fix(core): Make password-reset urls valid only for single-use (#7622)
This commit is contained in:
कारतोफ्फेलस्क्रिप्ट™
committed by
GitHub
GitHub
parent
b3470fd64d
commit
60314248f4
@@ -1,14 +1,14 @@
|
||||
import Container from 'typedi';
|
||||
import config from '@/config';
|
||||
import * as Db from '@/Db';
|
||||
import type { Role } from '@db/entities/Role';
|
||||
import type { User } from '@db/entities/User';
|
||||
import * as testDb from './../shared/testDb';
|
||||
import * as utils from '../shared/utils';
|
||||
import { randomPassword } from '@/Ldap/helpers';
|
||||
import { randomDigit, randomString, randomValidPassword, uniqueId } from '../shared/random';
|
||||
import { TOTPService } from '@/Mfa/totp.service';
|
||||
import Container from 'typedi';
|
||||
import { JwtService } from '@/services/jwt.service';
|
||||
import { UserService } from '@/services/user.service';
|
||||
import { randomDigit, randomString, randomValidPassword, uniqueId } from '../shared/random';
|
||||
import * as testDb from '../shared/testDb';
|
||||
import * as utils from '../shared/utils';
|
||||
|
||||
jest.mock('@/telemetry');
|
||||
|
||||
@@ -206,7 +206,7 @@ describe('Change password with MFA enabled', () => {
|
||||
});
|
||||
|
||||
test('POST /change-password should fail due to missing MFA token', async () => {
|
||||
const { user } = await testDb.createUserWithMfaEnabled();
|
||||
await testDb.createUserWithMfaEnabled();
|
||||
|
||||
const newPassword = randomValidPassword();
|
||||
|
||||
@@ -216,11 +216,11 @@ describe('Change password with MFA enabled', () => {
|
||||
.post('/change-password')
|
||||
.send({ password: newPassword, token: resetPasswordToken });
|
||||
|
||||
expect(response.statusCode).toBe(400);
|
||||
expect(response.statusCode).toBe(404);
|
||||
});
|
||||
|
||||
test('POST /change-password should fail due to invalid MFA token', async () => {
|
||||
const { user } = await testDb.createUserWithMfaEnabled();
|
||||
await testDb.createUserWithMfaEnabled();
|
||||
|
||||
const newPassword = randomValidPassword();
|
||||
|
||||
@@ -232,7 +232,7 @@ describe('Change password with MFA enabled', () => {
|
||||
mfaToken: randomDigit(),
|
||||
});
|
||||
|
||||
expect(response.statusCode).toBe(400);
|
||||
expect(response.statusCode).toBe(404);
|
||||
});
|
||||
|
||||
test('POST /change-password should update password', async () => {
|
||||
@@ -242,9 +242,7 @@ describe('Change password with MFA enabled', () => {
|
||||
|
||||
config.set('userManagement.jwtSecret', randomString(5, 10));
|
||||
|
||||
const jwtService = Container.get(JwtService);
|
||||
|
||||
const resetPasswordToken = jwtService.signData({ sub: user.id });
|
||||
const resetPasswordToken = Container.get(UserService).generatePasswordResetToken(user);
|
||||
|
||||
const mfaToken = new TOTPService().generateTOTP(rawSecret);
|
||||
|
||||
|
||||
@@ -1,8 +1,9 @@
|
||||
import { v4 as uuid } from 'uuid';
|
||||
import { compare } from 'bcryptjs';
|
||||
import { Container } from 'typedi';
|
||||
import { License } from '@/License';
|
||||
import { mock } from 'jest-mock-extended';
|
||||
|
||||
import { License } from '@/License';
|
||||
import * as Db from '@/Db';
|
||||
import config from '@/config';
|
||||
import type { Role } from '@db/entities/Role';
|
||||
@@ -10,6 +11,7 @@ import type { User } from '@db/entities/User';
|
||||
import { setCurrentAuthenticationMethod } from '@/sso/ssoHelpers';
|
||||
import { ExternalHooks } from '@/ExternalHooks';
|
||||
import { JwtService } from '@/services/jwt.service';
|
||||
import { UserService } from '@/services/user.service';
|
||||
import { UserManagementMailer } from '@/UserManagement/email';
|
||||
|
||||
import * as utils from './shared/utils/';
|
||||
@@ -33,6 +35,7 @@ const externalHooks = utils.mockInstance(ExternalHooks);
|
||||
const mailer = utils.mockInstance(UserManagementMailer, { isEmailSetUp: true });
|
||||
const testServer = utils.setupTestServer({ endpointGroups: ['passwordReset'] });
|
||||
const jwtService = Container.get(JwtService);
|
||||
let userService: UserService;
|
||||
|
||||
beforeAll(async () => {
|
||||
globalOwnerRole = await testDb.getGlobalOwnerRole();
|
||||
@@ -45,6 +48,7 @@ beforeEach(async () => {
|
||||
member = await testDb.createUser({ globalRole: globalMemberRole });
|
||||
externalHooks.run.mockReset();
|
||||
jest.replaceProperty(mailer, 'isEmailSetUp', true);
|
||||
userService = Container.get(UserService);
|
||||
});
|
||||
|
||||
describe('POST /forgot-password', () => {
|
||||
@@ -127,7 +131,7 @@ describe('POST /forgot-password', () => {
|
||||
|
||||
describe('GET /resolve-password-token', () => {
|
||||
test('should succeed with valid inputs', async () => {
|
||||
const resetPasswordToken = jwtService.signData({ sub: owner.id });
|
||||
const resetPasswordToken = userService.generatePasswordResetToken(owner);
|
||||
|
||||
const response = await testServer.authlessAgent
|
||||
.get('/resolve-password-token')
|
||||
@@ -137,17 +141,15 @@ describe('GET /resolve-password-token', () => {
|
||||
});
|
||||
|
||||
test('should fail with invalid inputs', async () => {
|
||||
const first = await testServer.authlessAgent
|
||||
await testServer.authlessAgent
|
||||
.get('/resolve-password-token')
|
||||
.query({ token: uuid() });
|
||||
.query({ token: uuid() })
|
||||
.expect(404);
|
||||
|
||||
const second = await testServer.authlessAgent
|
||||
await testServer.authlessAgent
|
||||
.get('/resolve-password-token')
|
||||
.query({ userId: owner.id });
|
||||
|
||||
for (const response of [first, second]) {
|
||||
expect(response.statusCode).toBe(400);
|
||||
}
|
||||
.query({ userId: owner.id })
|
||||
.expect(400);
|
||||
});
|
||||
|
||||
test('should fail if user is not found', async () => {
|
||||
@@ -161,7 +163,18 @@ describe('GET /resolve-password-token', () => {
|
||||
});
|
||||
|
||||
test('should fail if token is expired', async () => {
|
||||
const resetPasswordToken = jwtService.signData({ sub: owner.id }, { expiresIn: '-1h' });
|
||||
const resetPasswordToken = userService.generatePasswordResetToken(owner, '-1h');
|
||||
|
||||
const response = await testServer.authlessAgent
|
||||
.get('/resolve-password-token')
|
||||
.query({ userId: owner.id, token: resetPasswordToken });
|
||||
|
||||
expect(response.statusCode).toBe(404);
|
||||
});
|
||||
|
||||
test('should fail after password has changed', async () => {
|
||||
const updatedUser = mock<User>({ ...owner, password: 'another-password' });
|
||||
const resetPasswordToken = userService.generatePasswordResetToken(updatedUser);
|
||||
|
||||
const response = await testServer.authlessAgent
|
||||
.get('/resolve-password-token')
|
||||
@@ -175,7 +188,7 @@ describe('POST /change-password', () => {
|
||||
const passwordToStore = randomValidPassword();
|
||||
|
||||
test('should succeed with valid inputs', async () => {
|
||||
const resetPasswordToken = jwtService.signData({ sub: owner.id });
|
||||
const resetPasswordToken = userService.generatePasswordResetToken(owner);
|
||||
const response = await testServer.authlessAgent.post('/change-password').send({
|
||||
token: resetPasswordToken,
|
||||
userId: owner.id,
|
||||
@@ -202,7 +215,7 @@ describe('POST /change-password', () => {
|
||||
});
|
||||
|
||||
test('should fail with invalid inputs', async () => {
|
||||
const resetPasswordToken = jwtService.signData({ sub: owner.id });
|
||||
const resetPasswordToken = userService.generatePasswordResetToken(owner);
|
||||
|
||||
const invalidPayloads = [
|
||||
{ token: uuid() },
|
||||
@@ -236,7 +249,7 @@ describe('POST /change-password', () => {
|
||||
});
|
||||
|
||||
test('should fail when token has expired', async () => {
|
||||
const resetPasswordToken = jwtService.signData({ sub: owner.id }, { expiresIn: '-1h' });
|
||||
const resetPasswordToken = userService.generatePasswordResetToken(owner, '-1h');
|
||||
|
||||
const response = await testServer.authlessAgent.post('/change-password').send({
|
||||
token: resetPasswordToken,
|
||||
@@ -252,7 +265,7 @@ describe('POST /change-password', () => {
|
||||
test('owner should be able to reset its password when quota:users = 1', async () => {
|
||||
jest.spyOn(Container.get(License), 'getUsersLimit').mockReturnValueOnce(1);
|
||||
|
||||
const resetPasswordToken = jwtService.signData({ sub: owner.id });
|
||||
const resetPasswordToken = userService.generatePasswordResetToken(owner);
|
||||
const response = await testServer.authlessAgent.post('/change-password').send({
|
||||
token: resetPasswordToken,
|
||||
userId: owner.id,
|
||||
@@ -281,7 +294,7 @@ describe('POST /change-password', () => {
|
||||
test('member should not be able to reset its password when quota:users = 1', async () => {
|
||||
jest.spyOn(Container.get(License), 'getUsersLimit').mockReturnValueOnce(1);
|
||||
|
||||
const resetPasswordToken = jwtService.signData({ sub: member.id });
|
||||
const resetPasswordToken = userService.generatePasswordResetToken(member);
|
||||
const response = await testServer.authlessAgent.post('/change-password').send({
|
||||
token: resetPasswordToken,
|
||||
userId: member.id,
|
||||
|
||||
@@ -236,19 +236,7 @@ export const setupTestServer = ({
|
||||
registerController(app, config, Container.get(MeController));
|
||||
break;
|
||||
case 'passwordReset':
|
||||
registerController(
|
||||
app,
|
||||
config,
|
||||
new PasswordResetController(
|
||||
logger,
|
||||
externalHooks,
|
||||
internalHooks,
|
||||
mailer,
|
||||
userService,
|
||||
Container.get(JwtService),
|
||||
mfaService,
|
||||
),
|
||||
);
|
||||
registerController(app, config, Container.get(PasswordResetController));
|
||||
break;
|
||||
case 'owner':
|
||||
registerController(
|
||||
|
||||
73
packages/cli/test/unit/services/user.service.test.ts
Normal file
73
packages/cli/test/unit/services/user.service.test.ts
Normal file
@@ -0,0 +1,73 @@
|
||||
import Container from 'typedi';
|
||||
import jwt from 'jsonwebtoken';
|
||||
import { Logger } from '@/Logger';
|
||||
import config from '@/config';
|
||||
import { User } from '@db/entities/User';
|
||||
import { UserRepository } from '@db/repositories';
|
||||
import { UserService } from '@/services/user.service';
|
||||
import { mockInstance } from '../../integration/shared/utils';
|
||||
|
||||
describe('UserService', () => {
|
||||
config.set('userManagement.jwtSecret', 'random-secret');
|
||||
|
||||
mockInstance(Logger);
|
||||
const repository = mockInstance(UserRepository);
|
||||
const service = Container.get(UserService);
|
||||
const testUser = Object.assign(new User(), {
|
||||
id: '1234',
|
||||
password: 'passwordHash',
|
||||
mfaEnabled: false,
|
||||
});
|
||||
|
||||
beforeEach(() => {
|
||||
jest.resetAllMocks();
|
||||
});
|
||||
|
||||
describe('generatePasswordResetToken', () => {
|
||||
it('should generate valid password-reset tokens', () => {
|
||||
const token = service.generatePasswordResetToken(testUser);
|
||||
const decoded = jwt.decode(token) as jwt.JwtPayload;
|
||||
expect(decoded.sub).toEqual(testUser.id);
|
||||
expect(decoded.exp! - decoded.iat!).toEqual(1200); // Expires in 20 minutes
|
||||
expect(decoded.passwordSha).toEqual(
|
||||
'31513c5a9e3c5afe5c06d5675ace74e8bc3fadd9744ab5d89c311f2a62ccbd39',
|
||||
);
|
||||
});
|
||||
});
|
||||
|
||||
describe('resolvePasswordResetToken', () => {
|
||||
it('should not return a user if the token in invalid', async () => {
|
||||
const user = await service.resolvePasswordResetToken('invalid-token');
|
||||
expect(user).toBeUndefined();
|
||||
});
|
||||
|
||||
it('should not return a user if the token in expired', async () => {
|
||||
const token = service.generatePasswordResetToken(testUser, '-1h');
|
||||
const user = await service.resolvePasswordResetToken(token);
|
||||
expect(user).toBeUndefined();
|
||||
});
|
||||
|
||||
it('should not return a user if the user does not exist in the DB', async () => {
|
||||
repository.findOne.mockResolvedValueOnce(null);
|
||||
const token = service.generatePasswordResetToken(testUser);
|
||||
const user = await service.resolvePasswordResetToken(token);
|
||||
expect(user).toBeUndefined();
|
||||
});
|
||||
|
||||
it('should not return a user if the password sha does not match', async () => {
|
||||
const token = service.generatePasswordResetToken(testUser);
|
||||
const updatedUser = Object.create(testUser);
|
||||
updatedUser.password = 'something-else';
|
||||
repository.findOne.mockResolvedValueOnce(updatedUser);
|
||||
const user = await service.resolvePasswordResetToken(token);
|
||||
expect(user).toBeUndefined();
|
||||
});
|
||||
|
||||
it('should not return the user if all checks pass', async () => {
|
||||
const token = service.generatePasswordResetToken(testUser);
|
||||
repository.findOne.mockResolvedValueOnce(testUser);
|
||||
const user = await service.resolvePasswordResetToken(token);
|
||||
expect(user).toEqual(testUser);
|
||||
});
|
||||
});
|
||||
});
|
||||
Reference in New Issue
Block a user