Merge 806751d into 362ca73

test/api/v3/integration/user/PUT-user.test.js

@@ -54,7 +54,7 @@ describe('PUT /user', () => {
     });
 
 
-    it('profile.name cannot be an empty string or null', async () => {
+    it('validates profile.name', async () => {
       await expect(user.put('/user', {
         'profile.name': ' ', // string should be trimmed
       })).to.eventually.be.rejected.and.eql({
@@ -76,7 +76,23 @@ describe('PUT /user', () => {
       })).to.eventually.be.rejected.and.eql({
         code: 400,
         error: 'BadRequest',
-        message: 'User validation failed',
+        message: t('invalidReqParams'),
+      });
+
+      await expect(user.put('/user', {
+        'profile.name': 'this is a very long display name that will not be allowed due to length',
+      })).to.eventually.be.rejected.and.eql({
+        code: 400,
+        error: 'BadRequest',
+        message: t('displaynameIssueLength'),
+      });
+
+      await expect(user.put('/user', {
+        'profile.name': 'TESTPLACEHOLDERSLURWORDHERE',
+      })).to.eventually.be.rejected.and.eql({
+        code: 400,
+        error: 'BadRequest',
+        message: t('displaynameIssueSlur'),
       });
     });
   });

test/api/v3/integration/user/auth/POST-register_local.test.js

@@ -41,6 +41,23 @@ describe('POST /user/auth/local/register', () => {
       expect(user.newUser).to.eql(true);
     });
 
+    it('registers a new user and sets verifiedUsername to true', async () => {
+      let username = generateRandomUserName();
+      let email = `${username}@example.com`;
+      let password = 'password';
+
+      let user = await api.post('/user/auth/local/register', {
+        username,
+        email,
+        password,
+        confirmPassword: password,
+      });
+
+      expect(user._id).to.exist;
+      expect(user.apiToken).to.exist;
+      expect(user.flags.verifiedUsername).to.eql(true);
+    });
+
     xit('remove spaces from username', async () => {
       // TODO can probably delete this test now
       let username = ' usernamewithspaces ';

test/api/v4/user/PUT-user.test.js

@@ -76,7 +76,7 @@ describe('PUT /user', () => {
       })).to.eventually.be.rejected.and.eql({
         code: 400,
         error: 'BadRequest',
-        message: 'User validation failed',
+        message: t('invalidReqParams'),
       });
     });
   });

test/api/v4/user/auth/POST-user_verify_username.test.js

@@ -0,0 +1,89 @@
+import {
+  generateUser,
+  translate as t,
+} from '../../../../helpers/api-integration/v4';
+
+const ENDPOINT = '/user/auth/verify-username';
+
+describe('POST /user/auth/verify-username', async () => {
+  let user;
+
+  beforeEach(async () => {
+    user = await generateUser();
+  });
+
+  it('successfully verifies username', async () => {
+    let newUsername = 'new-username';
+    let response = await user.post(ENDPOINT, {
+      username: newUsername,
+    });
+    expect(response).to.eql({ isUsable: true });
+  });
+
+  it('successfully verifies username with allowed characters', async () => {
+    let newUsername = 'new-username_123';
+    let response = await user.post(ENDPOINT, {
+      username: newUsername,
+    });
+    expect(response).to.eql({ isUsable: true });
+  });
+
+  context('errors', async () => {
+    it('errors if username is not provided', async () => {
+      await expect(user.post(ENDPOINT, {
+      })).to.eventually.be.rejected.and.eql({
+        code: 400,
+        error: 'BadRequest',
+        message: t('invalidReqParams'),
+      });
+    });
+
+    it('errors if username is a slur', async () => {
+      await expect(user.post(ENDPOINT, {
+        username: 'TESTPLACEHOLDERSLURWORDHERE',
+      })).to.eventually.eql({ isUsable: false, issues: [t('usernameIssueLength'), t('usernameIssueSlur')] });
+    });
+
+    it('errors if username contains a slur', async () => {
+      await expect(user.post(ENDPOINT, {
+        username: 'TESTPLACEHOLDERSLURWORDHERE_otherword',
+      })).to.eventually.eql({ isUsable: false, issues: [t('usernameIssueLength'), t('usernameIssueSlur')] });
+      await expect(user.post(ENDPOINT, {
+        username: 'something_TESTPLACEHOLDERSLURWORDHERE',
+      })).to.eventually.eql({ isUsable: false, issues: [t('usernameIssueLength'), t('usernameIssueSlur')] });
+      await expect(user.post(ENDPOINT, {
+        username: 'somethingTESTPLACEHOLDERSLURWORDHEREotherword',
+      })).to.eventually.eql({ isUsable: false, issues: [t('usernameIssueLength'), t('usernameIssueSlur')] });
+    });
+
+    it('errors if username is not allowed', async () => {
+      await expect(user.post(ENDPOINT, {
+        username: 'support',
+      })).to.eventually.eql({ isUsable: false, issues: [t('usernameIssueForbidden')] });
+    });
+
+    it('errors if username is not allowed regardless of casing', async () => {
+      await expect(user.post(ENDPOINT, {
+        username: 'SUppORT',
+      })).to.eventually.eql({ isUsable: false, issues: [t('usernameIssueForbidden')] });
+    });
+
+    it('errors if username has incorrect length', async () => {
+      await expect(user.post(ENDPOINT, {
+        username: 'thisisaverylongusernameover20characters',
+      })).to.eventually.eql({ isUsable: false, issues: [t('usernameIssueLength')] });
+    });
+
+    it('errors if username contains invalid characters', async () => {
+      await expect(user.post(ENDPOINT, {
+        username: 'Eichhörnchen',
+      })).to.eventually.eql({ isUsable: false, issues: [t('usernameIssueInvalidCharacters')] });
+      await expect(user.post(ENDPOINT, {
+        username: 'test.name',
+      })).to.eventually.eql({ isUsable: false, issues: [t('usernameIssueInvalidCharacters')] });
+      await expect(user.post(ENDPOINT, {
+        username: '🤬',
+      })).to.eventually.eql({ isUsable: false, issues: [t('usernameIssueInvalidCharacters')] });
+    });
+  });
+});

test/api/v4/user/auth/PUT-user_update_username.test.js

@@ -0,0 +1,224 @@
+import {
+  generateUser,
+  translate as t,
+} from '../../../../helpers/api-integration/v4';
+import {
+  bcryptCompare,
+  sha1MakeSalt,
+  sha1Encrypt as sha1EncryptPassword,
+} from '../../../../../website/server/libs/password';
+
+const ENDPOINT = '/user/auth/update-username';
+
+describe('PUT /user/auth/update-username', async () => {
+  let user;
+  let password = 'password'; // from habitrpg/test/helpers/api-integration/v4/object-generators.js
+
+  beforeEach(async () => {
+    user = await generateUser();
+  });
+
+  it('successfully changes username with password', async () => {
+    let newUsername = 'new-username';
+    let response = await user.put(ENDPOINT, {
+      username: newUsername,
+      password,
+    });
+    expect(response).to.eql({ username: newUsername });
+    await user.sync();
+    expect(user.auth.local.username).to.eql(newUsername);
+  });
+
+  it('successfully changes username without password', async () => {
+    let newUsername = 'new-username-nopw';
+    let response = await user.put(ENDPOINT, {
+      username: newUsername,
+    });
+    expect(response).to.eql({ username: newUsername });
+    await user.sync();
+    expect(user.auth.local.username).to.eql(newUsername);
+  });
+
+  it('successfully changes username containing number and underscore', async () => {
+    let newUsername = 'new_username9';
+    let response = await user.put(ENDPOINT, {
+      username: newUsername,
+    });
+    expect(response).to.eql({ username: newUsername });
+    await user.sync();
+    expect(user.auth.local.username).to.eql(newUsername);
+  });
+
+  it('sets verifiedUsername when changing username', async () => {
+    user.flags.verifiedUsername = false;
+    await user.sync();
+    let newUsername = 'new-username-verify';
+    let response = await user.put(ENDPOINT, {
+      username: newUsername,
+    });
+    expect(response).to.eql({ username: newUsername });
+    await user.sync();
+    expect(user.flags.verifiedUsername).to.eql(true);
+  });
+
+  it('converts user with SHA1 encrypted password to bcrypt encryption', async () => {
+    let myNewUsername = 'my-new-username';
+    let textPassword = 'mySecretPassword';
+    let salt = sha1MakeSalt();
+    let sha1HashedPassword = sha1EncryptPassword(textPassword, salt);
+
+    await user.update({
+      'auth.local.hashed_password': sha1HashedPassword,
+      'auth.local.passwordHashMethod': 'sha1',
+      'auth.local.salt': salt,
+    });
+
+    await user.sync();
+    expect(user.auth.local.passwordHashMethod).to.equal('sha1');
+    expect(user.auth.local.salt).to.equal(salt);
+    expect(user.auth.local.hashed_password).to.equal(sha1HashedPassword);
+
+    // update email
+    let response = await user.put(ENDPOINT, {
+      username: myNewUsername,
+      password: textPassword,
+    });
+    expect(response).to.eql({ username: myNewUsername });
+
+    await user.sync();
+
+    expect(user.auth.local.username).to.eql(myNewUsername);
+    expect(user.auth.local.passwordHashMethod).to.equal('bcrypt');
+    expect(user.auth.local.salt).to.be.undefined;
+    expect(user.auth.local.hashed_password).not.to.equal(sha1HashedPassword);
+
+    let isValidPassword = await bcryptCompare(textPassword, user.auth.local.hashed_password);
+    expect(isValidPassword).to.equal(true);
+  });
+
+  context('errors', async () => {
+    it('prevents username update if new username is already taken', async () => {
+      let existingUsername = 'existing-username';
+      await generateUser({'auth.local.username': existingUsername, 'auth.local.lowerCaseUsername': existingUsername });
+
+      await expect(user.put(ENDPOINT, {
+        username: existingUsername,
+        password,
+      })).to.eventually.be.rejected.and.eql({
+        code: 400,
+        error: 'BadRequest',
+        message: t('usernameTaken'),
+      });
+    });
+
+    it('errors if password is wrong', async () => {
+      let newUsername = 'new-username';
+      await expect(user.put(ENDPOINT, {
+        username: newUsername,
+        password: 'wrong-password',
+      })).to.eventually.be.rejected.and.eql({
+        code: 401,
+        error: 'NotAuthorized',
+        message: t('wrongPassword'),
+      });
+    });
+
+    it('errors if new username is not provided', async () => {
+      await expect(user.put(ENDPOINT, {
+        password,
+      })).to.eventually.be.rejected.and.eql({
+        code: 400,
+        error: 'BadRequest',
+        message: t('invalidReqParams'),
+      });
+    });
+
+    it('errors if new username is a slur', async () => {
+      await expect(user.put(ENDPOINT, {
+        username: 'TESTPLACEHOLDERSLURWORDHERE',
+      })).to.eventually.be.rejected.and.eql({
+        code: 400,
+        error: 'BadRequest',
+        message: [t('usernameIssueLength'), t('usernameIssueSlur')].join(' '),
+      });
+    });
+
+    it('errors if new username contains a slur', async () => {
+      await expect(user.put(ENDPOINT, {
+        username: 'TESTPLACEHOLDERSLURWORDHERE_otherword',
+      })).to.eventually.be.rejected.and.eql({
+        code: 400,
+        error: 'BadRequest',
+        message: [t('usernameIssueLength'), t('usernameIssueSlur')].join(' '),
+      });
+      await expect(user.put(ENDPOINT, {
+        username: 'something_TESTPLACEHOLDERSLURWORDHERE',
+      })).to.eventually.be.rejected.and.eql({
+        code: 400,
+        error: 'BadRequest',
+        message: [t('usernameIssueLength'), t('usernameIssueSlur')].join(' '),
+      });
+      await expect(user.put(ENDPOINT, {
+        username: 'somethingTESTPLACEHOLDERSLURWORDHEREotherword',
+      })).to.eventually.be.rejected.and.eql({
+        code: 400,
+        error: 'BadRequest',
+        message: [t('usernameIssueLength'), t('usernameIssueSlur')].join(' '),
+      });
+    });
+
+    it('errors if new username is not allowed', async () => {
+      await expect(user.put(ENDPOINT, {
+        username: 'support',
+      })).to.eventually.be.rejected.and.eql({
+        code: 400,
+        error: 'BadRequest',
+        message: t('usernameIssueForbidden'),
+      });
+    });
+
+    it('errors if new username is not allowed regardless of casing', async () => {
+      await expect(user.put(ENDPOINT, {
+        username: 'SUppORT',
+      })).to.eventually.be.rejected.and.eql({
+        code: 400,
+        error: 'BadRequest',
+        message: t('usernameIssueForbidden'),
+      });
+    });
+
+    it('errors if username has incorrect length', async () => {
+      await expect(user.put(ENDPOINT, {
+        username: 'thisisaverylongusernameover20characters',
+      })).to.eventually.be.rejected.and.eql({
+        code: 400,
+        error: 'BadRequest',
+        message: t('usernameIssueLength'),
+      });
+    });
+
+    it('errors if new username contains invalid characters', async () => {
+      await expect(user.put(ENDPOINT, {
+        username: 'Eichhörnchen',
+      })).to.eventually.be.rejected.and.eql({
+        code: 400,
+        error: 'BadRequest',
+        message: t('usernameIssueInvalidCharacters'),
+      });
+      await expect(user.put(ENDPOINT, {
+        username: 'test.name',
+      })).to.eventually.be.rejected.and.eql({
+        code: 400,
+        error: 'BadRequest',
+        message: t('usernameIssueInvalidCharacters'),
+      });
+      await expect(user.put(ENDPOINT, {
+        username: '🤬',
+      })).to.eventually.be.rejected.and.eql({
+        code: 400,
+        error: 'BadRequest',
+        message: t('usernameIssueInvalidCharacters'),
+      });
+    });
+  });
+});