mirrors/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2025-05-13 22:54:42 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(auth): password change requires old password

Browse source 
By checking the "old" password of the user prior to a password change, the
password change function is more secured against abuse.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This commit is contained in:
Erik Michelson 2021-12-28 01:46:40 +01:00 committed by David Mehren
parent 20b0ded223
commit 277e2fb1ca
No known key found for this signature in database
GPG key ID: 185982BA4C42B7C3
4 changed files with 37 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

26
test/private-api/auth.e2e-spec.ts
View file

@ -112,6 +112,7 @@ describe('Auth', () => {
it('works', async () => {
// Change password
const changePasswordDto: UpdatePasswordDto = {
currentPassword: password,
newPassword: newPassword,
};
await request(testSetup.app.getHttpServer())
@ -133,6 +134,7 @@ describe('Auth', () => {
cookie = response.get('Set-Cookie')[0];
// Reset password
const changePasswordBackDto: UpdatePasswordDto = {
currentPassword: newPassword,
newPassword: password,
};
await request(testSetup.app.getHttpServer())
@ -146,6 +148,7 @@ describe('Auth', () => {
testSetup.configService.get('authConfig').local.enableLogin = false;
// Try to change password
const changePasswordDto: UpdatePasswordDto = {
currentPassword: password,
newPassword: newPassword,
};
await request(testSetup.app.getHttpServer())
@ -177,6 +180,29 @@ describe('Auth', () => {
.send(JSON.stringify(loginOldPasswordDto))
.expect(201);
});
it('fails, when old password is wrong', async () => {
// Try to change password
const changePasswordDto: UpdatePasswordDto = {
currentPassword: 'wrong',
newPassword: newPassword,
};
await request(testSetup.app.getHttpServer())
.put('/api/private/auth/local')
.set('Content-Type', 'application/json')
.set('Cookie', cookie)
.send(JSON.stringify(changePasswordDto))
.expect(401);
// old password still does work for login
const loginOldPasswordDto: LoginDto = {
password: password,
username: username,
};
await request(testSetup.app.getHttpServer())
.post('/api/private/auth/local/login')
.set('Content-Type', 'application/json')
.send(JSON.stringify(loginOldPasswordDto))
.expect(201);
});
});
describe('POST /auth/local/login', () => {