verdaccio/packages/web/test/api.user.test.ts
George Kalpakas 702d5c4971
fix(api): fix password validation for /reset_password route (#3858)
Previously, the password validation logic for the `/reset_password`
route was reversed: An error was returned when the password was valid
and the operation would succeed when the password was invalid.

This commit fixes the logic to return an error when the validation fails
and proceed with resetting the password when the password is valid.
2023-06-11 16:33:37 +08:00


import path from 'path';
import supertest from 'supertest';
import { API_ERROR, HEADERS, HEADER_TYPE, HTTP_STATUS } from '@verdaccio/core';
import { setup } from '@verdaccio/logger';
import { initializeServer } from './helper';
// Logger setup for the whole test run; the empty array presumably means "no logger config" — confirm in @verdaccio/logger.
setup([]);
// The name must start with `mock` so jest allows it to be referenced from the hoisted jest.mock factory below.
const mockManifest = jest.fn();
// Replace the real UI theme package with whatever mockManifest returns (configured in beforeAll).
jest.mock('@verdaccio/ui-theme', () => mockManifest());
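/**
 * Web API tests for login and password reset.
 *
 * The login / reset request plumbing was repeated in every test; it now lives in
 * small request builders so each test only states the status it expects.
 *
 * NOTE(review): the password tests all log in as 'test'/'test' against a server
 * built from the same config. This relies on initializeServer() giving every test
 * isolated auth storage — otherwise 'should change password' would break the later
 * logins with the old password. Confirm in ./helper.
 *
 * TODO(review): there is no test for a reset request that carries a wrong `old`
 * password, or one sent without an Authorization header. The status codes the route
 * returns for those cases are not visible here, so check the route before adding them.
 */
describe('test web server', () => {
  type Api = ReturnType<typeof supertest>;
  type HttpStatus = (typeof HTTP_STATUS)[keyof typeof HTTP_STATUS];

  const LOGIN_PATH = '/-/verdaccio/sec/login';
  const RESET_PASSWORD_PATH = '/-/verdaccio/sec/reset_password';
  const DEFAULT_USER = 'test';
  const DEFAULT_PASS = 'test';

  /**
   * Builds a login request for `username`/`password`.
   * Returned un-awaited so the caller chains its own `.expect(...)` assertions.
   */
  function loginRequest(api: Api, username: string, password: string) {
    return api
      .post(LOGIN_PATH)
      .set(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON)
      .send(JSON.stringify({ username, password }));
  }

  /**
   * Logs in and returns the bearer token the server issued.
   * Fails the test early (instead of sending `Bearer undefined` later) if the
   * login is rejected or no token comes back.
   */
  async function loginAndGetToken(api: Api, username: string, password: string): Promise<string> {
    const res = await loginRequest(api, username, password).expect(HTTP_STATUS.OK);
    expect(res.body.token).toBeTruthy();
    return res.body.token;
  }

  /**
   * Builds a password-change request authenticated with `token`.
   * Returned un-awaited so the caller asserts on the status it expects.
   */
  function resetPasswordRequest(api: Api, token: string, oldPass: string, newPass: string) {
    return api
      .put(RESET_PASSWORD_PATH)
      .set(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON)
      .set(HEADER_TYPE.AUTHORIZATION, `Bearer ${token}`)
      .send(JSON.stringify({ password: { old: oldPass, new: newPass } }));
  }

  /** Asserts that logging in as the default user with `password` yields `status`. */
  async function expectLoginStatus(api: Api, password: string, status: HttpStatus): Promise<void> {
    await loginRequest(api, DEFAULT_USER, password).expect(status);
  }

  beforeAll(() => {
    // Point the mocked UI theme at the static fixtures shipped with the tests.
    mockManifest.mockReturnValue(() => ({
      staticPath: path.join(__dirname, 'static'),
      manifestFiles: {
        js: ['runtime.js', 'vendors.js', 'main.js'],
      },
      manifest: require('./partials/manifest/manifest.json'),
    }));
  });

  afterEach(() => {
    jest.clearAllMocks();
    mockManifest.mockClear();
  });

  test('should get 401', async () => {
    const api = supertest(await initializeServer('default-test.yaml'));
    const response = await loginRequest(api, DEFAULT_USER, 'password1')
      .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
      .expect(HTTP_STATUS.UNAUTHORIZED);
    expect(response.body.error).toEqual(API_ERROR.BAD_USERNAME_PASSWORD);
  });

  test('should log in', async () => {
    const api = supertest(await initializeServer('default-test.yaml'));
    const res = await loginRequest(api, DEFAULT_USER, DEFAULT_PASS)
      .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
      // A token response must never be served from a cache.
      .expect(HEADERS.CACHE_CONTROL, 'no-cache, no-store')
      .expect(HTTP_STATUS.OK);
    expect(res.body.error).toBeUndefined();
    expect(res.body.token).toBeDefined();
    expect(res.body.token).toBeTruthy();
    expect(res.body.username).toMatch('test');
  });

  test('log in should be disabled', async () => {
    const api = supertest(await initializeServer('login-disabled.yaml'));
    await loginRequest(api, DEFAULT_USER, DEFAULT_PASS)
      .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
      .expect(HTTP_STATUS.CANNOT_HANDLE, JSON.stringify({ error: 'cannot handle this' }));
  });

  test('should change password', async () => {
    const oldPass = DEFAULT_PASS;
    const newPass = 'new-pass';
    const api = supertest(await initializeServer('default-test.yaml'));

    const token = await loginAndGetToken(api, DEFAULT_USER, oldPass);
    await resetPasswordRequest(api, token, oldPass, newPass).expect(HTTP_STATUS.OK);

    // The old credential must stop working and the new one must start working.
    await expectLoginStatus(api, oldPass, HTTP_STATUS.UNAUTHORIZED);
    await expectLoginStatus(api, newPass, HTTP_STATUS.OK);
  });

  test('should not change to invalid password', async () => {
    const oldPass = DEFAULT_PASS;
    const newPass = '12'; // Invalid password: Too short.
    const api = supertest(await initializeServer('default-test.yaml'));

    const token = await loginAndGetToken(api, DEFAULT_USER, oldPass);
    await resetPasswordRequest(api, token, oldPass, newPass).expect(HTTP_STATUS.BAD_REQUEST);

    // A rejected reset must leave the stored credential untouched.
    await expectLoginStatus(api, newPass, HTTP_STATUS.UNAUTHORIZED);
    await expectLoginStatus(api, oldPass, HTTP_STATUS.OK);
  });

  test('should not change password if flag is disabled', async () => {
    const oldPass = DEFAULT_PASS;
    const newPass = 'new-pass';
    const api = supertest(await initializeServer('change-password-disabled.yaml'));

    const token = await loginAndGetToken(api, DEFAULT_USER, oldPass);
    await resetPasswordRequest(api, token, oldPass, newPass).expect(HTTP_STATUS.CANNOT_HANDLE);

    // A rejected reset must leave the stored credential untouched.
    await expectLoginStatus(api, newPass, HTTP_STATUS.UNAUTHORIZED);
    await expectLoginStatus(api, oldPass, HTTP_STATUS.OK);
  });
});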