Add ability to change retro password [#5]

Author: davidje13

backend/package-lock.json

@@ -35,7 +35,7 @@
     "supertest": "7.x",
     "superwstest": "2.x",
     "typescript": "5.9.x",
-    "web-listener": "0.17.1",
+    "web-listener": "0.17.2",
     "ws": "8.x"
   }
 }

backend/package.json

@@ -5,19 +5,6 @@ import { testConfig } from './testConfig';
 import { testServerRunner } from './testServerRunner';
 import { appFactory, type TestHooks } from '../app';
 
-function getRetroToken(
-  { retroAuthService }: TestHooks,
-  retroId: string,
-  scopes = {},
-): Promise<string | null> {
-  return retroAuthService.grantToken(retroId, {
-    read: true,
-    readArchives: true,
-    write: true,
-    ...scopes,
-  });
-}
-
 describe('API retro archives', () => {
   const PROPS = testServerRunner(async () => {
     const app = await appFactory(new TestLogger(), testConfig());
@@ -216,3 +203,17 @@ describe('API retro archives', () => {
     });
   });
 });
+
+function getRetroToken(
+  { retroAuthService }: TestHooks,
+  retroId: string,
+  scopes = {},
+): Promise<string | null> {
+  return retroAuthService.grantToken(retroId, {
+    read: true,
+    readArchives: true,
+    write: true,
+    manage: true,
+    ...scopes,
+  });
+}

backend/src/api-tests/archives.test.ts

@@ -137,6 +137,7 @@ describe('API auth', () => {
         read: true,
         write: true,
         readArchives: true,
+        manage: true,
       });
 
       await request(server)

backend/src/api-tests/auth.test.ts

@@ -14,6 +14,7 @@ function getRetroToken(
     read: true,
     readArchives: true,
     write: true,
+    manage: true,
     ...scopes,
   });
 }

backend/src/api-tests/export.test.ts

@@ -13,6 +13,7 @@ function getRetroToken(
     read: true,
     readArchives: true,
     write: true,
+    manage: true,
     ...scopes,
   });
 }

backend/src/api-tests/retroSocket.test.ts

@@ -4,26 +4,19 @@ import { testConfig } from './testConfig';
 import { testServerRunner } from './testServerRunner';
 import { appFactory, type TestHooks } from '../app';
 
-function getUserToken({ userAuthService }: TestHooks, userId: string): string {
-  return userAuthService.grantToken({
-    aud: 'user',
-    iss: 'test',
-    sub: userId,
-  });
-}
-
 describe('API retros', () => {
   const PROPS = testServerRunner(async () => {
     const app = await appFactory(new TestLogger(), testConfig());
 
     const hooks = app.testHooks;
 
-    await hooks.retroService.createRetro(
+    const myRetroId = await hooks.retroService.createRetro(
       'nobody',
       'my-retro',
       'My Retro',
       'mood',
     );
+    await hooks.retroAuthService.setPassword(myRetroId, 'password1');
 
     await hooks.retroService.createRetro(
       'me',
@@ -151,6 +144,118 @@ describe('API retros', () => {
         .expect(401);
     });
   });
+
+  describe('PUT /api/retros/retro-id/password', () => {
+    it('changes the retro password', async (props) => {
+      const { server, hooks } = props.getTyped(PROPS);
+
+      const id = (await hooks.retroService.getRetroIdForSlug('my-retro'))!;
+      const retroToken = await hooks.retroAuthService.grantForPassword(
+        id,
+        'password1',
+      );
+      if (!retroToken) {
+        throw new Error('failed to get retro token');
+      }
+
+      await request(server)
+        .put(`/api/retros/${id}/password`)
+        .send({ password: 'password2', evictUsers: false })
+        .set('Authorization', `Bearer ${retroToken}`)
+        .expect(200)
+        .expect('Content-Type', /application\/json/);
+
+      // existing token is still valid
+      expect(
+        await hooks.retroAuthService.readAndVerifyToken(id, retroToken),
+      ).isTruthy();
+
+      // new token requests must use new password
+      expect(
+        await hooks.retroAuthService.grantForPassword(id, 'password1'),
+      ).isNull();
+
+      const retroToken2 = await hooks.retroAuthService.grantForPassword(
+        id,
+        'password2',
+      );
+      expect(retroToken2).isTruthy();
+      expect(
+        await hooks.retroAuthService.readAndVerifyToken(id, retroToken2!),
+      ).isTruthy();
+    });
+
+    it('voids existing tokens if requested', async (props) => {
+      const { server, hooks } = props.getTyped(PROPS);
+
+      const id = (await hooks.retroService.getRetroIdForSlug('my-retro'))!;
+      const retroToken = await hooks.retroAuthService.grantForPassword(
+        id,
+        'password1',
+      );
+      if (!retroToken) {
+        throw new Error('failed to get retro token');
+      }
+
+      await request(server)
+        .put(`/api/retros/${id}/password`)
+        .send({ password: 'password2', evictUsers: true })
+        .set('Authorization', `Bearer ${retroToken}`)
+        .expect(200)
+        .expect('Content-Type', /application\/json/);
+
+      // existing token is no longer valid
+      expect(
+        await hooks.retroAuthService.readAndVerifyToken(id, retroToken),
+      ).isNull();
+
+      // new tokens are valid
+      const retroToken2 = await hooks.retroAuthService.grantForPassword(
+        id,
+        'password2',
+      );
+      expect(retroToken2).isTruthy();
+      expect(
+        await hooks.retroAuthService.readAndVerifyToken(id, retroToken2!),
+      ).isTruthy();
+    });
+
+    it('responds HTTP Unauthorized if no credentials are given', async (props) => {
+      const { server, hooks } = props.getTyped(PROPS);
+
+      const id = (await hooks.retroService.getRetroIdForSlug('my-retro'))!;
+      await request(server)
+        .put(`/api/retros/${id}/password`)
+        .send({ password: 'password2', evictUsers: false })
+        .expect(401);
+    });
+
+    it('responds HTTP Unauthorized if credentials are incorrect', async (props) => {
+      const { server, hooks } = props.getTyped(PROPS);
+
+      const id = (await hooks.retroService.getRetroIdForSlug('my-retro'))!;
+      await request(server)
+        .put(`/api/retros/${id}/password`)
+        .send({ password: 'password2', evictUsers: false })
+        .set('Authorization', 'Bearer Foo')
+        .expect(401);
+    });
+
+    it('responds HTTP Forbidden if scope is not "manage"', async (props) => {
+      const { server, hooks } = props.getTyped(PROPS);
+
+      const id = (await hooks.retroService.getRetroIdForSlug('my-retro'))!;
+      const retroToken = await getRetroToken(hooks, id, {
+        manage: false,
+      });
+
+      await request(server)
+        .put(`/api/retros/${id}/password`)
+        .send({ password: 'password2', evictUsers: false })
+        .set('Authorization', `Bearer ${retroToken}`)
+        .expect(403);
+    });
+  });
 });
 
 describe('API retros with my retros disabled', () => {
@@ -201,3 +306,25 @@ describe('API retros with my retros disabled', () => {
     });
   });
 });
+
+function getUserToken({ userAuthService }: TestHooks, userId: string): string {
+  return userAuthService.grantToken({
+    aud: 'user',
+    iss: 'test',
+    sub: userId,
+  });
+}
+
+function getRetroToken(
+  { retroAuthService }: TestHooks,
+  retroId: string,
+  scopes = {},
+): Promise<string | null> {
+  return retroAuthService.grantToken(retroId, {
+    read: true,
+    readArchives: true,
+    write: true,
+    manage: true,
+    ...scopes,
+  });
+}

backend/src/api-tests/retros.test.ts

@@ -85,6 +85,7 @@ export const appFactory = async (
 ): Promise<App> => {
   const db = await CollectionStorage.connect(config.db.url);
 
+  const passwordRequirements = { minLength: 8, maxLength: 512 };
   const hasher = new Hasher(config.password);
   const tokenManager = new TokenManager(config.token);
 
@@ -136,7 +137,10 @@ export const appFactory = async (
   );
   app.mount('/api/diagnostics', new ApiDiagnosticsRouter(analyticsService));
   app.mount('/api/slugs', new ApiSlugsRouter(retroService));
-  app.mount('/api/config', new ApiConfigRouter(config, auth.clientConfig));
+  app.mount(
+    '/api/config',
+    new ApiConfigRouter(config, auth.clientConfig, passwordRequirements),
+  );
   auth.addRoutes(app);
   app.mount(
     '/api/retros',
@@ -147,6 +151,7 @@ export const appFactory = async (
       retroArchiveService,
       analyticsService,
       config.permit.myRetros,
+      passwordRequirements,
     ),
   );
   app.mount(

backend/src/app.ts

@@ -0,0 +1,28 @@
+export class MultiMap<K, V> {
+  private readonly _data = new Map<K, Set<V>>();
+
+  add(k: K, v: V) {
+    let l = this._data.get(k);
+    if (!l) {
+      l = new Set();
+      this._data.set(k, l);
+    }
+    l.add(v);
+  }
+
+  remove(k: K, v: V) {
+    const l = this._data.get(k);
+    if (l) {
+      l.delete(v);
+      if (!l.size) {
+        this._data.delete(k);
+      }
+    }
+  }
+
+  listAndPurge(k: K): Set<V> {
+    const l = this._data.get(k) ?? new Set();
+    this._data.delete(k);
+    return l;
+  }
+}

backend/src/helpers/MultiMap.ts

@@ -1,5 +1,8 @@
 import { Router, sendJSON } from 'web-listener';
-import type { ClientConfig } from '../shared/api-entities';
+import type {
+  ClientConfig,
+  PasswordRequirements,
+} from '../shared/api-entities';
 
 interface ServerConfig {
   giphy: { apiKey: string };
@@ -9,12 +12,14 @@ export class ApiConfigRouter extends Router {
   public constructor(
     serverConfig: ServerConfig,
     ssoClientConfig: ClientConfig['sso'],
+    passwordRequirements: PasswordRequirements,
   ) {
     super();
 
     const clientConfig: ClientConfig = {
       sso: ssoClientConfig,
       giphy: serverConfig.giphy.apiKey !== '',
+      passwordRequirements,
     };
 
     this.get('/', (_, res) => sendJSON(res, clientConfig));