mirror of
https://github.com/HabitRPG/habitica.git
synced 2025-12-18 07:07:35 +01:00
Added password requirement
This commit is contained in:
Keith Holliday
@@ -9,15 +9,28 @@ import { find } from 'lodash';
|
||||
|
||||
describe('DELETE /user', () => {
|
||||
let user;
|
||||
let password = 'password'; // from habitrpg/test/helpers/api-integration/v3/object-generators.js
|
||||
|
||||
beforeEach(async () => {
|
||||
user = await generateUser({balance: 10});
|
||||
});
|
||||
|
||||
it('user has active subscription', async () => {
|
||||
it('returns an errors if password is wrong', async () => {
|
||||
await expect(user.del('/user', {
|
||||
password: 'wrong-password',
|
||||
})).to.eventually.be.rejected.and.eql({
|
||||
code: 401,
|
||||
error: 'NotAuthorized',
|
||||
message: t('wrongPassword'),
|
||||
});
|
||||
});
|
||||
|
||||
it('returns an error if user has active subscription', async () => {
|
||||
let userWithSubscription = await generateUser({'purchased.plan.customerId': 'fake-customer-id'});
|
||||
|
||||
await expect(userWithSubscription.del('/user')).to.be.rejected.and.to.eventually.eql({
|
||||
await expect(userWithSubscription.del('/user', {
|
||||
password,
|
||||
})).to.be.rejected.and.to.eventually.eql({
|
||||
code: 401,
|
||||
error: 'NotAuthorized',
|
||||
message: t('cannotDeleteActiveAccount'),
|
||||
@@ -25,7 +38,9 @@ describe('DELETE /user', () => {
|
||||
});
|
||||
|
||||
it('deletes the user', async () => {
|
||||
await user.del('/user');
|
||||
await user.del('/user', {
|
||||
password,
|
||||
});
|
||||
await expect(checkExistence('users', user._id)).to.eventually.eql(false);
|
||||
});
|
||||
|
||||
@@ -40,7 +55,9 @@ describe('DELETE /user', () => {
|
||||
});
|
||||
|
||||
it('deletes party when user is the only member', async () => {
|
||||
await user.del('/user');
|
||||
await user.del('/user', {
|
||||
password,
|
||||
});
|
||||
await expect(checkExistence('party', party._id)).to.eventually.eql(false);
|
||||
});
|
||||
});
|
||||
@@ -56,7 +73,9 @@ describe('DELETE /user', () => {
|
||||
});
|
||||
|
||||
it('deletes guild when user is the only member', async () => {
|
||||
await user.del('/user');
|
||||
await user.del('/user', {
|
||||
password,
|
||||
});
|
||||
await expect(checkExistence('groups', privateGuild._id)).to.eventually.eql(false);
|
||||
});
|
||||
});
|
||||
@@ -79,7 +98,9 @@ describe('DELETE /user', () => {
|
||||
});
|
||||
|
||||
it('chooses new group leader for any group user was the leader of', async () => {
|
||||
await oldLeader.del('/user');
|
||||
await oldLeader.del('/user', {
|
||||
password,
|
||||
});
|
||||
|
||||
let updatedGuild = await newLeader.get(`/groups/${guild._id}`);
|
||||
|
||||
@@ -114,7 +135,9 @@ describe('DELETE /user', () => {
|
||||
});
|
||||
|
||||
it('removes user from all groups user was a part of', async () => {
|
||||
await userToDelete.del('/user');
|
||||
await userToDelete.del('/user', {
|
||||
password,
|
||||
});
|
||||
|
||||
let updatedGroup1Members = await otherUser.get(`/groups/${group1._id}/members`);
|
||||
let updatedGroup2Members = await otherUser.get(`/groups/${group2._id}/members`);
|
||||
|
||||
@@ -50,7 +50,6 @@ describe('PUT /user/auth/update-username', async () => {
|
||||
});
|
||||
});
|
||||
|
||||
|
||||
it('prevents social-only user from changing username', async () => {
|
||||
let socialUser = await generateUser({ 'auth.local': { ok: true } });
|
||||
|
||||
|
||||
@@ -15,6 +15,7 @@ import { model as User } from '../../models/user';
|
||||
import Q from 'q';
|
||||
import _ from 'lodash';
|
||||
import * as firebase from '../../libs/api-v3/firebase';
|
||||
import * as passwordUtils from '../../libs/api-v3/password';
|
||||
|
||||
let api = {};
|
||||
|
||||
@@ -61,6 +62,18 @@ api.deleteUser = {
|
||||
let user = res.locals.user;
|
||||
let plan = user.purchased.plan;
|
||||
|
||||
req.checkBody({
|
||||
password: {
|
||||
notEmpty: {errorMessage: res.t('missingPassword')},
|
||||
},
|
||||
});
|
||||
|
||||
let validationErrors = req.validationErrors();
|
||||
if (validationErrors) throw validationErrors;
|
||||
|
||||
let oldPassword = passwordUtils.encrypt(req.body.password, user.auth.local.salt);
|
||||
if (oldPassword !== user.auth.local.hashed_password) throw new NotAuthorized(res.t('wrongPassword'));
|
||||
|
||||
if (plan && plan.customerId && !plan.dateTerminated) {
|
||||
throw new NotAuthorized(res.t('cannotDeleteActiveAccount'));
|
||||
}
|
||||
@@ -68,9 +81,8 @@ api.deleteUser = {
|
||||
let types = ['party', 'publicGuilds', 'privateGuilds'];
|
||||
// @TODO: The group leave route doesn't work unless it has these fields. We should probably force the group to get these
|
||||
let groupFields = basicGroupFields.concat(' leader memberCount');
|
||||
let populateLeader = true;
|
||||
|
||||
let groupsUserIsMemberOf = await Group.getGroups({user, types, groupFields, populateLeader});
|
||||
let groupsUserIsMemberOf = await Group.getGroups({user, types, groupFields});
|
||||
|
||||
let groupLeavePromises = groupsUserIsMemberOf.map((group) => {
|
||||
return group.leave(user, 'remove-all');
|
||||
|
||||
Reference in New Issue
Block a user