From 1e83d33283643167c08a0c7c60c79bcb6bdcd00d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?= Date: Tue, 23 May 2017 15:37:32 -0400 Subject: [PATCH] tests for login --- src/controllers/authentication.js | 54 +++++------ test/authentication.js | 144 +++++++++++++++++++----------- 2 files changed, 121 insertions(+), 77 deletions(-) diff --git a/src/controllers/authentication.js b/src/controllers/authentication.js index 5ca9c421ad..cc4ef41aab 100644 --- a/src/controllers/authentication.js +++ b/src/controllers/authentication.js @@ -282,14 +282,14 @@ authenticationController.doLogin = function (req, uid, callback) { if (!uid) { return callback(); } - - req.login({ uid: uid }, function (err) { - if (err) { - return callback(err); - } - - authenticationController.onSuccessfulLogin(req, uid, callback); - }); + async.waterfall([ + function (next) { + req.login({ uid: uid }, next); + }, + function (next) { + authenticationController.onSuccessfulLogin(req, uid, next); + }, + ], callback); }; authenticationController.onSuccessfulLogin = function (req, uid, callback) { 
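Review bot: The first waterfall step passes `next` directly to `req.login`, so whatever arguments passport hands that callback become positional arguments of the second step; this is only safe because passport's login callback carries a bare `err`, and nothing in the hunk records that assumption. Since the second step consumes no result from the first, `async.series` would state the intent without that coupling, or at least a comment on the first step, `// req.login's callback yields only err, so the next step receives just next`. The `if (!uid) { return callback(); }` guard above now returns the same bare `callback()` as a completed login, so a caller cannot tell "logged in" from "skipped because uid was falsy"; if that is intended, a one-line comment on the guard would save the next reader the trip to the callers. doLogin's signature is outside the hunk.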
@@ -312,28 +312,30 @@ authenticationController.onSuccessfulLogin = function (req, uid, callback) { version: req.useragent.version, }); - // Associate login session with user - async.parallel([ - function (next) { - user.auth.addSession(uid, req.sessionID, next); - }, + async.waterfall([ function (next) { - db.setObjectField('uid:' + uid + ':sessionUUID:sessionId', uuid, req.sessionID, next); + async.parallel([ + function (next) { + user.auth.addSession(uid, req.sessionID, next); + }, + function (next) { + db.setObjectField('uid:' + uid + ':sessionUUID:sessionId', uuid, req.sessionID, next); + }, + function (next) { + user.updateLastOnlineTime(uid, next); + }, + ], function (err) { + next(err); + }); }, function (next) { - user.updateLastOnlineTime(uid, next); - }, - ], function (err) { - if (err) { - return callback(err); - } - - // Force session check for all connected socket.io clients with the same session id - sockets.in('sess_' + req.sessionID).emit('checkSession', uid); + // Force session check for all connected socket.io clients with the same session id + sockets.in('sess_' + req.sessionID).emit('checkSession', uid); - plugins.fireHook('action:user.loggedIn', { uid: uid, req: req }); - callback(); - }); + plugins.fireHook('action:user.loggedIn', { uid: uid, req: req }); + next(); + }, + ], callback); }; authenticationController.localLogin = function (req, username, password, next) { diff --git a/test/authentication.js b/test/authentication.js index 9d49a8e0ff..4ab15b500f 100644 --- a/test/authentication.js +++ b/test/authentication.js 
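Review bot: When one of the three parallel writes fails, `next(err)` propagates the error, but the passport session established by the preceding `req.login` step in doLogin is left live while `user.auth.addSession` (presumably the list used for session listing and revocation) may not record it, so an untracked authenticated session survives the error. Either tear the session down before propagating (e.g. `req.logout()` ahead of `next(err)`) or document on the final callback that the caller is expected to do so. The `function (err) { next(err); }` wrapper is there to drop `async.parallel`'s results array so the second step receives only `next`; that is worth stating, `// drop parallel's results so the next waterfall step gets only (next)`. `req.sessionID` is bound to the uid as the request arrived with it; unless `req.login` regenerates the session id for the passport version in use (confirm), regenerating it before this point is the usual defence against session fixation. onSuccessfulLogin starts before the hunk.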
@@ -7,8 +7,37 @@ var request = require('request'); var db = require('./mocks/databasemock'); var user = require('../src/user'); +var meta = require('../src/meta'); describe('authentication', function () { + function loginUser(username, password, callback) { + var jar = request.jar(); + request({ + url: nconf.get('url') + '/api/config', + json: true, + jar: jar, + }, function (err, response, body) { + if (err) { + return callback(err); + } + + request.post(nconf.get('url') + '/login', { + form: { + username: username, + password: password, + }, + json: true, + jar: jar, + headers: { + 'x-csrf-token': body.csrf_token, + }, + }, function (err, response, body) { + callback(err, response, body, jar); + }); + }); + } + + var jar = request.jar(); var regularUid; before(function (done) { 
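Review bot: In loginUser the `/api/config` callback reads `body.csrf_token` without checking that the request succeeded or that the token is present, so a failing config request surfaces as a TypeError thrown inside a request callback rather than as an error delivered to the test; add `if (!body || !body.csrf_token) { return callback(new Error('no csrf_token in /api/config response')); }` before the `request.post`. The helper's local `var jar` shadows the describe-level `var jar` declared just below it, which is fine because the helper returns its own jar as the fourth callback argument, but a short JSDoc on the helper stating that the returned `jar` holds the authenticated session would prevent callers from reaching for the describe-level one. The `describe` block continues past the hunk.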
@@ -89,43 +118,24 @@ describe('authentication', function () { }); it('should login a user', function (done) { - var jar = request.jar(); - request({ - url: nconf.get('url') + '/api/config', - json: true, - jar: jar, - }, function (err, response, body) { + loginUser('regular', 'regularpwd', function (err, response, body, jar) { assert.ifError(err); + assert(body); - request.post(nconf.get('url') + '/login', { - form: { - username: 'regular', - password: 'regularpwd', - }, + request({ + url: nconf.get('url') + '/api/me', json: true, jar: jar, - headers: { - 'x-csrf-token': body.csrf_token, - }, }, function (err, response, body) { assert.ifError(err); assert(body); - - request({ - url: nconf.get('url') + '/api/me', - json: true, - jar: jar, - }, function (err, response, body) { + assert.equal(body.username, 'regular'); + assert.equal(body.email, 'regular@nodebb.org'); + db.getObject('uid:' + regularUid + ':sessionUUID:sessionId', function (err, sessions) { assert.ifError(err); - assert(body); - assert.equal(body.username, 'regular'); - assert.equal(body.email, 'regular@nodebb.org'); - db.getObject('uid:' + regularUid + ':sessionUUID:sessionId', function (err, sessions) { - assert.ifError(err); - assert(sessions); - assert(Object.keys(sessions).length > 0); - done(); - }); + assert(sessions); + assert(Object.keys(sessions).length > 0); + done(); }); }); }); 
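Review bot: The rewritten test asserts only `assert(body)` on the login response and relies on `/api/me` to prove the login worked, while the failure tests later in this patch assert the status code explicitly; adding `assert.equal(response.statusCode, 200);` after the first `assert.ifError(err)` makes a rejected login fail at the login step with a clear message instead of on `body.username`. The callback parameters `response` and `body` are redeclared by the nested `/api/me` callback, so the assertions after it can no longer refer to the login response; renaming the inner pair (e.g. `meRes`, `meBody`) would make clear which response each assertion targets. The enclosing `describe` runs past both ends of the hunk.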
@@ -148,33 +158,65 @@ describe('authentication', function () { }); it('should fail to login if user does not exist', function (done) { - var jar = request.jar(); - request({ - url: nconf.get('url') + '/api/config', - json: true, - jar: jar, - }, function (err, response, body) { + loginUser('doesnotexist', 'nopassword', function (err, response, body) { assert.ifError(err); + assert.equal(response.statusCode, 403); + assert.equal(body, '[[error:invalid-login-credentials]]'); + done(); + }); + }); - request.post(nconf.get('url') + '/login', { - form: { - username: 'doesnotexist', - password: 'nopassword', - }, - json: true, - jar: jar, - headers: { - 'x-csrf-token': body.csrf_token, - }, - }, function (err, response, body) { - assert.ifError(err); - assert.equal(response.statusCode, 403); - assert.equal(body, '[[error:invalid-login-credentials]]'); - done(); - }); + it('should fail to login if username is empty', function (done) { + loginUser('', 'some password', function (err, response, body) { + assert.ifError(err); + assert.equal(response.statusCode, 403); + assert.equal(body, '[[error:invalid-username-or-password]]'); + done(); }); }); + it('should fail to login if password is empty', function (done) { + loginUser('someuser', '', function (err, response, body) { + assert.ifError(err); + assert.equal(response.statusCode, 403); + assert.equal(body, '[[error:invalid-username-or-password]]'); + done(); + }); + }); + + it('should fail to login if username and password are empty', function (done) { + loginUser('', '', function (err, response, body) { + assert.ifError(err); + assert.equal(response.statusCode, 403); + assert.equal(body, '[[error:invalid-username-or-password]]'); + done(); + }); + }); + + it('should fail to login if password is longer than 4096', function (done) { + var longPassword; + for (var i = 0; i < 5000; i++) { + longPassword += 'a'; + } + loginUser('someuser', longPassword, function (err, response, body) { + assert.ifError(err); + 
assert.equal(response.statusCode, 403); + assert.equal(body, '[[error:password-too-long]]'); + done(); + }); + }); + + + it('should fail to login if local login is disabled', function (done) { + meta.config.allowLocalLogin = 0; + loginUser('someuser', 'somepass', function (err, response, body) { + meta.config.allowLocalLogin = 1; + assert.ifError(err); + assert.equal(response.statusCode, 403); + assert.equal(body, '[[error:local-login-disabled]]'); + done(); + }); + }); after(function (done) { db.emptydb(done);
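Review bot: In 'should fail to login if password is longer than 4096', `var longPassword;` is never initialised, so the first `+= 'a'` coerces `undefined` and the submitted password is `"undefinedaaa…"` (5009 characters); the test still passes only because that is also over the limit, so initialise it, `var longPassword = '';`, or build it in one step with `new Array(5001).join('a')`. In 'should fail to login if local login is disabled', the test restores `meta.config.allowLocalLogin = 1` unconditionally rather than the value it found, which silently changes the setting for later tests if it was not 1; capture it first, `var prev = meta.config.allowLocalLogin;`, and restore `prev` in the callback. The restore happens before the assertions, which is right, but if loginUser throws synchronously the setting stays at 0 for the rest of the run, so a `try`/`finally` around the call (or an `afterEach` reset) would be safer. The `describe` block is cut at both ends of the hunk.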