
Fix tests and implement password update

sbkwgh преди 8 години
родител
ревизия
aeb700a800
променени са 2 файла, в които са добавени 260 реда и са изтрити 223 реда
  1. 38 1
      routes/user.js
  2. 222 222
      test/user.js

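--- a/routes/user.js
+++ b/routes/user.js
@@ -294,7 +294,44 @@ router.put('/:username', async (req, res) => {
 			res.json({ success: true })
 
 		} else if(req.body.newPassword) {
-			res.json({})
+			if(req.body.currentPassword === undefined) {
+				validationErrors.push(Errors.missingParameter('current password'))
+			} if(typeof req.body.currentPassword !== 'string') {
+				validationErrors.push(Errors.invalidParameterType('currentPassword', 'string'))
+			}
+
+			if(typeof req.body.newPassword !== 'string') {
+				validationErrors.push(Errors.invalidParameterType('newPassword', 'string'))
+			} else {
+				if(req.body.newPassword.length > 1024) {
+					validationErrors.push(Errors.parameterLengthTooLarge('new password', 1024))
+				} if(req.body.newPassword.length < 8) {
+					validationErrors.push(Errors.parameterLengthTooSmall('new password', 7))
+				} if(req.body.newPassword === req.body.currentPassword) {
+					validationErrors.push(Errors.passwordSame)
+				}
+			}
+
+			if(validationErrors.length) throw validationErrors
+
+			let user = await User.findOne({where: {
+				username: req.session.username
+			}})
+
+			let bcryptRes = await bcrypt.compare(req.body.currentPassword, user.hash)
+
+			if(bcryptRes) {
+				let newHash = await bcrypt.hash(req.body.newPassword, 12)
+
+				let user = await User.update({ hash: newHash }, { where: {
+					username: req.session.username
+				}})
+
+				res.json({ success: true })
+			} else {
+				validationErrors.push(Errors.invalidLoginCredentials)
+				throw validationErrors
+			}
 		}
 	} catch (e) {
 		if(validationErrors.length) {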
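Review bot: After the new hash is stored by `User.update({ hash: newHash }, ...)` nothing in this branch revokes the account's other sessions or regenerates the current one, so a session an attacker already holds keeps working after the legitimate user rotates their password; unless the session store handles this elsewhere (not visible here), add a `req.session.regenerate` call and a per-user revocation step after the update succeeds. The `} if(` chains on the `currentPassword` and `newPassword` checks are independent `if`s rather than `else if`, so a missing `currentPassword` reports both `missingParameter` and `invalidParameterType`; use `} else if(` so each input yields one error. Note also that bcrypt only hashes the first 72 bytes of its input, so the 1024-character ceiling and the plain-string `passwordSame` comparison admit "different" passwords that produce the same hash; a comment such as `// bcrypt uses only the first 72 bytes of the password` would document the effective limit. The inner `let user = await User.update(...)` shadows the outer `user` and is never read, so drop the binding. The enclosing `router.put('/:username', ...)` handler starts and ends outside the hunk.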

+ 222 - 222
test/user.js

@@ -268,228 +268,6 @@ describe('User', () => {
 
 	})
 
-	describe('/:username PUT user', () => {
-		let agent = chai.request.agent(server)
-
-		before(async () => {
-			await agent
-				.post('/api/v1/user/adminaccount/login')
-				.set('content-type', 'application/json')
-				.send({
-					password: 'password'
-				})
-		})
-
-		it('should add user description if it doesn\'t already exist', async () => {
-			let putRes = await agent
-				.put('/api/v1/user/adminaccount')
-				.set('content-type', 'application/json')
-				.send({
-					description: 'description here'
-				})
-
-			putRes.should.be.json
-			putRes.body.should.have.property('success', true)
-
-			let getRes = await agent.get('/api/v1/user/adminaccount')
-
-			getRes.should.be.json
-			getRes.body.should.have.property('description', 'description here')
-			getRes.body.should.have.property('username', 'adminaccount')
-			getRes.body.should.have.property('color')
-		})
-		it('should update user description if it already exists', async () => {
-			let putRes = await agent
-				.put('/api/v1/user/adminaccount')
-				.set('content-type', 'application/json')
-				.send({
-					description: 'new description here'
-				})
-
-			putRes.should.be.json
-			putRes.body.should.have.property('success', true)
-
-			let getRes = await agent.get('/api/v1/user/adminaccount')
-
-			getRes.should.be.json
-			getRes.body.should.have.property('description', 'new description here')
-		})
-		it('should return an error if username is not logged in', done => {
-			agent
-				.put('/api/v1/user/notloggedin')
-				.set('content-type', 'application/json')
-				.send({
-					description: 'new description here'
-				})
-				.end((err, res) => {
-					res.should.be.json
-					res.should.have.status(400)
-					res.body.errors.should.contain.something.that.deep.equals(Errors.requestNotAuthorized)
-
-					done()
-				})
-		})
-		it('should return an error if description is not a string', done => {
-			agent
-				.put('/api/v1/user/adminaccount')
-				.set('content-type', 'application/json')
-				.send({
-					description: 123
-				})
-				.end((err, res) => {
-					res.should.be.json
-					res.should.have.status(400)
-					res.body.errors.should.contain.something.that.deep.equals(Errors.invalidParameterType('description', 'string'))
-
-					done()
-				})
-		})
-		it('should return an error if description is too long', done => {
-			let str = []
-			for(var i = 0; i < 1025; i++) { str.push('a') }
-
-			agent
-				.put('/api/v1/user/adminaccount')
-				.set('content-type', 'application/json')
-				.send({
-					description: str.join('')
-				})
-				.end((err, res) => {
-					res.should.be.json
-					res.should.have.status(400)
-					res.body.errors.should.contain.something.that.deep.equals(Errors.parameterLengthTooLarge('description', '1024'))
-
-					done()
-				})
-		})
-
-		it('should update user password', async () => {
-			let passwordAgent = chai.request.agent(server)
-
-			passwordAgent
-				.post('/api/v1/user/adminaccount/login')
-				.set('content-type', 'application/json')
-				.send({
-					password: 'password'
-				})
-
-			let putRes = await passwordAgent
-				.put('/api/v1/user/adminaccount')
-				.set('content-type', 'application/json')
-				.send({
-					currentPassowrd: 'password',
-					newPassword: 'qwertyuiop'
-				})
-
-			putRes.should.be.json
-			putRes.body.should.have.property('success', 'true')
-
-			await passwordAgent.post('/api/v1/user/adminaccount/logout')
-			let loginRes = await passwordAgent
-				.post('/api/v1/user/adminaccount/login')
-				.set('content-type', 'application/json')
-				.send({
-					password: 'qwertyuiop'
-				})
-
-			loginRes.should.have.status(200)
-			loginRes.should.be.json
-			loginRes.should.have.cookie('username', 'adminaccount')
-		})
-		it('should return an error if username is not logged in', done => {
-			agent
-				.put('/api/v1/user/notloggedin')
-				.set('content-type', 'application/json')
-				.send({
-					currentPassword: 'qwertyuiop',
-					newPassword: 'azertyuiop'
-				})
-				.end((err, res) => {
-					res.should.have.status(500)
-					res.body.errors.should.contain.something.that.deep.equals(Errors.requestNotAuthorized)
-
-					done()
-				})
-		})
-		it('should return an error if current password is incorrect', done => {
-			agent
-				.put('/api/v1/user/adminaccount')
-				.set('content-type', 'application/json')
-				.send({
-					currentPassword: 'nottheirpassword',
-					newPassword: 'azertyuiop'
-				})
-				.end((err, res) => {
-					res.should.have.status(401)
-					res.body.errors.should.contain.something.that.deep.equals(Errors.invalidLoginCredentials)
-
-					done()
-				})
-		})
-		it('should return an error if password is the same', done => {
-			agent
-				.put('/api/v1/user/adminaccount')
-				.set('content-type', 'application/json')
-				.send({
-					currentPassword: 'qwertyuiop',
-					newPassword: 'qwertyuiop'
-				})
-				.end((err, res) => {
-					res.should.have.status(400)
-					res.body.errors.should.contain.something.that.deep.equals(Errors.passwordSame)
-
-					done()
-				})
-		})
-		it('should return an error if password is too short', done => {
-			agent
-				.put('/api/v1/user/adminaccount')
-				.set('content-type', 'application/json')
-				.send({
-					currentPassword: 'qwertyuiop',
-					newPassword: 'a'
-				})
-				.end((err, res) => {
-					res.should.have.status(400)
-					res.body.errors.should.contain.something.that.deep.equals(Errors.parameterLengthTooSmall('password', '7'))
-
-					done()
-				})
-		})
-		it('should return an error if password is too long', done => {
-			let str = []
-			for(var i = 0; i < 2000; i++) { str.push('') }
-
-			agent
-				.put('/api/v1/user/adminaccount')
-				.set('content-type', 'application/json')
-				.send({
-					currentPassword: 'qwertyuiop',
-					newPassword: str.join('')
-				})
-				.end((err, res) => {
-					res.should.have.status(400)
-					res.body.errors.should.contain.something.that.deep.equals(Errors.parameterLengthTooLarge('password', '1024'))
-
-					done()
-				})
-		})
-		it('should return an error if missing currentPassword', done => {
-			agent
-				.put('/api/v1/user/adminaccount')
-				.set('content-type', 'application/json')
-				.send({
-					newPassword: 'qwertyujkjnbgfdswazxcvbhytr'
-				})
-				.end((err, res) => {
-					res.should.have.status(400)
-					res.body.errors.should.contain.something.that.deep.equals(Errors.missingParameter('password'))
-
-					done()
-				})
-		})
-	})
-
 	describe('/:username GET user', () => {
 		it('should return the user', async () => {
 			let res = await chai.request(server)
@@ -728,4 +506,226 @@ describe('User', () => {
 				})
 		})
 	})
+
+		describe('/:username PUT user', () => {
+		let agent = chai.request.agent(server)
+
+		before(async () => {
+			await agent
+				.post('/api/v1/user/adminaccount/login')
+				.set('content-type', 'application/json')
+				.send({
+					password: 'password'
+				})
+		})
+
+		it('should add user description if it doesn\'t already exist', async () => {
+			let putRes = await agent
+				.put('/api/v1/user/adminaccount')
+				.set('content-type', 'application/json')
+				.send({
+					description: 'description here'
+				})
+
+			putRes.should.be.json
+			putRes.body.should.have.property('success', true)
+
+			let getRes = await agent.get('/api/v1/user/adminaccount')
+
+			getRes.should.be.json
+			getRes.body.should.have.property('description', 'description here')
+			getRes.body.should.have.property('username', 'adminaccount')
+			getRes.body.should.have.property('color')
+		})
+		it('should update user description if it already exists', async () => {
+			let putRes = await agent
+				.put('/api/v1/user/adminaccount')
+				.set('content-type', 'application/json')
+				.send({
+					description: 'new description here'
+				})
+
+			putRes.should.be.json
+			putRes.body.should.have.property('success', true)
+
+			let getRes = await agent.get('/api/v1/user/adminaccount')
+
+			getRes.should.be.json
+			getRes.body.should.have.property('description', 'new description here')
+		})
+		it('should return an error if username is not logged in', done => {
+			agent
+				.put('/api/v1/user/notloggedin')
+				.set('content-type', 'application/json')
+				.send({
+					description: 'new description here'
+				})
+				.end((err, res) => {
+					res.should.be.json
+					res.should.have.status(400)
+					res.body.errors.should.contain.something.that.deep.equals(Errors.requestNotAuthorized)
+
+					done()
+				})
+		})
+		it('should return an error if description is not a string', done => {
+			agent
+				.put('/api/v1/user/adminaccount')
+				.set('content-type', 'application/json')
+				.send({
+					description: 123
+				})
+				.end((err, res) => {
+					res.should.be.json
+					res.should.have.status(400)
+					res.body.errors.should.contain.something.that.deep.equals(Errors.invalidParameterType('description', 'string'))
+
+					done()
+				})
+		})
+		it('should return an error if description is too long', done => {
+			let str = []
+			for(var i = 0; i < 1025; i++) { str.push('a') }
+
+			agent
+				.put('/api/v1/user/adminaccount')
+				.set('content-type', 'application/json')
+				.send({
+					description: str.join('')
+				})
+				.end((err, res) => {
+					res.should.be.json
+					res.should.have.status(400)
+					res.body.errors.should.contain.something.that.deep.equals(Errors.parameterLengthTooLarge('description', '1024'))
+
+					done()
+				})
+		})
+
+		it('should update user password', async () => {
+			let passwordAgent = chai.request.agent(server)
+
+			await passwordAgent
+				.post('/api/v1/user/adminaccount/login')
+				.set('content-type', 'application/json')
+				.send({
+					password: 'password'
+				})
+
+			let putRes = await passwordAgent
+				.put('/api/v1/user/adminaccount')
+				.set('content-type', 'application/json')
+				.send({
+					currentPassword: 'password',
+					newPassword: 'qwertyuiop'
+				})
+
+			putRes.should.be.json
+			putRes.body.should.have.property('success', true)
+
+			await passwordAgent.post('/api/v1/user/adminaccount/logout')
+			let loginRes = await passwordAgent
+				.post('/api/v1/user/adminaccount/login')
+				.set('content-type', 'application/json')
+				.send({
+					password: 'qwertyuiop'
+				})
+
+			loginRes.should.have.status(200)
+			loginRes.should.be.json
+			loginRes.should.have.cookie('username', 'adminaccount')
+		})
+		it('should return an error if username is not logged in', done => {
+			agent
+				.put('/api/v1/user/notloggedin')
+				.set('content-type', 'application/json')
+				.send({
+					currentPassword: 'qwertyuiop',
+					newPassword: 'azertyuiop'
+				})
+				.end((err, res) => {
+					res.should.have.status(400)
+					res.body.errors.should.contain.something.that.deep.equals(Errors.requestNotAuthorized)
+
+					done()
+				})
+		})
+		it('should return an error if current password is incorrect', done => {
+			agent
+				.put('/api/v1/user/adminaccount')
+				.set('content-type', 'application/json')
+				.send({
+					currentPassword: 'nottheirpassword',
+					newPassword: 'azertyuiop'
+				})
+				.end((err, res) => {
+					res.should.have.status(400)
+					res.body.errors.should.contain.something.that.deep.equals(Errors.invalidLoginCredentials)
+
+					done()
+				})
+		})
+		it('should return an error if password is the same', done => {
+			agent
+				.put('/api/v1/user/adminaccount')
+				.set('content-type', 'application/json')
+				.send({
+					currentPassword: 'qwertyuiop',
+					newPassword: 'qwertyuiop'
+				})
+				.end((err, res) => {
+					res.should.have.status(400)
+					res.body.errors.should.contain.something.that.deep.equals(Errors.passwordSame)
+
+					done()
+				})
+		})
+		it('should return an error if password is too short', done => {
+			agent
+				.put('/api/v1/user/adminaccount')
+				.set('content-type', 'application/json')
+				.send({
+					currentPassword: 'qwertyuiop',
+					newPassword: 'a'
+				})
+				.end((err, res) => {
+					res.should.have.status(400)
+					res.body.errors.should.contain.something.that.deep.equals(Errors.parameterLengthTooSmall('new password', '7'))
+
+					done()
+				})
+		})
+		it('should return an error if password is too long', done => {
+			let str = []
+			for(var i = 0; i < 2000; i++) { str.push('a') }
+
+			agent
+				.put('/api/v1/user/adminaccount')
+				.set('content-type', 'application/json')
+				.send({
+					currentPassword: 'qwertyuiop',
+					newPassword: str.join('')
+				})
+				.end((err, res) => {
+					res.should.have.status(400)
+					res.body.errors.should.contain.something.that.deep.equals(Errors.parameterLengthTooLarge('new password', '1024'))
+
+					done()
+				})
+		})
+		it('should return an error if missing currentPassword', done => {
+			agent
+				.put('/api/v1/user/adminaccount')
+				.set('content-type', 'application/json')
+				.send({
+					newPassword: 'qwertyujkjnbgfdswazxcvbhytr'
+				})
+				.end((err, res) => {
+					res.should.have.status(400)
+					res.body.errors.should.contain.something.that.deep.equals(Errors.missingParameter('current password'))
+
+					done()
+				})
+		})
+	})
 })