mirror of
https://github.com/HabitRPG/habitica.git
synced 2025-12-18 07:07:35 +01:00
Added password requirement
This commit is contained in:
Keith Holliday
@@ -9,15 +9,28 @@ import { find } from 'lodash';
|
|||||||
|
|
||||||
describe('DELETE /user', () => {
|
describe('DELETE /user', () => {
|
||||||
let user;
|
let user;
|
||||||
|
let password = 'password'; // from habitrpg/test/helpers/api-integration/v3/object-generators.js
|
||||||
|
|
||||||
beforeEach(async () => {
|
beforeEach(async () => {
|
||||||
user = await generateUser({balance: 10});
|
user = await generateUser({balance: 10});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('user has active subscription', async () => {
|
it('returns an errors if password is wrong', async () => {
|
||||||
|
await expect(user.del('/user', {
|
||||||
|
password: 'wrong-password',
|
||||||
|
})).to.eventually.be.rejected.and.eql({
|
||||||
|
code: 401,
|
||||||
|
error: 'NotAuthorized',
|
||||||
|
message: t('wrongPassword'),
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
it('returns an error if user has active subscription', async () => {
|
||||||
let userWithSubscription = await generateUser({'purchased.plan.customerId': 'fake-customer-id'});
|
let userWithSubscription = await generateUser({'purchased.plan.customerId': 'fake-customer-id'});
|
||||||
|
|
||||||
await expect(userWithSubscription.del('/user')).to.be.rejected.and.to.eventually.eql({
|
await expect(userWithSubscription.del('/user', {
|
||||||
|
password,
|
||||||
|
})).to.be.rejected.and.to.eventually.eql({
|
||||||
code: 401,
|
code: 401,
|
||||||
error: 'NotAuthorized',
|
error: 'NotAuthorized',
|
||||||
message: t('cannotDeleteActiveAccount'),
|
message: t('cannotDeleteActiveAccount'),
|
||||||
@@ -25,7 +38,9 @@ describe('DELETE /user', () => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
it('deletes the user', async () => {
|
it('deletes the user', async () => {
|
||||||
await user.del('/user');
|
await user.del('/user', {
|
||||||
|
password,
|
||||||
|
});
|
||||||
await expect(checkExistence('users', user._id)).to.eventually.eql(false);
|
await expect(checkExistence('users', user._id)).to.eventually.eql(false);
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -40,7 +55,9 @@ describe('DELETE /user', () => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
it('deletes party when user is the only member', async () => {
|
it('deletes party when user is the only member', async () => {
|
||||||
await user.del('/user');
|
await user.del('/user', {
|
||||||
|
password,
|
||||||
|
});
|
||||||
await expect(checkExistence('party', party._id)).to.eventually.eql(false);
|
await expect(checkExistence('party', party._id)).to.eventually.eql(false);
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
@@ -56,7 +73,9 @@ describe('DELETE /user', () => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
it('deletes guild when user is the only member', async () => {
|
it('deletes guild when user is the only member', async () => {
|
||||||
await user.del('/user');
|
await user.del('/user', {
|
||||||
|
password,
|
||||||
|
});
|
||||||
await expect(checkExistence('groups', privateGuild._id)).to.eventually.eql(false);
|
await expect(checkExistence('groups', privateGuild._id)).to.eventually.eql(false);
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
@@ -79,7 +98,9 @@ describe('DELETE /user', () => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
it('chooses new group leader for any group user was the leader of', async () => {
|
it('chooses new group leader for any group user was the leader of', async () => {
|
||||||
await oldLeader.del('/user');
|
await oldLeader.del('/user', {
|
||||||
|
password,
|
||||||
|
});
|
||||||
|
|
||||||
let updatedGuild = await newLeader.get(`/groups/${guild._id}`);
|
let updatedGuild = await newLeader.get(`/groups/${guild._id}`);
|
||||||
|
|
||||||
@@ -114,7 +135,9 @@ describe('DELETE /user', () => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
it('removes user from all groups user was a part of', async () => {
|
it('removes user from all groups user was a part of', async () => {
|
||||||
await userToDelete.del('/user');
|
await userToDelete.del('/user', {
|
||||||
|
password,
|
||||||
|
});
|
||||||
|
|
||||||
let updatedGroup1Members = await otherUser.get(`/groups/${group1._id}/members`);
|
let updatedGroup1Members = await otherUser.get(`/groups/${group1._id}/members`);
|
||||||
let updatedGroup2Members = await otherUser.get(`/groups/${group2._id}/members`);
|
let updatedGroup2Members = await otherUser.get(`/groups/${group2._id}/members`);
|
||||||
|
|||||||
@@ -50,7 +50,6 @@ describe('PUT /user/auth/update-username', async () => {
|
|||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|
||||||
it('prevents social-only user from changing username', async () => {
|
it('prevents social-only user from changing username', async () => {
|
||||||
let socialUser = await generateUser({ 'auth.local': { ok: true } });
|
let socialUser = await generateUser({ 'auth.local': { ok: true } });
|
||||||
|
|
||||||
|
|||||||
@@ -15,6 +15,7 @@ import { model as User } from '../../models/user';
|
|||||||
import Q from 'q';
|
import Q from 'q';
|
||||||
import _ from 'lodash';
|
import _ from 'lodash';
|
||||||
import * as firebase from '../../libs/api-v3/firebase';
|
import * as firebase from '../../libs/api-v3/firebase';
|
||||||
|
import * as passwordUtils from '../../libs/api-v3/password';
|
||||||
|
|
||||||
let api = {};
|
let api = {};
|
||||||
|
|
||||||
@@ -61,6 +62,18 @@ api.deleteUser = {
|
|||||||
let user = res.locals.user;
|
let user = res.locals.user;
|
||||||
let plan = user.purchased.plan;
|
let plan = user.purchased.plan;
|
||||||
|
|
||||||
|
req.checkBody({
|
||||||
|
password: {
|
||||||
|
notEmpty: {errorMessage: res.t('missingPassword')},
|
||||||
|
},
|
||||||
|
});
|
||||||
|
|
||||||
|
let validationErrors = req.validationErrors();
|
||||||
|
if (validationErrors) throw validationErrors;
|
||||||
|
|
||||||
|
let oldPassword = passwordUtils.encrypt(req.body.password, user.auth.local.salt);
|
||||||
|
if (oldPassword !== user.auth.local.hashed_password) throw new NotAuthorized(res.t('wrongPassword'));
|
||||||
|
|
||||||
if (plan && plan.customerId && !plan.dateTerminated) {
|
if (plan && plan.customerId && !plan.dateTerminated) {
|
||||||
throw new NotAuthorized(res.t('cannotDeleteActiveAccount'));
|
throw new NotAuthorized(res.t('cannotDeleteActiveAccount'));
|
||||||
}
|
}
|
||||||
@@ -68,9 +81,8 @@ api.deleteUser = {
|
|||||||
let types = ['party', 'publicGuilds', 'privateGuilds'];
|
let types = ['party', 'publicGuilds', 'privateGuilds'];
|
||||||
// @TODO: The group leave route doesn't work unless it has these fields. We should probably force the group to get these
|
// @TODO: The group leave route doesn't work unless it has these fields. We should probably force the group to get these
|
||||||
let groupFields = basicGroupFields.concat(' leader memberCount');
|
let groupFields = basicGroupFields.concat(' leader memberCount');
|
||||||
let populateLeader = true;
|
|
||||||
|
|
||||||
let groupsUserIsMemberOf = await Group.getGroups({user, types, groupFields, populateLeader});
|
let groupsUserIsMemberOf = await Group.getGroups({user, types, groupFields});
|
||||||
|
|
||||||
let groupLeavePromises = groupsUserIsMemberOf.map((group) => {
|
let groupLeavePromises = groupsUserIsMemberOf.map((group) => {
|
||||||
return group.leave(user, 'remove-all');
|
return group.leave(user, 'remove-all');
|
||||||
|
|||||||
Reference in New Issue
Block a user