User password change (#280)

* start passwordChangeHandler * add user scope * add user module / api path * add password change request * make comment clearer * add user to processor * required true * add processor call to handler * don't pass tc or channel * change password func + tests * add some first docs about password management * update swagger docs * add api tests * go fmt * test fixes
author: tobi <31960611+tsmethurst@users.noreply.github.com> 2021-10-14 14:26:04 +0200
committer: GitHub <noreply@github.com> 2021-10-14 14:26:04 +0200
commit: 107685e22e809123a31e6518249d14888767f0fe (patch)
tree: 3a46ca8a095f7ec1a0ee65845364b498099b6954 /internal/api/client/user/passwordchange_test.go
parent: go fmt (#278) (diff)
download: gotosocial-107685e22e809123a31e6518249d14888767f0fe.tar.xz
1 files changed, 157 insertions, 0 deletions
diff --git a/internal/api/client/user/passwordchange_test.go b/internal/api/client/user/passwordchange_test.go
new file mode 100644
index 000000000..bdbeb3e42
--- /dev/null
+++ b/internal/api/client/user/passwordchange_test.go
@@ -0,0 +1,157 @@
+/*
+   GoToSocial
+   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Affero General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package user_test
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/suite"
+	"github.com/superseriousbusiness/gotosocial/internal/api/client/user"
+	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+	"github.com/superseriousbusiness/gotosocial/internal/oauth"
+	"golang.org/x/crypto/bcrypt"
+)
+
+type PasswordChangeTestSuite struct {
+	UserStandardTestSuite
+}
+
+func (suite *PasswordChangeTestSuite) TestPasswordChangePOST() {
+	t := suite.testTokens["local_account_1"]
+	oauthToken := oauth.DBTokenToToken(t)
+
+	recorder := httptest.NewRecorder()
+	ctx, _ := gin.CreateTestContext(recorder)
+	ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplications["application_1"])
+	ctx.Set(oauth.SessionAuthorizedToken, oauthToken)
+	ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_1"])
+	ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts["local_account_1"])
+	ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", user.PasswordChangePath), nil)
+	ctx.Request.Form = url.Values{
+		"old_password": {"password"},
+		"new_password": {"peepeepoopoopassword"},
+	}
+	suite.userModule.PasswordChangePOSTHandler(ctx)
+
+	// check response
+	suite.EqualValues(http.StatusOK, recorder.Code)
+
+	dbUser := &gtsmodel.User{}
+	err := suite.db.GetByID(context.Background(), suite.testUsers["local_account_1"].ID, dbUser)
+	suite.NoError(err)
+
+	// new password should pass
+	err = bcrypt.CompareHashAndPassword([]byte(dbUser.EncryptedPassword), []byte("peepeepoopoopassword"))
+	suite.NoError(err)
+
+	// old password should fail
+	err = bcrypt.CompareHashAndPassword([]byte(dbUser.EncryptedPassword), []byte("password"))
+	suite.EqualError(err, "crypto/bcrypt: hashedPassword is not the hash of the given password")
+}
+
+func (suite *PasswordChangeTestSuite) TestPasswordMissingOldPassword() {
+	t := suite.testTokens["local_account_1"]
+	oauthToken := oauth.DBTokenToToken(t)
+
+	recorder := httptest.NewRecorder()
+	ctx, _ := gin.CreateTestContext(recorder)
+	ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplications["application_1"])
+	ctx.Set(oauth.SessionAuthorizedToken, oauthToken)
+	ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_1"])
+	ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts["local_account_1"])
+	ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", user.PasswordChangePath), nil)
+	ctx.Request.Form = url.Values{
+		"new_password": {"peepeepoopoopassword"},
+	}
+	suite.userModule.PasswordChangePOSTHandler(ctx)
+
+	// check response
+	suite.EqualValues(http.StatusBadRequest, recorder.Code)
+
+	result := recorder.Result()
+	defer result.Body.Close()
+	b, err := ioutil.ReadAll(result.Body)
+	suite.NoError(err)
+	suite.Equal(`{"error":"missing one or more required form values"}`, string(b))
+}
+
+func (suite *PasswordChangeTestSuite) TestPasswordIncorrectOldPassword() {
+	t := suite.testTokens["local_account_1"]
+	oauthToken := oauth.DBTokenToToken(t)
+
+	recorder := httptest.NewRecorder()
+	ctx, _ := gin.CreateTestContext(recorder)
+	ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplications["application_1"])
+	ctx.Set(oauth.SessionAuthorizedToken, oauthToken)
+	ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_1"])
+	ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts["local_account_1"])
+	ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", user.PasswordChangePath), nil)
+	ctx.Request.Form = url.Values{
+		"old_password": {"notright"},
+		"new_password": {"peepeepoopoopassword"},
+	}
+	suite.userModule.PasswordChangePOSTHandler(ctx)
+
+	// check response
+	suite.EqualValues(http.StatusBadRequest, recorder.Code)
+
+	result := recorder.Result()
+	defer result.Body.Close()
+	b, err := ioutil.ReadAll(result.Body)
+	suite.NoError(err)
+	suite.Equal(`{"error":"bad request: old password did not match"}`, string(b))
+}
+
+func (suite *PasswordChangeTestSuite) TestPasswordWeakNewPassword() {
+	t := suite.testTokens["local_account_1"]
+	oauthToken := oauth.DBTokenToToken(t)
+
+	recorder := httptest.NewRecorder()
+	ctx, _ := gin.CreateTestContext(recorder)
+	ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplications["application_1"])
+	ctx.Set(oauth.SessionAuthorizedToken, oauthToken)
+	ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_1"])
+	ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts["local_account_1"])
+	ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", user.PasswordChangePath), nil)
+	ctx.Request.Form = url.Values{
+		"old_password": {"password"},
+		"new_password": {"peepeepoopoo"},
+	}
+	suite.userModule.PasswordChangePOSTHandler(ctx)
+
+	// check response
+	suite.EqualValues(http.StatusBadRequest, recorder.Code)
+
+	result := recorder.Result()
+	defer result.Body.Close()
+	b, err := ioutil.ReadAll(result.Body)
+	suite.NoError(err)
+	suite.Equal(`{"error":"bad request: insecure password, try including more special characters, using uppercase letters, using numbers or using a longer password"}`, string(b))
+}
+
+func TestPasswordChangeTestSuite(t *testing.T) {
+	suite.Run(t, &PasswordChangeTestSuite{})
+}
author	tobi <31960611+tsmethurst@users.noreply.github.com>	2021-10-14 14:26:04 +0200
committer	GitHub <noreply@github.com>	2021-10-14 14:26:04 +0200
commit	107685e22e809123a31e6518249d14888767f0fe (patch)
tree	3a46ca8a095f7ec1a0ee65845364b498099b6954 /internal/api/client/user/passwordchange_test.go
parent	go fmt (#278) (diff)
download	gotosocial-107685e22e809123a31e6518249d14888767f0fe.tar.xz