fix: bug on change password npm profile (#4473)

* fix: bug on change password npm profile * add new case
2025-01-20 22:52:46 -05:00 · 2024-01-24 23:14:38 +01:00 · 2024-01-24 23:14:38 +01:00 · 74cd588828
commit 74cd588828
parent 8380b8e980
5 changed files with 149 additions and 11 deletions
--- a/.changeset/wild-otters-talk.md
+++ b/.changeset/wild-otters-talk.md
@ -0,0 +1,5 @@
+---
+'@verdaccio/api': patch
+---
+
+fix: bug on change password npm profile
--- a/packages/api/jest.config.js
+++ b/packages/api/jest.config.js
@ -1,10 +1,3 @@
 const config = require('../../jest/config');

-module.exports = Object.assign({}, config, {
-  coverageThreshold: {
-    global: {
-      // FIXME: increase to 90
-      lines: 60,
-    },
-  },
-});
+module.exports = Object.assign({}, config, {});
--- a/packages/api/src/v1/profile.ts
+++ b/packages/api/src/v1/profile.ts
@ -81,15 +81,17 @@ export default function (route: Router, auth: Auth, config: Config): void {
          /* eslint new-cap:off */
        }

+        if (_.isEmpty(password.old)) {
+          return next(errorUtils.getBadRequest('old password is required'));
+        }
+
        auth.changePassword(
          name,
          password.old,
          password.new,
          (err, isUpdated): $NextFunctionVer => {
            if (_.isNull(err) === false) {
-              return next(
-                errorUtils.getCode(err.status, err.message) || errorUtils.getConflict(err.message)
-              );
+              return next(errorUtils.getForbidden(err.message));
            }

            if (isUpdated) {
--- a/packages/api/test/integration/config/profile.yaml
+++ b/packages/api/test/integration/config/profile.yaml
@ -0,0 +1,27 @@
+auth:
+  htpasswd:
+    file: ./htpasswd-profile
+web:
+  enable: true
+  title: verdaccio
+
+uplinks:
+
+log: { type: stdout, format: pretty, level: trace }
+
+packages:
+  '@*/*':
+    access: $all
+    publish: $all
+    unpublish: $all
+    proxy: npmjs
+  'verdaccio':
+    access: $all
+    publish: $all
+  '**':
+    access: $all
+    publish: $all
+    unpublish: $all
+    proxy: npmjs
+
+_debug: true
--- a/packages/api/test/integration/profile.spec.ts
+++ b/packages/api/test/integration/profile.spec.ts
@ -0,0 +1,111 @@
+import supertest from 'supertest';
+
+import { HEADERS, HEADER_TYPE, HTTP_STATUS, TOKEN_BEARER } from '@verdaccio/core';
+import { buildToken } from '@verdaccio/utils';
+
+import { createUser, initializeServer } from './_helper';
+
+describe('profile ', () => {
+  describe('get profile ', () => {
+    test('should return Unauthorized if header token is missing', async () => {
+      const app = await initializeServer('profile.yaml');
+      return supertest(app)
+        .get('/-/npm/v1/user')
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.UNAUTHORIZED);
+    });
+
+    test('should return user details', async () => {
+      const app = await initializeServer('profile.yaml');
+      const credentials = { name: 'test', password: 'test' };
+      const response = await createUser(app, credentials.name, credentials.password);
+      return supertest(app)
+        .get('/-/npm/v1/user')
+        .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.OK);
+    });
+  });
+  describe('post profile ', () => {
+    test('should return Unauthorized if header token is missing', async () => {
+      const app = await initializeServer('profile.yaml');
+      return supertest(app)
+        .post('/-/npm/v1/user')
+        .send({})
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.UNAUTHORIZED);
+    });
+
+    test('should return handle to short new password', async () => {
+      const app = await initializeServer('profile.yaml');
+      const credentials = { name: 'test', password: 'test' };
+      const response = await createUser(app, credentials.name, credentials.password);
+      return supertest(app)
+        .post('/-/npm/v1/user')
+        .send({ password: { new: '_' } })
+        .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.UNAUTHORIZED);
+    });
+
+    test('should return handle to missing old password', async () => {
+      const app = await initializeServer('profile.yaml');
+      const credentials = { name: 'test', password: 'test' };
+      const response = await createUser(app, credentials.name, credentials.password);
+      return supertest(app)
+        .post('/-/npm/v1/user')
+        .send({ password: { new: 'fooooo', old: undefined } })
+        .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.BAD_REQUEST);
+    });
+
+    test('should return handle to missing password', async () => {
+      const app = await initializeServer('profile.yaml');
+      const credentials = { name: 'test', password: 'test' };
+      const response = await createUser(app, credentials.name, credentials.password);
+      return supertest(app)
+        .post('/-/npm/v1/user')
+        .send({ another: '_' })
+        .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.INTERNAL_ERROR);
+    });
+
+    test('should return handle change password', async () => {
+      const app = await initializeServer('profile.yaml');
+      const credentials = { name: 'test', password: 'test' };
+      const response = await createUser(app, credentials.name, credentials.password);
+      return supertest(app)
+        .post('/-/npm/v1/user')
+        .send({ password: { new: 'good password_.%#@$@#$@#', old: 'test' } })
+        .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.OK);
+    });
+
+    test('should return handle change password failure', async () => {
+      const app = await initializeServer('profile.yaml');
+      const credentials = { name: 'test', password: 'test' };
+      const response = await createUser(app, credentials.name, credentials.password);
+      return supertest(app)
+        .post('/-/npm/v1/user')
+        .send({ password: { new: 'good password_.%#@$@#$@#', old: 'test_do_not_match' } })
+        .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.FORBIDDEN);
+    });
+
+    test('should handle tfa ( two factor auth) disabled', async () => {
+      const app = await initializeServer('profile.yaml');
+      const credentials = { name: 'test', password: 'test' };
+      const response = await createUser(app, credentials.name, credentials.password);
+      return supertest(app)
+        .post('/-/npm/v1/user')
+        .send({ tfa: '_' })
+        .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.SERVICE_UNAVAILABLE);
+    });
+  });
+});