
Commit 25581c2

test: one-time passcode becomes invalid after use
1 parent 26cc758 commit 25581c2


2 files changed

+47
-0
lines changed


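--- a/coderd/database/dbmem/dbmem.go
+++ b/coderd/database/dbmem/dbmem.go
@@ -9110,6 +9110,8 @@ func (q *FakeQuerier) UpdateUserHashedPassword(_ context.Context, arg database.U
 			continue
 		}
 		user.HashedPassword = arg.HashedPassword
+		user.HashedOneTimePasscode = nil
+		user.OneTimePasscodeExpiresAt = sql.NullTime{}
 		q.users[i] = user
 		return nil
 	}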
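Review bot: The two added assignments make the in-memory fake invalidate the one-time passcode when the password is updated, but only the fake is touched here; the SQL implementation of `UpdateUserHashedPassword` is not in this commit, so if that query does not also null `hashed_one_time_passcode` and `one_time_passcode_expires_at`, the new reuse test passes against dbmem while the real database still accepts a spent code. Worth confirming the query matches, and a comment on the added lines would make the invariant explicit: `// Consuming a passcode (or any password change) must invalidate it; keep in sync with the SQL UpdateUserHashedPassword query.` The enclosing `UpdateUserHashedPassword` method starts before this hunk.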
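--- a/coderd/userauth_test.go
+++ b/coderd/userauth_test.go
@@ -1715,6 +1715,14 @@ func TestUserForgotPassword(t *testing.T) {
 			Password:        newPassword,
 		})
 		require.NoError(t, err)
+
+		// We now need to check that the one-time passcode isn't valid.
+		err = anotherClient.ChangePasswordWithOneTimePasscode(ctx, codersdk.ChangePasswordWithOneTimePasscodeRequest{
+			Email:           anotherUser.Email,
+			OneTimePasscode: oneTimePasscode,
+			Password:        "SomeDifferentSecurePassword!",
+		})
+		require.Error(t, err)
 	})
 
 	t.Run("CannotChangePasswordWithInvalidOneTimePasscode", func(t *testing.T) {
@@ -1754,6 +1762,43 @@ func TestUserForgotPassword(t *testing.T) {
 		require.Equal(t, http.StatusBadRequest, apiErr.StatusCode())
 	})
 
+	t.Run("CannotChangePasswordWithNoOneTimePasscode", func(t *testing.T) {
+		t.Parallel()
+
+		notifyEnq := &testutil.FakeNotificationsEnqueuer{}
+
+		client := coderdtest.New(t, &coderdtest.Options{
+			NotificationsEnqueuer: notifyEnq,
+		})
+		user := coderdtest.CreateFirstUser(t, client)
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		anotherClient, anotherUser := coderdtest.CreateAnotherUser(t, client, user.OrganizationID)
+
+		err := anotherClient.RequestOneTimePasscode(ctx, codersdk.RequestOneTimePasscodeRequest{
+			Email: anotherUser.Email,
+		})
+		require.NoError(t, err)
+
+		require.Equal(t, 2, len(notifyEnq.Sent))
+
+		notif := notifyEnq.Sent[1]
+		verifyOneTimePasscodeNotification(t, notif, anotherUser.ID)
+
+		err = anotherClient.ChangePasswordWithOneTimePasscode(ctx, codersdk.ChangePasswordWithOneTimePasscodeRequest{
+			Email:           anotherUser.Email,
+			OneTimePasscode: "",
+			Password:        "SomeNewSecurePassword!",
+		})
+		require.Error(t, err)
+
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusBadRequest, apiErr.StatusCode())
+	})
+
 	t.Run("CannotChangePasswordWithWeakPassword", func(t *testing.T) {
 		t.Parallel()
 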
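Review bot: The `CannotChangePasswordWithNoOneTimePasscode` subtest requests a passcode before sending the empty `OneTimePasscode: ""`, so it exercises "empty code against a stored hash" rather than the case its name suggests, where the user has no passcode at all (`HashedOneTimePasscode` nil, as the dbmem change leaves it after a password update); that second case is the one where a naive comparison of a nil/empty hash against an empty code can wrongly succeed, and it is not covered here. Consider dropping the `RequestOneTimePasscode` call and notification assertions (or adding a sibling subtest) so the empty code is submitted for a user with no stored passcode, and then asserting the old password still logs in. In the first hunk, the reuse check stops at `require.Error(t, err)`; matching the neighbouring subtests with `require.ErrorAs(t, err, &apiErr)` and `require.Equal(t, http.StatusBadRequest, apiErr.StatusCode())` would rule out the error being a transport or timeout failure rather than a rejected code. Both hunks sit inside `TestUserForgotPassword`, whose beginning and end are outside this diff.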