

import TestApp from "../src/TestApp";
import useApp from "./_app";
import Controller from "../src/Controller";
import supertest from "supertest";
import CsrfProtectionComponent from "../src/components/CsrfProtectionComponent";
import MysqlConnectionManager from "../src/db/MysqlConnectionManager";
import config from "config";
import User from "../src/auth/models/User";
import UserNameComponent from "../src/auth/models/UserNameComponent";
import UserPasswordComponent from "../src/auth/password/UserPasswordComponent";
import {popEmail} from "./_mail_server";
import AuthComponent from "../src/auth/AuthComponent";
// Application under test; assigned by the useApp() factory callback below.
let app: TestApp;
// Build a fresh app per run on a clean database: the configured MySQL database
// is dropped first so every suite starts from an empty state.
useApp(async (addr, port) => {
await MysqlConnectionManager.prepare();
// NOTE(review): the database name from config is concatenated into the DDL
// statement rather than bound; acceptable for a trusted test config, but this
// callback is destructive and must only ever point at a dedicated test database.
await MysqlConnectionManager.query('DROP DATABASE IF EXISTS ' + config.get<string>('mysql.database'));
await MysqlConnectionManager.endPool();
return app = new class extends TestApp {
protected async init(): Promise<void> {
// Minimal controller exposing the routes the suites below drive.
this.use(new class extends Controller {
public routes(): void {
// Landing page; the handler body is empty as shown here.
this.get('/', (req, res) => {
}, 'home');
// Handler body not visible in this copy; the suites below read the CSRF
// token for a session from res.text of GET /csrf.
this.get('/csrf', (req, res) => {
}, 'csrf');
// Probe used by the suites to assert session state: 200 when the auth guard
// yields at least one proof for the request, 401 otherwise.
this.get('/is-auth', async (req, res) => {
const proofs = await this.getApp().as(AuthComponent).getAuthGuard().getProofs(req);
if (proofs.length > 0) res.sendStatus(200);
else res.sendStatus(401);
}, 'is-auth');
// NOTE(review): the closing braces of routes() and this.use() do not appear in this copy.
await super.init();
}(addr, port);
/**
 * Completes a magic-link flow for the shared agent: pops the last captured mail,
 * extracts the query string of the `/magic/link?...` URL from its text body,
 * requests that link, then requests `/magic/lobby` with the caller's session
 * cookies and expects a redirect to `/`.
 *
 * @param cookies Set-Cookie values of the session that initiated the flow.
 * @throws TypeError when no mail was captured (popEmail() returned null) or the
 *         text body contains no `/magic/link?` URL — either fails the test.
 */
async function followMagicLinkFromMail(cookies: string[]): Promise<void> {
const mail: Record<string, unknown> | null = await popEmail();
// Everything after '/magic/link?' up to the end of that line is the link's query string.
const query = (mail?.text as string).split('/magic/link?')[1].split('\n')[0];
// NOTE(review): this request chain has no terminating semicolon in this copy, so
// continuation lines may be missing. As shown, the link is opened without the
// session cookies and the lobby visit below is what binds the proof to the
// caller's session — confirm against the source file.
await agent.get('/magic/link?' + query)
await agent.get('/magic/lobby')
.set('Cookie', cookies)
.expect('Location', '/');
/**
 * Asserts that an authenticated session can be terminated: expects `/is-auth`
 * to answer 200 with the given cookies, posts the logout form with the
 * session's CSRF token, then expects `/is-auth` to answer 401 with the same
 * cookies.
 *
 * @param cookies Set-Cookie values of an authenticated session.
 * @param csrf    CSRF token bound to that session (callers read it from GET /csrf).
 */
async function testLogout(cookies: string[], csrf: string): Promise<void> {
// Authenticated
await agent.get('/is-auth').set('Cookie', cookies).expect(200);
// Logout is a state-changing POST, so it carries the session's CSRF token.
// (No response assertion is visible on this request in this copy.)
await agent.post('/auth/logout')
.set('Cookie', cookies)
.send({csrf: csrf})
// Not authenticated: the same cookies no longer yield any auth proof.
await agent.get('/is-auth').set('Cookie', cookies).expect(401);
// Shared supertest client bound to the app's express instance; created once the
// app built by useApp() above is available. The helpers above reference it at
// call time, so declaring it after them is fine.
let agent: supertest.SuperTest<supertest.Test>;
beforeAll(() => {
agent = supertest(app.getExpressApp());
// Username/password registration via POST /auth/register. The session cookies
// and CSRF token fetched in 'General case' are reused by the second test.
describe('Register with username and password (password)', () => {
let cookies: string[];
let csrf: string;
test('General case', async () => {
const res = await agent.get('/csrf').expect(200);
cookies = res.get('Set-Cookie');
csrf = res.text;
// Register user
// NOTE(review): the `.send({ ... })` wrapper around the form fields does not
// appear in this copy; the field lines below are the request body.
await agent.post('/auth/register')
.set('Cookie', cookies)
csrf: csrf,
auth_method: 'password',
identifier: 'entrapta',
password: 'darla_is_cute',
password_confirmation: 'darla_is_cute',
terms: 'on',
.expect('Location', '/');
// Verify saved user
const user = await User.select()
.where('name', 'entrapta')
// The stored credential must verify against the submitted password.
await expect(user?.as(UserPasswordComponent).verifyPassword('darla_is_cute')).resolves.toStrictEqual(true);
// Reuses the session from 'General case', which is now logged in.
test('Can\'t register when logged in', async () => {
await agent.post('/auth/register')
.set('Cookie', cookies)
csrf: csrf,
auth_method: 'password',
identifier: 'entrapta2',
password: 'darla_is_cute',
password_confirmation: 'darla_is_cute',
terms: 'on',
// An already-authenticated session is redirected (here to /csrf) instead of
// registering a second account.
.expect('Location', '/csrf');
// Presumably asserted to be absent; the assertion is not visible in this copy.
const user2 = await User.select()
.where('name', 'entrapta2')
test('Cannot register taken username', async () => {
// Check that there is no hordak in DB
expect(await User.select()
.where('name', 'hordak')
// Fresh session for the first registration.
const res1 = await agent.get('/csrf').expect(200);
// Register user
await agent.post('/auth/register')
.set('Cookie', res1.get('Set-Cookie'))
csrf: res1.text,
auth_method: 'password',
identifier: 'hordak',
password: 'horde_prime_will_rise',
password_confirmation: 'horde_prime_will_rise',
terms: 'on',
.expect('Location', '/');
// Verify saved user
expect(await User.select()
.where('name', 'hordak')
// Second, unauthenticated session attempts the same username with a different password.
const res2 = await agent.get('/csrf').expect(200);
// Attempt register same user
const res = await agent.post('/auth/register')
.set('Cookie', res2.get('Set-Cookie'))
csrf: res2.text,
auth_method: 'password',
identifier: 'hordak',
password: 'horde_prime_will_rise_unless',
password_confirmation: 'horde_prime_will_rise_unless',
terms: 'on',
// username field should be translated from identifier
// Verify nothing changed: the existing account must not be overwritten by the
// duplicate attempt.
expect(await User.select()
.where('name', 'hordak')
// Email (magic-link) registration: POST /auth/register redirects to the lobby,
// the test mail server captures the mail carrying the link, and
// followMagicLinkFromMail() completes the flow for the session.
describe('Register with email (magic_link)', () => {
test('General case', async () => {
const res = await agent.get('/csrf').expect(200);
const cookies = res.get('Set-Cookie');
const csrf = res.text;
// NOTE(review): the `.send({ ... })` wrapper around the form fields does not
// appear in this copy; the field lines are the request body.
await agent.post('/auth/register')
.set('Cookie', cookies)
csrf: csrf,
auth_method: 'magic_link',
identifier: 'glimmer@example.org',
name: 'glimmer',
// redirect_uri is the URL-encoded page the session came from (GET /csrf).
.expect('Location', '/magic/lobby?redirect_uri=%2Fcsrf');
await followMagicLinkFromMail(cookies);
// Verify saved user
const user = await User.select()
.where('name', 'glimmer')
// The assertion on `email` is not visible in this copy.
const email = user?.mainEmail.getOrFail();
// A magic-link account has no password: an empty password must not verify.
await expect(user?.as(UserPasswordComponent).verifyPassword('')).resolves.toStrictEqual(false);
test('Cannot register without specifying username', async () => {
let res = await agent.get('/csrf').expect(200);
const cookies = res.get('Set-Cookie');
const csrf = res.text;
// No `name` field is sent; the response assertion is not visible in this copy.
res = await agent.post('/auth/register')
.set('Cookie', cookies)
csrf: csrf,
auth_method: 'magic_link',
identifier: 'no_user_name@example.org',
// The request is rejected before any mail is sent: no magic link reaches the mailbox.
expect(await popEmail()).toBeNull();
test('Cannot register taken username', async () => {
const res = await agent.get('/csrf').expect(200);
const cookies = res.get('Set-Cookie');
const csrf = res.text;
await agent.post('/auth/register')
.set('Cookie', cookies)
csrf: csrf,
auth_method: 'magic_link',
identifier: 'angella@example.org',
name: 'angella',
.expect('Location', '/magic/lobby?redirect_uri=%2Fcsrf');
await followMagicLinkFromMail(cookies);
// Verify saved user
// NOTE(review): this looks up 'glimmer', not the 'angella' user just registered —
// likely a copy-paste slip from 'General case'; the check should target 'angella'.
const user = await User.select()
.where('name', 'glimmer')
// Attempt register with another mail but same username
const res2 = await agent.get('/csrf').expect(200);
await agent.post('/auth/register')
.set('Cookie', res2.get('Set-Cookie'))
csrf: res2.text,
auth_method: 'magic_link',
identifier: 'angella_something_else@example.org',
name: 'angella',
// The duplicate-username attempt must not trigger a magic-link mail.
expect(await popEmail()).toBeNull();
test('Cannot register taken email', async () => {
const res = await agent.get('/csrf').expect(200);
const cookies = res.get('Set-Cookie');
const csrf = res.text;
await agent.post('/auth/register')
.set('Cookie', cookies)
csrf: csrf,
auth_method: 'magic_link',
identifier: 'bow@example.org',
name: 'bow',
.expect('Location', '/magic/lobby?redirect_uri=%2Fcsrf');
await followMagicLinkFromMail(cookies);
// Verify saved user
// NOTE(review): same copy-paste slip as above — queries 'glimmer' instead of 'bow'.
const user = await User.select()
.where('name', 'glimmer')
// Attempt register with the same email but a different username
const res2 = await agent.get('/csrf').expect(200);
await agent.post('/auth/register')
.set('Cookie', res2.get('Set-Cookie'))
csrf: res2.text,
auth_method: 'magic_link',
identifier: 'bow@example.org',
name: 'bow2',
// The duplicate-email attempt must not trigger a magic-link mail to the existing address.
expect(await popEmail()).toBeNull();
// Password login via POST /auth/login, both with an explicit auth_method and
// without one. Accounts come from the registration suites above.
describe('Authenticate with username and password (password)', () => {
test('Force auth_method', async () => {
let res = await agent.get('/csrf').expect(200);
const cookies = res.get('Set-Cookie');
const csrf = res.text;
// Not authenticated
await agent.get('/is-auth').set('Cookie', cookies).expect(401);
// Bad password (the response assertion is not visible in this copy)
res = await agent.post('/auth/login')
.set('Cookie', cookies)
csrf: csrf,
identifier: 'entrapta',
password: 'darla_is_not_cute',
auth_method: 'password',
// Authenticate with the password set in the registration suite
await agent.post('/auth/login')
.set('Cookie', cookies)
csrf: csrf,
identifier: 'entrapta',
password: 'darla_is_cute',
auth_method: 'password',
.expect('Location', '/');
await testLogout(cookies, csrf);
// Same flow without auth_method; only the outcome is asserted, so how the
// server chooses the method is not visible here.
test('Automatic auth_method', async () => {
let res = await agent.get('/csrf').expect(200);
const cookies = res.get('Set-Cookie');
const csrf = res.text;
// Not authenticated
await agent.get('/is-auth').set('Cookie', cookies).expect(401);
// Bad password
res = await agent.post('/auth/login')
.set('Cookie', cookies)
csrf: csrf,
identifier: 'entrapta',
password: 'darla_is_not_cute',
// Authenticate
await agent.post('/auth/login')
.set('Cookie', cookies)
csrf: csrf,
identifier: 'entrapta',
password: 'darla_is_cute',
.expect('Location', '/');
await testLogout(cookies, csrf);
test('Non-existing username', async () => {
let res = await agent.get('/csrf').expect(200);
const cookies = res.get('Set-Cookie');
const csrf = res.text;
// Not authenticated
await agent.get('/is-auth').set('Cookie', cookies).expect(401);
// Authenticate
res = await agent.post('/auth/login')
.set('Cookie', cookies)
csrf: csrf,
identifier: 'i_do_not_exist',
password: 'there_is_no_point',
auth_method: 'password',
// Authenticate (automatic method)
// NOTE(review): this request still sends auth_method: 'password', so it repeats
// the forced case rather than exercising the automatic method the comment
// describes (compare 'Automatic auth_method' above, which omits the field).
res = await agent.post('/auth/login')
.set('Cookie', cookies)
csrf: csrf,
identifier: 'i_do_not_exist',
password: 'there_is_no_point',
auth_method: 'password',
// 'glimmer' and 'angella' were registered via magic link and hold no password
// (see the registration suite); a password login must not succeed for them,
// in particular not with an empty or missing password.
test('No password user', async () => {
let res = await agent.get('/csrf').expect(200);
const cookies = res.get('Set-Cookie');
const csrf = res.text;
// Not authenticated
await agent.get('/is-auth').set('Cookie', cookies).expect(401);
// Authenticate
res = await agent.post('/auth/login')
.set('Cookie', cookies)
csrf: csrf,
identifier: 'glimmer',
password: '',
auth_method: 'password',
// Authenticate (automatic method)
res = await agent.post('/auth/login')
.set('Cookie', cookies)
csrf: csrf,
identifier: 'glimmer',
password: '',
// Authenticate without password
res = await agent.post('/auth/login')
.set('Cookie', cookies)
csrf: csrf,
identifier: 'angella',
auth_method: 'password',
// Authenticate without password (automatic method)
res = await agent.post('/auth/login')
.set('Cookie', cookies)
csrf: csrf,
identifier: 'angella',
// Magic-link login via POST /auth/login: the session is redirected to the
// lobby and authenticated by following the mailed link.
describe('Authenticate with email (magic_link)', () => {
test('Force auth_method', async () => {
const res = await agent.get('/csrf').expect(200);
const cookies = res.get('Set-Cookie');
const csrf = res.text;
// Not authenticated
await agent.get('/is-auth').set('Cookie', cookies).expect(401);
// Authenticate: redirect to the lobby, then complete the flow via the mailed link
await agent.post('/auth/login')
.set('Cookie', cookies)
csrf: csrf,
identifier: 'glimmer@example.org',
auth_method: 'magic_link',
.expect('Location', '/magic/lobby?redirect_uri=%2Fcsrf');
await followMagicLinkFromMail(cookies);
await testLogout(cookies, csrf);
// Same flow without auth_method; only the outcome is asserted.
test('Automatic auth_method', async () => {
const res = await agent.get('/csrf').expect(200);
const cookies = res.get('Set-Cookie');
const csrf = res.text;
// Not authenticated
await agent.get('/is-auth').set('Cookie', cookies).expect(401);
// Authenticate
await agent.post('/auth/login')
.set('Cookie', cookies)
csrf: csrf,
identifier: 'angella@example.org',
.expect('Location', '/magic/lobby?redirect_uri=%2Fcsrf');
await followMagicLinkFromMail(cookies);
await testLogout(cookies, csrf);
test('Non-existing email (forced auth_method)', async () => {
let res = await agent.get('/csrf').expect(200);
const cookies = res.get('Set-Cookie');
const csrf = res.text;
// Not authenticated
await agent.get('/is-auth').set('Cookie', cookies).expect(401);
// Authenticate (the response assertion is not visible in this copy)
res = await agent.post('/auth/login')
.set('Cookie', cookies)
csrf: csrf,
identifier: 'i_do_not_exist@invalid.org',
auth_method: 'magic_link',
// Unknown address: the session must stay unauthenticated. Note this test does
// not assert that no mail was sent, unlike the registration suite's popEmail()
// checks; adding `expect(await popEmail()).toBeNull();` here would pin that.
await agent.get('/is-auth').set('Cookie', cookies).expect(401);
test('Non-existing email (automatic auth_method)', async () => {
let res = await agent.get('/csrf').expect(200);
const cookies = res.get('Set-Cookie');
const csrf = res.text;
// Not authenticated
await agent.get('/is-auth').set('Cookie', cookies).expect(401);
// Authenticate
res = await agent.post('/auth/login')
.set('Cookie', cookies)
csrf: csrf,
identifier: 'i_do_not_exist@invalid.org',
// Same remark as the forced variant: no popEmail() check here.
await agent.get('/is-auth').set('Cookie', cookies).expect(401);
describe('Authenticate with email and password (password)', () => {
// Creates an account via magic link, then gives it a password directly through
// the model so the following tests can log in with email + password.
test('Prepare user', async () => {
const res = await agent.get('/csrf').expect(200);
const cookies = res.get('Set-Cookie');
const csrf = res.text;
// NOTE(review): the `.send({ ... })` wrapper around the form fields does not
// appear in this copy; the field lines are the request body.
await agent.post('/auth/register')
.set('Cookie', cookies)
csrf: csrf,
auth_method: 'magic_link',
identifier: 'double-trouble@example.org',
name: 'double-trouble',
.expect('Location', '/magic/lobby?redirect_uri=%2Fcsrf');
await followMagicLinkFromMail(cookies);
// Verify saved user
const user = await User.select()
.where('name', 'double-trouble')
// The password is set on the model, bypassing the HTTP layer, and persisted.
await user?.as(UserPasswordComponent).setPassword('trick-or-treat');
await user?.save();
// The assertion on `email` is not visible in this copy.
const email = user?.mainEmail.getOrFail();
await expect(user?.as(UserPasswordComponent).verifyPassword('trick-or-treat')).resolves.toStrictEqual(true);
// Password login where the identifier is the account's email rather than its name.
test('Force auth_method', async () => {
let res = await agent.get('/csrf').expect(200);
const cookies = res.get('Set-Cookie');
const csrf = res.text;
// Not authenticated
await agent.get('/is-auth').set('Cookie', cookies).expect(401);
// Bad password (the response assertion is not visible in this copy)
res = await agent.post('/auth/login')
.set('Cookie', cookies)
csrf: csrf,
identifier: 'double-trouble@example.org',
password: 'i_have_no_imagination',
auth_method: 'password',
// Authenticate with the password set in 'Prepare user'
await agent.post('/auth/login')
.set('Cookie', cookies)
csrf: csrf,
identifier: 'double-trouble@example.org',
password: 'trick-or-treat',
auth_method: 'password',
.expect('Location', '/');
await testLogout(cookies, csrf);
// Same as 'Force auth_method' but without auth_method: an email identifier with
// a password present must still be treated as a password login, not a magic link.
test('Automatic auth_method', async () => {
let res = await agent.get('/csrf').expect(200);
const cookies = res.get('Set-Cookie');
const csrf = res.text;
// Not authenticated
await agent.get('/is-auth').set('Cookie', cookies).expect(401);
// Bad password (the response assertion is not visible in this copy)
res = await agent.post('/auth/login')
.set('Cookie', cookies)
csrf: csrf,
identifier: 'double-trouble@example.org',
password: 'i_have_no_imagination',
// Authenticate: expected to land on '/' directly, not on the magic-link lobby
await agent.post('/auth/login')
.set('Cookie', cookies)
csrf: csrf,
identifier: 'double-trouble@example.org',
password: 'trick-or-treat',
.expect('Location', '/');
await testLogout(cookies, csrf);