feat: change password (#35)

* refactor: implement factories for testing

* add additional factories

* change protection for dropFields

* prevent timed attacks on login

* use switch instead of else-if

* API implementation for changing password

* add change-password dialog

frontend/lib/api/__test__/factories/index.ts

@@ -0,0 +1,80 @@
+import { faker } from "@faker-js/faker";
+import { expect } from "vitest";
+import { overrideParts } from "../../base/urls";
+import { PublicApi } from "../../public";
+import { LabelCreate, LocationCreate, UserRegistration } from "../../types/data-contracts";
+import * as config from "../../../../test/config";
+import { UserClient } from "../../user";
+import { Requests } from "../../../requests";
+
+/**
+ * Returns a random user registration object that can be
+ * used to signup a new user.
+ */
+function user(): UserRegistration {
+  return {
+    email: faker.internet.email(),
+    password: faker.internet.password(),
+    name: faker.name.firstName(),
+    token: "",
+  };
+}
+
+function location(): LocationCreate {
+  return {
+    name: faker.address.city(),
+    description: faker.lorem.sentence(),
+  };
+}
+
+function label(): LabelCreate {
+  return {
+    name: faker.lorem.word(),
+    description: faker.lorem.sentence(),
+    color: faker.internet.color(),
+  };
+}
+
+function publicClient(): PublicApi {
+  overrideParts(config.BASE_URL, "/api/v1");
+  const requests = new Requests("");
+  return new PublicApi(requests);
+}
+
+function userClient(token: string): UserClient {
+  overrideParts(config.BASE_URL, "/api/v1");
+  const requests = new Requests("", token);
+  return new UserClient(requests);
+}
+
+type TestUser = {
+  client: UserClient;
+  user: UserRegistration;
+};
+
+async function userSingleUse(): Promise<TestUser> {
+  const usr = user();
+
+  const pub = publicClient();
+  await pub.register(usr);
+  const result = await pub.login(usr.email, usr.password);
+
+  expect(result.error).toBeFalsy();
+  expect(result.status).toBe(200);
+
+  return {
+    client: new UserClient(new Requests("", result.data.token)),
+    user: usr,
+  };
+}
+
+export const factories = {
+  user,
+  location,
+  label,
+  client: {
+    public: publicClient,
+    user: userClient,
+    singleUse: userSingleUse,
+  },
+};

frontend/lib/api/__test__/public.test.ts

@@ -1,20 +1,10 @@
 import { describe, test, expect } from "vitest";
-import { faker } from "@faker-js/faker";
-import { UserRegistration } from "../types/data-contracts";
-import { client, sharedUserClient, userClient } from "./test-utils";
-
-function userFactory(): UserRegistration {
-  return {
-    email: faker.internet.email(),
-    password: faker.internet.password(),
-    name: faker.name.firstName(),
-    token: "",
-  };
-}
+import { factories } from "./factories";
+import { sharedUserClient } from "./test-utils";
 
 describe("[GET] /api/v1/status", () => {
   test("server should respond", async () => {
-    const api = client();
+    const api = factories.client.public();
     const { response, data } = await api.status();
     expect(response.status).toBe(200);
     expect(data.health).toBe(true);
@@ -22,8 +12,8 @@ describe("[GET] /api/v1/status", () => {
 });
 
 describe("first time user workflow (register, login, join group)", () => {
-  const api = client();
-  const userData = userFactory();
+  const api = factories.client.public();
+  const userData = factories.user();
 
   test("user should be able to register", async () => {
     const { response } = await api.register(userData);
@@ -36,7 +26,7 @@ describe("first time user workflow (register, login, join group)", () => {
     expect(data.token).toBeTruthy();
 
     // Cleanup
-    const userApi = userClient(data.token);
+    const userApi = factories.client.user(data.token);
     {
       const { response } = await userApi.user.delete();
       expect(response.status).toBe(204);
@@ -59,7 +49,7 @@ describe("first time user workflow (register, login, join group)", () => {
 
     // Create User 2 with token
 
-    const duplicateUser = userFactory();
+    const duplicateUser = factories.user();
     duplicateUser.token = data.token;
 
     const { response: registerResp } = await api.register(duplicateUser);
@@ -70,7 +60,7 @@ describe("first time user workflow (register, login, join group)", () => {
 
     // Get Self and Assert
 
-    const client2 = userClient(loginData.token);
+    const client2 = factories.client.user(loginData.token);
 
     const { data: user2 } = await client2.user.self();
 

frontend/lib/api/__test__/test-utils.ts

@@ -1,21 +1,6 @@
 import { beforeAll, expect } from "vitest";
-import { Requests } from "../../requests";
-import { overrideParts } from "../base/urls";
-import { PublicApi } from "../public";
-import * as config from "../../../test/config";
 import { UserClient } from "../user";
-
-export function client() {
-  overrideParts(config.BASE_URL, "/api/v1");
-  const requests = new Requests("");
-  return new PublicApi(requests);
-}
-
-export function userClient(token: string) {
-  overrideParts(config.BASE_URL, "/api/v1");
-  const requests = new Requests("", token);
-  return new UserClient(requests);
-}
+import { factories } from "./factories";
 
 const cache = {
   token: "",
@@ -27,7 +12,7 @@ const cache = {
  */
 export async function sharedUserClient(): Promise<UserClient> {
   if (cache.token) {
-    return userClient(cache.token);
+    return factories.client.user(cache.token);
   }
   const testUser = {
     email: "__test__@__test__.com",
@@ -36,12 +21,12 @@ export async function sharedUserClient(): Promise<UserClient> {
     token: "",
   };
 
-  const api = client();
+  const api = factories.client.public();
   const { response: tryLoginResp, data } = await api.login(testUser.email, testUser.password);
 
   if (tryLoginResp.status === 200) {
     cache.token = data.token;
-    return userClient(cache.token);
+    return factories.client.user(cache.token);
   }
 
   const { response: registerResp } = await api.register(testUser);
@@ -51,7 +36,7 @@ export async function sharedUserClient(): Promise<UserClient> {
   expect(loginResp.status).toBe(200);
 
   cache.token = loginData.token;
-  return userClient(data.token);
+  return factories.client.user(data.token);
 }
 
 beforeAll(async () => {

frontend/lib/api/__test__/user/labels.test.ts

@@ -1,23 +1,17 @@
 import { describe, expect, test } from "vitest";
 import { LabelOut } from "../../types/data-contracts";
 import { UserClient } from "../../user";
+import { factories } from "../factories";
 import { sharedUserClient } from "../test-utils";
 
 describe("locations lifecycle (create, update, delete)", () => {
-  let increment = 0;
-
   /**
    * useLabel sets up a label resource for testing, and returns a function
    * that can be used to delete the label from the backend server.
    */
   async function useLabel(api: UserClient): Promise<[LabelOut, () => Promise<void>]> {
-    const { response, data } = await api.labels.create({
-      name: `__test__.label.name_${increment}`,
-      description: `__test__.label.description_${increment}`,
-      color: "",
-    });
+    const { response, data } = await api.labels.create(factories.label());
     expect(response.status).toBe(201);
-    increment++;
 
     const cleanup = async () => {
       const { response } = await api.labels.delete(data.id);
@@ -29,11 +23,7 @@ describe("locations lifecycle (create, update, delete)", () => {
   test("user should be able to create a label", async () => {
     const api = await sharedUserClient();
 
-    const labelData = {
-      name: "test-label",
-      description: "test-description",
-      color: "",
-    };
+    const labelData = factories.label();
 
     const { response, data } = await api.labels.create(labelData);
 

frontend/lib/api/__test__/user/locations.test.ts

@@ -1,22 +1,17 @@
 import { describe, expect, test } from "vitest";
 import { LocationOut } from "../../types/data-contracts";
 import { UserClient } from "../../user";
+import { factories } from "../factories";
 import { sharedUserClient } from "../test-utils";
 
 describe("locations lifecycle (create, update, delete)", () => {
-  let increment = 0;
-
   /**
    * useLocatio sets up a location resource for testing, and returns a function
    * that can be used to delete the location from the backend server.
    */
   async function useLocation(api: UserClient): Promise<[LocationOut, () => Promise<void>]> {
-    const { response, data } = await api.locations.create({
-      name: `__test__.location.name_${increment}`,
-      description: `__test__.location.description_${increment}`,
-    });
+    const { response, data } = await api.locations.create(factories.location());
     expect(response.status).toBe(201);
-    increment++;
 
     const cleanup = async () => {
       const { response } = await api.locations.delete(data.id);
@@ -29,10 +24,7 @@ describe("locations lifecycle (create, update, delete)", () => {
   test("user should be able to create a location", async () => {
     const api = await sharedUserClient();
 
-    const locationData = {
-      name: "test-location",
-      description: "test-description",
-    };
+    const locationData = factories.location();
 
     const { response, data } = await api.locations.create(locationData);
 

frontend/lib/api/__test__/user/user.test.ts

@@ -0,0 +1,27 @@
+import { faker } from "@faker-js/faker";
+import { describe, expect, test } from "vitest";
+import { factories } from "../factories";
+
+describe("basic user workflows", () => {
+  test("user should be able to change password", async () => {
+    const { client, user } = await factories.client.singleUse();
+    const password = faker.internet.password();
+
+    // Change Password
+    {
+      const response = await client.user.changePassword(user.password, password);
+      expect(response.error).toBeFalsy();
+      expect(response.status).toBe(204);
+    }
+
+    // Ensure New Login is Valid
+    {
+      const pub = factories.client.public();
+      const response = await pub.login(user.email, password);
+      expect(response.error).toBeFalsy();
+      expect(response.status).toBe(200);
+    }
+
+    await client.user.delete();
+  }, 20000);
+});

frontend/lib/api/base/base-api.ts

@@ -43,7 +43,7 @@ export class BaseAPI {
    * are present. This is useful for when you want to send a subset of fields to
    * the server like when performing an update.
    */
-  dropFields<T>(obj: T, keys: Array<keyof T> = []): T {
+  protected dropFields<T>(obj: T, keys: Array<keyof T> = []): T {
     const result = { ...obj };
     [...keys, "createdAt", "updatedAt"].forEach(key => {
       // @ts-ignore - we are checking for the key above

frontend/lib/api/classes/users.ts

@@ -1,5 +1,5 @@
 import { BaseAPI, route } from "../base";
-import { UserOut } from "../types/data-contracts";
+import { ChangePassword, UserOut } from "../types/data-contracts";
 import { Result } from "../types/non-generated";
 
 export class UserApi extends BaseAPI {
@@ -14,4 +14,14 @@ export class UserApi extends BaseAPI {
   public delete() {
     return this.http.delete<void>({ url: route("/users/self") });
   }
+
+  public changePassword(current: string, newPassword: string) {
+    return this.http.put<ChangePassword, void>({
+      url: route("/users/self/change-password"),
+      body: {
+        current,
+        new: newPassword,
+      },
+    });
+  }
 }

frontend/lib/api/types/data-contracts.ts

@@ -238,6 +238,11 @@ export interface Build {
   version: string;
 }
 
+export interface ChangePassword {
+  current: string;
+  new: string;
+}
+
 export interface GroupInvitation {
   expiresAt: Date;
   token: string;