2016-10-16 16:43:38 +03:00
|
|
|
'use strict';
|
2017-02-17 21:55:19 -07:00
|
|
|
|
2016-10-16 16:43:38 +03:00
|
|
|
|
2021-02-04 00:06:15 -07:00
|
|
|
const assert = require('assert');
|
2021-04-14 16:20:09 -04:00
|
|
|
const url = require('url');
|
2021-02-04 00:06:15 -07:00
|
|
|
const nconf = require('nconf');
|
2016-10-16 16:43:38 +03:00
|
|
|
|
2021-02-04 00:06:15 -07:00
|
|
|
const db = require('./mocks/databasemock');
|
2025-10-01 13:51:04 -04:00
|
|
|
const request = require('../src/request');
|
2021-02-04 00:06:15 -07:00
|
|
|
const user = require('../src/user');
|
|
|
|
|
const utils = require('../src/utils');
|
|
|
|
|
const meta = require('../src/meta');
|
2023-02-13 12:15:45 -05:00
|
|
|
const plugins = require('../src/plugins');
|
2021-02-04 00:06:15 -07:00
|
|
|
const privileges = require('../src/privileges');
|
2023-05-10 15:57:46 -04:00
|
|
|
const api = require('../src/api');
|
2021-02-04 00:06:15 -07:00
|
|
|
const helpers = require('./helpers');
|
2016-10-16 16:43:38 +03:00
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
describe('authentication', () => {
|
2021-02-04 00:06:15 -07:00
|
|
|
const jar = request.jar();
|
|
|
|
|
let regularUid;
|
2023-02-13 12:15:45 -05:00
|
|
|
const dummyEmailerHook = async (data) => {};
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
before((done) => {
|
2023-02-13 12:15:45 -05:00
|
|
|
// Attach an emailer hook so related requests do not error
|
|
|
|
|
plugins.hooks.register('authentication-test', {
|
2023-12-05 10:41:23 -05:00
|
|
|
hook: 'static:email.send',
|
2023-02-13 12:15:45 -05:00
|
|
|
method: dummyEmailerHook,
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
user.create({ username: 'regular', password: 'regularpwd', email: 'regular@nodebb.org' }, (err, uid) => {
|
2016-10-16 17:42:14 +03:00
|
|
|
assert.ifError(err);
|
2016-12-15 14:47:42 +03:00
|
|
|
regularUid = uid;
|
2021-11-22 23:20:31 -05:00
|
|
|
assert.strictEqual(uid, 1);
|
2016-10-16 17:36:24 +03:00
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2023-02-13 12:15:45 -05:00
|
|
|
after(() => {
|
2023-12-05 10:41:23 -05:00
|
|
|
plugins.hooks.unregister('authentication-test', 'static:email.send');
|
2023-02-13 12:15:45 -05:00
|
|
|
});
|
|
|
|
|
|
2021-11-22 23:20:31 -05:00
|
|
|
it('should allow login with email for uid 1', async () => {
|
|
|
|
|
const oldValue = meta.config.allowLoginWith;
|
2021-11-23 15:16:41 -05:00
|
|
|
meta.config.allowLoginWith = 'username-email';
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response } = await helpers.loginUser('regular@nodebb.org', 'regularpwd');
|
|
|
|
|
assert.strictEqual(response.statusCode, 200);
|
2021-11-22 23:20:31 -05:00
|
|
|
meta.config.allowLoginWith = oldValue;
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('second user should fail to login with email since email is not confirmed', async () => {
|
|
|
|
|
const oldValue = meta.config.allowLoginWith;
|
2021-11-23 15:16:41 -05:00
|
|
|
meta.config.allowLoginWith = 'username-email';
|
2021-11-22 23:20:31 -05:00
|
|
|
const uid = await user.create({ username: '2nduser', password: '2ndpassword', email: '2nduser@nodebb.org' });
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response, body } = await helpers.loginUser('2nduser@nodebb.org', '2ndpassword');
|
2025-10-01 13:51:04 -04:00
|
|
|
assert.strictEqual(response.statusCode, 400);
|
|
|
|
|
assert.strictEqual(body, '[[error:invalid-email]]');
|
2021-11-22 23:20:31 -05:00
|
|
|
meta.config.allowLoginWith = oldValue;
|
|
|
|
|
});
|
|
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
it('should fail to create user if username is too short', async () => {
|
|
|
|
|
const { response, body } = await helpers.registerUser({
|
2017-09-01 18:40:34 -04:00
|
|
|
username: 'a',
|
|
|
|
|
password: '123456',
|
|
|
|
|
});
|
2023-12-18 12:08:34 -05:00
|
|
|
assert.equal(response.statusCode, 400);
|
|
|
|
|
assert.equal(body, '[[error:username-too-short]]');
|
2017-09-01 18:40:34 -04:00
|
|
|
});
|
|
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
it('should fail to create user if userslug is too short', async () => {
|
|
|
|
|
const { response, body } = await helpers.registerUser({
|
2017-09-01 18:40:34 -04:00
|
|
|
username: '----a-----',
|
|
|
|
|
password: '123456',
|
|
|
|
|
});
|
2023-12-18 12:08:34 -05:00
|
|
|
assert.equal(response.statusCode, 400);
|
|
|
|
|
assert.equal(body, '[[error:username-too-short]]');
|
2017-09-01 18:40:34 -04:00
|
|
|
});
|
|
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
it('should fail to create user if userslug is too short', async () => {
|
|
|
|
|
const { response, body } = await helpers.registerUser({
|
2017-09-01 18:40:34 -04:00
|
|
|
username: ' a',
|
|
|
|
|
password: '123456',
|
|
|
|
|
});
|
2023-12-18 12:08:34 -05:00
|
|
|
assert.equal(response.statusCode, 400);
|
|
|
|
|
assert.equal(body, '[[error:username-too-short]]');
|
2017-09-01 18:40:34 -04:00
|
|
|
});
|
|
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
it('should fail to create user if userslug is too short', async () => {
|
|
|
|
|
const { response, body } = await helpers.registerUser({
|
2017-09-01 18:40:34 -04:00
|
|
|
username: 'a ',
|
|
|
|
|
password: '123456',
|
|
|
|
|
});
|
2023-12-18 12:08:34 -05:00
|
|
|
assert.equal(response.statusCode, 400);
|
|
|
|
|
assert.equal(body, '[[error:username-too-short]]');
|
2017-09-01 18:40:34 -04:00
|
|
|
});
|
|
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
it('should register and login a user', async () => {
|
|
|
|
|
const jar = request.jar();
|
|
|
|
|
const csrf_token = await helpers.getCsrfToken(jar);
|
|
|
|
|
|
|
|
|
|
const { body } = await request.post(`${nconf.get('url')}/register`, {
|
|
|
|
|
jar,
|
|
|
|
|
body: {
|
|
|
|
|
email: 'admin@nodebb.org',
|
|
|
|
|
username: 'admin',
|
|
|
|
|
password: 'adminpwd',
|
|
|
|
|
'password-confirm': 'adminpwd',
|
|
|
|
|
userLang: 'it',
|
|
|
|
|
gdpr_consent: true,
|
|
|
|
|
},
|
|
|
|
|
headers: {
|
|
|
|
|
'x-csrf-token': csrf_token,
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const validationPending = await user.email.isValidationPending(body.uid, 'admin@nodebb.org');
|
|
|
|
|
assert.strictEqual(validationPending, true);
|
|
|
|
|
|
|
|
|
|
assert(body);
|
|
|
|
|
assert(body.hasOwnProperty('uid') && body.uid > 0);
|
|
|
|
|
const newUid = body.uid;
|
|
|
|
|
const { body: self } = await request.get(`${nconf.get('url')}/api/self`, {
|
|
|
|
|
jar,
|
|
|
|
|
});
|
|
|
|
|
assert(self);
|
|
|
|
|
assert.equal(self.username, 'admin');
|
|
|
|
|
assert.equal(self.uid, newUid);
|
|
|
|
|
const settings = await user.getSettings(body.uid);
|
|
|
|
|
assert.equal(settings.userLang, 'it');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should logout a user', async () => {
|
|
|
|
|
await helpers.logoutUser(jar);
|
2016-10-16 16:43:38 +03:00
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response, body } = await request.get(`${nconf.get('url')}/api/me`, {
|
|
|
|
|
jar: jar,
|
2016-10-16 16:43:38 +03:00
|
|
|
});
|
2023-12-18 12:08:34 -05:00
|
|
|
assert.equal(response.statusCode, 401);
|
|
|
|
|
assert.strictEqual(body.status.code, 'not-authorised');
|
2016-10-16 16:43:38 +03:00
|
|
|
});
|
|
|
|
|
|
2021-04-14 11:38:09 -04:00
|
|
|
it('should regenerate the session identifier on successful login', async () => {
|
|
|
|
|
const matchRegexp = /express\.sid=s%3A(.+?);/;
|
2021-04-14 16:20:09 -04:00
|
|
|
const { hostname, path } = url.parse(nconf.get('url'));
|
2023-12-18 12:08:34 -05:00
|
|
|
const sid = String(jar.store.idx[hostname][path]['express.sid']).match(matchRegexp)[1];
|
2021-11-22 19:23:51 -05:00
|
|
|
await helpers.logoutUser(jar);
|
|
|
|
|
const newJar = (await helpers.loginUser('regular', 'regularpwd')).jar;
|
2023-12-18 12:08:34 -05:00
|
|
|
const newSid = String(newJar.store.idx[hostname][path]['express.sid']).match(matchRegexp)[1];
|
2021-04-14 11:38:09 -04:00
|
|
|
|
|
|
|
|
assert.notStrictEqual(newSid, sid);
|
|
|
|
|
});
|
|
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
|
|
|
|
|
it('should revoke all sessions', async () => {
|
2021-02-04 00:06:15 -07:00
|
|
|
const socketAdmin = require('../src/socket.io/admin');
|
2023-12-18 12:08:34 -05:00
|
|
|
let sessionCount = await db.sortedSetCard(`uid:${regularUid}:sessions`);
|
|
|
|
|
assert(sessionCount);
|
|
|
|
|
await socketAdmin.deleteAllSessions({ uid: 1 }, {});
|
|
|
|
|
sessionCount = await db.sortedSetCard(`uid:${regularUid}:sessions`);
|
|
|
|
|
assert(!sessionCount);
|
2016-12-15 14:47:42 +03:00
|
|
|
});
|
|
|
|
|
|
2023-01-05 14:10:02 -05:00
|
|
|
describe('login', () => {
|
|
|
|
|
let username;
|
|
|
|
|
let password;
|
|
|
|
|
let uid;
|
|
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
function getCookieExpiry(response) {
|
|
|
|
|
const { headers } = response;
|
|
|
|
|
assert(headers['set-cookie']);
|
|
|
|
|
assert.strictEqual(headers['set-cookie'].includes('Expires'), true);
|
2023-01-05 14:10:02 -05:00
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
const values = headers['set-cookie'].split(';');
|
2023-01-05 14:10:02 -05:00
|
|
|
return values.reduce((memo, cur) => {
|
|
|
|
|
if (!memo) {
|
|
|
|
|
const [name, value] = cur.split('=');
|
|
|
|
|
if (name === ' Expires') {
|
|
|
|
|
memo = new Date(value);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return memo;
|
|
|
|
|
}, undefined);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
beforeEach(async () => {
|
|
|
|
|
([username, password] = [utils.generateUUID().slice(0, 10), utils.generateUUID()]);
|
|
|
|
|
uid = await user.create({ username, password });
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should login a user', async () => {
|
|
|
|
|
const { jar, body: loginBody } = await helpers.loginUser(username, password);
|
|
|
|
|
assert(loginBody);
|
2023-12-18 12:08:34 -05:00
|
|
|
const { body } = await request.get(`${nconf.get('url')}/api/self`, {
|
2023-01-05 14:10:02 -05:00
|
|
|
jar,
|
|
|
|
|
});
|
|
|
|
|
assert(body);
|
|
|
|
|
assert.equal(body.username, username);
|
2024-06-26 17:34:04 -04:00
|
|
|
const sessions = await db.getSortedSetRange(`uid:${uid}:sessions`, 0, -1);
|
2023-01-05 14:10:02 -05:00
|
|
|
assert(sessions);
|
|
|
|
|
assert(Object.keys(sessions).length > 0);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should set a cookie that only lasts for the life of the browser session', async () => {
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response } = await helpers.loginUser(username, password);
|
2023-01-05 14:10:02 -05:00
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
assert(response.headers);
|
|
|
|
|
assert(response.headers['set-cookie']);
|
|
|
|
|
assert.strictEqual(response.headers['set-cookie'].includes('Expires'), false);
|
2023-01-05 14:10:02 -05:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should set a different expiry if sessionDuration is set', async () => {
|
|
|
|
|
const _sessionDuration = meta.config.sessionDuration;
|
|
|
|
|
const days = 1;
|
|
|
|
|
meta.config.sessionDuration = days * 24 * 60 * 60;
|
|
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response } = await helpers.loginUser(username, password);
|
2023-01-05 14:10:02 -05:00
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
const expiry = getCookieExpiry(response);
|
2023-01-05 14:10:02 -05:00
|
|
|
const expected = new Date();
|
|
|
|
|
expected.setUTCDate(expected.getUTCDate() + days);
|
|
|
|
|
|
|
|
|
|
assert.strictEqual(expiry.getUTCDate(), expected.getUTCDate());
|
|
|
|
|
|
|
|
|
|
meta.config.sessionDuration = _sessionDuration;
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should set a cookie that lasts for x days where x is loginDays setting, if asked to remember', async () => {
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response } = await helpers.loginUser(username, password, { remember: 'on' });
|
2023-01-05 14:10:02 -05:00
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
const expiry = getCookieExpiry(response);
|
2023-01-05 14:10:02 -05:00
|
|
|
const expected = new Date();
|
|
|
|
|
expected.setUTCDate(expected.getUTCDate() + meta.config.loginDays);
|
|
|
|
|
|
|
|
|
|
assert.strictEqual(expiry.getUTCDate(), expected.getUTCDate());
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should set the cookie expiry properly if loginDays setting is changed', async () => {
|
|
|
|
|
const _loginDays = meta.config.loginDays;
|
|
|
|
|
meta.config.loginDays = 5;
|
|
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response } = await helpers.loginUser(username, password, { remember: 'on' });
|
2023-01-05 14:10:02 -05:00
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
const expiry = getCookieExpiry(response);
|
2023-01-05 14:10:02 -05:00
|
|
|
const expected = new Date();
|
|
|
|
|
expected.setUTCDate(expected.getUTCDate() + meta.config.loginDays);
|
|
|
|
|
|
|
|
|
|
assert.strictEqual(expiry.getUTCDate(), expected.getUTCDate());
|
|
|
|
|
|
|
|
|
|
meta.config.loginDays = _loginDays;
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should ignore loginDays if loginSeconds is truthy', async () => {
|
|
|
|
|
const _loginSeconds = meta.config.loginSeconds;
|
|
|
|
|
meta.config.loginSeconds = 60;
|
|
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response } = await helpers.loginUser(username, password, { remember: 'on' });
|
2023-01-05 14:10:02 -05:00
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
const expiry = getCookieExpiry(response);
|
2023-01-05 14:10:02 -05:00
|
|
|
const expected = new Date();
|
|
|
|
|
expected.setUTCSeconds(expected.getUTCSeconds() + meta.config.loginSeconds);
|
|
|
|
|
|
|
|
|
|
assert.strictEqual(expiry.getUTCDate(), expected.getUTCDate());
|
|
|
|
|
assert.strictEqual(expiry.getUTCMinutes(), expected.getUTCMinutes());
|
|
|
|
|
|
|
|
|
|
meta.config.loginSeconds = _loginSeconds;
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
it('should fail to login if ip address is invalid', async () => {
|
2021-02-04 00:06:15 -07:00
|
|
|
const jar = request.jar();
|
2023-12-18 12:08:34 -05:00
|
|
|
const csrf_token = await helpers.getCsrfToken(jar);
|
|
|
|
|
|
|
|
|
|
const { response } = await request.post(`${nconf.get('url')}/login`, {
|
|
|
|
|
body: {
|
|
|
|
|
username: 'regular',
|
|
|
|
|
password: 'regularpwd',
|
|
|
|
|
},
|
2017-11-30 14:24:13 -05:00
|
|
|
jar: jar,
|
2023-12-18 12:08:34 -05:00
|
|
|
headers: {
|
|
|
|
|
'x-csrf-token': csrf_token,
|
|
|
|
|
'x-forwarded-for': '<script>alert("xss")</script>',
|
|
|
|
|
},
|
2017-11-30 14:24:13 -05:00
|
|
|
});
|
2023-12-18 12:08:34 -05:00
|
|
|
assert.equal(response.status, 500);
|
2017-11-30 14:24:13 -05:00
|
|
|
});
|
|
|
|
|
|
2023-01-04 16:07:25 -05:00
|
|
|
it('should fail to login if user does not exist', async () => {
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response, body } = await helpers.loginUser('doesnotexist', 'nopassword');
|
|
|
|
|
assert.equal(response.statusCode, 403);
|
2023-01-04 16:07:25 -05:00
|
|
|
assert.equal(body, '[[error:invalid-login-credentials]]');
|
2017-05-23 15:37:32 -04:00
|
|
|
});
|
2017-05-19 16:18:18 -04:00
|
|
|
|
2023-01-04 16:07:25 -05:00
|
|
|
it('should fail to login if username is empty', async () => {
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response, body } = await helpers.loginUser('', 'some password');
|
|
|
|
|
assert.equal(response.statusCode, 403);
|
2023-01-04 16:07:25 -05:00
|
|
|
assert.equal(body, '[[error:invalid-username-or-password]]');
|
2017-05-19 16:18:18 -04:00
|
|
|
});
|
|
|
|
|
|
2023-01-04 16:07:25 -05:00
|
|
|
it('should fail to login if password is empty', async () => {
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response, body } = await helpers.loginUser('someuser', '');
|
|
|
|
|
assert.equal(response.statusCode, 403);
|
2023-01-04 16:07:25 -05:00
|
|
|
assert.equal(body, '[[error:invalid-username-or-password]]');
|
2017-05-23 15:37:32 -04:00
|
|
|
});
|
|
|
|
|
|
2023-01-04 16:07:25 -05:00
|
|
|
it('should fail to login if username and password are empty', async () => {
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response, body } = await helpers.loginUser('', '');
|
|
|
|
|
assert.equal(response.statusCode, 403);
|
2023-01-04 16:07:25 -05:00
|
|
|
assert.equal(body, '[[error:invalid-username-or-password]]');
|
2017-05-23 15:37:32 -04:00
|
|
|
});
|
|
|
|
|
|
2023-01-04 16:07:25 -05:00
|
|
|
it('should fail to login if user does not have password field in db', async () => {
|
|
|
|
|
await user.create({ username: 'hasnopassword', email: 'no@pass.org' });
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response, body } = await helpers.loginUser('hasnopassword', 'doesntmatter');
|
|
|
|
|
assert.equal(response.statusCode, 403);
|
2023-01-04 16:07:25 -05:00
|
|
|
assert.equal(body, '[[error:invalid-login-credentials]]');
|
2018-09-06 14:32:44 -04:00
|
|
|
});
|
|
|
|
|
|
2023-01-04 16:07:25 -05:00
|
|
|
it('should fail to login if password is longer than 4096', async () => {
|
2023-12-18 12:08:34 -05:00
|
|
|
let longPassword = '';
|
2021-02-04 00:06:15 -07:00
|
|
|
for (let i = 0; i < 5000; i++) {
|
2017-05-23 15:37:32 -04:00
|
|
|
longPassword += 'a';
|
|
|
|
|
}
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response, body } = await helpers.loginUser('someuser', longPassword);
|
|
|
|
|
assert.equal(response.statusCode, 403);
|
2023-01-04 16:07:25 -05:00
|
|
|
assert.equal(body, '[[error:password-too-long]]');
|
2017-05-23 15:37:32 -04:00
|
|
|
});
|
|
|
|
|
|
2023-01-04 16:07:25 -05:00
|
|
|
it('should fail to login if local login is disabled', async () => {
|
|
|
|
|
await privileges.global.rescind(['groups:local:login'], 'registered-users');
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response, body } = await helpers.loginUser('regular', 'regularpwd');
|
|
|
|
|
assert.equal(response.statusCode, 403);
|
2023-01-04 16:07:25 -05:00
|
|
|
assert.equal(body, '[[error:local-login-disabled]]');
|
|
|
|
|
await privileges.global.give(['groups:local:login'], 'registered-users');
|
2017-05-23 15:37:32 -04:00
|
|
|
});
|
2016-10-16 16:43:38 +03:00
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
it('should fail to register if registraton is disabled', async () => {
|
2017-05-23 17:37:16 -04:00
|
|
|
meta.config.registrationType = 'disabled';
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response, body } = await helpers.registerUser({
|
2021-06-28 15:07:19 -04:00
|
|
|
username: 'someuser',
|
|
|
|
|
password: 'somepassword',
|
2017-05-23 17:37:16 -04:00
|
|
|
});
|
2023-12-18 12:08:34 -05:00
|
|
|
assert.equal(response.statusCode, 403);
|
|
|
|
|
assert.equal(body, 'Forbidden');
|
2017-05-23 17:37:16 -04:00
|
|
|
});
|
|
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
it('should return error if invitation is not valid', async () => {
|
2017-05-23 17:37:16 -04:00
|
|
|
meta.config.registrationType = 'invite-only';
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response, body } = await helpers.registerUser({
|
2021-06-28 15:07:19 -04:00
|
|
|
username: 'someuser',
|
|
|
|
|
password: 'somepassword',
|
2017-05-23 17:37:16 -04:00
|
|
|
});
|
2023-12-18 12:08:34 -05:00
|
|
|
meta.config.registrationType = 'normal';
|
|
|
|
|
assert.equal(response.statusCode, 400);
|
|
|
|
|
assert.equal(body, '[[register:invite.error-invite-only]]');
|
2017-05-23 17:37:16 -04:00
|
|
|
});
|
|
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
it('should fail to register if username is falsy or too short', async () => {
|
|
|
|
|
const userData = [
|
|
|
|
|
{ username: '', password: 'somepassword' },
|
|
|
|
|
{ username: 'a', password: 'somepassword' },
|
|
|
|
|
];
|
|
|
|
|
for (const user of userData) {
|
|
|
|
|
// eslint-disable-next-line no-await-in-loop
|
|
|
|
|
const { response, body } = await helpers.registerUser(user);
|
2017-05-23 17:37:16 -04:00
|
|
|
assert.equal(response.statusCode, 400);
|
|
|
|
|
assert.equal(body, '[[error:username-too-short]]');
|
2023-12-18 12:08:34 -05:00
|
|
|
}
|
2017-05-23 17:37:16 -04:00
|
|
|
});
|
|
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
it('should fail to register if username is too long', async () => {
|
|
|
|
|
const { response, body } = await helpers.registerUser({
|
2021-06-28 15:07:19 -04:00
|
|
|
username: 'thisisareallylongusername',
|
|
|
|
|
password: '123456',
|
2017-05-23 17:37:16 -04:00
|
|
|
});
|
2023-12-18 12:08:34 -05:00
|
|
|
|
|
|
|
|
assert.equal(response.statusCode, 400);
|
|
|
|
|
assert.equal(body, '[[error:username-too-long]]');
|
2017-05-23 17:37:16 -04:00
|
|
|
});
|
|
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
it('should queue user if ip is used before', async () => {
|
2019-06-04 11:10:20 -04:00
|
|
|
meta.config.registrationApprovalType = 'admin-approval-ip';
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response, body } = await helpers.registerUser({
|
2021-06-28 15:07:19 -04:00
|
|
|
email: 'another@user.com',
|
|
|
|
|
username: 'anotheruser',
|
|
|
|
|
password: 'anotherpwd',
|
|
|
|
|
gdpr_consent: 1,
|
2017-05-23 22:09:25 -04:00
|
|
|
});
|
2023-12-18 12:08:34 -05:00
|
|
|
meta.config.registrationApprovalType = 'normal';
|
|
|
|
|
assert.equal(response.statusCode, 200);
|
|
|
|
|
assert.equal(body.message, '[[register:registration-added-to-queue]]');
|
2017-05-23 22:09:25 -04:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
2021-06-28 15:07:19 -04:00
|
|
|
it('should be able to login with email', async () => {
|
2022-08-03 13:02:21 -04:00
|
|
|
const email = 'ginger@nodebb.org';
|
|
|
|
|
const uid = await user.create({ username: 'ginger', password: '123456', email });
|
|
|
|
|
await user.setUserField(uid, 'email', email);
|
2021-06-28 15:07:19 -04:00
|
|
|
await user.email.confirmByUid(uid);
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response } = await helpers.loginUser('ginger@nodebb.org', '123456');
|
|
|
|
|
assert.equal(response.statusCode, 200);
|
2017-05-23 22:09:25 -04:00
|
|
|
});
|
|
|
|
|
|
2023-01-04 16:07:25 -05:00
|
|
|
it('should fail to login if login type is username and an email is sent', async () => {
|
2017-05-23 22:09:25 -04:00
|
|
|
meta.config.allowLoginWith = 'username';
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response, body } = await helpers.loginUser('ginger@nodebb.org', '123456');
|
2023-01-04 16:07:25 -05:00
|
|
|
meta.config.allowLoginWith = 'username-email';
|
2023-12-18 12:08:34 -05:00
|
|
|
assert.equal(response.statusCode, 400);
|
2023-01-04 16:07:25 -05:00
|
|
|
assert.equal(body, '[[error:wrong-login-type-username]]');
|
2017-05-23 22:09:25 -04:00
|
|
|
});
|
|
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
it('should send 200 if not logged in', async () => {
|
2021-02-04 00:06:15 -07:00
|
|
|
const jar = request.jar();
|
2023-12-18 12:08:34 -05:00
|
|
|
const csrf_token = await helpers.getCsrfToken(jar);
|
2017-05-23 22:09:25 -04:00
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response, body } = await request.post(`${nconf.get('url')}/logout`, {
|
|
|
|
|
data: {},
|
|
|
|
|
jar: jar,
|
|
|
|
|
headers: {
|
|
|
|
|
'x-csrf-token': csrf_token,
|
|
|
|
|
},
|
2017-05-23 22:09:25 -04:00
|
|
|
});
|
2023-12-18 12:08:34 -05:00
|
|
|
|
|
|
|
|
assert.equal(response.statusCode, 200);
|
|
|
|
|
assert.equal(body, 'not-logged-in');
|
2017-05-23 22:09:25 -04:00
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
describe('banned user authentication', () => {
|
2020-12-14 09:20:41 +03:00
|
|
|
const bannedUser = {
|
|
|
|
|
username: 'banme',
|
|
|
|
|
pw: '123456',
|
|
|
|
|
uid: null,
|
|
|
|
|
};
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
before(async () => {
|
2020-12-14 09:20:41 +03:00
|
|
|
bannedUser.uid = await user.create({ username: 'banme', password: '123456', email: 'ban@me.com' });
|
|
|
|
|
});
|
|
|
|
|
|
2023-01-04 16:07:25 -05:00
|
|
|
it('should prevent banned user from logging in', async () => {
|
|
|
|
|
await user.bans.ban(bannedUser.uid, 0, 'spammer');
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response: res1, body: body1 } = await helpers.loginUser(bannedUser.username, bannedUser.pw);
|
2023-01-04 16:07:25 -05:00
|
|
|
assert.equal(res1.statusCode, 403);
|
|
|
|
|
delete body1.timestamp;
|
|
|
|
|
assert.deepStrictEqual(body1, {
|
|
|
|
|
banned_until: 0,
|
|
|
|
|
banned_until_readable: '',
|
|
|
|
|
expiry: 0,
|
|
|
|
|
expiry_readable: '',
|
|
|
|
|
reason: 'spammer',
|
|
|
|
|
uid: bannedUser.uid,
|
2017-05-23 22:09:25 -04:00
|
|
|
});
|
2023-01-04 16:07:25 -05:00
|
|
|
await user.bans.unban(bannedUser.uid);
|
|
|
|
|
const expiry = Date.now() + 10000;
|
|
|
|
|
await user.bans.ban(bannedUser.uid, expiry, '');
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response: res2, body: body2 } = await helpers.loginUser(bannedUser.username, bannedUser.pw);
|
2023-01-04 16:07:25 -05:00
|
|
|
assert.equal(res2.statusCode, 403);
|
|
|
|
|
assert(body2.banned_until);
|
|
|
|
|
assert(body2.reason, '[[user:info.banned-no-reason]]');
|
2017-05-23 22:09:25 -04:00
|
|
|
});
|
2020-12-14 09:20:41 +03:00
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should allow banned user to log in if the "banned-users" group has "local-login" privilege', async () => {
|
2020-12-14 09:20:41 +03:00
|
|
|
await privileges.global.give(['groups:local:login'], 'banned-users');
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response } = await helpers.loginUser(bannedUser.username, bannedUser.pw);
|
|
|
|
|
assert.strictEqual(response.statusCode, 200);
|
2020-12-14 09:20:41 +03:00
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should allow banned user to log in if the user herself has "local-login" privilege', async () => {
|
2020-12-14 09:20:41 +03:00
|
|
|
await privileges.global.rescind(['groups:local:login'], 'banned-users');
|
|
|
|
|
await privileges.categories.give(['local:login'], 0, bannedUser.uid);
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response } = await helpers.loginUser(bannedUser.username, bannedUser.pw);
|
|
|
|
|
assert.strictEqual(response.statusCode, 200);
|
2020-12-14 09:20:41 +03:00
|
|
|
});
|
2017-05-23 22:09:25 -04:00
|
|
|
});
|
|
|
|
|
|
2023-09-22 11:44:32 -04:00
|
|
|
it('should lockout account on 3 failed login attempts', async () => {
|
2017-05-23 22:47:40 -04:00
|
|
|
meta.config.loginAttempts = 3;
|
2023-09-22 11:44:32 -04:00
|
|
|
const uid = await user.create({ username: 'lockme', password: '123456' });
|
|
|
|
|
await helpers.loginUser('lockme', 'abcdef');
|
|
|
|
|
await helpers.loginUser('lockme', 'abcdef');
|
|
|
|
|
await helpers.loginUser('lockme', 'abcdef');
|
|
|
|
|
let data = await helpers.loginUser('lockme', 'abcdef');
|
|
|
|
|
|
|
|
|
|
meta.config.loginAttempts = 5;
|
2023-12-18 12:08:34 -05:00
|
|
|
assert.equal(data.response.statusCode, 403);
|
2023-09-22 11:44:32 -04:00
|
|
|
assert.equal(data.body, '[[error:account-locked]]');
|
|
|
|
|
data = await helpers.loginUser('lockme', 'abcdef');
|
2023-12-18 12:08:34 -05:00
|
|
|
assert.equal(data.response.statusCode, 403);
|
2023-09-22 11:44:32 -04:00
|
|
|
assert.equal(data.body, '[[error:account-locked]]');
|
|
|
|
|
const locked = await db.exists(`lockout:${uid}`);
|
|
|
|
|
assert(locked);
|
2017-05-23 22:47:40 -04:00
|
|
|
});
|
2021-06-14 11:50:32 -04:00
|
|
|
|
|
|
|
|
it('should clear all reset tokens upon successful login', async () => {
|
|
|
|
|
const code = await user.reset.generate(regularUid);
|
2021-11-22 23:20:31 -05:00
|
|
|
await helpers.loginUser('regular', 'regularpwd');
|
2021-06-14 11:50:32 -04:00
|
|
|
const valid = await user.reset.validate(code);
|
|
|
|
|
assert.strictEqual(valid, false);
|
|
|
|
|
});
|
2021-11-26 18:59:29 -05:00
|
|
|
|
|
|
|
|
describe('api tokens', () => {
|
|
|
|
|
let newUid;
|
|
|
|
|
let userToken;
|
|
|
|
|
let masterToken;
|
|
|
|
|
before(async () => {
|
|
|
|
|
newUid = await user.create({ username: 'apiUserTarget' });
|
2023-05-10 15:57:46 -04:00
|
|
|
userToken = await api.utils.tokens.generate({
|
2021-11-26 18:59:29 -05:00
|
|
|
uid: newUid,
|
|
|
|
|
description: `api token for uid ${newUid}`,
|
2023-05-10 15:57:46 -04:00
|
|
|
});
|
|
|
|
|
masterToken = await api.utils.tokens.generate({
|
2021-11-26 18:59:29 -05:00
|
|
|
uid: 0,
|
|
|
|
|
description: 'api master token',
|
2023-05-10 15:57:46 -04:00
|
|
|
});
|
2021-11-26 18:59:29 -05:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should fail with invalid token', async () => {
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response, body } = await helpers.request('get', `/api/self?_uid${newUid}`, {
|
2021-11-26 18:59:29 -05:00
|
|
|
jar: jar,
|
|
|
|
|
headers: {
|
|
|
|
|
Authorization: `Bearer sdfhaskfdja-jahfdaksdf`,
|
|
|
|
|
},
|
|
|
|
|
});
|
2023-12-18 12:08:34 -05:00
|
|
|
assert.strictEqual(response.statusCode, 401);
|
2021-11-26 18:59:29 -05:00
|
|
|
assert.strictEqual(body, 'not-authorized');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should use a token tied to an uid', async () => {
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response, body } = await helpers.request('get', `/api/self`, {
|
2021-11-26 18:59:29 -05:00
|
|
|
headers: {
|
2023-05-10 15:57:46 -04:00
|
|
|
Authorization: `Bearer ${userToken}`,
|
2021-11-26 18:59:29 -05:00
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
assert.strictEqual(response.statusCode, 200);
|
2021-11-26 18:59:29 -05:00
|
|
|
assert.strictEqual(body.username, 'apiUserTarget');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should fail if _uid is not passed in with master token', async () => {
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response, body } = await helpers.request('get', `/api/self`, {
|
2021-11-26 18:59:29 -05:00
|
|
|
headers: {
|
2023-05-10 15:57:46 -04:00
|
|
|
Authorization: `Bearer ${masterToken}`,
|
2021-11-26 18:59:29 -05:00
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
assert.strictEqual(response.statusCode, 500);
|
2021-11-26 18:59:29 -05:00
|
|
|
assert.strictEqual(body.error, '[[error:api.master-token-no-uid]]');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should use master api token and _uid', async () => {
|
2023-12-18 12:08:34 -05:00
|
|
|
const { response, body } = await helpers.request('get', `/api/self?_uid=${newUid}`, {
|
2021-11-26 18:59:29 -05:00
|
|
|
headers: {
|
2023-05-10 15:57:46 -04:00
|
|
|
Authorization: `Bearer ${masterToken}`,
|
2021-11-26 18:59:29 -05:00
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
|
2023-12-18 12:08:34 -05:00
|
|
|
assert.strictEqual(response.statusCode, 200);
|
2021-11-26 18:59:29 -05:00
|
|
|
assert.strictEqual(body.username, 'apiUserTarget');
|
|
|
|
|
});
|
|
|
|
|
});
|
2016-10-16 16:43:38 +03:00
|
|
|
});
|
