budibase/packages/server/tests/authenticate.js

const statusCodes = require("../utilities/statusCodes");
const { readFile } = require("../utilities/fsawait");
const { timeout } = require("./helpers");

module.exports = (app) => {

    it("should return unauthorized if username is incorrect", async () => {
        await app.post("/_master/api/authenticate", {
            username: "unknownuser",
            password: app.masterAuth.password
        })
        .expect(statusCodes.UNAUTHORIZED); 
    })

    it("should return unauthorized if password is incorrect", async () => {
        await app.post("/_master/api/authenticate", {
            username: app.masterAuth.username,
            password: "incorrect_password"
        })
        .expect(statusCodes.UNAUTHORIZED); 
    })

    it("should not get cookie when unauthorized", async () => {
        const response = await app.post("/_master/api/authenticate", {
            username: app.masterAuth.username,
            password: "incorrect_password"
        });
        
        expect(response.header['set-cookie']).toBeUndefined();

    });

    it("should return ok correct username and password supplied", async () => {

        const response = await app.post("/_master/api/authenticate", {
            username: app.masterAuth.username,
            password: app.masterAuth.password
        })
        .expect(statusCodes.OK);

        app.masterAuth.cookie = response.header['set-cookie'];
    });

    const testUserName = "test_user";
    let testPassword = "test_user_password";
    it("should be able to create new user with authenticated cookie", async () => {
                
        await app.post("/_master/api/createUser", {
            user: {
                name: testUserName, 
                accessLevels:["owner"], 
                enabled:true
            
            },
            password: testPassword
        })
        .set("cookie", app.masterAuth.cookie)
        .expect(statusCodes.OK);

        
    });

    let newUserCookie;
    it("should be able to authenticate with new user", async () => {

        const responseNewUser = await app.post("/_master/api/authenticate", {
            username: testUserName,
            password: testPassword
        })
        .expect(statusCodes.OK);
        
        newUserCookie = responseNewUser.header['set-cookie'];

        expect(newUserCookie).toBeDefined();
        expect(newUserCookie).not.toEqual(app.masterAuth.cookie);

        app.get("/_master/api/users/")
        .set("cookie", newUserCookie)
        .expect(statusCodes.OK);
    });

    it("should not be able to perform requests when user is disabled", async () => {

        await app.post("/_master/api/disableUser", {
            username: testUserName
        })
        .set("cookie", app.masterAuth.cookie)
        .expect(statusCodes.OK);

        await app.get("/_master/api/users/")
            .set("cookie", newUserCookie)
            .expect(statusCodes.UNAUTHORIZED);

        await app.post("/_master/api/authenticate", {
            username: testUserName,
            password: testPassword
        })
        .expect(statusCodes.UNAUTHORIZED);

    });

    it("should not be able to re-authenticate when user is disabled", async () => {
        await app.post("/_master/api/authenticate", {
            username: testUserName,
            password: testPassword
        })
        .expect(statusCodes.UNAUTHORIZED);
    });

    it("should be able with re-authenticate when user is enabled again", async () => {

        await app.post("/_master/api/enableUser", {
            username: testUserName
        })
        .set("cookie", app.masterAuth.cookie)
        .expect(statusCodes.OK);

        await app.post("/_master/api/authenticate", {
            username: testUserName,
            password: testPassword
        })
        .expect(statusCodes.OK);
    });

    let testUserTempCode;
    it("should be able to reset password with temporary access", async () => {

        await app.post("/_master/api/createTemporaryAccess", {
            username: testUserName
        })
        .expect(statusCodes.OK);

        testPassword = "test_user_new_password";

        // the behaviour that creates the below file is async,
        /// to this timeout is giving it a change to work its magic        
        await timeout(10);

        const testUserTempCode = await readFile(`./tests/.data/tempaccess${testUserName}`, "utf8");
    
        await app.post("/_master/api/setPasswordFromTemporaryCode", {
            username: testUserName,
            tempCode:testUserTempCode,
            newPassword:testPassword
        })
        .expect(statusCodes.OK);

        await app.post("/_master/api/authenticate", {
            username: testUserName,
            password: testPassword
        })
        .expect(statusCodes.OK);

        

    });

    it("should not be able to set password with used temp code", async () => {
      
        await app.post("/_master/api/setPasswordFromTemporaryCode", {
            username: testUserName,
            tempCode:testUserTempCode,
            newPassword:"whatever"
        })
        .expect(statusCodes.OK);

        await app.post("/_master/api/authenticate", {
            username: testUserName,
            password: "whatever"
        })
        .expect(statusCodes.UNAUTHORIZED);

        await app.post("/_master/api/authenticate", {
            username: testUserName,
            password: testPassword
        })
        .expect(statusCodes.OK);

    });
};