juice-shop
250 строк · 8.7 Кб
1/*2* Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.3* SPDX-License-Identifier: MIT4*/5import frisby = require('frisby')7import config from 'config'8const API_URL = 'http://localhost:3000/api'10const REST_URL = 'http://localhost:3000/rest'11const jsonHeader = { 'content-type': 'application/json' }13describe('/rest/user/change-password', () => {15it('GET password change for newly created user with recognized token as Authorization header', () => {16return frisby.post(API_URL + '/Users', {17headers: jsonHeader,18body: {19email: 'kuni@be.rt',20password: 'kunigunde'21}22})23.expect('status', 201)24.then(() => {25return frisby.post(REST_URL + '/user/login', {26headers: jsonHeader,27body: {28email: 'kuni@be.rt',29password: 'kunigunde'30}31})32.expect('status', 200)33.then(({ json }) => {34return frisby.get(REST_URL + '/user/change-password?current=kunigunde&new=foo&repeat=foo', {35headers: { Authorization: 'Bearer ' + json.authentication.token }36})37.expect('status', 200)38})39})40})41it('GET password change with passing wrong current password', () => {43return frisby.post(REST_URL + '/user/login', {44headers: jsonHeader,45body: {46email: 'bjoern@' + config.get<string>('application.domain'),47password: 'monkey summer birthday are all bad passwords but work just fine in a long passphrase'48}49})50.expect('status', 200)51.then(({ json }) => {52return frisby.get(REST_URL + '/user/change-password?current=definetely_wrong&new=blubb&repeat=blubb', {53headers: { Authorization: 'Bearer ' + json.authentication.token }54})55.expect('status', 401)56.expect('bodyContains', 'Current password is not correct')57})58})59it('GET password change without passing any passwords', () => {61return frisby.get(REST_URL + '/user/change-password')62.expect('status', 401)63.expect('bodyContains', 'Password cannot be empty')64})65it('GET password change with passing wrong repeated password', () => {67return frisby.get(REST_URL + '/user/change-password?new=foo&repeat=bar')68.expect('status', 401)69.expect('bodyContains', 'New and repeated password do not match')70})71it('GET password change without passing an authorization token', () => {73return frisby.get(REST_URL + '/user/change-password?new=foo&repeat=foo')74.expect('status', 500)75.expect('header', 'content-type', /text\/html/)76.expect('bodyContains', '<h1>' + config.get<string>('application.name') + ' (Express')77.expect('bodyContains', 'Error: Blocked illegal activity')78})79it('GET password change with passing unrecognized authorization token', () => {81return frisby.get(REST_URL + '/user/change-password?new=foo&repeat=foo', { headers: { Authorization: 'Bearer unknown' } })82.expect('status', 500)83.expect('header', 'content-type', /text\/html/)84.expect('bodyContains', '<h1>' + config.get<string>('application.name') + ' (Express')85.expect('bodyContains', 'Error: Blocked illegal activity')86})87it('GET password change for Bender without current password using GET request', () => {89return frisby.post(REST_URL + '/user/login', {90headers: jsonHeader,91body: {92email: 'bender@' + config.get<string>('application.domain'),93password: 'OhG0dPlease1nsertLiquor!'94}95})96.expect('status', 200)97.then(({ json }) => {98return frisby.get(REST_URL + '/user/change-password?new=slurmCl4ssic&repeat=slurmCl4ssic', {99headers: { Authorization: 'Bearer ' + json.authentication.token }100})101.expect('status', 200)102})103})104})105describe('/rest/user/reset-password', () => {107it('POST password reset for Jim with correct answer to his security question', () => {108return frisby.post(REST_URL + '/user/reset-password', {109headers: jsonHeader,110body: {111email: 'jim@' + config.get<string>('application.domain'),112answer: 'Samuel',113new: 'ncc-1701',114repeat: 'ncc-1701'115}116})117.expect('status', 200)118})119it('POST password reset for Bender with correct answer to his security question', () => {121return frisby.post(REST_URL + '/user/reset-password', {122headers: jsonHeader,123body: {124email: 'bender@' + config.get<string>('application.domain'),125answer: 'Stop\'n\'Drop',126new: 'OhG0dPlease1nsertLiquor!',127repeat: 'OhG0dPlease1nsertLiquor!'128}129})130.expect('status', 200)131})132it('POST password reset for Bjoern´s internal account with correct answer to his security question', () => {134return frisby.post(REST_URL + '/user/reset-password', {135headers: jsonHeader,136body: {137email: 'bjoern@' + config.get<string>('application.domain'),138answer: 'West-2082',139new: 'monkey summer birthday are all bad passwords but work just fine in a long passphrase',140repeat: 'monkey summer birthday are all bad passwords but work just fine in a long passphrase'141}142})143.expect('status', 200)144})145it('POST password reset for Bjoern´s OWASP account with correct answer to his security question', () => {147return frisby.post(REST_URL + '/user/reset-password', {148headers: jsonHeader,149body: {150email: 'bjoern@owasp.org',151answer: 'Zaya',152new: 'kitten lesser pooch karate buffoon indoors',153repeat: 'kitten lesser pooch karate buffoon indoors'154}155})156.expect('status', 200)157})158it('POST password reset for Morty with correct answer to his security question', () => {160return frisby.post(REST_URL + '/user/reset-password', {161headers: jsonHeader,162body: {163email: 'morty@' + config.get<string>('application.domain'),164answer: '5N0wb41L',165new: 'iBurri3dMySe1fInTheB4ckyard!',166repeat: 'iBurri3dMySe1fInTheB4ckyard!'167}168})169.expect('status', 200)170})171it('POST password reset with wrong answer to security question', () => {173return frisby.post(REST_URL + '/user/reset-password', {174headers: jsonHeader,175body: {176email: 'bjoern@' + config.get<string>('application.domain'),177answer: '25436',178new: '12345',179repeat: '12345'180}181})182.expect('status', 401)183.expect('bodyContains', 'Wrong answer to security question.')184})185it('POST password reset without any data is blocked', () => {187return frisby.post(REST_URL + '/user/reset-password')188.expect('status', 500)189.expect('header', 'content-type', /text\/html/)190.expect('bodyContains', '<h1>' + config.get<string>('application.name') + ' (Express')191.expect('bodyContains', 'Error: Blocked illegal activity')192})193it('POST password reset without new password throws a 401 error', () => {195return frisby.post(REST_URL + '/user/reset-password', {196headers: jsonHeader,197body: {198email: 'bjoern@' + config.get<string>('application.domain'),199answer: 'W-2082',200repeat: '12345'201}202})203.expect('status', 401)204.expect('bodyContains', 'Password cannot be empty.')205})206it('POST password reset with mismatching passwords throws a 401 error', () => {208return frisby.post(REST_URL + '/user/reset-password', {209headers: jsonHeader,210body: {211email: 'bjoern@' + config.get<string>('application.domain'),212answer: 'W-2082',213new: '12345',214repeat: '1234_'215}216})217.expect('status', 401)218.expect('bodyContains', 'New and repeated password do not match.')219})220it('POST password reset with no email address throws a 412 error', () => {222return frisby.post(REST_URL + '/user/reset-password', {223header: jsonHeader,224body: {225answer: 'W-2082',226new: 'abcdef',227repeat: 'abcdef'228}229})230.expect('status', 500)231.expect('header', 'content-type', /text\/html/)232.expect('bodyContains', '<h1>' + config.get<string>('application.name') + ' (Express')233.expect('bodyContains', 'Error: Blocked illegal activity')234})235it('POST password reset with no answer to the security question throws a 412 error', () => {237return frisby.post(REST_URL + '/user/reset-password', {238header: jsonHeader,239body: {240email: 'bjoern@' + config.get<string>('application.domain'),241new: 'abcdef',242repeat: 'abcdef'243}244})245.expect('status', 500)246.expect('header', 'content-type', /text\/html/)247.expect('bodyContains', '<h1>' + config.get<string>('application.name') + ' (Express')248.expect('bodyContains', 'Error: Blocked illegal activity')249})250})251