fix(core): verify an empty string password should return 400 instead of 500 (#3939)

* fix(core): verify an empty string password should return 400 instead of 500 * test(core,test): add unit and integration tests for verify password api
2025-03-17 22:31:28 -05:00 · 2023-06-01 15:10:21 +08:00 · 2023-06-01 15:10:21 +08:00 · 1d7330835c
commit 1d7330835c
parent b1e048772c
4 changed files with 36 additions and 2 deletions
--- a/packages/core/src/routes/admin-user.test.ts
+++ b/packages/core/src/routes/admin-user.test.ts
@ -319,6 +319,14 @@ describe('adminUserRoutes', () => {
    expect(response.status).toEqual(204);
  });

+  it('POST /users/:userId/password/verify should throw 400 if password is empty', async () => {
+    const password = '';
+    await expect(
+      userRequest.post(`/users/foo/password/verify`).send({ password })
+    ).resolves.toHaveProperty('status', 400);
+    expect(verifyUserPassword).not.toHaveBeenCalled();
+  });
+
  it('POST /users/:userId/password/verify should throw if password is invalid', async () => {
    const password = 'invalidPassword';
    verifyUserPassword.mockImplementationOnce(async () => {
--- a/packages/core/src/routes/admin-user.ts
+++ b/packages/core/src/routes/admin-user.ts
@ -212,8 +212,8 @@ export default function adminUserRoutes<T extends AuthedRouter>(
    '/users/:userId/password/verify',
    koaGuard({
      params: object({ userId: string() }),
-      body: object({ password: string() }),
-      status: [204],
+      body: object({ password: string().min(1) }),
+      status: [204, 404, 422],
    }),
    async (ctx, next) => {
      const {
--- a/packages/integration-tests/src/api/admin-user.ts
+++ b/packages/integration-tests/src/api/admin-user.ts
@ -65,3 +65,6 @@ export const postUserIdentity = async (
      },
    })
    .json<Identities>();
+
+export const verifyUserPassword = async (userId: string, password: string) =>
+  authedAdminApi.post(`users/${userId}/password/verify`, { json: { password } });
--- a/packages/integration-tests/src/tests/api/admin-user.test.ts
+++ b/packages/integration-tests/src/tests/api/admin-user.test.ts
@ -15,6 +15,7 @@ import {
  getConnectorAuthorizationUri,
  deleteConnectorById,
  postUserIdentity,
+  verifyUserPassword,
 } from '#src/api/index.js';
 import { createResponseWithCode } from '#src/helpers/admin-tenant.js';
 import { createUserByAdmin } from '#src/helpers/index.js';
@ -161,4 +162,26 @@ describe('admin console user management', () => {

    await deleteConnectorById(connectorId);
  });
+
+  it('should return 204 if password is correct', async () => {
+    const user = await createUserByAdmin(undefined, 'new_password');
+    expect(await verifyUserPassword(user.id, 'new_password')).toHaveProperty('statusCode', 204);
+    void deleteUser(user.id);
+  });
+
+  it('should return 422 if password is incorrect', async () => {
+    const user = await createUserByAdmin(undefined, 'new_password');
+    await expect(verifyUserPassword(user.id, 'wrong_password')).rejects.toMatchObject(
+      createResponseWithCode(422)
+    );
+    void deleteUser(user.id);
+  });
+
+  it('should return 400 if password is empty', async () => {
+    const user = await createUserByAdmin();
+    await expect(verifyUserPassword(user.id, '')).rejects.toMatchObject(
+      createResponseWithCode(400)
+    );
+    void deleteUser(user.id);
+  });
 });