TestsUtil.generateTestUsers(camAdminRestContext, 2, function(err, users, simong, nico) {
assert.ok(!err);
// The users need an email address
simong.user.email = TestsUtil.generateTestEmailAddress();
nico.user.email = TestsUtil.generateTestEmailAddress();
EmailTestsUtil.sendEmail('oae-email', 'test', simong.user, null, null, function(err, message) {
assert.ok(!err);
assert.ok(message);
EmailTestsUtil.sendEmail('oae-email', 'test', nico.user, null, null, function(err, message) {
assert.ok(!err);
assert.ok(message);
// Sanity-check we cannot send it twice
EmailTestsUtil.sendEmail('oae-email', 'test', simong.user, null, null, function(err, message) {
assert.ok(err);
assert.equal(err.code, 403);
EmailTestsUtil.sendEmail('oae-email', 'test', nico.user, null, null, function(err, message) {
assert.ok(err);
assert.equal(err.code, 403);
return callback();
});
});
});
});
});
TestsUtil.generateTestUsers(camAdminRestContext, 2, function(err, users) {
assert.ok(!err);
var mrvisser = _.values(users)[0];
var simong = _.values(users)[1];
// Generate e-mail addresses
mrvisser.user.email = TestsUtil.generateTestEmailAddress('mrvisser');
simong.user.email = TestsUtil.generateTestEmailAddress('simong');
// Simon is private and mrvisser is public
var mrvisserUpdate = {'email': mrvisser.user.email};
var simongUpdate = {
'email': simong.user.email,
'visibility': 'private',
'publicAlias': 'swappedFromPublicAlias'
};
// Update the users
RestAPI.User.updateUser(mrvisser.restContext, mrvisser.user.id, mrvisserUpdate, function(err) {
assert.ok(!err);
RestAPI.User.updateUser(simong.restContext, simong.user.id, simongUpdate, function(err) {
assert.ok(!err);
// Create the link, sharing it with mrvisser during the creation step. We will ensure he gets an email about it
RestAPI.Discussions.createDiscussion(simong.restContext, 'A talk', 'not about computers', 'public', [], [mrvisser.user.id], function(err, discussion) {
assert.ok(!err);
// Mrvisser should get an email, with simong's information scrubbed
EmailTestsUtil.collectAndFetchAllEmails(function(emails) {
// There should be exactly one email, the one sent to mrvisser
assert.equal(emails.length, 1);
var stringEmail = JSON.stringify(emails[0]);
var email = emails[0];
// Sanity check that the email is to mrvisser
assert.equal(email.to[0].address, mrvisser.user.email);
// Ensure some data expected to be in the email is there
assert.notEqual(stringEmail.indexOf(simong.restContext.hostHeader), -1);
assert.notEqual(stringEmail.indexOf(discussion.profilePath), -1);
assert.notEqual(stringEmail.indexOf(discussion.displayName), -1);
// Ensure simong's private info is nowhere to be found
assert.equal(stringEmail.indexOf(simong.user.displayName), -1);
assert.equal(stringEmail.indexOf(simong.user.email), -1);
assert.equal(stringEmail.indexOf(simong.user.locale), -1);
// The email should contain the public alias
assert.notEqual(stringEmail.indexOf('swappedFromPublicAlias'), -1);
callback();
});
});
});
});
});
it('verify local user accounts need to verify their email address', function(callback) {
// We can't use TestsUtil.generateTestUsers as that would do the verification process for us
var email = TestsUtil.generateTestEmailAddress();
var params = {
'username': TestsUtil.generateTestUserId(),
'password': '******',
'displayName': TestsUtil.generateRandomText(1),
'email': email
};
PrincipalsTestUtil.assertCreateUserSucceeds(anonymousRestContext, params, function(user, token) {
// Sanity check the user has no `email` property yet
RestAPI.User.getUser(camAdminRestContext, user.id, function(err, user) {
assert.ok(!err);
assert.ok(!user.email);
// Assert that there's no mapping yet for the email address
PrincipalsTestUtil.assertUserEmailMappingEquals(email, [], function() {
// Verify the email address
var restContext = TestsUtil.createTenantRestContext(global.oaeTests.tenants.cam.host);
AuthenticationTestUtil.assertLocalLoginSucceeds(restContext, params.username, params.password, function() {
PrincipalsTestUtil.assertVerifyEmailSucceeds(restContext, user.id, token, function() {
// Assert the mapping has been created
PrincipalsTestUtil.assertUserEmailMappingEquals(email, [user.id], function() {
return callback();
});
});
});
});
});
});
});
it('verify a token from another user cannot be used', function(callback) {
// We can't use TestsUtil.generateTestUsers as that would do the verification process for us
var paramsUser1 = {
'username': TestsUtil.generateTestUserId(),
'password': '******',
'displayName': TestsUtil.generateRandomText(1),
'email': TestsUtil.generateTestEmailAddress()
};
var restContextUser1 = TestsUtil.createTenantRestContext(global.oaeTests.tenants.cam.host);
PrincipalsTestUtil.assertCreateUserSucceeds(restContextUser1, paramsUser1, function(user1, tokenUser1) {
AuthenticationTestUtil.assertLocalLoginSucceeds(restContextUser1, paramsUser1.username, 'password', function() {
var paramsUser2 = {
'username': TestsUtil.generateTestUserId(),
'password': '******',
'displayName': TestsUtil.generateRandomText(1),
'email': TestsUtil.generateTestEmailAddress()
};
var restContextUser2 = TestsUtil.createTenantRestContext(global.oaeTests.tenants.cam.host);
PrincipalsTestUtil.assertCreateUserSucceeds(restContextUser2, paramsUser2, function(user2, tokenUser2) {
AuthenticationTestUtil.assertLocalLoginSucceeds(restContextUser2, paramsUser2.username, 'password', function() {
// Assert we cannot user the token from the first user
PrincipalsTestUtil.assertVerifyEmailFails(restContextUser2, user2.id, tokenUser1, 401, function() {
return callback();
});
});
});
});
});
});
it('verify activity emails are not sent to unverified email addresses', function(callback) {
// We can't use TestsUtil.generateTestUsers as that would do the verification process for us
var email = TestsUtil.generateTestEmailAddress();
var params = {
'username': TestsUtil.generateTestUserId(),
'password': '******',
'displayName': TestsUtil.generateRandomText(1),
'email': email
};
PrincipalsTestUtil.assertCreateUserSucceeds(anonymousRestContext, params, function(user, token) {
// Generate some more users who will be part of the activity
TestsUtil.generateTestUsers(camAdminRestContext, 2, function(err, users, simong, mrvisser) {
assert.ok(!err);
RestAPI.Content.createLink(simong.restContext, 'Google', 'Google', 'public', 'http://www.google.ca', [], [user.id, mrvisser.user.id], [], function(err, link) {
assert.ok(!err);
// Mrvisser should've received an email, but not the user with the unverified email address
EmailTestsUtil.collectAndFetchAllEmails(function(messages) {
assert.equal(messages.length, 1);
assert.strictEqual(messages[0].to.length, 1);
assert.equal(messages[0].to[0].address, mrvisser.user.email);
return callback();
});
});
});
});
});
it('verify validation when verifying an email address', function(callback) {
// We can't use TestsUtil.generateTestUsers as that would do the verification process for us
var email = TestsUtil.generateTestEmailAddress();
var params = {
'username': TestsUtil.generateTestUserId(),
'password': '******',
'displayName': TestsUtil.generateRandomText(1),
'email': email
};
var restContext = TestsUtil.createTenantRestContext(global.oaeTests.tenants.cam.host);
PrincipalsTestUtil.assertCreateUserSucceeds(restContext, params, function(user, token) {
AuthenticationTestUtil.assertLocalLoginSucceeds(restContext, params.username, params.password, function() {
// Invalid user id
PrincipalsTestUtil.assertVerifyEmailFails(restContext, 'not a user id', token, 400, function() {
// Missing token
PrincipalsTestUtil.assertVerifyEmailFails(restContext, user.id, null, 400, function() {
// Invalid token
PrincipalsTestUtil.assertVerifyEmailFails(restContext, user.id, 'more than [7-14] characters', 400, function() {
// Incorrect token
PrincipalsTestUtil.assertVerifyEmailFails(restContext, user.id, '123456789', 401, function() {
// Sanity-check
PrincipalsTestUtil.assertVerifyEmailSucceeds(restContext, user.id, token, function() {
// A token can only be verified once
PrincipalsTestUtil.assertVerifyEmailFails(restContext, user.id, token, 404, function() {
return callback();
});
});
});
});
});
});
});
});
});
TestsUtil.generateTestUsers(camAdminRestContext, 2, function(err, users, simong, mrvisser) {
assert.ok(!err);
// Update simon's email address so he has a verification token
var email = TestsUtil.generateTestEmailAddress();
PrincipalsTestUtil.assertUpdateUserSucceeds(simong.restContext, simong.user.id, {'email': email}, function() {
// Anonymous users cannot delete anything
PrincipalsTestUtil.assertDeleteEmailTokenFails(anonymousRestContext, simong.user.id, 401, function() {
// Users cannot delete other users their email tokens
PrincipalsTestUtil.assertDeleteEmailTokenFails(mrvisser.restContext, simong.user.id, 401, function() {
// Tenant administrator cannot delete users from another tenant their email token
PrincipalsTestUtil.assertDeleteEmailTokenFails(gtAdminRestContext, simong.user.id, 401, function() {
// A user can delete his own pending email verification token
PrincipalsTestUtil.assertDeleteEmailTokenSucceeds(simong.restContext, simong.user.id, function(emailForToken) {
email = TestsUtil.generateTestEmailAddress();
PrincipalsTestUtil.assertUpdateUserSucceeds(simong.restContext, simong.user.id, {'email': email}, function() {
// A tenant admin can delete the pending email verification token for users of their tenant
PrincipalsTestUtil.assertDeleteEmailTokenSucceeds(camAdminRestContext, simong.user.id, function(emailForToken) {
return callback();
});
});
});
});
});
});
});
});
it('verify authorization when verifying an email address', function(callback) {
// We can't use TestsUtil.generateTestUsers as that would do the verification process for us
var email = TestsUtil.generateTestEmailAddress();
var params = {
'username': TestsUtil.generateTestUserId(),
'password': '******',
'displayName': TestsUtil.generateRandomText(1),
'email': email
};
var restContext = TestsUtil.createTenantRestContext(global.oaeTests.tenants.cam.host);
PrincipalsTestUtil.assertCreateUserSucceeds(restContext, params, function(user, token) {
// Anonymous users cannot verify an email address
PrincipalsTestUtil.assertVerifyEmailFails(anonymousRestContext, user.id, token, 401, function() {
// Other users cannot verify an email address
TestsUtil.generateTestUsers(camAdminRestContext, 1, function(err, users, badGuy) {
assert.ok(!err);
PrincipalsTestUtil.assertVerifyEmailFails(badGuy.restContext, user.id, token, 401, function() {
// Tenant admins from other tenants cannot verify an email address
PrincipalsTestUtil.assertVerifyEmailFails(gtAdminRestContext, user.id, token, 401, function() {
// The user can verify their email address if they've signed in
AuthenticationTestUtil.assertLocalLoginSucceeds(restContext, params.username, params.password, function() {
PrincipalsTestUtil.assertVerifyEmailSucceeds(restContext, user.id, token, function() {
return callback();
});
});
});
});
});
});
});
});
PrincipalsTestUtil.assertUpdateUserSucceeds(simong.restContext, simong.user.id, {'email': email1}, function(user, token1) {
// Update the email address again (with a second email address)
var email2 = TestsUtil.generateTestEmailAddress();
PrincipalsTestUtil.assertUpdateUserSucceeds(simong.restContext, simong.user.id, {'email': email2}, function(user, token2) {
// Using the first token to verify the email address should fail
PrincipalsTestUtil.assertVerifyEmailFails(simong.restContext, simong.user.id, token1, 401, function() {
// Using the second token we can verify the email address
PrincipalsTestUtil.assertVerifyEmailSucceeds(simong.restContext, simong.user.id, token2, function() {
// Assert the old mapping is gone
PrincipalsTestUtil.assertUserEmailMappingEquals(oldEmailAddress, [], function() {
// Assert no mapping was created for the first email address
PrincipalsTestUtil.assertUserEmailMappingEquals(email1, [], function() {
// Assert a mapping for the second email address is created
PrincipalsTestUtil.assertUserEmailMappingEquals(email2, [simong.user.id], function() {
// The second email address should be confirmed
RestAPI.User.getMe(simong.restContext, function(err, me) {
assert.ok(!err);
assert.strictEqual(me.email, email2.toLowerCase());
return callback();
});
});
});
});
});
});
});
});
TestsUtil.generateTestUsers(camAdminRestContext, 1, function(err, users, simong) {
assert.ok(!err);
// The user needs an email address
simong.user.email = TestsUtil.generateTestEmailAddress();
// Send out the first e-mail
EmailTestsUtil.sendEmail('oae-email', 'test', simong.user, null, null, function(err, message) {
assert.ok(!err);
assert.ok(message);
// Sending out the same email should result in a failure
EmailTestsUtil.sendEmail('oae-email', 'test', simong.user, null, null, function(err) {
assert.ok(err);
assert.equal(err.code, 403);
// Sanity check that sending out a different email works
EmailTestsUtil.sendEmail('oae-email', 'test', simong.user, {'data': 'test'}, null, function(err) {
assert.ok(err);
assert.equal(err.code, 403);
return callback();
});
});
});
});
it('verify an email verification token can be resent', function(callback) {
// We can't use TestsUtil.generateTestUsers as that would do the verification process for us
var email = TestsUtil.generateTestEmailAddress();
var params = {
'username': TestsUtil.generateTestUserId(),
'password': '******',
'displayName': TestsUtil.generateRandomText(1),
'email': email
};
var restContext = TestsUtil.createTenantRestContext(global.oaeTests.tenants.cam.host);
PrincipalsTestUtil.assertCreateUserSucceeds(restContext, params, function(user, token) {
RestAPI.Authentication.login(restContext, params.username, 'password', function(err) {
assert.ok(!err);
// Verify we can resend the email verification token
PrincipalsTestUtil.assertResendEmailTokenSucceeds(restContext, user.id, function(newToken) {
// Assert we've sent the same token
assert.strictEqual(newToken, token);
// Sanity-check we can use this new token to verify the email address
PrincipalsTestUtil.assertVerifyEmailSucceeds(restContext, user.id, newToken, function() {
return callback();
});
});
});
});
});
TestsUtil.generateTestUsers(camAdminRestContext, 1, function(err, users, simong) {
assert.ok(!err);
// The user needs an email address
simong.user.email = TestsUtil.generateTestEmailAddress();
EmailTestsUtil.sendEmail('oae-email', 'test', simong.user, null, {'hash': _uniqueHash()}, function(err, message) {
assert.ok(!err);
EmailTestsUtil.sendEmail('oae-email', 'test', simong.user, null, {'hash': _uniqueHash()}, function(err, message) {
assert.ok(!err);
EmailTestsUtil.sendEmail('oae-email', 'test', simong.user, null, {'hash': _uniqueHash()}, function(err, message) {
assert.ok(err);
assert.equal(err.code, 403);
// If we wait longer than the throttle timespan, we should be able to send an e-mail to this user
setTimeout(function() {
EmailTestsUtil.sendEmail('oae-email', 'test', simong.user, null, {'hash': _uniqueHash()}, function(err, message) {
assert.ok(!err);
return callback();
});
}, 2250);
});
});
});
});
TestsUtil.generateTestUsers(camAdminRestContext, 1, function(err, users, simong) {
assert.ok(!err);
// The user needs an email address
simong.user.email = TestsUtil.generateTestEmailAddress();
// Send out the first e-mail
EmailTestsUtil.sendEmail('oae-email', 'test', simong.user, null, {'hash': 'u:cam:simong#123456'}, function(err, message) {
assert.ok(!err);
assert.ok(message);
// Re-using the same hash should result in test failure
EmailTestsUtil.sendEmail('oae-email', 'test', simong.user, null, {'hash': 'u:cam:simong#123456'}, function(err) {
assert.ok(err);
assert.equal(err.code, 403);
// Re-using the same hash, but with the same mail should result in a failure
// We generate a "different" mail by passing in a data object
EmailTestsUtil.sendEmail('oae-email', 'test', simong.user, {'data': 'test'}, {'hash': 'u:cam:simong#123456'}, function(err) {
assert.ok(err);
assert.equal(err.code, 403);
// Using another hash (but otherwise the same mail) should work
EmailTestsUtil.sendEmail('oae-email', 'test', simong.user, null, {'hash': 'u:cam:mrvisser#000000'}, function(err, message) {
assert.ok(!err);
assert.ok(message);
return callback();
});
});
});
});
});
EmailTestsUtil.collectAndFetchAllEmails(function() {
// Create 2 email addresses that have tokens associated to them
var email1 = TestsUtil.generateTestEmailAddress();
var email2 = TestsUtil.generateTestEmailAddress();
AuthzInvitationsDAO.getOrCreateTokensByEmails([email1, email2], function(err, emailTokens) {
assert.ok(!err);
// Try to create a profile with email1, using email2's token. It should
// work, but it shouldn't auto-verify the email address
var profile = {
'username': TestsUtil.generateTestUserId(),
'password': '******',
'displayName': TestsUtil.generateRandomText(),
'email': email1,
'invitationToken': emailTokens[email2]
};
// Ensure we get a user with an unverified email, as well as one email which
// is a verification email for email1
PrincipalsTestUtil.assertCreateUserSucceeds(TestsUtil.createTenantRestContext(tenantHost), profile, function(user) {
assert.ok(!user.email);
EmailTestsUtil.collectAndFetchAllEmails(function(messages) {
assert.strictEqual(_.size(messages), 1);
// Now create a profile with the matching email1 token and ensure
// email is automatically verified
_.extend(profile, {
'username': TestsUtil.generateTestUserId(),
'invitationToken': emailTokens[email1]
});
// We should get a profile with a verified email and no verification
// email
PrincipalsTestUtil.assertCreateUserSucceeds(TestsUtil.createTenantRestContext(tenantHost), profile, function(user) {
assert.strictEqual(user.email, email1.toLowerCase());
EmailTestsUtil.collectAndFetchAllEmails(function(messages) {
assert.ok(_.isEmpty(messages));
return callback();
});
});
});
});
});
});
PrincipalsTestUtil.assertDeleteEmailTokenSucceeds(simong.restContext, simong.user.id, function(emailForToken) {
email = TestsUtil.generateTestEmailAddress();
PrincipalsTestUtil.assertUpdateUserSucceeds(simong.restContext, simong.user.id, {'email': email}, function() {
// A tenant admin can delete the pending email verification token for users of their tenant
PrincipalsTestUtil.assertDeleteEmailTokenSucceeds(camAdminRestContext, simong.user.id, function(emailForToken) {
return callback();
});
});
});
TestsUtil.generateTestUsers(camAdminRestContext, 1, function(err, users, simong) {
assert.ok(!err);
var oldEmailAddress = simong.user.email;
// Let an administrator update the email address
var email = TestsUtil.generateTestEmailAddress();
PrincipalsTestUtil.assertUpdateUserSucceeds(camAdminRestContext, simong.user.id, {'email': email}, function(user, token) {
// The email address still has to be verified
assert.strictEqual(user.email, oldEmailAddress);
return callback();
});
});
PrincipalsTestUtil.assertGetEmailTokenSucceeds(simong.restContext, simong.user.id, function(email) {
assert.ok(!email);
// Update the user's email address
email = TestsUtil.generateTestEmailAddress();
PrincipalsTestUtil.assertUpdateUserSucceeds(simong.restContext, simong.user.id, {'email': email}, function() {
// Verify the user as a token
PrincipalsTestUtil.assertGetEmailTokenSucceeds(simong.restContext, simong.user.id, function(emailForToken) {
assert.strictEqual(emailForToken, email.toLowerCase());
return callback();
});
});
});
ConfigTestUtil.updateConfigAndWait(globalAdminRestContext, tenantAlias, {'oae-principals/recaptcha/enabled': false}, function(err) {
assert.ok(!err);
var username1 = TestsUtil.generateTestUserId();
var username2 = TestsUtil.generateTestUserId();
var email = TestsUtil.generateTestEmailAddress();
var paramsUser1 = {
'displayName': 'Test user 1',
'email': email,
'password': '******',
'username': TestsUtil.generateTestUserId()
};
var paramsUser2 = {
'displayName': 'Test user 2',
'email': email,
'password': '******',
'username': TestsUtil.generateTestUserId()
};
// Create the first user as a tenant admin so the email address is considered verified
PrincipalsTestUtil.assertCreateUserSucceeds(tenantAdminRestContext, paramsUser1, function(user1) {
// Verify there's a mapping for the first user
PrincipalsTestUtil.assertUserEmailMappingEquals(email, [user1.id], function() {
// Create the second user as an anonymous user so the email address is not verified
var restContext = TestsUtil.createTenantRestContext(tenantHost);
PrincipalsTestUtil.assertCreateUserSucceeds(restContext, paramsUser2, function(user2, token) {
// Verify there's no mapping yet for the second user as the email address
// hasn't been verified yet
PrincipalsTestUtil.assertUserEmailMappingEquals(email, [user1.id], function() {
// Verify the email address
AuthenticationTestUtil.assertLocalLoginSucceeds(restContext, paramsUser2.username, paramsUser2.password, function() {
PrincipalsTestUtil.assertVerifyEmailSucceeds(restContext, user2.id, token, function() {
// The second user should now also be mapped to the email address
PrincipalsTestUtil.assertUserEmailMappingEquals(email, [user1.id, user2.id], function() {
return callback();
});
});
});
});
});
});
});
});
TestsUtil.generateTestUsers(camAdminRestContext, 1, function(err, users, simong) {
assert.ok(!err);
// Update the email address
var email = TestsUtil.generateTestEmailAddress();
PrincipalsTestUtil.assertUpdateUserSucceeds(simong.restContext, simong.user.id, {'email': email}, function() {
// Delete the token
PrincipalsTestUtil.assertDeleteEmailTokenSucceeds(simong.restContext, simong.user.id, function() {
// Verify a token can't be deleted twice
PrincipalsTestUtil.assertDeleteEmailTokenFails(simong.restContext, simong.user.id, 404, function() {
return callback();
});
});
});
});
AuthenticationTestUtil.assertUpdateAuthConfigSucceeds(tenantAdminRestContext, null, {'oae-authentication/google/enabled': true}, function() {
// Sign in through google
var email = TestsUtil.generateTestEmailAddress();
AuthenticationTestUtil.assertGoogleLoginSucceeds(tenant.host, email, function(restContext, response) {
// As google is considered an authoritative source, the user shouldn't have
// to verify their email address
RestAPI.User.getMe(restContext, function(err, me) {
assert.ok(!err);
assert.ok(!me.anon);
assert.strictEqual(me.email, email.toLowerCase());
// Assert that there's a mapping for the email address
PrincipalsTestUtil.assertUserEmailMappingEquals(email, [me.id], function() {
return callback();
});
});
});
});
PrincipalsTestUtil.assertResendEmailTokenFails(simong.restContext, simong.user.id, 404, function() {
// Update the email address so we get a token
var email = TestsUtil.generateTestEmailAddress();
PrincipalsTestUtil.assertUpdateUserSucceeds(simong.restContext, simong.user.id, {'email': email}, function(user, token) {
// Resending a token now should be OK
PrincipalsTestUtil.assertResendEmailTokenSucceeds(simong.restContext, simong.user.id, function(newToken) {
// Use the token to verify the new email address
PrincipalsTestUtil.assertVerifyEmailSucceeds(simong.restContext, simong.user.id, newToken, function() {
// Resending a token should now fail as the token has been used and should be removed
PrincipalsTestUtil.assertResendEmailTokenFails(simong.restContext, simong.user.id, 404, function() {
return callback();
});
});
});
});
});
it("verify that a user's login ids can be successfully returned", callback => {
// Generate a user id
const username = TestsUtil.generateTestUserId();
const email = TestsUtil.generateTestEmailAddress(null, global.oaeTests.tenants.cam.emailDomains[0]);
// Create a test user
RestAPI.User.createUser(camAdminRestContext, username, 'password', 'Test User', email, null, (err, createdUser) => {
assert.ok(!err);
// Verify that a global admin can request the login ids for the test user
RestAPI.Authentication.getUserLoginIds(globalAdminRestContext, createdUser.id, (err, loginIds) => {
assert.ok(!err);
assert.ok(loginIds);
assert.ok(loginIds.local);
assert.strictEqual(loginIds.local, username.toLowerCase());
return callback();
});
});
});
it('verify validation when resending an email verification token', function(callback) {
// We can't use TestsUtil.generateTestUsers as that would do the verification process for us
var email = TestsUtil.generateTestEmailAddress();
var params = {
'username': TestsUtil.generateTestUserId(),
'password': '******',
'displayName': TestsUtil.generateRandomText(1),
'email': email
};
var restContext = TestsUtil.createTenantRestContext(global.oaeTests.tenants.cam.host);
PrincipalsTestUtil.assertCreateUserSucceeds(restContext, params, function(user, token) {
RestAPI.Authentication.login(restContext, params.username, 'password', function(err) {
assert.ok(!err);
// Invalid user id
PrincipalsTestUtil.assertResendEmailTokenFails(restContext, 'not a user id', 400, function() {
return callback();
});
});
});
});
PrincipalsTestUtil.assertUserEmailMappingEquals(me.email, [me.id], function() {
// Update the email address
var email = TestsUtil.generateTestEmailAddress();
PrincipalsTestUtil.assertUpdateUserSucceeds(simong.restContext, simong.user.id, {'email': email}, function(user, token) {
// Assert the old mapping is still in place
PrincipalsTestUtil.assertUserEmailMappingEquals(oldEmailAddress, [me.id], function() {
// Assert there's no mapping for the new email address as it hasn't been verified yet
PrincipalsTestUtil.assertUserEmailMappingEquals(email, [], function() {
// The old email address should still be in place as the new one hasn't been verified yet
RestAPI.User.getMe(simong.restContext, function(err, me) {
assert.ok(!err);
assert.strictEqual(me.email, oldEmailAddress);
// Assert we can verify the email address
PrincipalsTestUtil.assertVerifyEmailSucceeds(simong.restContext, simong.user.id, token, function() {
// Assert the old mapping is gone
PrincipalsTestUtil.assertUserEmailMappingEquals(oldEmailAddress, [], function() {
// Assert the new mapping is there
PrincipalsTestUtil.assertUserEmailMappingEquals(email, [me.id], function() {
// The new email address should be confirmed
RestAPI.User.getMe(simong.restContext, function(err, me) {
assert.ok(!err);
assert.strictEqual(me.email, email.toLowerCase());
return callback();
});
});
});
});
});
});
});
});
});
it('verify authorization when resending an email verification token', function(callback) {
// We can't use TestsUtil.generateTestUsers as that would do the verification process for us
var email = TestsUtil.generateTestEmailAddress();
var params = {
'username': TestsUtil.generateTestUserId(),
'password': '******',
'displayName': TestsUtil.generateRandomText(1),
'email': email
};
var restContext = TestsUtil.createTenantRestContext(global.oaeTests.tenants.cam.host);
PrincipalsTestUtil.assertCreateUserSucceeds(restContext, params, function(user, token) {
RestAPI.Authentication.login(restContext, params.username, 'password', function(err) {
assert.ok(!err);
// Anonymous users can't resend a token
PrincipalsTestUtil.assertResendEmailTokenFails(anonymousRestContext, user.id, 401, function() {
// Users cannot resend a token for someone else
TestsUtil.generateTestUsers(camAdminRestContext, 1, function(err, users, otherUser) {
assert.ok(!err);
PrincipalsTestUtil.assertResendEmailTokenFails(otherUser.restContext, user.id, 401, function() {
// Tenant administrators from another tenant cannot resend a token
PrincipalsTestUtil.assertResendEmailTokenFails(gtAdminRestContext, user.id, 401, function() {
// Tenant administrators from the same tenant as the user can resend a token
PrincipalsTestUtil.assertResendEmailTokenSucceeds(camAdminRestContext, user.id, function(newToken) {
// Global administrators can resend a token
PrincipalsTestUtil.assertResendEmailTokenSucceeds(globalAdminRestContext, user.id, function(newToken) {
return callback();
});
});
});
});
});
});
});
});
});
var createPrincipal = function(type, identifier, metadata) {
var principalId = TestsUtil.generateTestUserId(identifier);
if (type === 'group') {
RestAPI.Group.createGroup(johnRestContext, metadata, metadata, 'public', 'yes', [], [], function(err, groupObj) {
assert.ok(!err);
createdPrincipals[identifier] = groupObj;
if (_.keys(createdPrincipals).length === 7) {
callback(createdPrincipals);
}
});
} else {
var email = TestsUtil.generateTestEmailAddress();
RestAPI.User.createUser(camAdminRestContext, principalId, 'password', metadata, email, {}, function(err, userObj) {
assert.ok(!err);
var userContext = new Context(global.oaeTests.tenants.cam, userObj);
createdPrincipals[identifier] = userContext;
if (_.keys(createdPrincipals).length === 7) {
callback(createdPrincipals);
}
});
}
};
it('verify local user accounts created by a tenant administrator do not need to verify their email address', function(callback) {
// We can't use TestsUtil.generateTestUsers as that would do the verification process for us
var email = TestsUtil.generateTestEmailAddress();
var params = {
'username': TestsUtil.generateTestUserId(),
'password': '******',
'displayName': TestsUtil.generateRandomText(1),
'email': email
};
PrincipalsTestUtil.assertCreateUserSucceeds(camAdminRestContext, params, function(user) {
// Verify the user doesn't need to verify their email address
RestAPI.User.getUser(camAdminRestContext, user.id, function(err, user) {
assert.ok(!err);
assert.strictEqual(user.email, email.toLowerCase());
// Assert that there's a mapping for the email address
PrincipalsTestUtil.assertUserEmailMappingEquals(email, [user.id], function() {
return callback();
});
});
});
});
TestsUtil.generateTestUsers(camAdminRestContext, 1, function(err, users, simong) {
assert.ok(!err);
// The user needs an email address
simong.user.email = TestsUtil.generateTestEmailAddress();
EmailAPI.init(_createDefaultConfig({'deduplicationInterval': 2}), function(err) {
assert.ok(!err);
// Send out the first e-mail
EmailTestsUtil.sendEmail('oae-email', 'test', simong.user, null, null, function(err, message) {
assert.ok(!err);
assert.ok(message);
// Sending out the same email should result in a failure
EmailTestsUtil.sendEmail('oae-email', 'test', simong.user, null, null, function(err) {
assert.ok(err);
assert.equal(err.code, 403);
// If we wait till the deduplication interval has passed, we should be able to send out the same email again
setTimeout(function() {
EmailTestsUtil.sendEmail('oae-email', 'test', simong.user, null, null, function(err) {
assert.ok(!err);
assert.ok(message);
// Sanity-check that sending the same email again is now not allowed
EmailTestsUtil.sendEmail('oae-email', 'test', simong.user, null, null, function(err) {
assert.ok(err);
assert.equal(err.code, 403);
return callback();
});
});
}, 2500);
});
});
});
});
TestsUtil.generateTestUsers(camAdminRestContext, 3, function(err, users) {
assert.ok(!err);
var mrvisser = _.values(users)[0];
var simong = _.values(users)[1];
var nicolaas = _.values(users)[2];
// Generate e-mail addresses
mrvisser.user.email = TestsUtil.generateTestEmailAddress('mrvisser');
simong.user.email = TestsUtil.generateTestEmailAddress('simong');
// Simon is private and mrvisser is public
var mrvisserUpdate = {'email': mrvisser.user.email};
var simongUpdate = {
'email': simong.user.email,
'visibility': 'private',
'publicAlias': 'swappedFromPublicAlias'
};
// Update the users
RestAPI.User.updateUser(mrvisser.restContext, mrvisser.user.id, mrvisserUpdate, function(err) {
assert.ok(!err);
RestAPI.User.updateUser(simong.restContext, simong.user.id, simongUpdate, function(err) {
assert.ok(!err);
// Create the discussion
RestAPI.Discussions.createDiscussion(mrvisser.restContext, 'A talk', 'about computers', 'public', [], [], function(err, discussion) {
assert.ok(!err);
// Post a new message
RestAPI.Discussions.createMessage(simong.restContext, discussion.id, '<b>Nice discussion.</b>\n\nWould read again', null, function(err, simongMessage) {
assert.ok(!err);
EmailTestsUtil.collectAndFetchAllEmails(function(emails) {
// There should be exactly one email, the one sent to mrvisser (manager of discussion receives discussion-message notification)
assert.equal(emails.length, 1);
var stringEmail = JSON.stringify(emails[0]);
var email = emails[0];
// Sanity check that the email is to mrvisser
assert.equal(email.to[0].address, mrvisser.user.email);
// Ensure that the subject of the email contains the poster's name
assert.notEqual(email.subject.indexOf('swappedFromPublicAlias'), -1);
// Ensure some data expected to be in the email is there
assert.notEqual(stringEmail.indexOf(simong.restContext.hostHeader), -1);
assert.notEqual(stringEmail.indexOf(discussion.profilePath), -1);
assert.notEqual(stringEmail.indexOf(discussion.displayName), -1);
// Ensure simong's private info is nowhere to be found
assert.equal(stringEmail.indexOf(simong.user.displayName), -1);
assert.equal(stringEmail.indexOf(simong.user.email), -1);
assert.equal(stringEmail.indexOf(simong.user.locale), -1);
// The email should contain the public alias
assert.notEqual(stringEmail.indexOf('swappedFromPublicAlias'), -1);
// The message should have escaped the HTML content in the original message
assert.strictEqual(stringEmail.indexOf('<b>Nice discussion.</b>'), -1);
// The new line characters should've been converted into paragraphs
assert.notEqual(stringEmail.indexOf('Would read again</p>'), -1);
// Send a message as nicolaas and ensure the recent commenter, simong receives an email about it
RestAPI.Discussions.createMessage(nicolaas.restContext, discussion.id, 'I have a computer, too', null, function(err, nicolaasMessage) {
assert.ok(!err);
EmailTestsUtil.collectAndFetchAllEmails(function(emails) {
// There should be 2 emails this time, one to the manager and one to the recent commenter, simong
assert.equal(emails.length, 2);
var emailAddresses = [emails[0].to[0].address, emails[1].to[0].address];
assert.ok(_.contains(emailAddresses, simong.user.email));
assert.ok(_.contains(emailAddresses, mrvisser.user.email));
return callback();
});
});
});
});
});
});
});
});
it('verify cookie expiration for mobile and non-mobile browsers', function(callback) {
/*!
* A collection of user agents for a variety of desktop / non-mobile clients
*/
var nonMobileUserAgents = [
// Firefox variants
'Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0',
'Mozilla/5.0 (X11; Linux i586; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20130401 Firefox/31.0',
'Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
// Chrome variants
'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.1 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36',
// Safari variants
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.13+ (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10',
// IE variants
'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko',
'Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko',
'Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0',
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/4.0; InfoPath.2; SV1; .NET CLR 2.0.50727; WOW64)',
'Mozilla/5.0 (compatible; MSIE 10.0; Macintosh; Intel Mac OS X 10_7_3; Trident/6.0)',
'Mozilla/4.0 (Compatible; MSIE 8.0; Windows NT 5.2; Trident/6.0)',
'Mozilla/4.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
'Mozilla/1.22 (compatible; MSIE 10.0; Windows 3.1)'
];
/*!
* A collection of user agents for mobile devices (phones, tablets, etc...)
*/
var mobileUserAgents = [
// iPhone/iPad variants
'Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7',
'Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3',
'Mozilla/5.0 (iPad; CPU OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3',
'Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25',
'Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25',
// Android variants
'Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30',
'Mozilla/5.0 (Linux; U; Android 4.0.3; de-ch; HTC Sensation Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30',
'Mozilla/5.0 (Linux; U; Android 2.3.5; zh-cn; HTC_IncredibleS_S710e Build/GRJ90) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',
// Windows variants
'Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920)',
'Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0)',
'HTC_Touch_3G Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11)',
'Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0; Nokia;N70)'
];
// Combine all user agents
var allUserAgents = _.chain(mobileUserAgents).union(nonMobileUserAgents).shuffle().value();
// Create a test user
var username = TestsUtil.generateTestUserId();
var email = TestsUtil.generateTestEmailAddress();
RestAPI.User.createUser(camAdminRestContext, username, 'password', 'Test User', email, {}, function(err, createdUser) {
assert.ok(!err);
var userRestContext = TestsUtil.createTenantRestContext(global.oaeTests.tenants.cam.host, username, 'password');
// Get all user agents for a user. When using a user tenant, mobile user-agents
// should result in a cookie that has a length expiry
_getCookiesForUserAgents(userRestContext, username, 'password', allUserAgents, function(userAgentCookies) {
assert.strictEqual(_.keys(userAgentCookies).length, allUserAgents.length);
// Ensure each mobile user agent has a cookie with an explicit expiry time that
// is more than 29 days into the future
_.each(mobileUserAgents, function(mobileUserAgent) {
var cookies = userAgentCookies[mobileUserAgent];
assert.strictEqual(cookies.length, 2);
_.each(cookies, function(cookie) {
assert.ok(_.isNumber(cookie.TTL()));
assert.ok(cookie.TTL() > (1000 * 60 * 60 * 24 * 29));
assert.notEqual(cookie.TTL(), Infinity);
});
});
// Ensure each non-mobile user agent has a cookie without an explicit expiry
// (i.e., browser session cookie)
_.each(nonMobileUserAgents, function(nonMobileUserAgent) {
var cookies = userAgentCookies[nonMobileUserAgent];
assert.strictEqual(cookies.length, 2);
_.each(cookies, function(cookie) {
assert.strictEqual(cookie.TTL(), Infinity);
});
});
// Get all user agents for a global admin login. When using the global admin
// tenant, both mobile and non-mobile user-agents should not have an extended
// expiry
_getCookiesForUserAgents(globalAdminRestContext, 'administrator', 'administrator', allUserAgents, function(userAgentCookies) {
assert.strictEqual(_.keys(userAgentCookies).length, allUserAgents.length);
// Ensure all user agents have a cookie without an explicit expiry (i.e.,
// browser session cookie)
_.each(allUserAgents, function(userAgent) {
var cookies = userAgentCookies[userAgent];
assert.ok(!_.isEmpty(cookies));
_.each(cookies, function(cookie) {
assert.strictEqual(cookie.TTL(), Infinity);
});
});
return callback();
});
});
});
});