merge v0.23.0-rc changes

2024-09-29 19:23:19 +03:00
parent ad92992324
commit 844f18cac3
753 changed files with 85141 additions and 63396 deletions
--- a/apis/record_auth_otp_request_test.go
+++ b/apis/record_auth_otp_request_test.go
@@ -0,0 +1,231 @@
+package apis_test
+
+import (
+	"net/http"
+	"strconv"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/pocketbase/pocketbase/core"
+	"github.com/pocketbase/pocketbase/tests"
+	"github.com/pocketbase/pocketbase/tools/types"
+)
+
+func TestRecordRequestOTP(t *testing.T) {
+	t.Parallel()
+
+	scenarios := []tests.ApiScenario{
+		{
+			Name:            "not an auth collection",
+			Method:          http.MethodPost,
+			URL:             "/api/collections/demo1/request-otp",
+			Body:            strings.NewReader(`{"email":"test@example.com"}`),
+			ExpectedStatus:  404,
+			ExpectedContent: []string{`"data":{}`},
+			ExpectedEvents:  map[string]int{"*": 0},
+		},
+		{
+			Name:   "auth collection with disabled otp",
+			Method: http.MethodPost,
+			URL:    "/api/collections/users/request-otp",
+			Body:   strings.NewReader(`{"email":"test@example.com"}`),
+			BeforeTestFunc: func(t testing.TB, app *tests.TestApp, e *core.ServeEvent) {
+				usersCol, err := app.FindCollectionByNameOrId("users")
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				usersCol.OTP.Enabled = false
+
+				if err := app.Save(usersCol); err != nil {
+					t.Fatal(err)
+				}
+			},
+			ExpectedStatus:  403,
+			ExpectedContent: []string{`"data":{}`},
+			ExpectedEvents:  map[string]int{"*": 0},
+		},
+		{
+			Name:            "empty body",
+			Method:          http.MethodPost,
+			URL:             "/api/collections/users/request-otp",
+			Body:            strings.NewReader(``),
+			ExpectedStatus:  400,
+			ExpectedContent: []string{`"data":{"email":{"code":"validation_required","message":"Cannot be blank."}}`},
+			ExpectedEvents:  map[string]int{"*": 0},
+		},
+		{
+			Name:            "invalid body",
+			Method:          http.MethodPost,
+			URL:             "/api/collections/users/request-otp",
+			Body:            strings.NewReader(`{"email`),
+			ExpectedStatus:  400,
+			ExpectedContent: []string{`"data":{}`},
+			ExpectedEvents:  map[string]int{"*": 0},
+		},
+		{
+			Name:           "invalid request data",
+			Method:         http.MethodPost,
+			URL:            "/api/collections/users/request-otp",
+			Body:           strings.NewReader(`{"email":"invalid"}`),
+			ExpectedStatus: 400,
+			ExpectedContent: []string{
+				`"data":{`,
+				`"email":{"code":"validation_is_email`,
+			},
+			ExpectedEvents: map[string]int{"*": 0},
+		},
+		{
+			Name:           "missing auth record",
+			Method:         http.MethodPost,
+			URL:            "/api/collections/users/request-otp",
+			Body:           strings.NewReader(`{"email":"missing@example.com"}`),
+			Delay:          100 * time.Millisecond,
+			ExpectedStatus: 200,
+			ExpectedContent: []string{
+				`"otpId":"`, // some fake random generated string
+			},
+			ExpectedEvents: map[string]int{"*": 0},
+			AfterTestFunc: func(t testing.TB, app *tests.TestApp, res *http.Response) {
+				if app.TestMailer.TotalSend() != 0 {
+					t.Fatalf("Expected zero emails, got %d", app.TestMailer.TotalSend())
+				}
+			},
+		},
+		{
+			Name:   "existing auth record (with < 9 non-expired)",
+			Method: http.MethodPost,
+			URL:    "/api/collections/users/request-otp",
+			Body:   strings.NewReader(`{"email":"test@example.com"}`),
+			Delay:  100 * time.Millisecond,
+			BeforeTestFunc: func(t testing.TB, app *tests.TestApp, e *core.ServeEvent) {
+				user, err := app.FindAuthRecordByEmail("users", "test@example.com")
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				// insert 8 non-expired and 2 expired
+				for i := 0; i < 10; i++ {
+					otp := core.NewOTP(app)
+					otp.Id = "otp_" + strconv.Itoa(i)
+					otp.SetCollectionRef(user.Collection().Id)
+					otp.SetRecordRef(user.Id)
+					otp.SetPassword("123456")
+					if i >= 8 {
+						expiredDate := types.NowDateTime().AddDate(-3, 0, 0)
+						otp.SetRaw("created", expiredDate)
+						otp.SetRaw("updated", expiredDate)
+					}
+					if err := app.SaveNoValidate(otp); err != nil {
+						t.Fatal(err)
+					}
+				}
+			},
+			ExpectedStatus: 200,
+			ExpectedContent: []string{
+				`"otpId":"`,
+			},
+			NotExpectedContent: []string{
+				`"otpId":"otp_`,
+			},
+			ExpectedEvents: map[string]int{
+				"*":                          0,
+				"OnRecordRequestOTPRequest":  1,
+				"OnMailerSend":               1,
+				"OnMailerRecordOTPSend":      1,
+				"OnModelCreate":              1,
+				"OnModelCreateExecute":       1,
+				"OnModelAfterCreateSuccess":  1,
+				"OnModelValidate":            1,
+				"OnRecordCreate":             1,
+				"OnRecordCreateExecute":      1,
+				"OnRecordAfterCreateSuccess": 1,
+				"OnRecordValidate":           1,
+			},
+			AfterTestFunc: func(t testing.TB, app *tests.TestApp, res *http.Response) {
+				if app.TestMailer.TotalSend() != 1 {
+					t.Fatalf("Expected 1 email, got %d", app.TestMailer.TotalSend())
+				}
+			},
+		},
+		{
+			Name:   "existing auth record (with > 9 non-expired)",
+			Method: http.MethodPost,
+			URL:    "/api/collections/users/request-otp",
+			Body:   strings.NewReader(`{"email":"test@example.com"}`),
+			Delay:  100 * time.Millisecond,
+			BeforeTestFunc: func(t testing.TB, app *tests.TestApp, e *core.ServeEvent) {
+				user, err := app.FindAuthRecordByEmail("users", "test@example.com")
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				// insert 10 non-expired
+				for i := 0; i < 10; i++ {
+					otp := core.NewOTP(app)
+					otp.Id = "otp_" + strconv.Itoa(i)
+					otp.SetCollectionRef(user.Collection().Id)
+					otp.SetRecordRef(user.Id)
+					otp.SetPassword("123456")
+					if err := app.SaveNoValidate(otp); err != nil {
+						t.Fatal(err)
+					}
+				}
+			},
+			ExpectedStatus: 200,
+			ExpectedContent: []string{
+				`"otpId":"otp_9"`,
+			},
+			ExpectedEvents: map[string]int{
+				"*":                         0,
+				"OnRecordRequestOTPRequest": 1,
+			},
+			AfterTestFunc: func(t testing.TB, app *tests.TestApp, res *http.Response) {
+				if app.TestMailer.TotalSend() != 0 {
+					t.Fatalf("Expected 0 sent emails, got %d", app.TestMailer.TotalSend())
+				}
+			},
+		},
+
+		// rate limit checks
+		// -----------------------------------------------------------
+		{
+			Name:   "RateLimit rule - users:requestOTP",
+			Method: http.MethodPost,
+			URL:    "/api/collections/users/request-otp",
+			Body:   strings.NewReader(`{"email":"test@example.com"}`),
+			BeforeTestFunc: func(t testing.TB, app *tests.TestApp, e *core.ServeEvent) {
+				app.Settings().RateLimits.Enabled = true
+				app.Settings().RateLimits.Rules = []core.RateLimitRule{
+					{MaxRequests: 100, Label: "abc"},
+					{MaxRequests: 100, Label: "*:requestOTP"},
+					{MaxRequests: 0, Label: "users:requestOTP"},
+				}
+			},
+			ExpectedStatus:  429,
+			ExpectedContent: []string{`"data":{}`},
+			ExpectedEvents:  map[string]int{"*": 0},
+		},
+		{
+			Name:   "RateLimit rule - *:requestOTP",
+			Method: http.MethodPost,
+			URL:    "/api/collections/users/request-otp",
+			Body:   strings.NewReader(`{"email":"test@example.com"}`),
+			BeforeTestFunc: func(t testing.TB, app *tests.TestApp, e *core.ServeEvent) {
+				app.Settings().RateLimits.Enabled = true
+				app.Settings().RateLimits.Rules = []core.RateLimitRule{
+					{MaxRequests: 100, Label: "abc"},
+					{MaxRequests: 0, Label: "*:requestOTP"},
+				}
+			},
+			ExpectedStatus:  429,
+			ExpectedContent: []string{`"data":{}`},
+			ExpectedEvents:  map[string]int{"*": 0},
+		},
+	}
+
+	for _, scenario := range scenarios {
+		scenario.Test(t)
+	}
+}