diff options
Diffstat (limited to 'api4/user_test.go')
-rw-r--r-- | api4/user_test.go | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/api4/user_test.go b/api4/user_test.go index bf4612635..37f251c6d 100644 --- a/api4/user_test.go +++ b/api4/user_test.go @@ -6,8 +6,10 @@ package api4 import ( "net/http" "strconv" + "strings" "testing" + "github.com/mattermost/platform/app" "github.com/mattermost/platform/model" "github.com/mattermost/platform/utils" ) @@ -581,3 +583,91 @@ func TestUpdateUserPassword(t *testing.T) { _, resp = Client.Login(th.BasicUser.Email, adminSetPassword) CheckNoError(t, resp) } + +func TestResetPassword(t *testing.T) { + th := Setup().InitBasic() + Client := th.Client + + Client.Logout() + + user := th.BasicUser + + // Delete all the messages before check the reset password + utils.DeleteMailBox(user.Email) + + success, resp := Client.SendPasswordResetEmail(user.Email) + CheckNoError(t, resp) + if !success { + t.Fatal("should have succeeded") + } + + _, resp = Client.SendPasswordResetEmail("") + CheckBadRequestStatus(t, resp) + + // Should not leak whether the email is attached to an account or not + success, resp = Client.SendPasswordResetEmail("notreal@example.com") + CheckNoError(t, resp) + if !success { + t.Fatal("should have succeeded") + } + + var recovery *model.PasswordRecovery + if result := <-app.Srv.Store.PasswordRecovery().Get(user.Id); result.Err != nil { + t.Fatal(result.Err) + } else { + recovery = result.Data.(*model.PasswordRecovery) + } + + // Check if the email was send to the right email address and the recovery key match + if resultsMailbox, err := utils.GetMailBox(user.Email); err != nil && !strings.ContainsAny(resultsMailbox[0].To[0], user.Email) { + t.Fatal("Wrong To recipient") + } else { + if resultsEmail, err := utils.GetMessageFromMailbox(user.Email, resultsMailbox[0].ID); err == nil { + if !strings.Contains(resultsEmail.Body.Text, recovery.Code) { + t.Log(resultsEmail.Body.Text) + t.Log(recovery.Code) + t.Fatal("Received wrong recovery code") + } + } + } + + _, resp = Client.ResetPassword(recovery.Code, "") + CheckBadRequestStatus(t, resp) + + _, resp = Client.ResetPassword(recovery.Code, "newp") + CheckBadRequestStatus(t, resp) + + _, resp = Client.ResetPassword("", "newpwd") + CheckBadRequestStatus(t, resp) + + _, resp = Client.ResetPassword("junk", "newpwd") + CheckBadRequestStatus(t, resp) + + code := "" + for i := 0; i < model.PASSWORD_RECOVERY_CODE_SIZE; i++ { + code += "a" + } + + _, resp = Client.ResetPassword(code, "newpwd") + CheckBadRequestStatus(t, resp) + + success, resp = Client.ResetPassword(recovery.Code, "newpwd") + CheckNoError(t, resp) + if !success { + t.Fatal("should have succeeded") + } + + Client.Login(user.Email, "newpwd") + Client.Logout() + + _, resp = Client.ResetPassword(recovery.Code, "newpwd") + CheckBadRequestStatus(t, resp) + + authData := model.NewId() + if result := <-app.Srv.Store.User().UpdateAuthData(user.Id, "random", &authData, "", true); result.Err != nil { + t.Fatal(result.Err) + } + + _, resp = Client.SendPasswordResetEmail(user.Email) + CheckBadRequestStatus(t, resp) +} |