fix(config): respect the changePassword configuration flag (#3849)

2024-12-16 21:56:25 -05:00 · 2023-06-02 19:52:41 +03:00 · 2023-06-02 19:52:41 +03:00 · 679c19c1b6
commit 679c19c1b6
parent a13f1b3626
5 changed files with 96 additions and 1 deletions
--- a/.changeset/chilly-trains-juggle.md
+++ b/.changeset/chilly-trains-juggle.md
@ -0,0 +1,8 @@
+---
+'@verdaccio/config': patch
+---
+
+Respect the `changePassword` configuration flag to enable changing the password through the web API.
+
+> **Note**
+> This feature is still experimental and not fully supported in the default web application.
--- a/packages/config/src/config.ts
+++ b/packages/config/src/config.ts
@ -84,6 +84,7 @@ class Config implements AppConfig {
    this.serverSettings = serverSettings;
    this.flags = {
      searchRemote: config.flags?.searchRemote ?? true,
+      changePassword: config.flags?.changePassword ?? false,
    };
    this.user_agent = config.user_agent;

--- a/packages/core/core/src/constants.ts
+++ b/packages/core/core/src/constants.ts
@ -13,6 +13,7 @@ export const HEADER_TYPE = {
  CONTENT_TYPE: 'content-type',
  CONTENT_LENGTH: 'content-length',
  ACCEPT_ENCODING: 'accept-encoding',
+  AUTHORIZATION: 'authorization',
 };

 export const CHARACTER_ENCODING = {
--- a/packages/web/test/api.user.test.ts
+++ b/packages/web/test/api.user.test.ts
@ -79,6 +79,63 @@ describe('test web server', () => {
      .expect(HTTP_STATUS.CANNOT_HANDLE, JSON.stringify({ error: 'cannot handle this' }));
  });

+  test('should not change password if flag is disabled', async () => {
+    const oldPass = 'test';
+    const newPass = 'new-pass';
+
+    const api = supertest(await initializeServer('change-password-disabled.yaml'));
+
+    // Login with the old password.
+    const loginRes = await api
+      .post('/-/verdaccio/sec/login')
+      .set(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON)
+      .send(
+        JSON.stringify({
+          username: 'test',
+          password: oldPass,
+        })
+      )
+      .expect(HTTP_STATUS.OK);
+
+    // Try changing the password.
+    await api
+      .put('/-/verdaccio/sec/reset_password')
+      .set(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON)
+      .set(HEADER_TYPE.AUTHORIZATION, `Bearer ${loginRes.body.token}`)
+      .send(
+        JSON.stringify({
+          password: {
+            old: oldPass,
+            new: newPass,
+          },
+        })
+      )
+      .expect(HTTP_STATUS.CANNOT_HANDLE);
+
+    // Verify that you cannot login with the new (rejected) password.
+    await api
+      .post('/-/verdaccio/sec/login')
+      .set(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON)
+      .send(
+        JSON.stringify({
+          username: 'test',
+          password: newPass,
+        })
+      )
+      .expect(HTTP_STATUS.UNAUTHORIZED);
+
+    // Verify that you can still login with the old password.
+    await api
+      .post('/-/verdaccio/sec/login')
+      .set(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON)
+      .send(
+        JSON.stringify({
+          username: 'test',
+          password: oldPass,
+        })
+      )
+      .expect(HTTP_STATUS.OK);
+  });
+
  test.todo('should change password');
-  test.todo('should not change password if flag is disabled');
 });
--- a/packages/web/test/config/change-password-disabled.yaml
+++ b/packages/web/test/config/change-password-disabled.yaml
@ -0,0 +1,28 @@
+auth:
+  auth-memory:
+    users:
+      test:
+        name: test
+        password: test
+
+web:
+  title: verdaccio
+
+publish:
+  allow_offline: false
+
+uplinks:
+
+log: { type: stdout, format: pretty, level: trace }
+
+packages:
+  '@*/*':
+    access: $anonymous
+    publish: $anonymous
+  '**':
+    access: $anonymous
+    publish: $anonymous
+_debug: true
+
+flags:
+  changePassword: false