test(auth): add comprehensive disabled/locked user auth tests

Add locked user fixture (user18, status=3) and test that both disabled
and locked users are rejected across all auth paths: API tokens,
CalDAV basic auth, CheckUserCredentials.

Ref: GHSA-94xm-jj8x-3cr4
This commit is contained in:
kolaente 2026-03-23 16:15:39 +01:00 committed by kolaente
parent fd452b9cb6
commit 0b04768d83
5 changed files with 53 additions and 0 deletions

View File

@ -38,3 +38,13 @@
owner_id: 17
created: 2023-09-01 07:00:00
# token in plaintext is tk_disabled_user_test_token_000000001234abcd
- id: 5
title: 'locked user token'
token_salt: xK9mPr2sNq
token_hash: ee3fb2381e42ec87430519de0b59ce5fbe6ad7e0f0be40948ac28100167ed6f26fc6999f53958f589536d6291418c9419aef
token_last_eight: 12345678
permissions: '{"tasks":["read_all"]}'
expires_at: 2099-01-01 00:00:00
owner_id: 18
created: 2023-09-01 07:00:00
# token in plaintext is tk_locked_user_test_token_0000000012345678

View File

@ -136,3 +136,12 @@
issuer: local
updated: 2018-12-02 15:13:12
created: 2018-12-01 15:13:12
# Locked user for security tests
- id: 18
username: 'user18'
password: '$2a$04$X4aRMEt0ytgPwMIgv36cI..7X9.nhY/.tYwxpqSi0ykRHx2CwQ0S6' # 12345678
email: 'user18@example.com'
status: 3
issuer: local
updated: 2018-12-02 15:13:12
created: 2018-12-01 15:13:12

View File

@ -329,6 +329,16 @@ func TestCheckUserCredentials(t *testing.T) {
require.Error(t, err)
assert.True(t, IsErrAccountDisabled(err))
})
t.Run("locked user", func(t *testing.T) {
db.LoadAndAssertFixtures(t)
s := db.NewSession()
defer s.Close()
// user18 is locked (status=3), password is "12345678"
_, err := CheckUserCredentials(s, &Login{Username: "user18", Password: "12345678"})
require.Error(t, err)
assert.True(t, IsErrAccountLocked(err))
})
}
func TestUpdateUser(t *testing.T) {

View File

@ -112,6 +112,21 @@ func TestAPIToken(t *testing.T) {
assert.Equal(t, http.StatusUnauthorized, res.Code)
assert.Contains(t, res.Body.String(), `"code":11`)
})
t.Run("locked user token rejected", func(t *testing.T) {
e, err := setupTestEnv()
require.NoError(t, err)
req := httptest.NewRequest(http.MethodGet, "/api/v1/tasks", nil)
res := httptest.NewRecorder()
c := e.NewContext(req, res)
h := routes.SetupTokenMiddleware()(func(c *echo.Context) error {
return c.String(http.StatusOK, "test")
})
req.Header.Set(echo.HeaderAuthorization, "Bearer tk_locked_user_test_token_0000000012345678") // Token 5 (locked user 18)
require.NoError(t, h(c))
assert.Equal(t, http.StatusUnauthorized, res.Code)
assert.Contains(t, res.Body.String(), `"code":11`)
})
t.Run("jwt", func(t *testing.T) {
e, err := setupTestEnv()
require.NoError(t, err)

View File

@ -770,4 +770,13 @@ func TestCaldavDisabledUserRejected(t *testing.T) {
require.NoError(t, err)
assert.False(t, result, "disabled user should not be able to authenticate via CalDAV")
})
t.Run("locked user cannot authenticate via CalDAV", func(t *testing.T) {
e, _ := setupTestEnv()
c, _ := createRequest(e, http.MethodGet, "", nil, nil)
// user18 is locked (status=3), password is "12345678"
result, err := caldav.BasicAuth(c, "user18", "12345678")
require.NoError(t, err)
assert.False(t, result, "locked user should not be able to authenticate via CalDAV")
})
}