: userUsername, password: userPassword })
    expect(res.header['x-peertube-otp']).to.not.exist

    await server.users.getMyInfo({ token })
  })

  it('Should have two factor disabled when getting my info', async function () {
    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
    expect(twoFactorEnabled).to.be.false
  })

  it('Should enable two factor auth without password from an admin', async function () {
    const { otpRequest } = await server.twoFactor.request({ userId })

    await server.twoFactor.confirmRequest({
      userId,
      otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate(),
      requestToken: otpRequest.requestToken
    })

    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
    expect(twoFactorEnabled).to.be.true
  })

  it('Should disable two factor auth without password from an admin', async function () {
    await server.twoFactor.disable({ userId })

    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
    expect(twoFactorEnabled).to.be.false
  })

  after(async function () {
    await cleanupTests([ server ])
  })
})