chore: Add serverPassword param to endpoints (#2919) [skip e2e]

* chore: send server password param to delete account endpoint * chore: send server password param to disable mfa endpoint * chore: modify tests * chore: force challenge prompt for mfa disable * chore: fix eslint errors * chore: add server passsword to get recovery codes * chore: fix tests * chore: pass server password as header
2025-08-26 09:04:03 -03:00
parent cf4d2196de
commit 54af28aa04
29 changed files with 298 additions and 62 deletions
--- a/packages/snjs/mocha/auth.test.js
+++ b/packages/snjs/mocha/auth.test.js
@@ -549,6 +549,24 @@ describe('basic auth', function () {
      expect(sendChallengeSpy.callCount).to.equal(1)
    }).timeout(Factory.TenSecondTimeout)

+    it('should send server password when deleting account', async function () {
+      Factory.handlePasswordChallenges(context.application, context.password)
+
+      const userApiService = context.application.dependencies.get(TYPES.UserApiService)
+      const deleteAccountSpy = sinon.spy(userApiService, 'deleteAccount')
+
+      await context.application.user.deleteAccount()
+
+      expect(deleteAccountSpy.callCount).to.equal(1)
+      const deleteAccountCall = deleteAccountSpy.getCall(0)
+      const callArgs = deleteAccountCall.args[0]
+      
+      expect(callArgs).to.have.property('serverPassword')
+      expect(callArgs.serverPassword).to.not.be.undefined
+      expect(typeof callArgs.serverPassword).to.equal('string')
+      expect(callArgs.serverPassword.length).to.be.above(0)
+    }).timeout(Factory.TenSecondTimeout)
+
    it('deleting account should sign out current user', async function () {
      Factory.handlePasswordChallenges(context.application, context.password)

@@ -567,12 +585,40 @@ describe('basic auth', function () {

      const response = await context.application.dependencies
        .get(TYPES.UserApiService)
-        .deleteAccount(registerResponse.user.uuid)
+        .deleteAccount({
+          userUuid: registerResponse.user.uuid,
+          serverPassword: 'dummy-password'
+        })

      expect(response.status).to.equal(401)
      expect(response.data.error.message).to.equal('Operation not allowed.')

      await secondContext.deinit()
    })
+
+    it('should not allow deleting account if server password is not sent', async function () {
+      Factory.handlePasswordChallenges(context.application, context.password)
+
+      const response = await context.application.dependencies
+        .get(TYPES.UserApiService)
+        .deleteAccount({
+          userUuid: context.application.user.uuid,
+        })
+
+      expect(response.status).to.equal(400)
+    }).timeout(Factory.TenSecondTimeout)
+
+    it('should not allow deleting account if server password is incorrect', async function () {
+      Factory.handlePasswordChallenges(context.application, context.password)
+
+      const response = await context.application.dependencies
+        .get(TYPES.UserApiService)
+        .deleteAccount({
+          userUuid: context.application.user.uuid,
+          serverPassword: 'wrong-password'
+        })
+
+      expect(response.status).to.equal(400)
+    }).timeout(Factory.TenSecondTimeout)
  })
 })
--- a/packages/snjs/mocha/mfa_service.test.js
+++ b/packages/snjs/mocha/mfa_service.test.js
@@ -65,6 +65,7 @@ describe('mfa service', () => {
    const token = await application.mfa.getOtpToken(secret)

    sinon.spy(application.challenges, 'sendChallenge')
+    
    await application.mfa.enableMfa(secret, token)
    await application.mfa.disableMfa()

@@ -73,4 +74,64 @@ describe('mfa service', () => {
    expect(challenge.prompts).to.have.lengthOf(2)
    expect(challenge.prompts[0].validation).to.equal(ChallengeValidation.AccountPassword)
  }).timeout(Factory.TenSecondTimeout)
+
+  it('sends server password when disabling mfa', async () => {
+    await registerApp(application)
+
+    Factory.handlePasswordChallenges(application, accountPassword)
+    const secret = await application.mfa.generateMfaSecret()
+    const token = await application.mfa.getOtpToken(secret)
+
+    await application.mfa.enableMfa(secret, token)
+
+    sinon.spy(application.settings.settingsApi, 'deleteSetting')
+
+    await application.mfa.disableMfa()
+
+    const deleteSettingCall = application.settings.settingsApi.deleteSetting.getCall(0)    
+    const [serverPassword] = deleteSettingCall.args
+    expect(typeof serverPassword).to.equal('string')
+    expect(serverPassword.length).to.be.above(0)
+  }).timeout(Factory.TenSecondTimeout)
+
+  it('should not allow disabling mfa if server password is not sent', async function () {
+    await registerApp(application)
+    
+    Factory.handlePasswordChallenges(application, accountPassword)
+
+    const secret = await application.mfa.generateMfaSecret()
+    const token = await application.mfa.getOtpToken(secret)
+
+    await application.mfa.enableMfa(secret, token)
+    
+    const response = await application.dependencies
+      .get(TYPES.SettingsApiService)
+      .deleteSetting({
+        userUuid: application.user.uuid,
+        settingName: 'MFA_SECRET',
+      })
+
+    expect(response.status).to.equal(400)
+  }).timeout(Factory.TenSecondTimeout)
+
+  it('should not allow disabling mfa if server password is incorrect', async function () {
+    await registerApp(application)
+    
+    Factory.handlePasswordChallenges(application, accountPassword)
+
+    const secret = await application.mfa.generateMfaSecret()
+    const token = await application.mfa.getOtpToken(secret)
+
+    await application.mfa.enableMfa(secret, token)
+    
+    const response = await application.dependencies
+      .get(TYPES.SettingsApiService)
+      .deleteSetting({
+        userUuid: application.user.uuid,
+        settingName: 'MFA_SECRET',
+        serverPassword: 'wrong-password'
+      })
+
+    expect(response.status).to.equal(400)
+  }).timeout(Factory.TenSecondTimeout)
 })