Auth: Extend account settings with user details and avatar upload #98

Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-12-12 00:34:13 +01:00 · 2022-10-17 19:07:38 +02:00
parent 2cf420d04a
commit 837669f796
93 changed files with 2634 additions and 1212 deletions
--- a/internal/api/users_password_test.go
+++ b/internal/api/users_password_test.go
@@ -0,0 +1,160 @@
+package api
+
+import (
+	"encoding/json"
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/photoprism/photoprism/internal/config"
+	"github.com/photoprism/photoprism/internal/form"
+)
+
+func TestChangePassword(t *testing.T) {
+	t.Run("NonExistentUser", func(t *testing.T) {
+		app, router, _ := NewApiTest()
+		UpdateUserPassword(router)
+		r := PerformRequestWithBody(app, "PUT", "/api/v1/users/xxx/password", `{}`)
+		assert.Equal(t, http.StatusForbidden, r.Code)
+	})
+
+	t.Run("AliceProvidesWrongPassword", func(t *testing.T) {
+		app, router, conf := NewApiTest()
+		conf.SetAuthMode(config.AuthModePasswd)
+		defer conf.SetAuthMode(config.AuthModePublic)
+		UpdateUserPassword(router)
+		sessId := AuthenticateUser(app, router, "alice", "Alice123!")
+
+		f := form.ChangePassword{
+			OldPassword: "someonewhoisntalice",
+			NewPassword: "aliceinwonderland",
+		}
+		if pwStr, err := json.Marshal(f); err != nil {
+			log.Fatal(err)
+		} else {
+			r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxetse3cy5eo9z2/password",
+				string(pwStr), sessId)
+			assert.Equal(t, http.StatusBadRequest, r.Code)
+		}
+	})
+
+	t.Run("Ok", func(t *testing.T) {
+		app, router, conf := NewApiTest()
+		conf.SetAuthMode(config.AuthModePasswd)
+		defer conf.SetAuthMode(config.AuthModePublic)
+		UpdateUserPassword(router)
+
+		oldPassword := "PleaseChange$42"
+		newPassword := "SoftwareDevelopmentIsAYoungProfession1234567890!@#$%^&*()_+[]{}|:<>?/.,"
+
+		sessId := AuthenticateUser(app, router, "fowler", oldPassword)
+
+		frm := form.ChangePassword{
+			OldPassword: oldPassword,
+			NewPassword: newPassword,
+		}
+
+		if jsonFrm, err := json.Marshal(frm); err != nil {
+			log.Fatal(err)
+		} else {
+			r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/urinotv3d6jedvlm/password",
+				string(jsonFrm), sessId)
+			assert.Equal(t, http.StatusOK, r.Code)
+		}
+
+		frm = form.ChangePassword{
+			OldPassword: newPassword,
+			NewPassword: oldPassword,
+		}
+
+		if jsonFrm, err := json.Marshal(frm); err != nil {
+			log.Fatal(err)
+		} else {
+			r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/urinotv3d6jedvlm/password",
+				string(jsonFrm), sessId)
+			assert.Equal(t, http.StatusOK, r.Code)
+		}
+	})
+
+	t.Run("AliceChangesOtherUsersPassword", func(t *testing.T) {
+		app, router, conf := NewApiTest()
+		conf.SetAuthMode(config.AuthModePasswd)
+		defer conf.SetAuthMode(config.AuthModePublic)
+		UpdateUserPassword(router)
+		sessId := AuthenticateUser(app, router, "alice", "Alice123!")
+
+		f := form.ChangePassword{
+			OldPassword: "Bobbob123!",
+			NewPassword: "helloworld",
+		}
+		if pwStr, err := json.Marshal(f); err != nil {
+			log.Fatal(err)
+		} else {
+			r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxc08w3d0ej2283/password",
+				string(pwStr), sessId)
+			assert.Equal(t, http.StatusForbidden, r.Code)
+		}
+	})
+
+	t.Run("BobProvidesWrongPassword", func(t *testing.T) {
+		app, router, conf := NewApiTest()
+		conf.SetAuthMode(config.AuthModePasswd)
+		defer conf.SetAuthMode(config.AuthModePublic)
+		UpdateUserPassword(router)
+		sessId := AuthenticateUser(app, router, "bob", "Bobbob123!")
+
+		f := form.ChangePassword{
+			OldPassword: "helloworld",
+			NewPassword: "Bobbob123!",
+		}
+		if pwStr, err := json.Marshal(f); err != nil {
+			log.Fatal(err)
+		} else {
+			r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxc08w3d0ej2283/password",
+				string(pwStr), sessId)
+			assert.Equal(t, http.StatusBadRequest, r.Code)
+		}
+	})
+
+	t.Run("SameNewPassword", func(t *testing.T) {
+		app, router, conf := NewApiTest()
+		conf.SetAuthMode(config.AuthModePasswd)
+		defer conf.SetAuthMode(config.AuthModePublic)
+		UpdateUserPassword(router)
+		sessId := AuthenticateUser(app, router, "friend", "!Friend321")
+
+		f := form.ChangePassword{
+			OldPassword: "!Friend321",
+			NewPassword: "!Friend321",
+		}
+		if pwStr, err := json.Marshal(f); err != nil {
+			log.Fatal(err)
+		} else {
+			r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxqg7i1kperxvu7/password",
+				string(pwStr), sessId)
+			assert.Equal(t, http.StatusOK, r.Code)
+		}
+	})
+
+	t.Run("BobChangesOtherUsersPassword", func(t *testing.T) {
+		app, router, conf := NewApiTest()
+		conf.SetAuthMode(config.AuthModePasswd)
+		defer conf.SetAuthMode(config.AuthModePublic)
+		UpdateUserPassword(router)
+		sessId := AuthenticateUser(app, router, "bob", "Bobbob123!")
+
+		f := form.ChangePassword{
+			OldPassword: "aliceinwonderland",
+			NewPassword: "bobinwonderland",
+		}
+		if pwStr, err := json.Marshal(f); err != nil {
+			log.Fatal(err)
+		} else {
+			r := AuthenticatedRequestWithBody(app, "PUT", "/api/v1/users/uqxetse3cy5eo9z2/password",
+				string(pwStr), sessId)
+			assert.Equal(t, http.StatusForbidden, r.Code)
+		}
+	})
+
+}