Mirrors/sftpgo
1
0
Fork 0
mirror of https://github.com/drakkan/sftpgo.git synced 2025-12-08 23:28:39 +03:00
Code Issues Packages Projects Releases Wiki Activity

REST API: fix token invalidation after password change

Browse Source 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino
2024-06-07 18:19:05 +02:00
parent aceecd9800
commit 1f8ac8bfe1
7 changed files with 56 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
internal/httpd/httpd_test.go
View File

@@ -11372,11 +11372,17 @@ func TestWebAPIChangeUserPwdMock(t *testing.T) {
assert.NoError(t, err)
token, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)
assert.NoError(t, err)
// invalid json
req, err := http.NewRequest(http.MethodPut, userPwdPath, bytes.NewBuffer([]byte("{")))
req, err := http.NewRequest(http.MethodGet, userProfilePath, nil)
assert.NoError(t, err)
setBearerForReq(req, token)
rr := executeRequest(req)
checkResponseCode(t, http.StatusOK, rr)
// invalid json
req, err = http.NewRequest(http.MethodPut, userPwdPath, bytes.NewBuffer([]byte("{")))
assert.NoError(t, err)
setBearerForReq(req, token)
rr = executeRequest(req)
checkResponseCode(t, http.StatusBadRequest, rr)
pwd := make(map[string]string)
@@ -11399,6 +11405,13 @@ func TestWebAPIChangeUserPwdMock(t *testing.T) {
setBearerForReq(req, token)
rr = executeRequest(req)
checkResponseCode(t, http.StatusOK, rr)
req, err = http.NewRequest(http.MethodGet, userProfilePath, nil)
assert.NoError(t, err)
setBearerForReq(req, token)
rr = executeRequest(req)
checkResponseCode(t, http.StatusUnauthorized, rr)
_, err = getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)
assert.Error(t, err)
token, err = getJWTAPIUserTokenFromTestServer(defaultUsername, altAdminPassword)
@@ -11548,6 +11561,12 @@ func TestChangeAdminPwdMock(t *testing.T) {
setBearerForReq(req, altToken)
rr = executeRequest(req)
checkResponseCode(t, http.StatusOK, rr)
// try using the old token
req, err = http.NewRequest(http.MethodGet, versionPath, nil)
assert.NoError(t, err)
setBearerForReq(req, altToken)
rr = executeRequest(req)
checkResponseCode(t, http.StatusUnauthorized, rr)
_, err = getJWTAPITokenFromTestServer(altAdminUsername, altAdminPassword)
assert.Error(t, err)
@@ -13599,6 +13618,13 @@ func TestWebClientChangePwd(t *testing.T) {
checkResponseCode(t, http.StatusFound, rr)
assert.Equal(t, webClientLoginPath, rr.Header().Get("Location"))
req, err = http.NewRequest(http.MethodGet, webClientPingPath, nil)
assert.NoError(t, err)
req.RemoteAddr = defaultRemoteAddr
setJWTCookieForReq(req, webToken)
rr = executeRequest(req)
checkResponseCode(t, http.StatusFound, rr)
_, err = getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)
assert.Error(t, err)
_, err = getJWTWebClientTokenFromTestServer(defaultUsername+"1", defaultPassword+"1")
@@ -18850,6 +18876,12 @@ func TestWebAdminLoginMock(t *testing.T) {
cookie := rr.Header().Get("Cookie")
assert.Empty(t, cookie)
req, _ = http.NewRequest(http.MethodGet, webStatusPath, nil)
req.RemoteAddr = defaultRemoteAddr
setJWTCookieForReq(req, webToken)
rr = executeRequest(req)
checkResponseCode(t, http.StatusFound, rr)
req, _ = http.NewRequest(http.MethodGet, logoutPath, nil)
setBearerForReq(req, apiToken)
rr = executeRequest(req)