// TestGetAccountHandler checks that the account view for an authenticated
// user answers 200 and echoes exactly the id, name and email that were
// stored for that user.
func TestGetAccountHandler(t *testing.T) {
	pool := newConnPool(t)

	account := &data.User{
		Name:  data.NewString("test"),
		Email: data.NewString("*****@*****.**"),
	}
	SetPassword(account, "password")
	id, err := data.CreateUser(pool, account)
	if err != nil {
		t.Fatal(err)
	}
	// Re-read so the fixture carries the database-assigned ID.
	if account, err = data.SelectUserByPK(pool, id); err != nil {
		t.Fatal(err)
	}

	req, err := http.NewRequest("GET", "http://example.com/", nil)
	if err != nil {
		t.Fatal(err)
	}
	rec := httptest.NewRecorder()
	GetAccountHandler(rec, req, &environment{user: account, pool: pool})
	if rec.Code != 200 {
		t.Fatalf("Expected HTTP status 200, instead received %d", rec.Code)
	}

	// NOTE(review): only the three expected fields are decoded; any extra
	// field (e.g. a password digest) would go unnoticed here. Consider
	// DisallowUnknownFields once the handler's full response shape is fixed.
	var got struct {
		ID    int32  `json:"id"`
		Name  string `json:"name"`
		Email string `json:"email"`
	}
	if err := json.NewDecoder(rec.Body).Decode(&got); err != nil {
		t.Fatal(err)
	}
	if got.ID != account.ID.Value {
		t.Errorf("Expected id %d, instead received %d", account.ID.Value, got.ID)
	}
	if got.Name != account.Name.Value {
		t.Errorf("Expected name %s, instead received %s", account.Name.Value, got.Name)
	}
	if got.Email != account.Email.Value {
		t.Errorf("Expected email %s, instead received %s", account.Email.Value, got.Email)
	}
}
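// TestResetPasswordHandlerTokenMatchestUsedPasswordReset verifies that a
// reset record which already has a CompletionTime is treated like an unknown
// token (404) and that the user's password is left untouched.
//
// Fix: the request body and the assertion previously used two different
// password literals, so the "not changed" check could not fail even if the
// handler had accepted the used token. Both now come from one constant, and
// the test additionally proves the original password still works.
func TestResetPasswordHandlerTokenMatchestUsedPasswordReset(t *testing.T) {
	const (
		token       = "0123456789abcdef"
		oldPassword = "password"
		newPassword = "bigsecret"
	)
	pool := newConnPool(t)

	user := &data.User{
		Name:  data.NewString("test"),
		Email: data.NewString("*****@*****.**"),
	}
	SetPassword(user, oldPassword)
	userID, err := data.CreateUser(pool, user)
	if err != nil {
		t.Fatalf("repo.CreateUser returned error: %v", err)
	}

	_, localhost, err := net.ParseCIDR("127.0.0.1/32")
	if err != nil {
		t.Fatalf("net.ParseCIDR returned error: %v", err)
	}
	// Both completion fields are set: this reset has already been consumed.
	pwr := &data.PasswordReset{
		Token:          data.NewString(token),
		Email:          data.NewString("*****@*****.**"),
		UserID:         data.NewInt32(userID),
		RequestTime:    data.NewTime(time.Now()),
		RequestIP:      data.NewIPNet(*localhost),
		CompletionTime: data.NewTime(time.Now()),
		CompletionIP:   data.NewIPNet(*localhost),
	}
	if err := data.InsertPasswordReset(pool, pwr); err != nil {
		t.Fatalf("repo.CreatePasswordReset returned error: %v", err)
	}

	// Marshal rather than hand-build the JSON so the values cannot drift
	// from the constants asserted on below.
	body, err := json.Marshal(map[string]string{"token": token, "password": newPassword})
	if err != nil {
		t.Fatalf("json.Marshal returned error: %v", err)
	}
	req, err := http.NewRequest("POST", "http://example.com/", bytes.NewReader(body))
	if err != nil {
		t.Fatalf("http.NewRequest returned error: %v", err)
	}
	w := httptest.NewRecorder()
	ResetPasswordHandler(w, req, &environment{pool: pool})
	if w.Code != 404 {
		t.Errorf("Expected HTTP status %d, instead received %d", 404, w.Code)
	}

	user, err = data.SelectUserByPK(pool, userID)
	if err != nil {
		t.Fatalf("repo.GetUser returned error: %v", err)
	}
	if IsPassword(user, newPassword) {
		t.Error("Expected password not to be changed but it was")
	}
	if !IsPassword(user, oldPassword) {
		t.Error("Expected original password to still be valid but it was not")
	}
}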
// BenchmarkDataGetUser measures primary-key user lookups against a live
// pool. The fixture user is created before the timer is reset so only the
// SelectUserByPK calls are timed.
func BenchmarkDataGetUser(b *testing.B) {
	pool := newConnPool(b)
	id, err := data.CreateUser(pool, newUser())
	if err != nil {
		b.Fatal(err)
	}

	b.ResetTimer()
	for n := 0; n < b.N; n++ {
		if _, err := data.SelectUserByPK(pool, id); err != nil {
			b.Fatal(err)
		}
	}
}
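// TestDataUsersLifeCycle creates a user and verifies that each lookup path
// (by name, by email, by primary key) returns the same stored record,
// including the raw password digest and salt bytes.
//
// The three identical assertion sets of the original are folded into
// checkStoredUser so a new field only has to be added in one place, and the
// ID mismatch message now prints the value rather than the wrapper struct.
func TestDataUsersLifeCycle(t *testing.T) {
	pool := newConnPool(t)

	input := &data.User{
		Name:           data.NewString("test"),
		Email:          data.NewString("*****@*****.**"),
		PasswordDigest: data.NewBytes([]byte("digest")),
		PasswordSalt:   data.NewBytes([]byte("salt")),
	}
	userID, err := data.CreateUser(pool, input)
	if err != nil {
		t.Fatal(err)
	}

	byName, err := data.SelectUserByName(pool, input.Name.Value)
	if err != nil {
		t.Fatal(err)
	}
	checkStoredUser(t, "SelectUserByName", byName, input, userID)

	byEmail, err := data.SelectUserByEmail(pool, input.Email.Value)
	if err != nil {
		t.Fatal(err)
	}
	checkStoredUser(t, "SelectUserByEmail", byEmail, input, userID)

	byPK, err := data.SelectUserByPK(pool, userID)
	if err != nil {
		t.Fatal(err)
	}
	checkStoredUser(t, "SelectUserByPK", byPK, input, userID)
}

// checkStoredUser reports a test error for every field of got that differs
// from what was inserted: the assigned id, name, email, password digest and
// salt. lookup names the query under test for the failure message.
func checkStoredUser(t *testing.T, lookup string, got, want *data.User, wantID int32) {
	t.Helper()
	if got.ID.Value != wantID {
		t.Errorf("%s: Expected %v, got %v", lookup, wantID, got.ID.Value)
	}
	if got.Name != want.Name {
		t.Errorf("%s: Expected %v, got %v", lookup, want.Name, got.Name)
	}
	if got.Email != want.Email {
		t.Errorf("%s: Expected %v, got %v", lookup, want.Email, got.Email)
	}
	if !bytes.Equal(got.PasswordDigest.Value, want.PasswordDigest.Value) {
		t.Errorf("%s: Expected user (%v) and input (%v) PasswordDigest to match, but they did not", lookup, got.PasswordDigest, want.PasswordDigest)
	}
	if !bytes.Equal(got.PasswordSalt.Value, want.PasswordSalt.Value) {
		t.Errorf("%s: Expected user (%v), and input (%v) PasswordSalt to match, but they did not", lookup, got.PasswordSalt, want.PasswordSalt)
	}
}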
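// TestResetPasswordHandlerTokenMatchestValidPasswordReset covers the happy
// path: a reset record bound to a user and without a CompletionTime lets the
// caller set a new password and receive a session for that user.
//
// Fix: the request body and the assertion previously used different
// password literals, so the "changed" check could never pass. Both now come
// from one constant; the test also checks the old password stops working,
// the response is JSON, and the returned name/session fields are populated.
func TestResetPasswordHandlerTokenMatchestValidPasswordReset(t *testing.T) {
	const (
		token       = "0123456789abcdef"
		oldPassword = "password"
		newPassword = "bigsecret"
	)
	pool := newConnPool(t)

	user := &data.User{
		Name:  data.NewString("test"),
		Email: data.NewString("*****@*****.**"),
	}
	SetPassword(user, oldPassword)
	userID, err := data.CreateUser(pool, user)
	if err != nil {
		t.Fatalf("repo.CreateUser returned error: %v", err)
	}

	_, requestIP, err := net.ParseCIDR("127.0.0.1/32")
	if err != nil {
		t.Fatalf("net.ParseCIDR returned error: %v", err)
	}
	// No completion fields: this reset is still open.
	pwr := &data.PasswordReset{
		Token:       data.NewString(token),
		Email:       data.NewString("*****@*****.**"),
		UserID:      data.NewInt32(userID),
		RequestTime: data.NewTime(time.Now()),
		RequestIP:   data.NewIPNet(*requestIP),
	}
	if err := data.InsertPasswordReset(pool, pwr); err != nil {
		t.Fatalf("repo.CreatePasswordReset returned error: %v", err)
	}

	body, err := json.Marshal(map[string]string{"token": token, "password": newPassword})
	if err != nil {
		t.Fatalf("json.Marshal returned error: %v", err)
	}
	req, err := http.NewRequest("POST", "http://example.com/", bytes.NewReader(body))
	if err != nil {
		t.Fatalf("http.NewRequest returned error: %v", err)
	}
	w := httptest.NewRecorder()
	ResetPasswordHandler(w, req, &environment{pool: pool})
	if w.Code != 200 {
		t.Fatalf("Expected HTTP status %d, instead received %d: %s", 200, w.Code, w.Body.String())
	}
	if ct := w.Header().Get("Content-Type"); ct != "application/json" {
		t.Errorf("Expected Content-Type application/json, instead received %q", ct)
	}

	user, err = data.SelectUserByPK(pool, userID)
	if err != nil {
		t.Fatalf("repo.GetUser returned error: %v", err)
	}
	if !IsPassword(user, newPassword) {
		t.Error("Expected password to be changed but it was not")
	}
	if IsPassword(user, oldPassword) {
		t.Error("Expected old password to be rejected after reset but it was accepted")
	}

	var response struct {
		Name      string `json:"name"`
		SessionID string `json:"sessionID"`
	}
	if err := json.NewDecoder(w.Body).Decode(&response); err != nil {
		t.Fatalf("Unable to decode response: %v", err)
	}
	if response.Name != user.Name.Value {
		t.Errorf("Expected name %s, instead received %s", user.Name.Value, response.Name)
	}
	if response.SessionID == "" {
		t.Error("Expected a sessionID in the response but it was empty")
	}
}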
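// TestUpdateAccountHandler drives the account PATCH endpoint through a table
// of cases: email and/or password change only when the caller presents the
// current password; otherwise the handler answers 422 and the stored record
// is untouched.
//
// Fix: the request body previously hard-coded the existingPassword and
// newPassword values, so the table's reqExistingPassword/reqNewPassword
// fields were never sent and the "Deny" cases did not exercise a wrong
// password at all. The body is now marshalled from the table row, and the
// wrong/new passwords are derived from the original so they are guaranteed
// to differ from it. Each row runs as a subtest.
func TestUpdateAccountHandler(t *testing.T) {
	const (
		origEmail    = "*****@*****.**"
		origPassword = "******"
		newEmail     = "*****@*****.**"
	)
	wrongPassword := "wrong-" + origPassword
	newPassword := "new-" + origPassword

	var tests = []struct {
		descr               string
		reqEmail            string
		reqExistingPassword string
		reqNewPassword      string
		respCode            int
		actualEmail         string
		actualPassword      string
	}{
		{
			descr:               "Update email and password",
			reqEmail:            newEmail,
			reqExistingPassword: origPassword,
			reqNewPassword:      newPassword,
			respCode:            200,
			actualEmail:         newEmail,
			actualPassword:      newPassword,
		},
		{
			descr:               "Update email",
			reqEmail:            newEmail,
			reqExistingPassword: origPassword,
			reqNewPassword:      "",
			respCode:            200,
			actualEmail:         newEmail,
			actualPassword:      origPassword,
		},
		{
			descr:               "Deny update of email and password",
			reqEmail:            newEmail,
			reqExistingPassword: wrongPassword,
			reqNewPassword:      newPassword,
			respCode:            422,
			actualEmail:         origEmail,
			actualPassword:      origPassword,
		},
		{
			descr:               "Deny update of email",
			reqEmail:            newEmail,
			reqExistingPassword: wrongPassword,
			reqNewPassword:      "",
			respCode:            422,
			actualEmail:         origEmail,
			actualPassword:      origPassword,
		},
	}

	for _, tt := range tests {
		t.Run(tt.descr, func(t *testing.T) {
			// A fresh pool per case so rows cannot observe each other's writes.
			pool := newConnPool(t)
			user := &data.User{
				Name:  data.NewString("test"),
				Email: data.NewString(origEmail),
			}
			SetPassword(user, origPassword)
			userID, err := data.CreateUser(pool, user)
			if err != nil {
				t.Fatalf("repo.CreateUser returned error: %v", err)
			}
			user, err = data.SelectUserByPK(pool, userID)
			if err != nil {
				t.Fatalf("repo.GetUser returned error: %v", err)
			}

			body, err := json.Marshal(map[string]string{
				"email":            tt.reqEmail,
				"existingPassword": tt.reqExistingPassword,
				"newPassword":      tt.reqNewPassword,
			})
			if err != nil {
				t.Fatalf("json.Marshal returned error: %v", err)
			}
			req, err := http.NewRequest("PATCH", "http://example.com/", bytes.NewReader(body))
			if err != nil {
				t.Fatalf("http.NewRequest returned error: %v", err)
			}
			w := httptest.NewRecorder()
			UpdateAccountHandler(w, req, &environment{user: user, pool: pool})
			if w.Code != tt.respCode {
				t.Fatalf("Expected HTTP status %d, instead received %d", tt.respCode, w.Code)
			}

			// Check the persisted state, not just the status code.
			user, err = data.SelectUserByPK(pool, userID)
			if err != nil {
				t.Fatalf("repo.GetUser returned error: %v", err)
			}
			if user.Email.Value != tt.actualEmail {
				t.Errorf("Expected email %s, instead received %s", tt.actualEmail, user.Email.Value)
			}
			if !IsPassword(user, tt.actualPassword) {
				t.Errorf("Expected password to be %s, but it wasn't", tt.actualPassword)
			}
		})
	}
}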
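// ResetPasswordHandler completes a password reset. The JSON body carries the
// reset token and the new password; on success the user's password is
// replaced and a freshly created session is returned.
//
// Request body: {"token": "...", "password": "..."}.
//
// Responses:
//   - 422: body cannot be decoded, or the new password is empty
//   - 404: token unknown, not bound to a user, or already completed — all
//     three are reported identically so a caller cannot tell which tokens
//     exist
//   - 500: storage or session failure; internal error text is not echoed
//   - 200: {"name": ..., "sessionID": <hex>}
//
// Fix: the storage-error branch used to echo the database error to the
// client under the wrong label ("Error decoding request"); it now returns a
// generic 500 like the other failure paths. An empty password is rejected
// instead of being hashed and stored.
//
// NOTE(review): nothing in this handler marks the reset as completed
// (CompletionTime is never set) and RequestTime is not checked against any
// expiry, so unless another code path does this the token remains reusable
// indefinitely — confirm.
func ResetPasswordHandler(w http.ResponseWriter, req *http.Request, env *environment) {
	var resetPassword struct {
		Token    string `json:"token"`
		Password string `json:"password"`
	}
	if err := json.NewDecoder(req.Body).Decode(&resetPassword); err != nil {
		w.WriteHeader(http.StatusUnprocessableEntity)
		fmt.Fprintf(w, "Error decoding request: %v", err)
		return
	}
	// SetPassword would otherwise hash and store an empty string.
	if resetPassword.Password == "" {
		w.WriteHeader(http.StatusUnprocessableEntity)
		fmt.Fprint(w, "Error decoding request: password must not be empty")
		return
	}

	pwr, err := data.SelectPasswordResetByPK(env.pool, resetPassword.Token)
	if err == data.ErrNotFound {
		w.WriteHeader(http.StatusNotFound)
		return
	}
	if err != nil {
		// Never echo storage errors: they can carry connection or schema
		// details that are useful to an attacker.
		http.Error(w, "Internal server error", http.StatusInternalServerError)
		return
	}
	// A reset not bound to a user, or one that was already used, looks
	// exactly like an unknown token from the outside.
	if pwr.UserID.Status != data.Present || pwr.CompletionTime.Status == data.Present {
		w.WriteHeader(http.StatusNotFound)
		return
	}

	attrs := &data.User{}
	SetPassword(attrs, resetPassword.Password)
	if err := data.UpdateUser(env.pool, pwr.UserID.Value, attrs); err != nil {
		http.Error(w, "Internal server error", http.StatusInternalServerError)
		return
	}
	user, err := data.SelectUserByPK(env.pool, pwr.UserID.Value)
	if err != nil {
		http.Error(w, "Internal server error", http.StatusInternalServerError)
		return
	}

	sessionID, err := genSessionID()
	if err != nil {
		http.Error(w, "Internal server error", http.StatusInternalServerError)
		return
	}
	session := &data.Session{
		ID:     data.NewBytes(sessionID),
		UserID: user.ID,
	}
	if err := data.InsertSession(env.pool, session); err != nil {
		http.Error(w, "Internal server error", http.StatusInternalServerError)
		return
	}

	var response struct {
		Name      string `json:"name"`
		SessionID string `json:"sessionID"`
	}
	response.Name = user.Name.Value
	response.SessionID = hex.EncodeToString(sessionID)
	w.Header().Set("Content-Type", "application/json")
	// Encode emits the 200 status itself; by the time it could fail the
	// headers are already on the wire, so there is nothing left to report.
	_ = json.NewEncoder(w).Encode(response)
}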