2016-10-16 16:43:38 +03:00
|
|
|
'use strict';
|
2017-02-17 21:55:19 -07:00
|
|
|
|
2016-10-16 16:43:38 +03:00
|
|
|
|
2018-10-16 13:07:13 -04:00
|
|
|
var assert = require('assert');
|
2020-12-14 09:20:41 +03:00
|
|
|
var async = require('async');
|
2016-10-16 16:43:38 +03:00
|
|
|
var nconf = require('nconf');
|
|
|
|
|
var request = require('request');
|
2020-12-14 09:20:41 +03:00
|
|
|
const util = require('util');
|
2016-10-16 16:43:38 +03:00
|
|
|
|
|
|
|
|
var db = require('./mocks/databasemock');
|
2016-10-16 21:51:42 +03:00
|
|
|
var user = require('../src/user');
|
2019-04-05 21:14:49 +03:00
|
|
|
var utils = require('../src/utils');
|
2017-05-23 15:37:32 -04:00
|
|
|
var meta = require('../src/meta');
|
2018-09-29 06:49:41 -04:00
|
|
|
var privileges = require('../src/privileges');
|
2017-05-27 23:32:55 -04:00
|
|
|
var helpers = require('./helpers');
|
2016-10-16 16:43:38 +03:00
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
describe('authentication', () => {
|
2017-05-23 15:37:32 -04:00
|
|
|
function loginUser(username, password, callback) {
|
|
|
|
|
var jar = request.jar();
|
|
|
|
|
request({
|
2021-02-03 23:59:08 -07:00
|
|
|
url: `${nconf.get('url')}/api/config`,
|
2017-05-23 15:37:32 -04:00
|
|
|
json: true,
|
|
|
|
|
jar: jar,
|
2021-02-04 00:01:39 -07:00
|
|
|
}, (err, response, body) => {
|
2017-05-23 15:37:32 -04:00
|
|
|
if (err) {
|
|
|
|
|
return callback(err);
|
|
|
|
|
}
|
|
|
|
|
|
2021-02-03 23:59:08 -07:00
|
|
|
request.post(`${nconf.get('url')}/login`, {
|
2017-05-23 15:37:32 -04:00
|
|
|
form: {
|
|
|
|
|
username: username,
|
|
|
|
|
password: password,
|
|
|
|
|
},
|
|
|
|
|
json: true,
|
|
|
|
|
jar: jar,
|
|
|
|
|
headers: {
|
|
|
|
|
'x-csrf-token': body.csrf_token,
|
|
|
|
|
},
|
2021-02-04 00:01:39 -07:00
|
|
|
}, (err, response, body) => {
|
2017-05-23 15:37:32 -04:00
|
|
|
callback(err, response, body, jar);
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
}
|
2020-12-14 09:20:41 +03:00
|
|
|
const loginUserPromisified = util.promisify(loginUser);
|
2017-05-23 15:37:32 -04:00
|
|
|
|
2017-05-23 17:37:16 -04:00
|
|
|
function registerUser(email, username, password, callback) {
|
|
|
|
|
var jar = request.jar();
|
|
|
|
|
request({
|
2021-02-03 23:59:08 -07:00
|
|
|
url: `${nconf.get('url')}/api/config`,
|
2017-05-23 17:37:16 -04:00
|
|
|
json: true,
|
|
|
|
|
jar: jar,
|
2021-02-04 00:01:39 -07:00
|
|
|
}, (err, response, body) => {
|
2017-05-23 17:37:16 -04:00
|
|
|
if (err) {
|
|
|
|
|
return callback(err);
|
|
|
|
|
}
|
|
|
|
|
|
2021-02-03 23:59:08 -07:00
|
|
|
request.post(`${nconf.get('url')}/register`, {
|
2017-05-23 17:37:16 -04:00
|
|
|
form: {
|
|
|
|
|
email: email,
|
|
|
|
|
username: username,
|
|
|
|
|
password: password,
|
2017-07-20 08:51:04 -04:00
|
|
|
'password-confirm': password,
|
2018-04-12 12:51:34 -04:00
|
|
|
gdpr_consent: true,
|
2017-05-23 17:37:16 -04:00
|
|
|
},
|
|
|
|
|
json: true,
|
|
|
|
|
jar: jar,
|
|
|
|
|
headers: {
|
|
|
|
|
'x-csrf-token': body.csrf_token,
|
|
|
|
|
},
|
2021-02-04 00:01:39 -07:00
|
|
|
}, (err, response, body) => {
|
2017-05-23 17:37:16 -04:00
|
|
|
callback(err, response, body, jar);
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
}
|
2017-05-23 15:37:32 -04:00
|
|
|
|
2016-10-16 16:43:38 +03:00
|
|
|
var jar = request.jar();
|
2016-12-15 14:47:42 +03:00
|
|
|
var regularUid;
|
2021-02-04 00:01:39 -07:00
|
|
|
before((done) => {
|
|
|
|
|
user.create({ username: 'regular', password: 'regularpwd', email: 'regular@nodebb.org' }, (err, uid) => {
|
2016-10-16 17:42:14 +03:00
|
|
|
assert.ifError(err);
|
2016-12-15 14:47:42 +03:00
|
|
|
regularUid = uid;
|
2016-10-16 17:36:24 +03:00
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should fail to create user if username is too short', (done) => {
|
2017-09-01 18:40:34 -04:00
|
|
|
helpers.registerUser({
|
|
|
|
|
username: 'a',
|
|
|
|
|
password: '123456',
|
|
|
|
|
'password-confirm': '123456',
|
|
|
|
|
email: 'should@error1.com',
|
2021-02-04 00:01:39 -07:00
|
|
|
}, (err, jar, response, body) => {
|
2017-09-01 18:40:34 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(response.statusCode, 400);
|
|
|
|
|
assert.equal(body, '[[error:username-too-short]]');
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should fail to create user if userslug is too short', (done) => {
|
2017-09-01 18:40:34 -04:00
|
|
|
helpers.registerUser({
|
|
|
|
|
username: '----a-----',
|
|
|
|
|
password: '123456',
|
|
|
|
|
'password-confirm': '123456',
|
|
|
|
|
email: 'should@error2.com',
|
2021-02-04 00:01:39 -07:00
|
|
|
}, (err, jar, response, body) => {
|
2017-09-01 18:40:34 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(response.statusCode, 400);
|
|
|
|
|
assert.equal(body, '[[error:username-too-short]]');
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should fail to create user if userslug is too short', (done) => {
|
2017-09-01 18:40:34 -04:00
|
|
|
helpers.registerUser({
|
|
|
|
|
username: ' a',
|
|
|
|
|
password: '123456',
|
|
|
|
|
'password-confirm': '123456',
|
|
|
|
|
email: 'should@error3.com',
|
2021-02-04 00:01:39 -07:00
|
|
|
}, (err, jar, response, body) => {
|
2017-09-01 18:40:34 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(response.statusCode, 400);
|
|
|
|
|
assert.equal(body, '[[error:username-too-short]]');
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should fail to create user if userslug is too short', (done) => {
|
2017-09-01 18:40:34 -04:00
|
|
|
helpers.registerUser({
|
|
|
|
|
username: 'a ',
|
|
|
|
|
password: '123456',
|
|
|
|
|
'password-confirm': '123456',
|
|
|
|
|
email: 'should@error4.com',
|
2021-02-04 00:01:39 -07:00
|
|
|
}, (err, jar, response, body) => {
|
2017-09-01 18:40:34 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(response.statusCode, 400);
|
|
|
|
|
assert.equal(body, '[[error:username-too-short]]');
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should register and login a user', (done) => {
|
2016-10-16 16:43:38 +03:00
|
|
|
request({
|
2021-02-03 23:59:08 -07:00
|
|
|
url: `${nconf.get('url')}/api/config`,
|
2016-10-16 16:43:38 +03:00
|
|
|
json: true,
|
2017-02-17 19:31:21 -07:00
|
|
|
jar: jar,
|
2021-02-04 00:01:39 -07:00
|
|
|
}, (err, response, body) => {
|
2016-10-16 16:43:38 +03:00
|
|
|
assert.ifError(err);
|
|
|
|
|
|
2021-02-03 23:59:08 -07:00
|
|
|
request.post(`${nconf.get('url')}/register`, {
|
2016-10-16 16:43:38 +03:00
|
|
|
form: {
|
|
|
|
|
email: 'admin@nodebb.org',
|
|
|
|
|
username: 'admin',
|
|
|
|
|
password: 'adminpwd',
|
2017-07-20 08:51:04 -04:00
|
|
|
'password-confirm': 'adminpwd',
|
2017-05-23 22:09:25 -04:00
|
|
|
userLang: 'it',
|
2018-04-12 12:51:34 -04:00
|
|
|
gdpr_consent: true,
|
2016-10-16 16:43:38 +03:00
|
|
|
},
|
|
|
|
|
json: true,
|
|
|
|
|
jar: jar,
|
|
|
|
|
headers: {
|
2017-02-17 19:31:21 -07:00
|
|
|
'x-csrf-token': body.csrf_token,
|
|
|
|
|
},
|
2021-02-04 00:01:39 -07:00
|
|
|
}, (err, response, body) => {
|
2016-10-16 16:43:38 +03:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert(body);
|
|
|
|
|
|
|
|
|
|
request({
|
2021-02-03 23:59:08 -07:00
|
|
|
url: `${nconf.get('url')}/api/self`,
|
2016-10-16 16:43:38 +03:00
|
|
|
json: true,
|
2017-02-17 19:31:21 -07:00
|
|
|
jar: jar,
|
2021-02-04 00:01:39 -07:00
|
|
|
}, (err, response, body) => {
|
2016-10-16 16:43:38 +03:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert(body);
|
|
|
|
|
assert.equal(body.username, 'admin');
|
|
|
|
|
assert.equal(body.email, 'admin@nodebb.org');
|
2021-02-04 00:01:39 -07:00
|
|
|
user.getSettings(body.uid, (err, settings) => {
|
2017-05-23 22:09:25 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(settings.userLang, 'it');
|
|
|
|
|
done();
|
|
|
|
|
});
|
2016-10-16 16:43:38 +03:00
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should logout a user', (done) => {
|
|
|
|
|
helpers.logoutUser(jar, (err) => {
|
2016-10-16 16:43:38 +03:00
|
|
|
assert.ifError(err);
|
2017-05-27 23:32:55 -04:00
|
|
|
request({
|
2021-02-03 23:59:08 -07:00
|
|
|
url: `${nconf.get('url')}/api/me`,
|
2016-10-16 16:43:38 +03:00
|
|
|
json: true,
|
|
|
|
|
jar: jar,
|
2021-02-04 00:01:39 -07:00
|
|
|
}, (err, res, body) => {
|
2016-10-16 16:43:38 +03:00
|
|
|
assert.ifError(err);
|
2017-11-16 15:38:26 -07:00
|
|
|
assert.equal(res.statusCode, 401);
|
2020-10-08 13:30:28 -04:00
|
|
|
assert.strictEqual(body.status.code, 'not-authorised');
|
2017-05-27 23:32:55 -04:00
|
|
|
done();
|
2016-10-16 16:43:38 +03:00
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should login a user', (done) => {
|
|
|
|
|
loginUser('regular', 'regularpwd', (err, response, body, jar) => {
|
2016-10-16 16:43:38 +03:00
|
|
|
assert.ifError(err);
|
2017-05-23 15:37:32 -04:00
|
|
|
assert(body);
|
|
|
|
|
request({
|
2021-02-03 23:59:08 -07:00
|
|
|
url: `${nconf.get('url')}/api/self`,
|
2016-10-16 16:43:38 +03:00
|
|
|
json: true,
|
|
|
|
|
jar: jar,
|
2021-02-04 00:01:39 -07:00
|
|
|
}, (err, response, body) => {
|
2016-10-16 16:43:38 +03:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert(body);
|
2017-05-23 15:37:32 -04:00
|
|
|
assert.equal(body.username, 'regular');
|
|
|
|
|
assert.equal(body.email, 'regular@nodebb.org');
|
2021-02-04 00:01:39 -07:00
|
|
|
db.getObject(`uid:${regularUid}:sessionUUID:sessionId`, (err, sessions) => {
|
2016-10-16 16:43:38 +03:00
|
|
|
assert.ifError(err);
|
2017-05-23 15:37:32 -04:00
|
|
|
assert(sessions);
|
|
|
|
|
assert(Object.keys(sessions).length > 0);
|
|
|
|
|
done();
|
2016-10-16 16:43:38 +03:00
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should revoke all sessions', (done) => {
|
2016-12-15 14:47:42 +03:00
|
|
|
var socketAdmin = require('../src/socket.io/admin');
|
2021-02-04 00:01:39 -07:00
|
|
|
db.sortedSetCard(`uid:${regularUid}:sessions`, (err, count) => {
|
2016-12-15 14:47:42 +03:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert(count);
|
2021-02-04 00:01:39 -07:00
|
|
|
socketAdmin.deleteAllSessions({ uid: 1 }, {}, (err) => {
|
2016-12-15 14:47:42 +03:00
|
|
|
assert.ifError(err);
|
2021-02-04 00:01:39 -07:00
|
|
|
db.sortedSetCard(`uid:${regularUid}:sessions`, (err, count) => {
|
2016-12-15 14:47:42 +03:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert(!count);
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should fail to login if ip address is invalid', (done) => {
|
2017-11-30 14:24:13 -05:00
|
|
|
var jar = request.jar();
|
|
|
|
|
request({
|
2021-02-03 23:59:08 -07:00
|
|
|
url: `${nconf.get('url')}/api/config`,
|
2017-11-30 14:24:13 -05:00
|
|
|
json: true,
|
|
|
|
|
jar: jar,
|
2021-02-04 00:01:39 -07:00
|
|
|
}, (err, response, body) => {
|
2017-11-30 14:24:13 -05:00
|
|
|
if (err) {
|
|
|
|
|
return done(err);
|
|
|
|
|
}
|
|
|
|
|
|
2021-02-03 23:59:08 -07:00
|
|
|
request.post(`${nconf.get('url')}/login`, {
|
2017-11-30 14:24:13 -05:00
|
|
|
form: {
|
|
|
|
|
username: 'regular',
|
|
|
|
|
password: 'regularpwd',
|
|
|
|
|
},
|
|
|
|
|
json: true,
|
|
|
|
|
jar: jar,
|
|
|
|
|
headers: {
|
|
|
|
|
'x-csrf-token': body.csrf_token,
|
|
|
|
|
'x-forwarded-for': '<script>alert("xss")</script>',
|
|
|
|
|
},
|
2021-02-04 00:01:39 -07:00
|
|
|
}, (err, response, body) => {
|
2017-11-30 14:24:13 -05:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(response.statusCode, 500);
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should fail to login if user does not exist', (done) => {
|
|
|
|
|
loginUser('doesnotexist', 'nopassword', (err, response, body) => {
|
2017-05-19 16:18:18 -04:00
|
|
|
assert.ifError(err);
|
2017-05-23 15:37:32 -04:00
|
|
|
assert.equal(response.statusCode, 403);
|
|
|
|
|
assert.equal(body, '[[error:invalid-login-credentials]]');
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
2017-05-19 16:18:18 -04:00
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should fail to login if username is empty', (done) => {
|
|
|
|
|
loginUser('', 'some password', (err, response, body) => {
|
2017-05-23 15:37:32 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(response.statusCode, 403);
|
|
|
|
|
assert.equal(body, '[[error:invalid-username-or-password]]');
|
|
|
|
|
done();
|
2017-05-19 16:18:18 -04:00
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should fail to login if password is empty', (done) => {
|
|
|
|
|
loginUser('someuser', '', (err, response, body) => {
|
2017-05-23 15:37:32 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(response.statusCode, 403);
|
|
|
|
|
assert.equal(body, '[[error:invalid-username-or-password]]');
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should fail to login if username and password are empty', (done) => {
|
|
|
|
|
loginUser('', '', (err, response, body) => {
|
2017-05-23 15:37:32 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(response.statusCode, 403);
|
|
|
|
|
assert.equal(body, '[[error:invalid-username-or-password]]');
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should fail to login if user does not have password field in db', (done) => {
|
|
|
|
|
user.create({ username: 'hasnopassword', email: 'no@pass.org' }, (err, uid) => {
|
2018-09-06 14:32:44 -04:00
|
|
|
assert.ifError(err);
|
2021-02-04 00:01:39 -07:00
|
|
|
loginUser('hasnopassword', 'doesntmatter', (err, response, body) => {
|
2018-09-06 14:32:44 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(response.statusCode, 403);
|
|
|
|
|
assert.equal(body, '[[error:invalid-login-credentials]]');
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should fail to login if password is longer than 4096', (done) => {
|
2017-05-23 15:37:32 -04:00
|
|
|
var longPassword;
|
|
|
|
|
for (var i = 0; i < 5000; i++) {
|
|
|
|
|
longPassword += 'a';
|
|
|
|
|
}
|
2021-02-04 00:01:39 -07:00
|
|
|
loginUser('someuser', longPassword, (err, response, body) => {
|
2017-05-23 15:37:32 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(response.statusCode, 403);
|
|
|
|
|
assert.equal(body, '[[error:password-too-long]]');
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should fail to login if local login is disabled', (done) => {
|
|
|
|
|
privileges.global.rescind(['groups:local:login'], 'registered-users', (err) => {
|
2017-05-23 15:37:32 -04:00
|
|
|
assert.ifError(err);
|
2021-02-04 00:01:39 -07:00
|
|
|
loginUser('regular', 'regularpwd', (err, response, body) => {
|
2018-09-29 06:49:41 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(response.statusCode, 403);
|
|
|
|
|
assert.equal(body, '[[error:local-login-disabled]]');
|
2020-05-26 21:57:38 -04:00
|
|
|
privileges.global.give(['groups:local:login'], 'registered-users', done);
|
2018-09-29 06:49:41 -04:00
|
|
|
});
|
2017-05-23 15:37:32 -04:00
|
|
|
});
|
|
|
|
|
});
|
2016-10-16 16:43:38 +03:00
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should fail to register if registraton is disabled', (done) => {
|
2017-05-23 17:37:16 -04:00
|
|
|
meta.config.registrationType = 'disabled';
|
2021-02-04 00:01:39 -07:00
|
|
|
registerUser('some@user.com', 'someuser', 'somepassword', (err, response, body) => {
|
2017-05-23 17:37:16 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(response.statusCode, 403);
|
|
|
|
|
assert.equal(body, 'Forbidden');
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should return error if invitation is not valid', (done) => {
|
2017-05-23 17:37:16 -04:00
|
|
|
meta.config.registrationType = 'invite-only';
|
2021-02-04 00:01:39 -07:00
|
|
|
registerUser('some@user.com', 'someuser', 'somepassword', (err, response, body) => {
|
2017-05-23 17:37:16 -04:00
|
|
|
meta.config.registrationType = 'normal';
|
|
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(response.statusCode, 400);
|
2021-01-24 14:11:47 -05:00
|
|
|
assert.equal(body, '[[register:invite.error-invite-only]]');
|
2017-05-23 17:37:16 -04:00
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should fail to register if email is falsy', (done) => {
|
|
|
|
|
registerUser('', 'someuser', 'somepassword', (err, response, body) => {
|
2017-05-23 17:37:16 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(response.statusCode, 400);
|
|
|
|
|
assert.equal(body, '[[error:invalid-email]]');
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should fail to register if username is falsy or too short', (done) => {
|
|
|
|
|
registerUser('some@user.com', '', 'somepassword', (err, response, body) => {
|
2017-05-23 17:37:16 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(response.statusCode, 400);
|
|
|
|
|
assert.equal(body, '[[error:username-too-short]]');
|
2021-02-04 00:01:39 -07:00
|
|
|
registerUser('some@user.com', 'a', 'somepassword', (err, response, body) => {
|
2017-05-23 17:37:16 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(response.statusCode, 400);
|
|
|
|
|
assert.equal(body, '[[error:username-too-short]]');
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should fail to register if username is too long', (done) => {
|
|
|
|
|
registerUser('some@user.com', 'thisisareallylongusername', '123456', (err, response, body) => {
|
2017-05-23 17:37:16 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(response.statusCode, 400);
|
|
|
|
|
assert.equal(body, '[[error:username-too-long]]');
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should queue user if ip is used before', (done) => {
|
2019-06-04 11:10:20 -04:00
|
|
|
meta.config.registrationApprovalType = 'admin-approval-ip';
|
2021-02-04 00:01:39 -07:00
|
|
|
registerUser('another@user.com', 'anotheruser', 'anotherpwd', (err, response, body) => {
|
2019-06-04 11:10:20 -04:00
|
|
|
meta.config.registrationApprovalType = 'normal';
|
2017-05-23 22:09:25 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(response.statusCode, 200);
|
|
|
|
|
assert.equal(body.message, '[[register:registration-added-to-queue]]');
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should be able to login with email', (done) => {
|
|
|
|
|
user.create({ username: 'ginger', password: '123456', email: 'ginger@nodebb.org' }, (err) => {
|
2017-05-23 22:09:25 -04:00
|
|
|
assert.ifError(err);
|
2021-02-04 00:01:39 -07:00
|
|
|
loginUser('ginger@nodebb.org', '123456', (err, response) => {
|
2017-05-23 22:09:25 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(response.statusCode, 200);
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should fail to login if login type is username and an email is sent', (done) => {
|
2017-05-23 22:09:25 -04:00
|
|
|
meta.config.allowLoginWith = 'username';
|
2021-02-04 00:01:39 -07:00
|
|
|
loginUser('ginger@nodebb.org', '123456', (err, response, body) => {
|
2017-05-23 22:09:25 -04:00
|
|
|
meta.config.allowLoginWith = 'username-email';
|
|
|
|
|
assert.ifError(err);
|
2021-01-07 14:58:19 -05:00
|
|
|
assert.equal(response.statusCode, 400);
|
2017-05-23 22:09:25 -04:00
|
|
|
assert.equal(body, '[[error:wrong-login-type-username]]');
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should send 200 if not logged in', (done) => {
|
2017-05-23 22:09:25 -04:00
|
|
|
var jar = request.jar();
|
|
|
|
|
request({
|
2021-02-03 23:59:08 -07:00
|
|
|
url: `${nconf.get('url')}/api/config`,
|
2017-05-23 22:09:25 -04:00
|
|
|
json: true,
|
|
|
|
|
jar: jar,
|
2021-02-04 00:01:39 -07:00
|
|
|
}, (err, response, body) => {
|
2017-05-23 22:09:25 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
|
2021-02-03 23:59:08 -07:00
|
|
|
request.post(`${nconf.get('url')}/logout`, {
|
2017-05-23 22:09:25 -04:00
|
|
|
form: {},
|
|
|
|
|
json: true,
|
|
|
|
|
jar: jar,
|
|
|
|
|
headers: {
|
|
|
|
|
'x-csrf-token': body.csrf_token,
|
|
|
|
|
},
|
2021-02-04 00:01:39 -07:00
|
|
|
}, (err, res, body) => {
|
2017-05-23 22:09:25 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(res.statusCode, 200);
|
|
|
|
|
assert.equal(body, 'not-logged-in');
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
describe('banned user authentication', () => {
|
2020-12-14 09:20:41 +03:00
|
|
|
const bannedUser = {
|
|
|
|
|
username: 'banme',
|
|
|
|
|
pw: '123456',
|
|
|
|
|
uid: null,
|
|
|
|
|
};
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
before(async () => {
|
2020-12-14 09:20:41 +03:00
|
|
|
bannedUser.uid = await user.create({ username: 'banme', password: '123456', email: 'ban@me.com' });
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should prevent banned user from logging in', (done) => {
|
|
|
|
|
user.bans.ban(bannedUser.uid, 0, 'spammer', (err) => {
|
2017-05-23 22:09:25 -04:00
|
|
|
assert.ifError(err);
|
2021-02-04 00:01:39 -07:00
|
|
|
loginUser(bannedUser.username, bannedUser.pw, (err, res, body) => {
|
2017-05-23 22:09:25 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(res.statusCode, 403);
|
|
|
|
|
assert.equal(body, '[[error:user-banned-reason, spammer]]');
|
2021-02-04 00:01:39 -07:00
|
|
|
user.bans.unban(bannedUser.uid, (err) => {
|
2017-05-23 22:09:25 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
var expiry = Date.now() + 10000;
|
2021-02-04 00:01:39 -07:00
|
|
|
user.bans.ban(bannedUser.uid, expiry, '', (err) => {
|
2017-05-23 22:09:25 -04:00
|
|
|
assert.ifError(err);
|
2021-02-04 00:01:39 -07:00
|
|
|
loginUser(bannedUser.username, bannedUser.pw, (err, res, body) => {
|
2017-05-23 22:09:25 -04:00
|
|
|
assert.ifError(err);
|
|
|
|
|
assert.equal(res.statusCode, 403);
|
2021-02-03 23:59:08 -07:00
|
|
|
assert.equal(body, `[[error:user-banned-reason-until, ${utils.toISOString(expiry)}, No reason given.]]`);
|
2017-05-23 22:09:25 -04:00
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
2020-12-14 09:20:41 +03:00
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should allow banned user to log in if the "banned-users" group has "local-login" privilege', async () => {
|
2020-12-14 09:20:41 +03:00
|
|
|
await privileges.global.give(['groups:local:login'], 'banned-users');
|
|
|
|
|
const res = await loginUserPromisified(bannedUser.username, bannedUser.pw);
|
|
|
|
|
assert.strictEqual(res.statusCode, 200);
|
|
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should allow banned user to log in if the user herself has "local-login" privilege', async () => {
|
2020-12-14 09:20:41 +03:00
|
|
|
await privileges.global.rescind(['groups:local:login'], 'banned-users');
|
|
|
|
|
await privileges.categories.give(['local:login'], 0, bannedUser.uid);
|
|
|
|
|
const res = await loginUserPromisified(bannedUser.username, bannedUser.pw);
|
|
|
|
|
assert.strictEqual(res.statusCode, 200);
|
|
|
|
|
});
|
2017-05-23 22:09:25 -04:00
|
|
|
});
|
|
|
|
|
|
2021-02-04 00:01:39 -07:00
|
|
|
it('should lockout account on 3 failed login attempts', (done) => {
|
2017-05-23 22:47:40 -04:00
|
|
|
meta.config.loginAttempts = 3;
|
|
|
|
|
var uid;
|
|
|
|
|
async.waterfall([
|
|
|
|
|
function (next) {
|
|
|
|
|
user.create({ username: 'lockme', password: '123456' }, next);
|
|
|
|
|
},
|
|
|
|
|
function (_uid, next) {
|
|
|
|
|
uid = _uid;
|
|
|
|
|
loginUser('lockme', 'abcdef', next);
|
|
|
|
|
},
|
|
|
|
|
function (res, body, jar, next) {
|
|
|
|
|
loginUser('lockme', 'abcdef', next);
|
|
|
|
|
},
|
|
|
|
|
function (res, body, jar, next) {
|
|
|
|
|
loginUser('lockme', 'abcdef', next);
|
|
|
|
|
},
|
|
|
|
|
function (res, body, jar, next) {
|
|
|
|
|
loginUser('lockme', 'abcdef', next);
|
|
|
|
|
},
|
|
|
|
|
function (res, body, jar, next) {
|
|
|
|
|
meta.config.loginAttempts = 5;
|
2017-05-23 23:03:40 -04:00
|
|
|
assert.equal(res.statusCode, 403);
|
|
|
|
|
assert.equal(body, '[[error:account-locked]]');
|
|
|
|
|
loginUser('lockme', 'abcdef', next);
|
|
|
|
|
},
|
|
|
|
|
function (res, body, jar, next) {
|
2017-05-23 22:47:40 -04:00
|
|
|
assert.equal(res.statusCode, 403);
|
|
|
|
|
assert.equal(body, '[[error:account-locked]]');
|
2021-02-03 23:59:08 -07:00
|
|
|
db.exists(`lockout:${uid}`, next);
|
2017-05-23 22:47:40 -04:00
|
|
|
},
|
|
|
|
|
function (locked, next) {
|
|
|
|
|
assert(locked);
|
|
|
|
|
next();
|
|
|
|
|
},
|
|
|
|
|
], done);
|
|
|
|
|
});
|
2016-10-16 16:43:38 +03:00
|
|
|
});
|
