#161: password recovery by email (wip, server part done)

2025-12-18 20:21:41 +00:00 · 2017-11-17 22:03:54 +01:00
parent b8176a9fe9
commit 039d881a07
29 changed files with 881 additions and 66 deletions
--- a/docs-web/src/test/java/com/sismics/docs/rest/TestUserResource.java
+++ b/docs-web/src/test/java/com/sismics/docs/rest/TestUserResource.java
@@ -1,5 +1,6 @@
 package com.sismics.docs.rest;

+import com.sismics.docs.core.model.context.AppContext;
 import com.sismics.util.filter.TokenBasedSecurityFilter;
 import com.sismics.util.totp.GoogleAuthenticator;
 import org.junit.Assert;
@@ -13,6 +14,8 @@ import javax.ws.rs.core.Response;
 import javax.ws.rs.core.Response.Status;
 import java.util.Date;
 import java.util.Locale;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;

 /**
 * Exhaustive test of the user resource.
@@ -354,4 +357,79 @@ public class TestUserResource extends BaseJerseyTest {
                .get(JsonObject.class);
        Assert.assertFalse(json.getBoolean("totp_enabled"));
    }
+
+    @Test
+    public void testResetPassword() throws Exception {
+        // Login admin
+        String adminToken = clientUtil.login("admin", "admin", false);
+
+        // Change SMTP configuration to target Wiser
+        target().path("/app/config_smtp").request()
+                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
+                .post(Entity.form(new Form()
+                        .param("hostname", "localhost")
+                        .param("port", "2500")
+                        .param("from", "contact@sismicsdocs.com")
+                ), JsonObject.class);
+
+        // Create absent_minded who lost his password
+        clientUtil.createUser("absent_minded");
+
+        // User no_such_user try to recovery its password: invalid user
+        Response response = target().path("/user/password_lost").request()
+                .post(Entity.form(new Form()
+                        .param("username", "no_such_user")));
+        Assert.assertEquals(Response.Status.BAD_REQUEST, Response.Status.fromStatusCode(response.getStatus()));
+        JsonObject json = response.readEntity(JsonObject.class);
+        Assert.assertEquals("UserNotFound", json.getString("type"));
+
+        // User absent_minded try to recovery its password: OK
+        json = target().path("/user/password_lost").request()
+                .post(Entity.form(new Form()
+                        .param("username", "absent_minded")), JsonObject.class);
+        Assert.assertEquals("ok", json.getString("status"));
+        AppContext.getInstance().waitForAsync();
+        String emailBody = popEmail();
+        Assert.assertNotNull("No email to consume", emailBody);
+        Assert.assertTrue(emailBody.contains("Please reset your password"));
+        Pattern keyPattern = Pattern.compile("/passwordreset/(.+?)\"");
+        Matcher keyMatcher = keyPattern.matcher(emailBody);
+        Assert.assertTrue("Token not found", keyMatcher.find());
+        String key = keyMatcher.group(1).replaceAll("=", "");
+
+        // User absent_minded resets its password: invalid key
+        response = target().path("/user/password_reset").request()
+                .post(Entity.form(new Form()
+                        .param("key", "no_such_key")
+                        .param("password", "87654321")));
+        Assert.assertEquals(Response.Status.BAD_REQUEST, Response.Status.fromStatusCode(response.getStatus()));
+        json = response.readEntity(JsonObject.class);
+        Assert.assertEquals("KeyNotFound", json.getString("type"));
+
+        // User absent_minded resets its password: password invalid
+        response = target().path("/user/password_reset").request()
+                .post(Entity.form(new Form()
+                        .param("key", key)
+                        .param("password", " 1 ")));
+        Assert.assertEquals(Response.Status.BAD_REQUEST, Response.Status.fromStatusCode(response.getStatus()));
+        json = response.readEntity(JsonObject.class);
+        Assert.assertEquals("ValidationError", json.getString("type"));
+        Assert.assertTrue(json.getString("message"), json.getString("message").contains("password"));
+
+        // User absent_minded resets its password: OK
+        json = target().path("/user/password_reset").request()
+                .post(Entity.form(new Form()
+                        .param("key", key)
+                        .param("password", "87654321")), JsonObject.class);
+        Assert.assertEquals("ok", json.getString("status"));
+
+        // User absent_minded resets its password: expired key
+        response = target().path("/user/password_reset").request()
+                .post(Entity.form(new Form()
+                        .param("key", key)
+                        .param("password", "87654321")));
+        Assert.assertEquals(Response.Status.BAD_REQUEST, Response.Status.fromStatusCode(response.getStatus()));
+        json = response.readEntity(JsonObject.class);
+        Assert.assertEquals("KeyNotFound", json.getString("type"));
+    }
 }