fix: Change update user routes to use PUT instead of POST

2025-12-18 07:07:35 +01:00 · 2016-03-16 08:41:56 -05:00
parent 6d14b9d5c5
commit 22d25f8be3
4 changed files with 27 additions and 22 deletions
--- a/test/api/v3/integration/user/POST-user_update_email.test.js
+++ b/test/api/v3/integration/user/POST-user_update_email.test.js
@@ -4,7 +4,7 @@ import {
 } from '../../../../helpers/api-v3-integration.helper';
 import { model as User } from '../../../../../website/src/models/user';

-describe('POST /user/update-email', () => {
+describe('PUT /user/update-email', () => {
  let user;
  let fbUser;
  let endpoint = '/user/update-email';
@@ -17,7 +17,7 @@ describe('POST /user/update-email', () => {
    });

    it('does not change email if one is not provided', async () => {
-      await expect(user.post(endpoint)).to.eventually.be.rejected.and.eql({
+      await expect(user.put(endpoint)).to.eventually.be.rejected.and.eql({
        code: 400,
        error: 'BadRequest',
        message: t('invalidReqParams'),
@@ -25,7 +25,7 @@ describe('POST /user/update-email', () => {
    });

    it('does not change email if password is not provided', async () => {
-      await expect(user.post(endpoint, {
+      await expect(user.put(endpoint, {
        newEmail,
      })).to.eventually.be.rejected.and.eql({
        code: 400,
@@ -35,7 +35,7 @@ describe('POST /user/update-email', () => {
    });

    it('does not change email if wrong password is provided', async () => {
-      await expect(user.post(endpoint, {
+      await expect(user.put(endpoint, {
        newEmail,
        password: 'wrong password',
      })).to.eventually.be.rejected.and.eql({
@@ -46,7 +46,7 @@ describe('POST /user/update-email', () => {
    });

    it('changes email if new email and existing password are provided', async () => {
-      let response = await user.post(endpoint, {
+      let response = await user.put(endpoint, {
        newEmail,
        password: thePassword,
      });
@@ -64,7 +64,7 @@ describe('POST /user/update-email', () => {
    });

    it('does not change email if user.auth.local.email does not exist for this user', async () => {
-      await expect(fbUser.post(endpoint, {
+      await expect(fbUser.put(endpoint, {
        newEmail,
        password: thePassword,
      })).to.eventually.be.rejected.and.eql({
--- a/test/api/v3/integration/user/POST-user_update_password.test.js
+++ b/test/api/v3/integration/user/POST-user_update_password.test.js
@@ -3,7 +3,7 @@ import {
  translate as t,
 } from '../../../../helpers/api-integration/v3';

-describe('POST /user/update-password', async () => {
+describe('PUT /user/update-password', async () => {
  let endpoint = '/user/update-password';
  let user;
  let password = 'password';
@@ -16,7 +16,7 @@ describe('POST /user/update-password', async () => {

  it('successfully changes the password', async () => {
    let previousHashedPassword = user.auth.local.hashed_password;
-    let response = await user.post(endpoint, {
+    let response = await user.put(endpoint, {
      password,
      newPassword,
      confirmPassword: newPassword,
@@ -27,7 +27,7 @@ describe('POST /user/update-password', async () => {
  });

  it('new passwords mismatch', async () => {
-    await expect(user.post(endpoint, {
+    await expect(user.put(endpoint, {
      password,
      newPassword,
      confirmPassword: `${newPassword}-wrong-confirmation`,
@@ -39,7 +39,7 @@ describe('POST /user/update-password', async () => {
  });

  it('existing password is wrong', async () => {
-    await expect(user.post(endpoint, {
+    await expect(user.put(endpoint, {
      password: wrongPassword,
      newPassword,
      confirmPassword: newPassword,
--- a/test/api/v3/integration/user/POST-user_update_username.test.js
+++ b/test/api/v3/integration/user/POST-user_update_username.test.js
@@ -4,7 +4,7 @@ import {
 } from '../../../../helpers/api-integration/v3';
 import { model as User } from '../../../../../website/src/models/user';

-describe('POST /user/update-username', async () => {
+describe('PUT /user/update-username', async () => {
  let endpoint = '/user/update-username';
  let user;
  let newUsername = 'new-username';
@@ -17,7 +17,7 @@ describe('POST /user/update-username', async () => {
  });

  it('successfully changes username', async () => {
-    let response = await user.post(endpoint, {
+    let response = await user.put(endpoint, {
      username: newUsername,
      password,
    });
@@ -32,8 +32,9 @@ describe('POST /user/update-username', async () => {
        user = await generateUser();
        await user.update({'auth.local.username': existingUsername, 'auth.local.lowerCaseUsername': existingUsername });
      });
+
      it('prevents username update', async () => {
-        await expect(user.post(endpoint, {
+        await expect(user.put(endpoint, {
          username: existingUsername,
          password,
        })).to.eventually.be.rejected.and.eql({
@@ -43,8 +44,9 @@ describe('POST /user/update-username', async () => {
        });
      });
    });
+
    it('password is wrong', async () => {
-      await expect(user.post(endpoint, {
+      await expect(user.put(endpoint, {
        username: newUsername,
        password: wrongPassword,
      })).to.eventually.be.rejected.and.eql({
@@ -53,13 +55,15 @@ describe('POST /user/update-username', async () => {
        message: t('wrongPassword'),
      });
    });
+
    describe('social-only user', async () => {
      beforeEach(async () => {
        user = await generateUser();
        await user.update({ 'auth.local': { ok: true } });
      });
+
      it('prevents username update', async () => {
-        await expect(user.post(endpoint, {
+        await expect(user.put(endpoint, {
          username: newUsername,
          password,
        })).to.eventually.be.rejected.and.eql({
@@ -69,8 +73,9 @@ describe('POST /user/update-username', async () => {
        });
      });
    });
+
    it('new username is not provided', async () => {
-      await expect(user.post(endpoint, {
+      await expect(user.put(endpoint, {
        password,
      })).to.eventually.be.rejected.and.eql({
        code: 400,
--- a/website/src/controllers/api-v3/user.js
+++ b/website/src/controllers/api-v3/user.js
@@ -43,7 +43,7 @@ api.getUser = {
 };

 /**
- * @api {post} /user/update-password
+ * @api {put} /user/update-password
 * @apiVersion 3.0.0
 * @apiName updatePassword
 * @apiGroup User
@@ -53,7 +53,7 @@ api.getUser = {
 * @apiSuccess {Object} The success message
 **/
 api.updatePassword = {
-  method: 'POST',
+  method: 'PUT',
  middlewares: [authWithHeaders(), cron],
  url: '/user/update-password',
  async handler (req, res) {
@@ -82,7 +82,7 @@ api.updatePassword = {
 };

 /**
- * @api {post} /user/update-username
+ * @api {put} /user/update-username
 * @apiVersion 3.0.0
 * @apiName updateUsername
 * @apiGroup User
@@ -91,7 +91,7 @@ api.updatePassword = {
 * @apiSuccess {Object} The new username
 **/
 api.updateUsername = {
-  method: 'POST',
+  method: 'PUT',
  middlewares: [authWithHeaders(), cron],
  url: '/user/update-username',
  async handler (req, res) {
@@ -128,7 +128,7 @@ api.updateUsername = {


 /**
- * @api {post} /user/update-email
+ * @api {put} /user/update-email
 * @apiVersion 3.0.0
 * @apiName UpdateEmail
 * @apiGroup User
@@ -139,7 +139,7 @@ api.updateUsername = {
 * @apiSuccess {Object} An object containing the new email address
 */
 api.updateEmail = {
-  method: 'POST',
+  method: 'PUT',
  middlewares: [authWithHeaders(), cron],
  url: '/user/update-email',
  async handler (req, res) {