Add link share password authentication (#831)

Reviewed-on: https://kolaente.dev/vikunja/api/pulls/831 Co-authored-by: konrad <konrad@kola-entertainments.de> Co-committed-by: konrad <konrad@kola-entertainments.de>
2021-04-11 13:17:50 +00:00
parent 6a927c0703
commit b3c604fd2f
20 changed files with 471 additions and 40 deletions
--- a/pkg/integrations/integrations.go
+++ b/pkg/integrations/integrations.go
@ -114,8 +114,8 @@ func bootstrapTestRequest(t *testing.T, method string, payload string, queryPara
 	return
 }

-func newTestRequest(t *testing.T, method string, handler func(ctx echo.Context) error, payload string) (rec *httptest.ResponseRecorder, err error) {
-	c, rec := bootstrapTestRequest(t, method, payload, nil)
+func newTestRequest(t *testing.T, method string, handler func(ctx echo.Context) error, payload string, queryParams url.Values, urlParams map[string]string) (rec *httptest.ResponseRecorder, err error) {
+	rec, c := testRequestSetup(t, method, payload, queryParams, urlParams)
 	err = handler(c)
 	return
 }
--- a/pkg/integrations/link_sharing_auth_test.go
+++ b/pkg/integrations/link_sharing_auth_test.go
@ -0,0 +1,60 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2021 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public Licensee as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public Licensee for more details.
+//
+// You should have received a copy of the GNU Affero General Public Licensee
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package integrations
+
+import (
+	"net/http"
+	"testing"
+
+	"code.vikunja.io/api/pkg/models"
+	apiv1 "code.vikunja.io/api/pkg/routes/api/v1"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestLinkSharingAuth(t *testing.T) {
+	t.Run("Without Password", func(t *testing.T) {
+		rec, err := newTestRequest(t, http.MethodPost, apiv1.AuthenticateLinkShare, ``, nil, map[string]string{"share": "test"})
+		assert.NoError(t, err)
+		assert.Equal(t, http.StatusOK, rec.Code)
+		assert.Contains(t, rec.Body.String(), `"token":"`)
+		assert.Contains(t, rec.Body.String(), `"list_id":1`)
+	})
+	t.Run("Without Password, Password Provided", func(t *testing.T) {
+		rec, err := newTestRequest(t, http.MethodPost, apiv1.AuthenticateLinkShare, `{"password":"somethingsomething"}`, nil, map[string]string{"share": "test"})
+		assert.NoError(t, err)
+		assert.Equal(t, http.StatusOK, rec.Code)
+		assert.Contains(t, rec.Body.String(), `"token":"`)
+		assert.Contains(t, rec.Body.String(), `"list_id":1`)
+	})
+	t.Run("With Password, No Password Provided", func(t *testing.T) {
+		_, err := newTestRequest(t, http.MethodPost, apiv1.AuthenticateLinkShare, ``, nil, map[string]string{"share": "testWithPassword"})
+		assert.Error(t, err)
+		assertHandlerErrorCode(t, err, models.ErrCodeLinkSharePasswordRequired)
+	})
+	t.Run("With Password, Password Provided", func(t *testing.T) {
+		rec, err := newTestRequest(t, http.MethodPost, apiv1.AuthenticateLinkShare, `{"password":"1234"}`, nil, map[string]string{"share": "testWithPassword"})
+		assert.NoError(t, err)
+		assert.Equal(t, http.StatusOK, rec.Code)
+		assert.Contains(t, rec.Body.String(), `"token":"`)
+		assert.Contains(t, rec.Body.String(), `"list_id":1`)
+	})
+	t.Run("With Wrong Password", func(t *testing.T) {
+		_, err := newTestRequest(t, http.MethodPost, apiv1.AuthenticateLinkShare, `{"password":"someWrongPassword"}`, nil, map[string]string{"share": "testWithPassword"})
+		assert.Error(t, err)
+		assertHandlerErrorCode(t, err, models.ErrCodeLinkSharePasswordInvalid)
+	})
+}
--- a/pkg/integrations/login_test.go
+++ b/pkg/integrations/login_test.go
@ -30,12 +30,12 @@ func TestLogin(t *testing.T) {
 		rec, err := newTestRequest(t, http.MethodPost, apiv1.Login, `{
  "username": "user1",
  "password": "1234"
-}`)
+}`, nil, nil)
 		assert.NoError(t, err)
 		assert.Contains(t, rec.Body.String(), "token")
 	})
 	t.Run("Empty payload", func(t *testing.T) {
-		_, err := newTestRequest(t, http.MethodPost, apiv1.Login, `{}`)
+		_, err := newTestRequest(t, http.MethodPost, apiv1.Login, `{}`, nil, nil)
 		assert.Error(t, err)
 		assertHandlerErrorCode(t, err, user.ErrCodeNoUsernamePassword)
 	})
@ -43,7 +43,7 @@ func TestLogin(t *testing.T) {
 		_, err := newTestRequest(t, http.MethodPost, apiv1.Login, `{
  "username": "userWichDoesNotExist",
  "password": "1234"
-}`)
+}`, nil, nil)
 		assert.Error(t, err)
 		assertHandlerErrorCode(t, err, user.ErrCodeWrongUsernameOrPassword)
 	})
@ -51,7 +51,7 @@ func TestLogin(t *testing.T) {
 		_, err := newTestRequest(t, http.MethodPost, apiv1.Login, `{
  "username": "user1",
  "password": "wrong"
-}`)
+}`, nil, nil)
 		assert.Error(t, err)
 		assertHandlerErrorCode(t, err, user.ErrCodeWrongUsernameOrPassword)
 	})
@ -59,7 +59,7 @@ func TestLogin(t *testing.T) {
 		_, err := newTestRequest(t, http.MethodPost, apiv1.Login, `{
  "username": "user5",
  "password": "1234"
-}`)
+}`, nil, nil)
 		assert.Error(t, err)
 		assertHandlerErrorCode(t, err, user.ErrCodeEmailNotConfirmed)
 	})
--- a/pkg/integrations/register_test.go
+++ b/pkg/integrations/register_test.go
@ -31,12 +31,12 @@ func TestRegister(t *testing.T) {
  "username": "newUser",
  "password": "1234",
  "email": "email@example.com"
-}`)
+}`, nil, nil)
 		assert.NoError(t, err)
 		assert.Contains(t, rec.Body.String(), `"username":"newUser"`)
 	})
 	t.Run("Empty payload", func(t *testing.T) {
-		_, err := newTestRequest(t, http.MethodPost, apiv1.RegisterUser, `{}`)
+		_, err := newTestRequest(t, http.MethodPost, apiv1.RegisterUser, `{}`, nil, nil)
 		assert.Error(t, err)
 		assertHandlerErrorCode(t, err, user.ErrCodeNoUsernamePassword)
 	})
@ -45,7 +45,7 @@ func TestRegister(t *testing.T) {
  "username": "",
  "password": "1234",
  "email": "email@example.com"
-}`)
+}`, nil, nil)
 		assert.Error(t, err)
 		assertHandlerErrorCode(t, err, user.ErrCodeNoUsernamePassword)
 	})
@ -54,7 +54,7 @@ func TestRegister(t *testing.T) {
  "username": "newUser",
  "password": "",
  "email": "email@example.com"
-}`)
+}`, nil, nil)
 		assert.Error(t, err)
 		assertHandlerErrorCode(t, err, user.ErrCodeNoUsernamePassword)
 	})
@ -63,7 +63,7 @@ func TestRegister(t *testing.T) {
  "username": "newUser",
  "password": "1234",
  "email": ""
-}`)
+}`, nil, nil)
 		assert.Error(t, err)
 		assertHandlerErrorCode(t, err, user.ErrCodeNoUsernamePassword)
 	})
@ -72,7 +72,7 @@ func TestRegister(t *testing.T) {
  "username": "user1",
  "password": "1234",
  "email": "email@example.com"
-}`)
+}`, nil, nil)
 		assert.Error(t, err)
 		assertHandlerErrorCode(t, err, user.ErrorCodeUsernameExists)
 	})
@ -81,7 +81,7 @@ func TestRegister(t *testing.T) {
  "username": "newUser",
  "password": "1234",
  "email": "user1@example.com"
-}`)
+}`, nil, nil)
 		assert.Error(t, err)
 		assertHandlerErrorCode(t, err, user.ErrorCodeUserEmailExists)
 	})
--- a/pkg/integrations/user_confirm_email_test.go
+++ b/pkg/integrations/user_confirm_email_test.go
@ -28,23 +28,23 @@ import (

 func TestUserConfirmEmail(t *testing.T) {
 	t.Run("Normal test", func(t *testing.T) {
-		rec, err := newTestRequest(t, http.MethodPost, apiv1.UserConfirmEmail, `{"token": "tiepiQueed8ahc7zeeFe1eveiy4Ein8osooxegiephauph2Ael"}`)
+		rec, err := newTestRequest(t, http.MethodPost, apiv1.UserConfirmEmail, `{"token": "tiepiQueed8ahc7zeeFe1eveiy4Ein8osooxegiephauph2Ael"}`, nil, nil)
 		assert.NoError(t, err)
 		assert.Contains(t, rec.Body.String(), `The email was confirmed successfully.`)
 	})
 	t.Run("Empty payload", func(t *testing.T) {
-		_, err := newTestRequest(t, http.MethodPost, apiv1.UserConfirmEmail, `{}`)
+		_, err := newTestRequest(t, http.MethodPost, apiv1.UserConfirmEmail, `{}`, nil, nil)
 		assert.Error(t, err)
 		assert.Equal(t, http.StatusPreconditionFailed, err.(*echo.HTTPError).Code)
 		assertHandlerErrorCode(t, err, user.ErrCodeInvalidEmailConfirmToken)
 	})
 	t.Run("Empty token", func(t *testing.T) {
-		_, err := newTestRequest(t, http.MethodPost, apiv1.UserConfirmEmail, `{"token": ""}`)
+		_, err := newTestRequest(t, http.MethodPost, apiv1.UserConfirmEmail, `{"token": ""}`, nil, nil)
 		assert.Error(t, err)
 		assertHandlerErrorCode(t, err, user.ErrCodeInvalidEmailConfirmToken)
 	})
 	t.Run("Invalid token", func(t *testing.T) {
-		_, err := newTestRequest(t, http.MethodPost, apiv1.UserConfirmEmail, `{"token": "invalidToken"}`)
+		_, err := newTestRequest(t, http.MethodPost, apiv1.UserConfirmEmail, `{"token": "invalidToken"}`, nil, nil)
 		assert.Error(t, err)
 		assertHandlerErrorCode(t, err, user.ErrCodeInvalidEmailConfirmToken)
 	})
--- a/pkg/integrations/user_password_request_token_test.go
+++ b/pkg/integrations/user_password_request_token_test.go
@ -28,22 +28,22 @@ import (

 func TestUserRequestResetPasswordToken(t *testing.T) {
 	t.Run("Normal requesting a password reset token", func(t *testing.T) {
-		rec, err := newTestRequest(t, http.MethodPost, apiv1.UserRequestResetPasswordToken, `{"email": "user1@example.com"}`)
+		rec, err := newTestRequest(t, http.MethodPost, apiv1.UserRequestResetPasswordToken, `{"email": "user1@example.com"}`, nil, nil)
 		assert.NoError(t, err)
 		assert.Contains(t, rec.Body.String(), `Token was sent.`)
 	})
 	t.Run("Empty payload", func(t *testing.T) {
-		_, err := newTestRequest(t, http.MethodPost, apiv1.UserRequestResetPasswordToken, `{}`)
+		_, err := newTestRequest(t, http.MethodPost, apiv1.UserRequestResetPasswordToken, `{}`, nil, nil)
 		assert.Error(t, err)
 		assertHandlerErrorCode(t, err, user.ErrCodeNoUsernamePassword)
 	})
 	t.Run("Invalid email address", func(t *testing.T) {
-		_, err := newTestRequest(t, http.MethodPost, apiv1.UserRequestResetPasswordToken, `{"email": "user1example.com"}`)
+		_, err := newTestRequest(t, http.MethodPost, apiv1.UserRequestResetPasswordToken, `{"email": "user1example.com"}`, nil, nil)
 		assert.Error(t, err)
 		assert.Equal(t, http.StatusBadRequest, err.(*echo.HTTPError).Code)
 	})
 	t.Run("No user with that email address", func(t *testing.T) {
-		_, err := newTestRequest(t, http.MethodPost, apiv1.UserRequestResetPasswordToken, `{"email": "user1000@example.com"}`)
+		_, err := newTestRequest(t, http.MethodPost, apiv1.UserRequestResetPasswordToken, `{"email": "user1000@example.com"}`, nil, nil)
 		assert.Error(t, err)
 		assertHandlerErrorCode(t, err, user.ErrCodeUserDoesNotExist)
 	})
--- a/pkg/integrations/user_password_reset_test.go
+++ b/pkg/integrations/user_password_reset_test.go
@ -31,12 +31,12 @@ func TestUserPasswordReset(t *testing.T) {
 		rec, err := newTestRequest(t, http.MethodPost, apiv1.UserResetPassword, `{
 	"new_password": "1234",
 	"token": "passwordresettesttoken"
-}`)
+}`, nil, nil)
 		assert.NoError(t, err)
 		assert.Contains(t, rec.Body.String(), `The password was updated successfully.`)
 	})
 	t.Run("Empty payload", func(t *testing.T) {
-		_, err := newTestRequest(t, http.MethodPost, apiv1.UserResetPassword, `{}`)
+		_, err := newTestRequest(t, http.MethodPost, apiv1.UserResetPassword, `{}`, nil, nil)
 		assert.Error(t, err)
 		assert.Equal(t, http.StatusBadRequest, err.(*echo.HTTPError).Code)
 	})
@ -44,7 +44,7 @@ func TestUserPasswordReset(t *testing.T) {
 		_, err := newTestRequest(t, http.MethodPost, apiv1.UserResetPassword, `{
 	"new_password": "",
 	"token": "passwordresettesttoken"
-}`)
+}`, nil, nil)
 		assert.Error(t, err)
 		assertHandlerErrorCode(t, err, user.ErrCodeNoUsernamePassword)
 	})
@ -52,7 +52,7 @@ func TestUserPasswordReset(t *testing.T) {
 		_, err := newTestRequest(t, http.MethodPost, apiv1.UserResetPassword, `{
 	"new_password": "1234",
 	"token": "invalidtoken"
-}`)
+}`, nil, nil)
 		assert.Error(t, err)
 		assertHandlerErrorCode(t, err, user.ErrCodeInvalidPasswordResetToken)
 	})