Files
bvandeusen cbe838cbe3 feat(server/m7-user-mgmt): forgot + reset password endpoints (U3)
POST /api/auth/forgot-password and POST /api/auth/reset-password.

Forgot-password ALWAYS returns 200 with empty JSON to prevent
enumeration of registered emails. Side effect: when email matches
a user with email-on-file, generates a 32-byte hex token (24h
TTL), inserts into password_resets, and sends the reset email via
the mailer. Mailer failures are logged (not surfaced) and the
audit log carries metadata.email_match for operator visibility.

Reset-password atomically claims the token via UsePasswordReset
(:execrows; concurrent calls can't both succeed). On rows=1,
hashes the new password and writes via ChangeUserPassword.
Returns 204 on success, 400 invalid_token on stale/used/missing
tokens, 400 password_too_short for short passwords. Audits
ActionPasswordResetByEmail.

Wires the mailer.Sender into the handlers struct via Mount;
production sender (NewSMTPSender) constructed in server.Router();
tests inject FakeSender via testHandlers default. The reset
URL embedded in the email is derived from r.Host (no PublicURL
config setting in v1; self-hosted operators see their own
hostname).

Tests cover happy-path send + token-row insertion, unknown email
returns 200 with no send, mailer failure still returns 200, reset
happy path verifies bcrypt match + used_at set, already-used
token 400, expired token 400, short password 400, bogus token 400.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-07 12:49:30 -04:00

146 lines
4.4 KiB
Go

package api
import (
"bytes"
"context"
"net/http"
"net/http/httptest"
"os"
"testing"
"time"
"github.com/jackc/pgx/v5/pgtype"
"golang.org/x/crypto/bcrypt"
)
func TestResetPassword_Happy(t *testing.T) {
if os.Getenv("MINSTREL_TEST_DATABASE_URL") == "" {
t.Skip("MINSTREL_TEST_DATABASE_URL not set")
}
h, pool := testHandlers(t)
user := seedUser(t, pool, "resetuser", "oldpw1234", false)
// Insert a fresh token.
token := "test-reset-token-abc"
if _, err := pool.Exec(context.Background(),
`INSERT INTO password_resets (token, user_id, expires_at)
VALUES ($1, $2, $3)`, token, user.ID, time.Now().Add(time.Hour),
); err != nil {
t.Fatalf("seed: %v", err)
}
body := `{"token":"test-reset-token-abc","new_password":"newpassword1"}`
req := httptest.NewRequest(http.MethodPost, "/api/auth/reset-password",
bytes.NewReader([]byte(body)))
rec := httptest.NewRecorder()
h.handleResetPassword(rec, req)
if rec.Code != http.StatusNoContent {
t.Fatalf("status = %d, want 204; body=%s", rec.Code, rec.Body.String())
}
// New password works?
var hash string
if err := pool.QueryRow(context.Background(),
"SELECT password_hash FROM users WHERE id = $1", user.ID).Scan(&hash); err != nil {
t.Fatalf("read hash: %v", err)
}
if err := bcrypt.CompareHashAndPassword([]byte(hash), []byte("newpassword1")); err != nil {
t.Errorf("new password doesn't match: %v", err)
}
// Token marked used?
var usedAt pgtype.Timestamptz
if err := pool.QueryRow(context.Background(),
"SELECT used_at FROM password_resets WHERE token = $1", token).Scan(&usedAt); err != nil {
t.Fatalf("verify used_at: %v", err)
}
if !usedAt.Valid {
t.Errorf("used_at is NULL after reset; should be set")
}
}
func TestResetPassword_AlreadyUsed_400(t *testing.T) {
if os.Getenv("MINSTREL_TEST_DATABASE_URL") == "" {
t.Skip("MINSTREL_TEST_DATABASE_URL not set")
}
h, pool := testHandlers(t)
user := seedUser(t, pool, "alreadyused", "pw", false)
token := "test-already-used"
if _, err := pool.Exec(context.Background(),
`INSERT INTO password_resets (token, user_id, expires_at, used_at)
VALUES ($1, $2, $3, now())`, token, user.ID, time.Now().Add(time.Hour),
); err != nil {
t.Fatalf("seed: %v", err)
}
body := `{"token":"test-already-used","new_password":"abcd1234"}`
req := httptest.NewRequest(http.MethodPost, "/api/auth/reset-password",
bytes.NewReader([]byte(body)))
rec := httptest.NewRecorder()
h.handleResetPassword(rec, req)
if rec.Code != http.StatusBadRequest {
t.Errorf("status = %d, want 400 (invalid_token for already-used)", rec.Code)
}
}
func TestResetPassword_Expired_400(t *testing.T) {
if os.Getenv("MINSTREL_TEST_DATABASE_URL") == "" {
t.Skip("MINSTREL_TEST_DATABASE_URL not set")
}
h, pool := testHandlers(t)
user := seedUser(t, pool, "expiredreset", "pw", false)
token := "test-expired-token"
if _, err := pool.Exec(context.Background(),
`INSERT INTO password_resets (token, user_id, expires_at)
VALUES ($1, $2, $3)`, token, user.ID, time.Now().Add(-time.Hour), // already expired
); err != nil {
t.Fatalf("seed: %v", err)
}
body := `{"token":"test-expired-token","new_password":"abcd1234"}`
req := httptest.NewRequest(http.MethodPost, "/api/auth/reset-password",
bytes.NewReader([]byte(body)))
rec := httptest.NewRecorder()
h.handleResetPassword(rec, req)
if rec.Code != http.StatusBadRequest {
t.Errorf("status = %d, want 400 (invalid_token for expired)", rec.Code)
}
}
func TestResetPassword_PasswordTooShort_400(t *testing.T) {
if os.Getenv("MINSTREL_TEST_DATABASE_URL") == "" {
t.Skip("MINSTREL_TEST_DATABASE_URL not set")
}
h, _ := testHandlers(t)
body := `{"token":"any-token","new_password":"abc"}`
req := httptest.NewRequest(http.MethodPost, "/api/auth/reset-password",
bytes.NewReader([]byte(body)))
rec := httptest.NewRecorder()
h.handleResetPassword(rec, req)
if rec.Code != http.StatusBadRequest {
t.Errorf("status = %d, want 400", rec.Code)
}
}
func TestResetPassword_BogusToken_400(t *testing.T) {
if os.Getenv("MINSTREL_TEST_DATABASE_URL") == "" {
t.Skip("MINSTREL_TEST_DATABASE_URL not set")
}
h, _ := testHandlers(t)
body := `{"token":"bogus-token","new_password":"abcd1234"}`
req := httptest.NewRequest(http.MethodPost, "/api/auth/reset-password",
bytes.NewReader([]byte(body)))
rec := httptest.NewRecorder()
h.handleResetPassword(rec, req)
if rec.Code != http.StatusBadRequest {
t.Errorf("status = %d, want 400 (invalid_token for bogus)", rec.Code)
}
}