/*
 * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
 * SPDX-License-Identifier: MIT
 */

6import frisby = require('frisby')
7import config from 'config'
8
/** Origin of the locally running Juice Shop instance exercised by this spec. */
const BASE_URL = 'http://localhost:3000'
/** Prefix of the generated "/api" resource endpoints (e.g. POST /api/Users). */
const API_URL = `${BASE_URL}/api`
/** Prefix of the hand-written "/rest" endpoints (login, change-password, reset-password). */
const REST_URL = `${BASE_URL}/rest`

/** Header sent with every JSON request body in this file. */
const jsonHeader = { 'content-type': 'application/json' }
13
describe('/rest/user/change-password', () => {
  /**
   * Logs in through the REST login endpoint and asserts a 200 right away, so a
   * broken login is reported at the login step instead of as a token-less
   * follow-up request. The resolved response carries the bearer token at
   * `json.authentication.token`.
   */
  const login = (email: string, password: string) =>
    frisby.post(`${REST_URL}/user/login`, {
      headers: jsonHeader,
      body: { email, password }
    }).expect('status', 200)

  /**
   * Sends the password-change GET with `query` appended to the URL and `token`
   * as a bearer Authorization header. Status expectations are left to the caller.
   */
  const changePasswordWith = (token: string, query: string) =>
    frisby.get(`${REST_URL}/user/change-password?${query}`, {
      headers: { Authorization: `Bearer ${token}` }
    })

  /**
   * Asserts the generic Express error page the app answers with when a request
   * is rejected outright: HTTP 500, HTML, "Blocked illegal activity" in the body.
   * Note that this is a 500 page rather than a 401/403.
   */
  const expectBlockedIllegalActivity = (spec: ReturnType<typeof frisby.get>) =>
    spec
      .expect('status', 500)
      .expect('header', 'content-type', /text\/html/)
      .expect('bodyContains', `<h1>${config.get<string>('application.name')} (Express`)
      .expect('bodyContains', 'Error: Blocked illegal activity')

  it('GET password change for newly created user with recognized token as Authorization header', () => {
    const credentials = { email: 'kuni@be.rt', password: 'kunigunde' }
    // Register the account first so the login below has something to authenticate against.
    return frisby.post(`${API_URL}/Users`, {
      headers: jsonHeader,
      body: { ...credentials }
    })
      .expect('status', 201)
      .then(() =>
        login(credentials.email, credentials.password).then(({ json }) =>
          changePasswordWith(json.authentication.token, 'current=kunigunde&new=foo&repeat=foo')
            .expect('status', 200)
        )
      )
  })

  it('GET password change with passing wrong current password', () => {
    return login(
      `bjoern@${config.get<string>('application.domain')}`,
      'monkey summer birthday are all bad passwords but work just fine in a long passphrase'
    ).then(({ json }) =>
      // A wrong `current` value is rejected even though the bearer token is valid.
      changePasswordWith(json.authentication.token, 'current=definetely_wrong&new=blubb&repeat=blubb')
        .expect('status', 401)
        .expect('bodyContains', 'Current password is not correct')
    )
  })

  // The two requests below carry no Authorization header at all, yet they are
  // answered with a 401 about the password parameters: parameter validation
  // evidently runs before the token is looked at.
  it('GET password change without passing any passwords', () => {
    return frisby.get(`${REST_URL}/user/change-password`)
      .expect('status', 401)
      .expect('bodyContains', 'Password cannot be empty')
  })

  it('GET password change with passing wrong repeated password', () => {
    return frisby.get(`${REST_URL}/user/change-password?new=foo&repeat=bar`)
      .expect('status', 401)
      .expect('bodyContains', 'New and repeated password do not match')
  })

  // With well-formed password parameters, a missing or unknown token does not
  // yield a 401 but the generic 500 error page; the spec pins that as-is.
  it('GET password change without passing an authorization token', () => {
    return expectBlockedIllegalActivity(
      frisby.get(`${REST_URL}/user/change-password?new=foo&repeat=foo`)
    )
  })

  it('GET password change with passing unrecognized authorization token', () => {
    return expectBlockedIllegalActivity(
      changePasswordWith('unknown', 'new=foo&repeat=foo')
    )
  })

  it('GET password change for Bender without current password using GET request', () => {
    // No `current` parameter is sent and the change is made through a GET,
    // yet the server answers 200. Juice Shop is an intentionally vulnerable
    // training app, so this spec pins that weakness (a state change that does
    // not re-verify the current password) rather than rejecting it; a
    // production service would require the current password and a POST.
    return login(`bender@${config.get<string>('application.domain')}`, 'OhG0dPlease1nsertLiquor!')
      .then(({ json }) =>
        changePasswordWith(json.authentication.token, 'new=slurmCl4ssic&repeat=slurmCl4ssic')
          .expect('status', 200)
      )
  })
})
105
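describe('/rest/user/reset-password', () => {
  /**
   * POSTs `body` as JSON to the reset-password endpoint.
   *
   * Every request in this block has the same shape (email, answer, new,
   * repeat; some tests deliberately leave fields out), so the transport
   * details live here. Routing all tests through this helper also fixes the
   * last two tests of the block, which spelled the option `header` instead of
   * `headers` and so never declared the JSON content type the rest of the
   * file sends.
   *
   * @param body fields to send; omitted fields are simply not serialised
   * @returns the frisby spec, so callers chain their own expectations
   */
  const resetPassword = (body: Record<string, string>) =>
    frisby.post(REST_URL + '/user/reset-password', {
      headers: jsonHeader,
      body
    })

  /**
   * Asserts the generic Express error page the app answers with when a request
   * is rejected outright: HTTP 500, HTML, "Blocked illegal activity" in the
   * body. Note that this is a 500 page, not the 412 some test names mention.
   */
  const expectBlockedIllegalActivity = (spec: ReturnType<typeof frisby.post>) =>
    spec
      .expect('status', 500)
      .expect('header', 'content-type', /text\/html/)
      .expect('bodyContains', '<h1>' + config.get<string>('application.name') + ' (Express')
      .expect('bodyContains', 'Error: Blocked illegal activity')

  /** Address of the default account `name` on the configured application domain. */
  const domainEmail = (name: string) => name + '@' + config.get<string>('application.domain')

  // In the successful cases below the security-question answer is the only
  // factor that authorises the reset: whoever knows (or can guess) it can set
  // a new password for the account. These tests pin the happy path for the
  // seeded accounts; the weakness of that design is a known Juice Shop theme.
  it('POST password reset for Jim with correct answer to his security question', () => {
    return resetPassword({
      email: domainEmail('jim'),
      answer: 'Samuel',
      new: 'ncc-1701',
      repeat: 'ncc-1701'
    })
      .expect('status', 200)
  })

  it('POST password reset for Bender with correct answer to his security question', () => {
    return resetPassword({
      email: domainEmail('bender'),
      answer: 'Stop\'n\'Drop',
      new: 'OhG0dPlease1nsertLiquor!',
      repeat: 'OhG0dPlease1nsertLiquor!'
    })
      .expect('status', 200)
  })

  it('POST password reset for Bjoern´s internal account with correct answer to his security question', () => {
    return resetPassword({
      email: domainEmail('bjoern'),
      answer: 'West-2082',
      new: 'monkey summer birthday are all bad passwords but work just fine in a long passphrase',
      repeat: 'monkey summer birthday are all bad passwords but work just fine in a long passphrase'
    })
      .expect('status', 200)
  })

  it('POST password reset for Bjoern´s OWASP account with correct answer to his security question', () => {
    return resetPassword({
      email: 'bjoern@owasp.org',
      answer: 'Zaya',
      new: 'kitten lesser pooch karate buffoon indoors',
      repeat: 'kitten lesser pooch karate buffoon indoors'
    })
      .expect('status', 200)
  })

  it('POST password reset for Morty with correct answer to his security question', () => {
    return resetPassword({
      email: domainEmail('morty'),
      answer: '5N0wb41L',
      new: 'iBurri3dMySe1fInTheB4ckyard!',
      repeat: 'iBurri3dMySe1fInTheB4ckyard!'
    })
      .expect('status', 200)
  })

  it('POST password reset with wrong answer to security question', () => {
    return resetPassword({
      email: domainEmail('bjoern'),
      answer: '25436',
      new: '12345',
      repeat: '12345'
    })
      .expect('status', 401)
      .expect('bodyContains', 'Wrong answer to security question.')
  })

  it('POST password reset without any data is blocked', () => {
    // Deliberately no options at all: neither a body nor a content-type header.
    return expectBlockedIllegalActivity(frisby.post(REST_URL + '/user/reset-password'))
  })

  // The two 401 cases below fail on password validation before the answer is
  // checked, which is why the (wrong) answer 'W-2082' does not matter here.
  it('POST password reset without new password throws a 401 error', () => {
    return resetPassword({
      email: domainEmail('bjoern'),
      answer: 'W-2082',
      repeat: '12345'
    })
      .expect('status', 401)
      .expect('bodyContains', 'Password cannot be empty.')
  })

  it('POST password reset with mismatching passwords throws a 401 error', () => {
    return resetPassword({
      email: domainEmail('bjoern'),
      answer: 'W-2082',
      new: '12345',
      repeat: '1234_'
    })
      .expect('status', 401)
      .expect('bodyContains', 'New and repeated password do not match.')
  })

  // The two test names below say "412", but the expectations pin the 500
  // error page the server actually returns; the names are kept so existing
  // test filters keep matching.
  it('POST password reset with no email address throws a 412 error', () => {
    return expectBlockedIllegalActivity(resetPassword({
      answer: 'W-2082',
      new: 'abcdef',
      repeat: 'abcdef'
    }))
  })

  it('POST password reset with no answer to the security question throws a 412 error', () => {
    return expectBlockedIllegalActivity(resetPassword({
      email: domainEmail('bjoern'),
      new: 'abcdef',
      repeat: 'abcdef'
    }))
  })
})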