feat(member): changing password endpoint

AEGEE · Mar 23, 2020 · d23ea10 · d23ea10
1 parent b3e0428
commit d23ea10
Show file tree

Hide file tree

Showing 5 changed files with 197 additions and 4 deletions.
diff --git a/lib/server.js b/lib/server.js
@@ -78,6 +78,7 @@ GeneralRouter.post('/campaigns', middlewares.ensureAuthorized, campaigns.createC
 MemberRouter.use(middlewares.maybeAuthorize, middlewares.ensureAuthorized, fetch.fetchUser);
 MemberRouter.get('/my_permissions', myPermissions.getMyPermissions);
 MemberRouter.put('/active', members.setUserActive);
+MemberRouter.put('/password', members.setUserPassword);
 MemberRouter.get('/', members.getUser);
 MemberRouter.put('/', members.updateUser);
 // MemberRouter.delete('/', members.deleteUser);

diff --git a/middlewares/members.js b/middlewares/members.js
@@ -54,6 +54,27 @@ exports.updateUser = async (req, res) => {
 //     });
 // };
 
+exports.setUserPassword = async (req, res) => {
+    if (!req.permissions.hasPermission('update:member') && req.user.id !== req.currentUser.id) {
+        return errors.makeForbiddenError(res, 'Permission update:member is required, but not present.');
+    }
+
+    const userWithPassword = await User.scope('withPassword').findByPk(req.currentUser.id);
+
+    if (!await userWithPassword.checkPassword(req.body.old_password)) {
+        return errors.makeForbiddenError(res, 'The old password is invalid.');
+    }
+
+    await userWithPassword.update({ password: req.body.password });
+
+    // TODO: add a mail that the password was changed.
+
+    return res.json({
+        success: true,
+        message: 'The password was changed.'
+    });
+};
+
 exports.setUserActive = async (req, res) => {
     if (!req.permissions.hasPermission('update_active:member')) {
         return errors.makeForbiddenError(res, 'Permission update_active:member is required, but not present.');

diff --git a/models/User.js b/models/User.js
@@ -135,11 +135,15 @@ User.beforeValidate(async (user) => {
     if (typeof user.about_me === 'string') user.about_me = user.about_me.trim();
 });
 
-User.afterValidate(async (user) => {
+async function encryptPassword(user) {
     if (user.changed('password')) {
-        user.password = await bcrypt.hash(user.password, config.salt_rounds);
+        user.setDataValue('password', await bcrypt.hash(user.password, config.salt_rounds));
     }
-});
+}
+
+User.beforeCreate(encryptPassword);
+User.beforeUpdate(encryptPassword);
+
 
 User.prototype.checkPassword = async function checkPassword(password) {
     return bcrypt.compare(password, this.password);

diff --git a/test/api/users-activation.test.js b/test/api/users-activation.test.js
@@ -19,7 +19,7 @@ describe('User activation', () => {
         const user = await generator.createUser({ superadmin: true });
         const token = await generator.createAccessToken({}, user);
 
-        await generator.createPermission({ scope: 'local', action: 'update_active', object: 'member' });
+        await generator.createPermission({ scope: 'global', action: 'update_active', object: 'member' });
 
         const res = await request({
             uri: '/members/1337/active',

diff --git a/test/api/users-password.test.js b/test/api/users-password.test.js
@@ -0,0 +1,167 @@
+const { startServer, stopServer } = require('../../lib/server.js');
+const { User } = require('../../models');
+const { request } = require('../scripts/helpers');
+const generator = require('../scripts/generator');
+
+
+describe('User activation', () => {
+    beforeAll(async () => {
+        await startServer();
+    });
+
+    afterAll(async () => {
+        await stopServer();
+    });
+
+    afterEach(async () => {
+        await generator.clearAll();
+    });
+
+    test('should return 404 if the user is not found', async () => {
+        const user = await generator.createUser({ password: 'testtest', superadmin: true });
+        const token = await generator.createAccessToken({}, user);
+
+        await generator.createPermission({ scope: 'global', action: 'update', object: 'member' });
+
+        const res = await request({
+            uri: '/members/1337/password',
+            method: 'PUT',
+            headers: { 'X-Auth-Token': token.value },
+            body: { old_password: 'testtest', password: 'testtest2' }
+        });
+
+        expect(res.statusCode).toEqual(404);
+        expect(res.body.success).toEqual(false);
+        expect(res.body).not.toHaveProperty('data');
+        expect(res.body).toHaveProperty('message');
+    });
+
+    test('should fail if old password is incorrect', async () => {
+        const user = await generator.createUser({ password: 'testtest', superadmin: true });
+        const token = await generator.createAccessToken({}, user);
+
+        await generator.createPermission({ scope: 'global', action: 'update', object: 'member' });
+
+        const res = await request({
+            uri: '/members/' + user.id + '/password',
+            method: 'PUT',
+            headers: { 'X-Auth-Token': token.value },
+            body: { old_password: 'not right', password: 'short' }
+        });
+
+        expect(res.statusCode).toEqual(403);
+        expect(res.body.success).toEqual(false);
+        expect(res.body).not.toHaveProperty('data');
+        expect(res.body).toHaveProperty('message');
+    });
+
+    test('should fail if there are validation errors', async () => {
+        const user = await generator.createUser({ password: 'testtest', superadmin: true });
+        const token = await generator.createAccessToken({}, user);
+
+        await generator.createPermission({ scope: 'global', action: 'update', object: 'member' });
+
+        const res = await request({
+            uri: '/members/' + user.id + '/password',
+            method: 'PUT',
+            headers: { 'X-Auth-Token': token.value },
+            body: { old_password: 'testtest', password: 'short' }
+        });
+
+        expect(res.statusCode).toEqual(422);
+        expect(res.body.success).toEqual(false);
+        expect(res.body).not.toHaveProperty('data');
+        expect(res.body).toHaveProperty('errors');
+        expect(res.body.errors).toHaveProperty('password');
+    });
+
+    test('should succeed if everything is okay', async () => {
+        const user = await generator.createUser({ password: 'testtest', superadmin: true });
+        const token = await generator.createAccessToken({}, user);
+
+        await generator.createPermission({ scope: 'local', action: 'update', object: 'member' });
+
+        const res = await request({
+            uri: '/members/' + user.id + '/password',
+            method: 'PUT',
+            headers: { 'X-Auth-Token': token.value },
+            body: { old_password: 'testtest', password: 'testtest2' }
+        });
+
+        expect(res.statusCode).toEqual(200);
+        expect(res.body.success).toEqual(true);
+        expect(res.body).not.toHaveProperty('errors');
+        expect(res.body).toHaveProperty('message');
+
+        const userFromDb = await User.scope('withPassword').findByPk(user.id);
+        expect(await userFromDb.checkPassword('testtest2')).toEqual(true);
+    });
+
+    test('should work for yourself without permission', async () => {
+        const user = await generator.createUser({ password: 'testtest', superadmin: true });
+        const token = await generator.createAccessToken({}, user);
+
+        const res = await request({
+            uri: '/members/' + user.id + '/password',
+            method: 'PUT',
+            headers: { 'X-Auth-Token': token.value },
+            body: { old_password: 'testtest', password: 'testtest2' }
+        });
+
+        expect(res.statusCode).toEqual(200);
+        expect(res.body.success).toEqual(true);
+        expect(res.body).not.toHaveProperty('errors');
+        expect(res.body).toHaveProperty('message');
+
+        const userFromDb = await User.scope('withPassword').findByPk(user.id);
+        expect(await userFromDb.checkPassword('testtest2')).toEqual(true);
+    });
+
+    test('should work with local permission', async () => {
+        const user = await generator.createUser();
+        const token = await generator.createAccessToken({}, user);
+
+        const otherUser = await generator.createUser({ password: 'testtest', superadmin: true });
+
+        const permission = await generator.createPermission({ scope: 'local', action: 'update', object: 'member' });
+        const body = await generator.createBody();
+        const circle = await generator.createCircle({ body_id: body.id });
+        await generator.createCircleMembership(circle, user);
+        await generator.createCirclePermission(circle, permission);
+        await generator.createBodyMembership(body, otherUser);
+
+        const res = await request({
+            uri: '/members/' + otherUser.id + '/password',
+            method: 'PUT',
+            headers: { 'X-Auth-Token': token.value },
+            body: { old_password: 'testtest', password: 'testtest2' }
+        });
+
+        expect(res.statusCode).toEqual(200);
+        expect(res.body.success).toEqual(true);
+        expect(res.body).not.toHaveProperty('errors');
+        expect(res.body).toHaveProperty('message');
+
+        const userFromDb = await User.scope('withPassword').findByPk(otherUser.id);
+        expect(await userFromDb.checkPassword('testtest2')).toEqual(true);
+    });
+
+    test('should fail for other person without permission', async () => {
+        const user = await generator.createUser();
+        const token = await generator.createAccessToken({}, user);
+
+        const otherUser = await generator.createUser({ password: 'testtest', superadmin: true });
+
+        const res = await request({
+            uri: '/members/' + otherUser.id + '/password',
+            method: 'PUT',
+            headers: { 'X-Auth-Token': token.value },
+            body: { old_password: 'testtest', password: 'testtest2' }
+        });
+
+        expect(res.statusCode).toEqual(403);
+        expect(res.body.success).toEqual(false);
+        expect(res.body).not.toHaveProperty('data');
+        expect(res.body).toHaveProperty('message');
+    });
+});