mirror of
https://github.com/NodeBB/NodeBB.git
synced 2025-12-30 04:10:27 +01:00
c4fbed24f8
commit 9c86d9b2904e14927cd7e9679b92aec0951d1063 Merge: ebfa63a5a7f811Author: Julian Lam <julian@nodebb.org> Date: Thu Jul 20 08:41:39 2017 -0400 Merge branch 'noscript-login' of https://github.com/An-dz/NodeBB into noscript commit5a7f81185eAuthor: André Zanghelini <an_dz@simutrans-forum> Date: Mon Jul 17 23:07:14 2017 -0300 Rename clashing variable 'next' commit ebfa63a984073a58c17aa408c363cdb03ef89985 Merge: c1801cdf159d0dAuthor: Julian Lam <julian@nodebb.org> Date: Mon Jul 17 16:30:40 2017 -0400 Merge branch 'noscript-logout' of https://github.com/An-dz/NodeBB into noscript commit c1801cda14e6363491e30b659902e2ae71f7e1f7 Merge: 7a5f9f39fd542dAuthor: Julian Lam <julian@nodebb.org> Date: Mon Jul 17 16:30:31 2017 -0400 Merge branch 'noscript-register' of https://github.com/An-dz/NodeBB into noscript commit 7a5f9f35abc834bb72ddddc9ca07d34f2fde8353 Merge:44851f9d37b95cAuthor: Julian Lam <julian@nodebb.org> Date: Mon Jul 17 16:30:10 2017 -0400 Merge branch 'noscript-compose' of https://github.com/An-dz/NodeBB into noscript commitf159d0d9efAuthor: André Zanghelini <an_dz@simutrans-forum> Date: Thu Jul 6 12:16:38 2017 -0300 Prevent form submit Required for theme change commitd37b95cb71Author: André Zanghelini <an_dz@simutrans-forum> Date: Thu Jul 6 01:49:52 2017 -0300 Prevent link action with scripts Required for the theme change that changes the buttons to `a` tags. commit9fd542d897Author: André Zanghelini <an_dz@simutrans-forum> Date: Wed Jul 5 19:57:56 2017 -0300 Fix tests commitcdad5bf8c2Author: André Zanghelini <an_dz@simutrans-forum> Date: Wed Jul 5 19:09:17 2017 -0300 Update error handling commit4ff11cd136Author: André Zanghelini <an_dz@simutrans-forum> Date: Wed Jul 5 17:29:08 2017 -0300 Remove async waterfall commitdf01d44e82Author: André Zanghelini <an_dz@simutrans-forum> Date: Wed Jul 5 16:59:43 2017 -0300 Set noscript compose as noscript at start commit4bcc380da7Author: André Zanghelini <an_dz@simutrans-forum> Date: Wed Jul 5 16:59:12 2017 -0300 Remove last useless next commitb5eac6fea1Author: André Zanghelini <an_dz@simutrans-forum> Date: Sun Jul 2 18:35:08 2017 -0300 Last function requires no next commit20a5cce6e6Author: André Zanghelini <an_dz@simutrans-forum> Date: Sun Jul 2 18:06:58 2017 -0300 Remove more useless next calls commit85ee22a79bAuthor: André Zanghelini <an_dz@simutrans-forum> Date: Sun Jul 2 17:46:07 2017 -0300 Remove useless next calls commit7d984c47adAuthor: André Zanghelini <an_dz@simutrans-forum> Date: Sun Jul 2 15:45:31 2017 -0300 Support old themes commit4a09dfbd08Author: André Zanghelini <an_dz@simutrans-forum> Date: Sun Jul 2 15:37:23 2017 -0300 Moved all error handling into helpers function commit391aa6e67eAuthor: André Zanghelini <an_dz@simutrans-forum> Date: Thu Jun 8 15:37:37 2017 -0300 ESLint - Fix mixed conditionals commit80ccc6fd58Author: André Zanghelini <an_dz@simutrans-forum> Date: Sat Jun 3 18:08:15 2017 -0300 Compose without scripts commit2aca811256Author: André Zanghelini <an_dz@simutrans-forum> Date: Sat Jun 3 18:00:44 2017 -0300 Register without scripts commit097bb51577Author: André Zanghelini <an_dz@simutrans-forum> Date: Sat Jun 3 16:42:15 2017 -0300 Logout without scripts commitd497e08109Author: André Zanghelini <an_dz@simutrans-forum> Date: Sat Jun 3 16:27:10 2017 -0300 Login without script
419 lines
12 KiB
JavaScript
419 lines
12 KiB
JavaScript
'use strict';
|
|
|
|
|
|
var assert = require('assert');
|
|
var nconf = require('nconf');
|
|
var request = require('request');
|
|
var async = require('async');
|
|
|
|
var db = require('./mocks/databasemock');
|
|
var user = require('../src/user');
|
|
var meta = require('../src/meta');
|
|
var helpers = require('./helpers');
|
|
|
|
describe('authentication', function () {
|
|
function loginUser(username, password, callback) {
|
|
var jar = request.jar();
|
|
request({
|
|
url: nconf.get('url') + '/api/config',
|
|
json: true,
|
|
jar: jar,
|
|
}, function (err, response, body) {
|
|
if (err) {
|
|
return callback(err);
|
|
}
|
|
|
|
request.post(nconf.get('url') + '/login', {
|
|
form: {
|
|
username: username,
|
|
password: password,
|
|
},
|
|
json: true,
|
|
jar: jar,
|
|
headers: {
|
|
'x-csrf-token': body.csrf_token,
|
|
},
|
|
}, function (err, response, body) {
|
|
callback(err, response, body, jar);
|
|
});
|
|
});
|
|
}
|
|
|
|
function registerUser(email, username, password, callback) {
|
|
var jar = request.jar();
|
|
request({
|
|
url: nconf.get('url') + '/api/config',
|
|
json: true,
|
|
jar: jar,
|
|
}, function (err, response, body) {
|
|
if (err) {
|
|
return callback(err);
|
|
}
|
|
|
|
request.post(nconf.get('url') + '/register', {
|
|
form: {
|
|
email: email,
|
|
username: username,
|
|
password: password,
|
|
'password-confirm': password,
|
|
},
|
|
json: true,
|
|
jar: jar,
|
|
headers: {
|
|
'x-csrf-token': body.csrf_token,
|
|
},
|
|
}, function (err, response, body) {
|
|
callback(err, response, body, jar);
|
|
});
|
|
});
|
|
}
|
|
|
|
var jar = request.jar();
|
|
var regularUid;
|
|
before(function (done) {
|
|
user.create({ username: 'regular', password: 'regularpwd', email: 'regular@nodebb.org' }, function (err, uid) {
|
|
assert.ifError(err);
|
|
regularUid = uid;
|
|
done();
|
|
});
|
|
});
|
|
|
|
it('should register and login a user', function (done) {
|
|
request({
|
|
url: nconf.get('url') + '/api/config',
|
|
json: true,
|
|
jar: jar,
|
|
}, function (err, response, body) {
|
|
assert.ifError(err);
|
|
|
|
request.post(nconf.get('url') + '/register', {
|
|
form: {
|
|
email: 'admin@nodebb.org',
|
|
username: 'admin',
|
|
password: 'adminpwd',
|
|
'password-confirm': 'adminpwd',
|
|
userLang: 'it',
|
|
},
|
|
json: true,
|
|
jar: jar,
|
|
headers: {
|
|
'x-csrf-token': body.csrf_token,
|
|
},
|
|
}, function (err, response, body) {
|
|
assert.ifError(err);
|
|
assert(body);
|
|
|
|
request({
|
|
url: nconf.get('url') + '/api/me',
|
|
json: true,
|
|
jar: jar,
|
|
}, function (err, response, body) {
|
|
assert.ifError(err);
|
|
assert(body);
|
|
assert.equal(body.username, 'admin');
|
|
assert.equal(body.email, 'admin@nodebb.org');
|
|
user.getSettings(body.uid, function (err, settings) {
|
|
assert.ifError(err);
|
|
assert.equal(settings.userLang, 'it');
|
|
done();
|
|
});
|
|
});
|
|
});
|
|
});
|
|
});
|
|
|
|
it('should logout a user', function (done) {
|
|
helpers.logoutUser(jar, function (err) {
|
|
assert.ifError(err);
|
|
request({
|
|
url: nconf.get('url') + '/api/me',
|
|
json: true,
|
|
jar: jar,
|
|
}, function (err, response, body) {
|
|
assert.ifError(err);
|
|
assert.equal(body, 'not-authorized');
|
|
done();
|
|
});
|
|
});
|
|
});
|
|
|
|
it('should login a user', function (done) {
|
|
loginUser('regular', 'regularpwd', function (err, response, body, jar) {
|
|
assert.ifError(err);
|
|
assert(body);
|
|
|
|
request({
|
|
url: nconf.get('url') + '/api/me',
|
|
json: true,
|
|
jar: jar,
|
|
}, function (err, response, body) {
|
|
assert.ifError(err);
|
|
assert(body);
|
|
assert.equal(body.username, 'regular');
|
|
assert.equal(body.email, 'regular@nodebb.org');
|
|
db.getObject('uid:' + regularUid + ':sessionUUID:sessionId', function (err, sessions) {
|
|
assert.ifError(err);
|
|
assert(sessions);
|
|
assert(Object.keys(sessions).length > 0);
|
|
done();
|
|
});
|
|
});
|
|
});
|
|
});
|
|
|
|
it('should revoke all sessions', function (done) {
|
|
var socketAdmin = require('../src/socket.io/admin');
|
|
db.sortedSetCard('uid:' + regularUid + ':sessions', function (err, count) {
|
|
assert.ifError(err);
|
|
assert(count);
|
|
socketAdmin.deleteAllSessions({ uid: 1 }, {}, function (err) {
|
|
assert.ifError(err);
|
|
db.sortedSetCard('uid:' + regularUid + ':sessions', function (err, count) {
|
|
assert.ifError(err);
|
|
assert(!count);
|
|
done();
|
|
});
|
|
});
|
|
});
|
|
});
|
|
|
|
it('should fail to login if user does not exist', function (done) {
|
|
loginUser('doesnotexist', 'nopassword', function (err, response, body) {
|
|
assert.ifError(err);
|
|
assert.equal(response.statusCode, 403);
|
|
assert.equal(body, '[[error:invalid-login-credentials]]');
|
|
done();
|
|
});
|
|
});
|
|
|
|
it('should fail to login if username is empty', function (done) {
|
|
loginUser('', 'some password', function (err, response, body) {
|
|
assert.ifError(err);
|
|
assert.equal(response.statusCode, 403);
|
|
assert.equal(body, '[[error:invalid-username-or-password]]');
|
|
done();
|
|
});
|
|
});
|
|
|
|
it('should fail to login if password is empty', function (done) {
|
|
loginUser('someuser', '', function (err, response, body) {
|
|
assert.ifError(err);
|
|
assert.equal(response.statusCode, 403);
|
|
assert.equal(body, '[[error:invalid-username-or-password]]');
|
|
done();
|
|
});
|
|
});
|
|
|
|
it('should fail to login if username and password are empty', function (done) {
|
|
loginUser('', '', function (err, response, body) {
|
|
assert.ifError(err);
|
|
assert.equal(response.statusCode, 403);
|
|
assert.equal(body, '[[error:invalid-username-or-password]]');
|
|
done();
|
|
});
|
|
});
|
|
|
|
it('should fail to login if password is longer than 4096', function (done) {
|
|
var longPassword;
|
|
for (var i = 0; i < 5000; i++) {
|
|
longPassword += 'a';
|
|
}
|
|
loginUser('someuser', longPassword, function (err, response, body) {
|
|
assert.ifError(err);
|
|
assert.equal(response.statusCode, 403);
|
|
assert.equal(body, '[[error:password-too-long]]');
|
|
done();
|
|
});
|
|
});
|
|
|
|
|
|
it('should fail to login if local login is disabled', function (done) {
|
|
meta.config.allowLocalLogin = 0;
|
|
loginUser('someuser', 'somepass', function (err, response, body) {
|
|
meta.config.allowLocalLogin = 1;
|
|
assert.ifError(err);
|
|
assert.equal(response.statusCode, 403);
|
|
assert.equal(body, '[[error:local-login-disabled]]');
|
|
done();
|
|
});
|
|
});
|
|
|
|
it('should fail to register if registraton is disabled', function (done) {
|
|
meta.config.registrationType = 'disabled';
|
|
registerUser('some@user.com', 'someuser', 'somepassword', function (err, response, body) {
|
|
assert.ifError(err);
|
|
assert.equal(response.statusCode, 403);
|
|
assert.equal(body, 'Forbidden');
|
|
done();
|
|
});
|
|
});
|
|
|
|
it('should return error if invitation is not valid', function (done) {
|
|
meta.config.registrationType = 'invite-only';
|
|
registerUser('some@user.com', 'someuser', 'somepassword', function (err, response, body) {
|
|
meta.config.registrationType = 'normal';
|
|
assert.ifError(err);
|
|
assert.equal(response.statusCode, 400);
|
|
assert.equal(body, '[[error:invalid-data]]');
|
|
done();
|
|
});
|
|
});
|
|
|
|
it('should fail to register if email is falsy', function (done) {
|
|
registerUser('', 'someuser', 'somepassword', function (err, response, body) {
|
|
assert.ifError(err);
|
|
assert.equal(response.statusCode, 400);
|
|
assert.equal(body, '[[error:invalid-email]]');
|
|
done();
|
|
});
|
|
});
|
|
|
|
it('should fail to register if username is falsy or too short', function (done) {
|
|
registerUser('some@user.com', '', 'somepassword', function (err, response, body) {
|
|
assert.ifError(err);
|
|
assert.equal(response.statusCode, 400);
|
|
assert.equal(body, '[[error:username-too-short]]');
|
|
registerUser('some@user.com', 'a', 'somepassword', function (err, response, body) {
|
|
assert.ifError(err);
|
|
assert.equal(response.statusCode, 400);
|
|
assert.equal(body, '[[error:username-too-short]]');
|
|
done();
|
|
});
|
|
});
|
|
});
|
|
|
|
it('should fail to register if username is too long', function (done) {
|
|
registerUser('some@user.com', 'thisisareallylongusername', '123456', function (err, response, body) {
|
|
assert.ifError(err);
|
|
assert.equal(response.statusCode, 400);
|
|
assert.equal(body, '[[error:username-too-long]]');
|
|
done();
|
|
});
|
|
});
|
|
|
|
it('should queue user if ip is used before', function (done) {
|
|
meta.config.registrationType = 'admin-approval-ip';
|
|
registerUser('another@user.com', 'anotheruser', 'anotherpwd', function (err, response, body) {
|
|
meta.config.registrationType = 'normal';
|
|
assert.ifError(err);
|
|
assert.equal(response.statusCode, 200);
|
|
assert.equal(body.message, '[[register:registration-added-to-queue]]');
|
|
done();
|
|
});
|
|
});
|
|
|
|
|
|
it('should be able to login with email', function (done) {
|
|
user.create({ username: 'ginger', password: '123456', email: 'ginger@nodebb.org' }, function (err) {
|
|
assert.ifError(err);
|
|
loginUser('ginger@nodebb.org', '123456', function (err, response) {
|
|
assert.ifError(err);
|
|
assert.equal(response.statusCode, 200);
|
|
done();
|
|
});
|
|
});
|
|
});
|
|
|
|
it('should fail to login if login type is username and an email is sent', function (done) {
|
|
meta.config.allowLoginWith = 'username';
|
|
loginUser('ginger@nodebb.org', '123456', function (err, response, body) {
|
|
meta.config.allowLoginWith = 'username-email';
|
|
assert.ifError(err);
|
|
assert.equal(response.statusCode, 500);
|
|
assert.equal(body, '[[error:wrong-login-type-username]]');
|
|
done();
|
|
});
|
|
});
|
|
|
|
it('should send 200 if not logged in', function (done) {
|
|
var jar = request.jar();
|
|
request({
|
|
url: nconf.get('url') + '/api/config',
|
|
json: true,
|
|
jar: jar,
|
|
}, function (err, response, body) {
|
|
assert.ifError(err);
|
|
|
|
request.post(nconf.get('url') + '/logout', {
|
|
form: {},
|
|
json: true,
|
|
jar: jar,
|
|
headers: {
|
|
'x-csrf-token': body.csrf_token,
|
|
},
|
|
}, function (err, res, body) {
|
|
assert.ifError(err);
|
|
assert.equal(res.statusCode, 200);
|
|
assert.equal(body, 'not-logged-in');
|
|
done();
|
|
});
|
|
});
|
|
});
|
|
|
|
it('should prevent banned user from logging in', function (done) {
|
|
user.create({ username: 'banme', password: '123456', email: 'ban@me.com' }, function (err, uid) {
|
|
assert.ifError(err);
|
|
user.ban(uid, 0, 'spammer', function (err) {
|
|
assert.ifError(err);
|
|
loginUser('banme', '123456', function (err, res, body) {
|
|
assert.ifError(err);
|
|
assert.equal(res.statusCode, 403);
|
|
assert.equal(body, '[[error:user-banned-reason, spammer]]');
|
|
user.unban(uid, function (err) {
|
|
assert.ifError(err);
|
|
var expiry = Date.now() + 10000;
|
|
user.ban(uid, expiry, '', function (err) {
|
|
assert.ifError(err);
|
|
loginUser('banme', '123456', function (err, res, body) {
|
|
assert.ifError(err);
|
|
assert.equal(res.statusCode, 403);
|
|
assert.equal(body, '[[error:user-banned-reason-until, ' + (new Date(parseInt(expiry, 10)).toString()) + ', No reason given.]]');
|
|
done();
|
|
});
|
|
});
|
|
});
|
|
});
|
|
});
|
|
});
|
|
});
|
|
|
|
it('should lockout account on 3 failed login attempts', function (done) {
|
|
meta.config.loginAttempts = 3;
|
|
var uid;
|
|
async.waterfall([
|
|
function (next) {
|
|
user.create({ username: 'lockme', password: '123456' }, next);
|
|
},
|
|
function (_uid, next) {
|
|
uid = _uid;
|
|
loginUser('lockme', 'abcdef', next);
|
|
},
|
|
function (res, body, jar, next) {
|
|
loginUser('lockme', 'abcdef', next);
|
|
},
|
|
function (res, body, jar, next) {
|
|
loginUser('lockme', 'abcdef', next);
|
|
},
|
|
function (res, body, jar, next) {
|
|
loginUser('lockme', 'abcdef', next);
|
|
},
|
|
function (res, body, jar, next) {
|
|
meta.config.loginAttempts = 5;
|
|
assert.equal(res.statusCode, 403);
|
|
assert.equal(body, '[[error:account-locked]]');
|
|
loginUser('lockme', 'abcdef', next);
|
|
},
|
|
function (res, body, jar, next) {
|
|
assert.equal(res.statusCode, 403);
|
|
assert.equal(body, '[[error:account-locked]]');
|
|
db.exists('lockout:' + uid, next);
|
|
},
|
|
function (locked, next) {
|
|
assert(locked);
|
|
next();
|
|
},
|
|
], done);
|
|
});
|
|
});
|
|
|