2020-06-25 22:12:09 -07:00
|
|
|
<?php
|
|
|
|
|
|
2024-03-12 22:39:16 -04:00
|
|
|
namespace App\Tests\Integration\Api\Client;
|
2020-06-25 22:12:09 -07:00
|
|
|
|
2026-04-20 17:25:54 +02:00
|
|
|
use App\Jobs\RevokeSftpAccessJob;
|
|
|
|
|
use App\Models\Subuser;
|
2024-03-12 22:39:16 -04:00
|
|
|
use App\Models\User;
|
2026-04-20 17:25:54 +02:00
|
|
|
use Illuminate\Database\Eloquent\Collection;
|
2020-06-25 22:12:09 -07:00
|
|
|
use Illuminate\Http\Response;
|
2026-04-20 17:25:54 +02:00
|
|
|
use Illuminate\Support\Facades\Bus;
|
2021-08-15 17:37:12 -07:00
|
|
|
use Illuminate\Support\Facades\Hash;
|
2025-09-24 13:34:19 +02:00
|
|
|
use Illuminate\Support\Str;
|
2020-06-25 22:12:09 -07:00
|
|
|
|
2020-06-27 12:04:41 -07:00
|
|
|
class AccountControllerTest extends ClientApiIntegrationTestCase
|
2020-06-25 22:12:09 -07:00
|
|
|
{
|
|
|
|
|
/**
|
|
|
|
|
* Test that the user's account details are returned from the account endpoint.
|
|
|
|
|
*/
|
2025-02-25 14:22:07 +01:00
|
|
|
public function test_account_details_are_returned(): void
|
2020-06-25 22:12:09 -07:00
|
|
|
{
|
2026-03-17 09:09:01 +01:00
|
|
|
/** @var User $user */
|
2021-01-23 12:09:16 -08:00
|
|
|
$user = User::factory()->create();
|
2020-06-25 22:12:09 -07:00
|
|
|
|
|
|
|
|
$response = $this->actingAs($user)->get('/api/client/account');
|
|
|
|
|
|
|
|
|
|
$response->assertOk()->assertJson([
|
|
|
|
|
'object' => 'user',
|
|
|
|
|
'attributes' => [
|
2024-06-23 16:33:18 +02:00
|
|
|
'uuid' => $user->uuid,
|
2020-06-25 22:12:09 -07:00
|
|
|
'username' => $user->username,
|
|
|
|
|
'email' => $user->email,
|
2024-06-23 16:33:18 +02:00
|
|
|
'language' => 'en',
|
|
|
|
|
'image' => 'https://gravatar.com/avatar/' . md5(Str::lower($user->email)),
|
|
|
|
|
'admin' => false,
|
|
|
|
|
'root_admin' => false,
|
|
|
|
|
'2fa_enabled' => false,
|
|
|
|
|
'created_at' => $this->formatTimestamp($user->created_at),
|
|
|
|
|
'updated_at' => $this->formatTimestamp($user->updated_at),
|
2020-06-25 22:12:09 -07:00
|
|
|
],
|
|
|
|
|
]);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Test that the user's email address can be updated via the API.
|
|
|
|
|
*/
|
2025-02-25 14:22:07 +01:00
|
|
|
public function test_email_is_updated(): void
|
2020-06-25 22:12:09 -07:00
|
|
|
{
|
2026-03-17 09:09:01 +01:00
|
|
|
/** @var User $user */
|
2021-01-23 12:09:16 -08:00
|
|
|
$user = User::factory()->create();
|
2020-06-25 22:12:09 -07:00
|
|
|
|
2026-04-20 17:25:54 +02:00
|
|
|
$this->actingAs($user)
|
|
|
|
|
->putJson('/api/client/account/email', [
|
|
|
|
|
'email' => $email = mb_strtolower(Str::random() . '@example.com'),
|
|
|
|
|
'password' => 'password',
|
|
|
|
|
])
|
|
|
|
|
->assertStatus(Response::HTTP_NO_CONTENT);
|
2020-06-25 22:12:09 -07:00
|
|
|
|
2026-04-20 17:25:54 +02:00
|
|
|
$this->assertActivityFor('user:account.email-changed', $user, $user);
|
2022-05-29 17:52:14 -04:00
|
|
|
$this->assertDatabaseHas('users', ['id' => $user->id, 'email' => $email]);
|
2020-06-25 22:12:09 -07:00
|
|
|
}
|
|
|
|
|
|
2026-04-20 17:25:54 +02:00
|
|
|
public function test_email_change_is_throttled(): void
|
|
|
|
|
{
|
|
|
|
|
/** @var Collection<int, User> $users */
|
|
|
|
|
$users = User::factory()->count(2)->create();
|
|
|
|
|
|
|
|
|
|
for ($i = 0; $i < 3; $i++) {
|
|
|
|
|
$this->actingAs($users[0])
|
|
|
|
|
->putJson('/api/client/account/email', ['email' => "foo+{$i}@example.com", 'password' => 'password'])
|
|
|
|
|
->assertNoContent();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$this->putJson('/api/client/account/email', ['email' => 'bar@example.com', 'password' => 'password'])
|
|
|
|
|
->assertTooManyRequests();
|
|
|
|
|
|
|
|
|
|
// The other user should still be able to update their email because the throttle
|
|
|
|
|
// is tied to the account, not to the IP address.
|
|
|
|
|
$this->actingAs($users[1])
|
|
|
|
|
->putJson('/api/client/account/email', ['email' => 'bar+1@example.com', 'password' => 'password'])
|
|
|
|
|
->assertNoContent();
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-25 22:12:09 -07:00
|
|
|
/**
|
2022-10-14 10:59:20 -06:00
|
|
|
* Tests that an email is not updated if the password provided in the request is not
|
2020-06-25 22:12:09 -07:00
|
|
|
* valid for the account.
|
|
|
|
|
*/
|
2025-02-25 14:22:07 +01:00
|
|
|
public function test_email_is_not_updated_when_password_is_invalid(): void
|
2020-06-25 22:12:09 -07:00
|
|
|
{
|
2026-03-17 09:09:01 +01:00
|
|
|
/** @var User $user */
|
2021-01-23 12:09:16 -08:00
|
|
|
$user = User::factory()->create();
|
2020-06-25 22:12:09 -07:00
|
|
|
|
|
|
|
|
$response = $this->actingAs($user)->putJson('/api/client/account/email', [
|
|
|
|
|
'email' => 'hodor@example.com',
|
|
|
|
|
'password' => 'invalid',
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$response->assertStatus(Response::HTTP_BAD_REQUEST);
|
|
|
|
|
$response->assertJsonPath('errors.0.code', 'InvalidPasswordProvidedException');
|
|
|
|
|
$response->assertJsonPath('errors.0.detail', 'The password provided was invalid for this account.');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Tests that an email is not updated if an invalid email address is passed through
|
|
|
|
|
* in the request.
|
|
|
|
|
*/
|
2025-02-25 14:22:07 +01:00
|
|
|
public function test_email_is_not_updated_when_not_valid(): void
|
2020-06-25 22:12:09 -07:00
|
|
|
{
|
2026-03-17 09:09:01 +01:00
|
|
|
/** @var User $user */
|
2021-01-23 12:09:16 -08:00
|
|
|
$user = User::factory()->create();
|
2020-06-25 22:12:09 -07:00
|
|
|
|
|
|
|
|
$response = $this->actingAs($user)->putJson('/api/client/account/email', [
|
|
|
|
|
'email' => '',
|
|
|
|
|
'password' => 'password',
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$response->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY);
|
2020-08-27 21:19:01 -07:00
|
|
|
$response->assertJsonPath('errors.0.meta.rule', 'required');
|
2020-06-25 22:12:09 -07:00
|
|
|
$response->assertJsonPath('errors.0.detail', 'The email field is required.');
|
|
|
|
|
|
|
|
|
|
$response = $this->actingAs($user)->putJson('/api/client/account/email', [
|
|
|
|
|
'email' => 'invalid',
|
|
|
|
|
'password' => 'password',
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$response->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY);
|
2020-08-27 21:19:01 -07:00
|
|
|
$response->assertJsonPath('errors.0.meta.rule', 'email');
|
2020-06-25 22:12:09 -07:00
|
|
|
$response->assertJsonPath('errors.0.detail', 'The email must be a valid email address.');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Test that the password for an account can be successfully updated.
|
|
|
|
|
*/
|
2025-02-25 14:22:07 +01:00
|
|
|
public function test_password_is_updated(): void
|
2020-06-25 22:12:09 -07:00
|
|
|
{
|
2026-03-17 09:09:01 +01:00
|
|
|
/** @var User $user */
|
2021-01-23 12:09:16 -08:00
|
|
|
$user = User::factory()->create();
|
2020-06-25 22:12:09 -07:00
|
|
|
|
2026-04-20 17:25:54 +02:00
|
|
|
// Assign the user to two servers, one as the owner the other as a subuser, both
|
|
|
|
|
// on different nodes to ensure our logic fires off correctly and the user has their
|
|
|
|
|
// credentials revoked on both nodes.
|
|
|
|
|
$server = $this->createServerModel(['owner_id' => $user->id]);
|
|
|
|
|
$server2 = $this->createServerModel();
|
|
|
|
|
Subuser::factory()->for($server2)->for($user)->create();
|
|
|
|
|
|
2021-08-15 17:37:12 -07:00
|
|
|
$initialHash = $user->password;
|
2020-06-25 22:12:09 -07:00
|
|
|
|
2026-04-20 17:25:54 +02:00
|
|
|
Bus::fake([RevokeSftpAccessJob::class]);
|
|
|
|
|
|
|
|
|
|
$this->actingAs($user)
|
|
|
|
|
->putJson('/api/client/account/password', [
|
|
|
|
|
'current_password' => 'password',
|
|
|
|
|
'password' => 'New_Password1',
|
|
|
|
|
'password_confirmation' => 'New_Password1',
|
|
|
|
|
])
|
|
|
|
|
->assertNoContent();
|
2020-06-25 22:12:09 -07:00
|
|
|
|
2021-08-15 17:37:12 -07:00
|
|
|
$user = $user->refresh();
|
|
|
|
|
|
|
|
|
|
$this->assertNotEquals($user->password, $initialHash);
|
|
|
|
|
$this->assertTrue(Hash::check('New_Password1', $user->password));
|
|
|
|
|
$this->assertFalse(Hash::check('password', $user->password));
|
|
|
|
|
|
2026-04-20 17:25:54 +02:00
|
|
|
$this->assertActivityFor('user:account.password-changed', $user, $user);
|
|
|
|
|
$this->assertNotEquals($server->node_id, $server2->node_id);
|
|
|
|
|
|
|
|
|
|
Bus::assertDispatchedTimes(RevokeSftpAccessJob::class, 2);
|
|
|
|
|
Bus::assertDispatched(fn (RevokeSftpAccessJob $job) => $job->user === $user->uuid && $job->target->is($server->node));
|
|
|
|
|
Bus::assertDispatched(fn (RevokeSftpAccessJob $job) => $job->user === $user->uuid && $job->target->is($server2->node));
|
2020-06-25 22:12:09 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Test that the password for an account is not updated if the current password is not
|
|
|
|
|
* provided correctly.
|
|
|
|
|
*/
|
2025-02-25 14:22:07 +01:00
|
|
|
public function test_password_is_not_updated_if_current_password_is_invalid(): void
|
2020-06-25 22:12:09 -07:00
|
|
|
{
|
2026-03-17 09:09:01 +01:00
|
|
|
/** @var User $user */
|
2021-01-23 12:09:16 -08:00
|
|
|
$user = User::factory()->create();
|
2020-06-25 22:12:09 -07:00
|
|
|
|
|
|
|
|
$response = $this->actingAs($user)->putJson('/api/client/account/password', [
|
|
|
|
|
'current_password' => 'invalid',
|
|
|
|
|
'password' => 'New_Password1',
|
|
|
|
|
'password_confirmation' => 'New_Password1',
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$response->assertStatus(Response::HTTP_BAD_REQUEST);
|
|
|
|
|
$response->assertJsonPath('errors.0.code', 'InvalidPasswordProvidedException');
|
|
|
|
|
$response->assertJsonPath('errors.0.detail', 'The password provided was invalid for this account.');
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-29 13:28:46 -08:00
|
|
|
/**
|
|
|
|
|
* Test that a validation error is returned to the user if no password is provided or if
|
|
|
|
|
* the password is below the minimum password length.
|
|
|
|
|
*/
|
2025-02-25 14:22:07 +01:00
|
|
|
public function test_error_is_returned_for_invalid_request_data(): void
|
2020-11-29 13:28:46 -08:00
|
|
|
{
|
2021-01-23 12:09:16 -08:00
|
|
|
$user = User::factory()->create();
|
2020-11-29 13:28:46 -08:00
|
|
|
|
|
|
|
|
$this->actingAs($user)->putJson('/api/client/account/password', [
|
|
|
|
|
'current_password' => 'password',
|
|
|
|
|
])
|
|
|
|
|
->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY)
|
|
|
|
|
->assertJsonPath('errors.0.meta.rule', 'required');
|
|
|
|
|
|
|
|
|
|
$this->actingAs($user)->putJson('/api/client/account/password', [
|
|
|
|
|
'current_password' => 'password',
|
|
|
|
|
'password' => 'pass',
|
|
|
|
|
'password_confirmation' => 'pass',
|
|
|
|
|
])
|
|
|
|
|
->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY)
|
|
|
|
|
->assertJsonPath('errors.0.meta.rule', 'min');
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-25 22:12:09 -07:00
|
|
|
/**
|
|
|
|
|
* Test that a validation error is returned if the password passed in the request
|
|
|
|
|
* does not have a confirmation, or the confirmation is not the same as the password.
|
|
|
|
|
*/
|
2025-02-25 14:22:07 +01:00
|
|
|
public function test_error_is_returned_if_password_is_not_confirmed(): void
|
2020-06-25 22:12:09 -07:00
|
|
|
{
|
2026-03-17 09:09:01 +01:00
|
|
|
/** @var User $user */
|
2021-01-23 12:09:16 -08:00
|
|
|
$user = User::factory()->create();
|
2020-06-25 22:12:09 -07:00
|
|
|
|
|
|
|
|
$response = $this->actingAs($user)->putJson('/api/client/account/password', [
|
|
|
|
|
'current_password' => 'password',
|
|
|
|
|
'password' => 'New_Password1',
|
|
|
|
|
'password_confirmation' => 'Invalid_New_Password',
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$response->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY);
|
2020-08-27 21:19:01 -07:00
|
|
|
$response->assertJsonPath('errors.0.meta.rule', 'confirmed');
|
2020-06-25 22:12:09 -07:00
|
|
|
$response->assertJsonPath('errors.0.detail', 'The password confirmation does not match.');
|
|
|
|
|
}
|
|
|
|
|
}
|
