NodeBB/test/authentication.js

'use strict';


var	assert = require('assert');
var nconf = require('nconf');
var request = require('request');

var db = require('./mocks/databasemock');
var user = require('../src/user');
var meta = require('../src/meta');

describe('authentication', function () {
	function loginUser(username, password, callback) {
		var jar = request.jar();
		request({
			url: nconf.get('url') + '/api/config',
			json: true,
			jar: jar,
		}, function (err, response, body) {
			if (err) {
				return callback(err);
			}

			request.post(nconf.get('url') + '/login', {
				form: {
					username: username,
					password: password,
				},
				json: true,
				jar: jar,
				headers: {
					'x-csrf-token': body.csrf_token,
				},
			}, function (err, response, body) {
				callback(err, response, body, jar);
			});
		});
	}

	function registerUser(email, username, password, callback) {
		var jar = request.jar();
		request({
			url: nconf.get('url') + '/api/config',
			json: true,
			jar: jar,
		}, function (err, response, body) {
			if (err) {
				return callback(err);
			}

			request.post(nconf.get('url') + '/register', {
				form: {
					email: email,
					username: username,
					password: password,
				},
				json: true,
				jar: jar,
				headers: {
					'x-csrf-token': body.csrf_token,
				},
			}, function (err, response, body) {
				callback(err, response, body, jar);
			});
		});
	}

	var jar = request.jar();
	var regularUid;
	before(function (done) {
		user.create({ username: 'regular', password: 'regularpwd', email: 'regular@nodebb.org' }, function (err, uid) {
			assert.ifError(err);
			regularUid = uid;
			done();
		});
	});

	it('should register and login a user', function (done) {
		request({
			url: nconf.get('url') + '/api/config',
			json: true,
			jar: jar,
		}, function (err, response, body) {
			assert.ifError(err);

			request.post(nconf.get('url') + '/register', {
				form: {
					email: 'admin@nodebb.org',
					username: 'admin',
					password: 'adminpwd',
				},
				json: true,
				jar: jar,
				headers: {
					'x-csrf-token': body.csrf_token,
				},
			}, function (err, response, body) {
				assert.ifError(err);
				assert(body);

				request({
					url: nconf.get('url') + '/api/me',
					json: true,
					jar: jar,
				}, function (err, response, body) {
					assert.ifError(err);
					assert(body);
					assert.equal(body.username, 'admin');
					assert.equal(body.email, 'admin@nodebb.org');
					done();
				});
			});
		});
	});

	it('should logout a user', function (done) {
		request({
			url: nconf.get('url') + '/api/config',
			json: true,
			jar: jar,
		}, function (err, response, body) {
			assert.ifError(err);

			request.post(nconf.get('url') + '/logout', {
				form: {},
				json: true,
				jar: jar,
				headers: {
					'x-csrf-token': body.csrf_token,
				},
			}, function (err) {
				assert.ifError(err);

				request({
					url: nconf.get('url') + '/api/me',
					json: true,
					jar: jar,
				}, function (err, response, body) {
					assert.ifError(err);
					assert.equal(body, 'not-authorized');
					done();
				});
			});
		});
	});

	it('should login a user', function (done) {
		loginUser('regular', 'regularpwd', function (err, response, body, jar) {
			assert.ifError(err);
			assert(body);

			request({
				url: nconf.get('url') + '/api/me',
				json: true,
				jar: jar,
			}, function (err, response, body) {
				assert.ifError(err);
				assert(body);
				assert.equal(body.username, 'regular');
				assert.equal(body.email, 'regular@nodebb.org');
				db.getObject('uid:' + regularUid + ':sessionUUID:sessionId', function (err, sessions) {
					assert.ifError(err);
					assert(sessions);
					assert(Object.keys(sessions).length > 0);
					done();
				});
			});
		});
	});

	it('should revoke all sessions', function (done) {
		var socketAdmin = require('../src/socket.io/admin');
		db.sortedSetCard('uid:' + regularUid + ':sessions', function (err, count) {
			assert.ifError(err);
			assert(count);
			socketAdmin.deleteAllSessions({ uid: 1 }, {}, function (err) {
				assert.ifError(err);
				db.sortedSetCard('uid:' + regularUid + ':sessions', function (err, count) {
					assert.ifError(err);
					assert(!count);
					done();
				});
			});
		});
	});

	it('should fail to login if user does not exist', function (done) {
		loginUser('doesnotexist', 'nopassword', function (err, response, body) {
			assert.ifError(err);
			assert.equal(response.statusCode, 403);
			assert.equal(body, '[[error:invalid-login-credentials]]');
			done();
		});
	});

	it('should fail to login if username is empty', function (done) {
		loginUser('', 'some password', function (err, response, body) {
			assert.ifError(err);
			assert.equal(response.statusCode, 403);
			assert.equal(body, '[[error:invalid-username-or-password]]');
			done();
		});
	});

	it('should fail to login if password is empty', function (done) {
		loginUser('someuser', '', function (err, response, body) {
			assert.ifError(err);
			assert.equal(response.statusCode, 403);
			assert.equal(body, '[[error:invalid-username-or-password]]');
			done();
		});
	});

	it('should fail to login if username and password are empty', function (done) {
		loginUser('', '', function (err, response, body) {
			assert.ifError(err);
			assert.equal(response.statusCode, 403);
			assert.equal(body, '[[error:invalid-username-or-password]]');
			done();
		});
	});

	it('should fail to login if password is longer than 4096', function (done) {
		var longPassword;
		for (var i = 0; i < 5000; i++) {
			longPassword += 'a';
		}
		loginUser('someuser', longPassword, function (err, response, body) {
			assert.ifError(err);
			assert.equal(response.statusCode, 403);
			assert.equal(body, '[[error:password-too-long]]');
			done();
		});
	});


	it('should fail to login if local login is disabled', function (done) {
		meta.config.allowLocalLogin = 0;
		loginUser('someuser', 'somepass', function (err, response, body) {
			meta.config.allowLocalLogin = 1;
			assert.ifError(err);
			assert.equal(response.statusCode, 403);
			assert.equal(body, '[[error:local-login-disabled]]');
			done();
		});
	});

	it('should fail to register if registraton is disabled', function (done) {
		meta.config.registrationType = 'disabled';
		registerUser('some@user.com', 'someuser', 'somepassword', function (err, response, body) {
			assert.ifError(err);
			assert.equal(response.statusCode, 403);
			assert.equal(body, 'Forbidden');
			done();
		});
	});

	it('should return error if invitation is not valid', function (done) {
		meta.config.registrationType = 'invite-only';
		registerUser('some@user.com', 'someuser', 'somepassword', function (err, response, body) {
			meta.config.registrationType = 'normal';
			assert.ifError(err);
			assert.equal(response.statusCode, 400);
			assert.equal(body, '[[error:invalid-data]]');
			done();
		});
	});

	it('should fail to register if email is falsy', function (done) {
		registerUser('', 'someuser', 'somepassword', function (err, response, body) {
			assert.ifError(err);
			assert.equal(response.statusCode, 400);
			assert.equal(body, '[[error:invalid-email]]');
			done();
		});
	});

	it('should fail to register if username is falsy or too short', function (done) {
		registerUser('some@user.com', '', 'somepassword', function (err, response, body) {
			assert.ifError(err);
			assert.equal(response.statusCode, 400);
			assert.equal(body, '[[error:username-too-short]]');
			registerUser('some@user.com', 'a', 'somepassword', function (err, response, body) {
				assert.ifError(err);
				assert.equal(response.statusCode, 400);
				assert.equal(body, '[[error:username-too-short]]');
				done();
			});
		});
	});

	it('should fail to register if username is too long', function (done) {
		registerUser('some@user.com', 'thisisareallylongusername', '123456', function (err, response, body) {
			assert.ifError(err);
			assert.equal(response.statusCode, 400);
			assert.equal(body, '[[error:username-too-long]]');
			done();
		});
	});

	after(function (done) {
		db.emptydb(done);
	});
});
more tests register/login/logout tests ability to test socket.io emits for logged in users 2016-10-16 16:43:38 +03:00			`'use strict';`
ESlint no-undef, remove global comments 2017-02-17 21:55:19 -07:00
more tests register/login/logout tests ability to test socket.io emits for logged in users 2016-10-16 16:43:38 +03:00
			`var assert = require('assert');`
			`var nconf = require('nconf');`
			`var request = require('request');`

			`var db = require('./mocks/databasemock');`
more test fixes 2016-10-16 21:51:42 +03:00			`var user = require('../src/user');`
tests for login 2017-05-23 15:37:32 -04:00			`var meta = require('../src/meta');`
more tests register/login/logout tests ability to test socket.io emits for logged in users 2016-10-16 16:43:38 +03:00
			`describe('authentication', function () {`
tests for login 2017-05-23 15:37:32 -04:00			`function loginUser(username, password, callback) {`
			`var jar = request.jar();`
			`request({`
			`url: nconf.get('url') + '/api/config',`
			`json: true,`
			`jar: jar,`
			`}, function (err, response, body) {`
			`if (err) {`
			`return callback(err);`
			`}`

			`request.post(nconf.get('url') + '/login', {`
			`form: {`
			`username: username,`
			`password: password,`
			`},`
			`json: true,`
			`jar: jar,`
			`headers: {`
			`'x-csrf-token': body.csrf_token,`
			`},`
			`}, function (err, response, body) {`
			`callback(err, response, body, jar);`
			`});`
			`});`
			`}`

more auth tests 2017-05-23 17:37:16 -04:00			`function registerUser(email, username, password, callback) {`
			`var jar = request.jar();`
			`request({`
			`url: nconf.get('url') + '/api/config',`
			`json: true,`
			`jar: jar,`
			`}, function (err, response, body) {`
			`if (err) {`
			`return callback(err);`
			`}`

			`request.post(nconf.get('url') + '/register', {`
			`form: {`
			`email: email,`
			`username: username,`
			`password: password,`
			`},`
			`json: true,`
			`jar: jar,`
			`headers: {`
			`'x-csrf-token': body.csrf_token,`
			`},`
			`}, function (err, response, body) {`
			`callback(err, response, body, jar);`
			`});`
			`});`
			`}`
tests for login 2017-05-23 15:37:32 -04:00
more tests register/login/logout tests ability to test socket.io emits for logged in users 2016-10-16 16:43:38 +03:00			`var jar = request.jar();`
closes #4544 2016-12-15 14:47:42 +03:00			`var regularUid;`
fix eslint errors 2016-10-16 17:42:14 +03:00			`before(function (done) {`
ESlint object-curly-spacing 2017-02-18 12:30:49 -07:00			`user.create({ username: 'regular', password: 'regularpwd', email: 'regular@nodebb.org' }, function (err, uid) {`
fix eslint errors 2016-10-16 17:42:14 +03:00			`assert.ifError(err);`
closes #4544 2016-12-15 14:47:42 +03:00			`regularUid = uid;`
try require from root 2016-10-16 17:36:24 +03:00			`done();`
			`});`
			`});`

more tests register/login/logout tests ability to test socket.io emits for logged in users 2016-10-16 16:43:38 +03:00			`it('should register and login a user', function (done) {`
			`request({`
			`url: nconf.get('url') + '/api/config',`
			`json: true,`
ESlint comma-dangle 2017-02-17 19:31:21 -07:00			`jar: jar,`
more tests register/login/logout tests ability to test socket.io emits for logged in users 2016-10-16 16:43:38 +03:00			`}, function (err, response, body) {`
			`assert.ifError(err);`

			`request.post(nconf.get('url') + '/register', {`
			`form: {`
			`email: 'admin@nodebb.org',`
			`username: 'admin',`
			`password: 'adminpwd',`
			`},`
			`json: true,`
			`jar: jar,`
			`headers: {`
ESlint comma-dangle 2017-02-17 19:31:21 -07:00			`'x-csrf-token': body.csrf_token,`
			`},`
more tests register/login/logout tests ability to test socket.io emits for logged in users 2016-10-16 16:43:38 +03:00			`}, function (err, response, body) {`
			`assert.ifError(err);`
			`assert(body);`

			`request({`
			`url: nconf.get('url') + '/api/me',`
			`json: true,`
ESlint comma-dangle 2017-02-17 19:31:21 -07:00			`jar: jar,`
more tests register/login/logout tests ability to test socket.io emits for logged in users 2016-10-16 16:43:38 +03:00			`}, function (err, response, body) {`
			`assert.ifError(err);`
			`assert(body);`
			`assert.equal(body.username, 'admin');`
			`assert.equal(body.email, 'admin@nodebb.org');`
more test fixes 2016-10-16 21:51:42 +03:00			`done();`
more tests register/login/logout tests ability to test socket.io emits for logged in users 2016-10-16 16:43:38 +03:00			`});`
			`});`
			`});`
			`});`

			`it('should logout a user', function (done) {`
			`request({`
			`url: nconf.get('url') + '/api/config',`
			`json: true,`
ESlint comma-dangle 2017-02-17 19:31:21 -07:00			`jar: jar,`
more tests register/login/logout tests ability to test socket.io emits for logged in users 2016-10-16 16:43:38 +03:00			`}, function (err, response, body) {`
			`assert.ifError(err);`

			`request.post(nconf.get('url') + '/logout', {`
			`form: {},`
			`json: true,`
			`jar: jar,`
			`headers: {`
ESlint comma-dangle 2017-02-17 19:31:21 -07:00			`'x-csrf-token': body.csrf_token,`
			`},`
closes #4544 2016-12-15 14:47:42 +03:00			`}, function (err) {`
more tests register/login/logout tests ability to test socket.io emits for logged in users 2016-10-16 16:43:38 +03:00			`assert.ifError(err);`

			`request({`
			`url: nconf.get('url') + '/api/me',`
			`json: true,`
ESlint comma-dangle 2017-02-17 19:31:21 -07:00			`jar: jar,`
more tests register/login/logout tests ability to test socket.io emits for logged in users 2016-10-16 16:43:38 +03:00			`}, function (err, response, body) {`
			`assert.ifError(err);`
			`assert.equal(body, 'not-authorized');`
Fix eslint rules (#5117) * Fix semi linter rule * Fix semi-spacing linter rule * Fix no-undef-init linter rule * Fix space-before-blocks linter rule 2016-10-25 21:34:47 +02:00			`done();`
more tests register/login/logout tests ability to test socket.io emits for logged in users 2016-10-16 16:43:38 +03:00			`});`
			`});`
			`});`
			`});`

			`it('should login a user', function (done) {`
tests for login 2017-05-23 15:37:32 -04:00			`loginUser('regular', 'regularpwd', function (err, response, body, jar) {`
more tests register/login/logout tests ability to test socket.io emits for logged in users 2016-10-16 16:43:38 +03:00			`assert.ifError(err);`
tests for login 2017-05-23 15:37:32 -04:00			`assert(body);`
more tests register/login/logout tests ability to test socket.io emits for logged in users 2016-10-16 16:43:38 +03:00
tests for login 2017-05-23 15:37:32 -04:00			`request({`
			`url: nconf.get('url') + '/api/me',`
more tests register/login/logout tests ability to test socket.io emits for logged in users 2016-10-16 16:43:38 +03:00			`json: true,`
			`jar: jar,`
			`}, function (err, response, body) {`
			`assert.ifError(err);`
			`assert(body);`
tests for login 2017-05-23 15:37:32 -04:00			`assert.equal(body.username, 'regular');`
			`assert.equal(body.email, 'regular@nodebb.org');`
			`db.getObject('uid:' + regularUid + ':sessionUUID:sessionId', function (err, sessions) {`
more tests register/login/logout tests ability to test socket.io emits for logged in users 2016-10-16 16:43:38 +03:00			`assert.ifError(err);`
tests for login 2017-05-23 15:37:32 -04:00			`assert(sessions);`
			`assert(Object.keys(sessions).length > 0);`
			`done();`
more tests register/login/logout tests ability to test socket.io emits for logged in users 2016-10-16 16:43:38 +03:00			`});`
			`});`
			`});`
			`});`

closes #4544 2016-12-15 14:47:42 +03:00			`it('should revoke all sessions', function (done) {`
			`var socketAdmin = require('../src/socket.io/admin');`
			`db.sortedSetCard('uid:' + regularUid + ':sessions', function (err, count) {`
			`assert.ifError(err);`
			`assert(count);`
ESlint object-curly-spacing 2017-02-18 12:30:49 -07:00			`socketAdmin.deleteAllSessions({ uid: 1 }, {}, function (err) {`
closes #4544 2016-12-15 14:47:42 +03:00			`assert.ifError(err);`
			`db.sortedSetCard('uid:' + regularUid + ':sessions', function (err, count) {`
			`assert.ifError(err);`
			`assert(!count);`
			`done();`
			`});`
			`});`
			`});`
			`});`

test login for non-existant user 2017-05-19 16:18:18 -04:00			`it('should fail to login if user does not exist', function (done) {`
tests for login 2017-05-23 15:37:32 -04:00			`loginUser('doesnotexist', 'nopassword', function (err, response, body) {`
test login for non-existant user 2017-05-19 16:18:18 -04:00			`assert.ifError(err);`
tests for login 2017-05-23 15:37:32 -04:00			`assert.equal(response.statusCode, 403);`
			`assert.equal(body, '[[error:invalid-login-credentials]]');`
			`done();`
			`});`
			`});`
test login for non-existant user 2017-05-19 16:18:18 -04:00
tests for login 2017-05-23 15:37:32 -04:00			`it('should fail to login if username is empty', function (done) {`
			`loginUser('', 'some password', function (err, response, body) {`
			`assert.ifError(err);`
			`assert.equal(response.statusCode, 403);`
			`assert.equal(body, '[[error:invalid-username-or-password]]');`
			`done();`
test login for non-existant user 2017-05-19 16:18:18 -04:00			`});`
			`});`

tests for login 2017-05-23 15:37:32 -04:00			`it('should fail to login if password is empty', function (done) {`
			`loginUser('someuser', '', function (err, response, body) {`
			`assert.ifError(err);`
			`assert.equal(response.statusCode, 403);`
			`assert.equal(body, '[[error:invalid-username-or-password]]');`
			`done();`
			`});`
			`});`

			`it('should fail to login if username and password are empty', function (done) {`
			`loginUser('', '', function (err, response, body) {`
			`assert.ifError(err);`
			`assert.equal(response.statusCode, 403);`
			`assert.equal(body, '[[error:invalid-username-or-password]]');`
			`done();`
			`});`
			`});`

			`it('should fail to login if password is longer than 4096', function (done) {`
			`var longPassword;`
			`for (var i = 0; i < 5000; i++) {`
			`longPassword += 'a';`
			`}`
			`loginUser('someuser', longPassword, function (err, response, body) {`
			`assert.ifError(err);`
			`assert.equal(response.statusCode, 403);`
			`assert.equal(body, '[[error:password-too-long]]');`
			`done();`
			`});`
			`});`


			`it('should fail to login if local login is disabled', function (done) {`
			`meta.config.allowLocalLogin = 0;`
			`loginUser('someuser', 'somepass', function (err, response, body) {`
			`meta.config.allowLocalLogin = 1;`
			`assert.ifError(err);`
			`assert.equal(response.statusCode, 403);`
			`assert.equal(body, '[[error:local-login-disabled]]');`
			`done();`
			`});`
			`});`
more tests register/login/logout tests ability to test socket.io emits for logged in users 2016-10-16 16:43:38 +03:00
more auth tests 2017-05-23 17:37:16 -04:00			`it('should fail to register if registraton is disabled', function (done) {`
			`meta.config.registrationType = 'disabled';`
			`registerUser('some@user.com', 'someuser', 'somepassword', function (err, response, body) {`
			`assert.ifError(err);`
			`assert.equal(response.statusCode, 403);`
			`assert.equal(body, 'Forbidden');`
			`done();`
			`});`
			`});`

			`it('should return error if invitation is not valid', function (done) {`
			`meta.config.registrationType = 'invite-only';`
			`registerUser('some@user.com', 'someuser', 'somepassword', function (err, response, body) {`
			`meta.config.registrationType = 'normal';`
			`assert.ifError(err);`
			`assert.equal(response.statusCode, 400);`
			`assert.equal(body, '[[error:invalid-data]]');`
			`done();`
			`});`
			`});`

			`it('should fail to register if email is falsy', function (done) {`
			`registerUser('', 'someuser', 'somepassword', function (err, response, body) {`
			`assert.ifError(err);`
			`assert.equal(response.statusCode, 400);`
			`assert.equal(body, '[[error:invalid-email]]');`
			`done();`
			`});`
			`});`

			`it('should fail to register if username is falsy or too short', function (done) {`
			`registerUser('some@user.com', '', 'somepassword', function (err, response, body) {`
			`assert.ifError(err);`
			`assert.equal(response.statusCode, 400);`
			`assert.equal(body, '[[error:username-too-short]]');`
			`registerUser('some@user.com', 'a', 'somepassword', function (err, response, body) {`
			`assert.ifError(err);`
			`assert.equal(response.statusCode, 400);`
			`assert.equal(body, '[[error:username-too-short]]');`
			`done();`
			`});`
			`});`
			`});`

			`it('should fail to register if username is too long', function (done) {`
			`registerUser('some@user.com', 'thisisareallylongusername', '123456', function (err, response, body) {`
			`assert.ifError(err);`
			`assert.equal(response.statusCode, 400);`
			`assert.equal(body, '[[error:username-too-long]]');`
			`done();`
			`});`
			`});`

more tests register/login/logout tests ability to test socket.io emits for logged in users 2016-10-16 16:43:38 +03:00			`after(function (done) {`
search tests new method emptydb use emptydb instead of flushdb, flushdb removes indices for mongo which breaks search tests initialize meta.config properly in tests enable nodebb-plugin-dbsearch for tests 2016-10-17 23:34:09 +03:00			`db.emptydb(done);`
more tests register/login/logout tests ability to test socket.io emits for logged in users 2016-10-16 16:43:38 +03:00			`});`
			`});`