Fix password validation bug and add test for it

This ensures that the password validation function `bcrypt.compare` actually completes its process before the next step of the promise chain executes, then the `===` ensures that the value of `valid` is actually `true`, not just a truthy value. The test ensures that this function actually returns an error for an invalid combination of username and password.
stockpile-co · Feb 17, 2017 · 07376ff · 07376ff
1 parent 6da1344
commit 07376ff
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 3 deletions.
diff --git a/controllers/auth.js b/controllers/auth.js
@@ -23,13 +23,13 @@ module.exports.authenticate = (req, res, next) => {
   if (req.body.email && req.body.password) {
     return db.get('organization', 'email', req.body.email)
       .then(organization => {
-        return [
+        return Promise.all([
           organization.organization_id,
           bcrypt.compare(req.body.password, organization.password)
-        ]
+        ])
       })
       .then(([organizationID, valid]) => {
-        if (valid) {
+        if (valid === true) {
           const token = makeToken({sub: organizationID})
           res.send({
             id: organizationID,

diff --git a/test/auth.js b/test/auth.js
@@ -66,6 +66,22 @@ test('Authenticates an organization', async t => {
   t.false(next.called, 'no errors')
 })
 
+test('Returns error when email and password do not match', async t => {
+  const req = {
+    body: d.authOrganizationWrong
+  }
+  const res = {
+    send: sinon.spy()
+  }
+  const next = sinon.spy()
+
+  await knex(d.table).insert(d.authOrganizationWrongHash)
+  await auth.authenticate(req, res, next)
+
+  t.false(res.send.called, 'does not respond')
+  t.true(next.called, 'returns an error')
+})
+
 test.after.always('Clean up database', async t => {
   // Delete created organizations
   await knex(d.table)
@@ -74,4 +90,7 @@ test.after.always('Clean up database', async t => {
   await knex(d.table)
     .where('email', d.authOrganization.email)
     .del()
+  await knex(d.table)
+    .where('email', d.authOrganizationWrong.email)
+    .del()
 })
diff --git a/test/fixtures/auth.json b/test/fixtures/auth.json
@@ -20,5 +20,15 @@
     "name": "Second Test Organization",
     "email": "authtestorg@example.com",
     "password": "$2a$10$iWpLbGBdE99lnTTSFOT.u.MgKvGSdzapRpTn4iIqeKrkoEq/308Lq"
+  },
+  "authOrganizationWrong": {
+    "name": "Third Test Organization",
+    "email": "authtestorg3@example.com",
+    "password": "testpassword"
+  },
+  "authOrganizationWrongHash": {
+    "name": "Third Test Organization",
+    "email": "authtestorg3@example.com",
+    "password": "$2a$10$iWpLbGBdE99lnTTSFOT.u.MgKvGSdzapRpTn4iIqeKrkoEq/308Lq"
   }
 }