hyperzlib
/
nodebb
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
isekai-main
v1.18.x
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a6564b7b4e'
${ noResults }
nodebb/test/authentication.js

509 lines
14 KiB
JavaScript
Raw Blame History

'use strict';
var assert = require('assert');
var nconf = require('nconf');
var request = require('request');
var async = require('async');
var db = require('./mocks/databasemock');
var user = require('../src/user');
var meta = require('../src/meta');
var helpers = require('./helpers');
describe('authentication', function () {
function loginUser(username, password, callback) {
var jar = request.jar();
request({
url: nconf.get('url') + '/api/config',
json: true,
jar: jar,
}, function (err, response, body) {
if (err) {
return callback(err);
}
request.post(nconf.get('url') + '/login', {
form: {
username: username,
password: password,
},
json: true,
jar: jar,
headers: {
'x-csrf-token': body.csrf_token,
},
}, function (err, response, body) {
callback(err, response, body, jar);
});
});
}
function registerUser(email, username, password, callback) {
var jar = request.jar();
request({
url: nconf.get('url') + '/api/config',
json: true,
jar: jar,
}, function (err, response, body) {
if (err) {
return callback(err);
}
request.post(nconf.get('url') + '/register', {
form: {
email: email,
username: username,
password: password,
'password-confirm': password,
gdpr_consent: true,
},
json: true,
jar: jar,
headers: {
'x-csrf-token': body.csrf_token,
},
}, function (err, response, body) {
callback(err, response, body, jar);
});
});
}
var jar = request.jar();
var regularUid;
before(function (done) {
user.create({ username: 'regular', password: 'regularpwd', email: '[email protected]' }, function (err, uid) {
assert.ifError(err);
regularUid = uid;
done();
});
});
it('should fail to create user if username is too short', function (done) {
helpers.registerUser({
username: 'a',
password: '123456',
'password-confirm': '123456',
email: '[email protected]',
}, function (err, jar, response, body) {
assert.ifError(err);
assert.equal(response.statusCode, 400);
assert.equal(body, '[[error:username-too-short]]');
done();
});
});
it('should fail to create user if userslug is too short', function (done) {
helpers.registerUser({
username: '----a-----',
password: '123456',
'password-confirm': '123456',
email: '[email protected]',
}, function (err, jar, response, body) {
assert.ifError(err);
assert.equal(response.statusCode, 400);
assert.equal(body, '[[error:username-too-short]]');
done();
});
});
it('should fail to create user if userslug is too short', function (done) {
helpers.registerUser({
username: ' a',
password: '123456',
'password-confirm': '123456',
email: '[email protected]',
}, function (err, jar, response, body) {
assert.ifError(err);
assert.equal(response.statusCode, 400);
assert.equal(body, '[[error:username-too-short]]');
done();
});
});
it('should fail to create user if userslug is too short', function (done) {
helpers.registerUser({
username: 'a ',
password: '123456',
'password-confirm': '123456',
email: '[email protected]',
}, function (err, jar, response, body) {
assert.ifError(err);
assert.equal(response.statusCode, 400);
assert.equal(body, '[[error:username-too-short]]');
done();
});
});
it('should register and login a user', function (done) {
request({
url: nconf.get('url') + '/api/config',
json: true,
jar: jar,
}, function (err, response, body) {
assert.ifError(err);
request.post(nconf.get('url') + '/register', {
form: {
email: '[email protected]',
username: 'admin',
password: 'adminpwd',
'password-confirm': 'adminpwd',
userLang: 'it',
gdpr_consent: true,
},
json: true,
jar: jar,
headers: {
'x-csrf-token': body.csrf_token,
},
}, function (err, response, body) {
assert.ifError(err);
assert(body);
request({
url: nconf.get('url') + '/api/me',
json: true,
jar: jar,
}, function (err, response, body) {
assert.ifError(err);
assert(body);
assert.equal(body.username, 'admin');
assert.equal(body.email, '[email protected]');
user.getSettings(body.uid, function (err, settings) {
assert.ifError(err);
assert.equal(settings.userLang, 'it');
done();
});
});
});
});
});
it('should logout a user', function (done) {
helpers.logoutUser(jar, function (err) {
assert.ifError(err);
request({
url: nconf.get('url') + '/api/me',
json: true,
jar: jar,
}, function (err, res, body) {
assert.ifError(err);
assert.equal(res.statusCode, 401);
assert.equal(body, 'not-authorized');
done();
});
});
});
it('should login a user', function (done) {
loginUser('regular', 'regularpwd', function (err, response, body, jar) {
assert.ifError(err);
assert(body);
request({
url: nconf.get('url') + '/api/me',
json: true,
jar: jar,
}, function (err, response, body) {
assert.ifError(err);
assert(body);
assert.equal(body.username, 'regular');
assert.equal(body.email, '[email protected]');
db.getObject('uid:' + regularUid + ':sessionUUID:sessionId', function (err, sessions) {
assert.ifError(err);
assert(sessions);
assert(Object.keys(sessions).length > 0);
done();
});
});
});
});
it('should revoke all sessions', function (done) {
var socketAdmin = require('../src/socket.io/admin');
db.sortedSetCard('uid:' + regularUid + ':sessions', function (err, count) {
assert.ifError(err);
assert(count);
socketAdmin.deleteAllSessions({ uid: 1 }, {}, function (err) {
assert.ifError(err);
db.sortedSetCard('uid:' + regularUid + ':sessions', function (err, count) {
assert.ifError(err);
assert(!count);
done();
});
});
});
});
it('should fail to login if ip address if invalid', function (done) {
var jar = request.jar();
request({
url: nconf.get('url') + '/api/config',
json: true,
jar: jar,
}, function (err, response, body) {
if (err) {
return done(err);
}
request.post(nconf.get('url') + '/login', {
form: {
username: 'regular',
password: 'regularpwd',
},
json: true,
jar: jar,
headers: {
'x-csrf-token': body.csrf_token,
'x-forwarded-for': '<script>alert("xss")</script>',
},
}, function (err, response, body) {
assert.ifError(err);
assert.equal(response.statusCode, 500);
done();
});
});
});
it('should fail to login if user does not exist', function (done) {
loginUser('doesnotexist', 'nopassword', function (err, response, body) {
assert.ifError(err);
assert.equal(response.statusCode, 403);
assert.equal(body, '[[error:invalid-login-credentials]]');
done();
});
});
it('should fail to login if username is empty', function (done) {
loginUser('', 'some password', function (err, response, body) {
assert.ifError(err);
assert.equal(response.statusCode, 403);
assert.equal(body, '[[error:invalid-username-or-password]]');
done();
});
});
it('should fail to login if password is empty', function (done) {
loginUser('someuser', '', function (err, response, body) {
assert.ifError(err);
assert.equal(response.statusCode, 403);
assert.equal(body, '[[error:invalid-username-or-password]]');
done();
});
});
it('should fail to login if username and password are empty', function (done) {
loginUser('', '', function (err, response, body) {
assert.ifError(err);
assert.equal(response.statusCode, 403);
assert.equal(body, '[[error:invalid-username-or-password]]');
done();
});
});
it('should fail to login if password is longer than 4096', function (done) {
var longPassword;
for (var i = 0; i < 5000; i++) {
longPassword += 'a';
}
loginUser('someuser', longPassword, function (err, response, body) {
assert.ifError(err);
assert.equal(response.statusCode, 403);
assert.equal(body, '[[error:password-too-long]]');
done();
});
});
it('should fail to login if local login is disabled', function (done) {
meta.config.allowLocalLogin = 0;
loginUser('someuser', 'somepass', function (err, response, body) {
meta.config.allowLocalLogin = 1;
assert.ifError(err);
assert.equal(response.statusCode, 403);
assert.equal(body, '[[error:local-login-disabled]]');
done();
});
});
it('should fail to register if registraton is disabled', function (done) {
meta.config.registrationType = 'disabled';
registerUser('[email protected]', 'someuser', 'somepassword', function (err, response, body) {
assert.ifError(err);
assert.equal(response.statusCode, 403);
assert.equal(body, 'Forbidden');
done();
});
});
it('should return error if invitation is not valid', function (done) {
meta.config.registrationType = 'invite-only';
registerUser('[email protected]', 'someuser', 'somepassword', function (err, response, body) {
meta.config.registrationType = 'normal';
assert.ifError(err);
assert.equal(response.statusCode, 400);
assert.equal(body, '[[error:invalid-data]]');
done();
});
});
it('should fail to register if email is falsy', function (done) {
registerUser('', 'someuser', 'somepassword', function (err, response, body) {
assert.ifError(err);
assert.equal(response.statusCode, 400);
assert.equal(body, '[[error:invalid-email]]');
done();
});
});
it('should fail to register if username is falsy or too short', function (done) {
registerUser('[email protected]', '', 'somepassword', function (err, response, body) {
assert.ifError(err);
assert.equal(response.statusCode, 400);
assert.equal(body, '[[error:username-too-short]]');
registerUser('[email protected]', 'a', 'somepassword', function (err, response, body) {
assert.ifError(err);
assert.equal(response.statusCode, 400);
assert.equal(body, '[[error:username-too-short]]');
done();
});
});
});
it('should fail to register if username is too long', function (done) {
registerUser('[email protected]', 'thisisareallylongusername', '123456', function (err, response, body) {
assert.ifError(err);
assert.equal(response.statusCode, 400);
assert.equal(body, '[[error:username-too-long]]');
done();
});
});
it('should queue user if ip is used before', function (done) {
meta.config.registrationType = 'admin-approval-ip';
registerUser('[email protected]', 'anotheruser', 'anotherpwd', function (err, response, body) {
meta.config.registrationType = 'normal';
assert.ifError(err);
assert.equal(response.statusCode, 200);
assert.equal(body.message, '[[register:registration-added-to-queue]]');
done();
});
});
it('should be able to login with email', function (done) {
user.create({ username: 'ginger', password: '123456', email: '[email protected]' }, function (err) {
assert.ifError(err);
loginUser('[email protected]', '123456', function (err, response) {
assert.ifError(err);
assert.equal(response.statusCode, 200);
done();
});
});
});
it('should fail to login if login type is username and an email is sent', function (done) {
meta.config.allowLoginWith = 'username';
loginUser('[email protected]', '123456', function (err, response, body) {
meta.config.allowLoginWith = 'username-email';
assert.ifError(err);
assert.equal(response.statusCode, 500);
assert.equal(body, '[[error:wrong-login-type-username]]');
done();
});
});
it('should send 200 if not logged in', function (done) {
var jar = request.jar();
request({
url: nconf.get('url') + '/api/config',
json: true,
jar: jar,
}, function (err, response, body) {
assert.ifError(err);
request.post(nconf.get('url') + '/logout', {
form: {},
json: true,
jar: jar,
headers: {
'x-csrf-token': body.csrf_token,
},
}, function (err, res, body) {
assert.ifError(err);
assert.equal(res.statusCode, 200);
assert.equal(body, 'not-logged-in');
done();
});
});
});
it('should prevent banned user from logging in', function (done) {
user.create({ username: 'banme', password: '123456', email: '[email protected]' }, function (err, uid) {
assert.ifError(err);
user.ban(uid, 0, 'spammer', function (err) {
assert.ifError(err);
loginUser('banme', '123456', function (err, res, body) {
assert.ifError(err);
assert.equal(res.statusCode, 403);
assert.equal(body, '[[error:user-banned-reason, spammer]]');
user.unban(uid, function (err) {
assert.ifError(err);
var expiry = Date.now() + 10000;
user.ban(uid, expiry, '', function (err) {
assert.ifError(err);
loginUser('banme', '123456', function (err, res, body) {
assert.ifError(err);
assert.equal(res.statusCode, 403);
assert.equal(body, '[[error:user-banned-reason-until, ' + (new Date(parseInt(expiry, 10)).toString()) + ', No reason given.]]');
done();
});
});
});
});
});
});
});
it('should lockout account on 3 failed login attempts', function (done) {
meta.config.loginAttempts = 3;
var uid;
async.waterfall([
function (next) {
user.create({ username: 'lockme', password: '123456' }, next);
},
function (_uid, next) {
uid = _uid;
loginUser('lockme', 'abcdef', next);
},
function (res, body, jar, next) {
loginUser('lockme', 'abcdef', next);
},
function (res, body, jar, next) {
loginUser('lockme', 'abcdef', next);
},
function (res, body, jar, next) {
loginUser('lockme', 'abcdef', next);
},
function (res, body, jar, next) {
meta.config.loginAttempts = 5;
assert.equal(res.statusCode, 403);
assert.equal(body, '[[error:account-locked]]');
loginUser('lockme', 'abcdef', next);
},
function (res, body, jar, next) {
assert.equal(res.statusCode, 403);
assert.equal(body, '[[error:account-locked]]');
db.exists('lockout:' + uid, next);
},
function (locked, next) {
assert(locked);
next();
},
], done);
});
});
Reference in New Issue View Git Blame Copy Permalink