overleaf-cep/services/web/test/acceptance/src/UserEmailsTests.js

const { expect } = require('chai')
const async = require('async')
const User = require('./helpers/User')
const UserHelper = require('./helpers/UserHelper')
const { db, ObjectId } = require('../../../app/src/infrastructure/mongodb')
const MockV1Api = require('./helpers/MockV1Api')
const expectErrorResponse = require('./helpers/expectErrorResponse')

async function confirmEmail(userHelper, email) {
  let response
  // UserHelper.createUser does not create a confirmation token
  response = await userHelper.request.post({
    form: {
      email
    },
    simple: false,
    uri: '/user/emails/resend_confirmation'
  })
  expect(response.statusCode).to.equal(200)
  const tokenData = await db.tokens
    .find({
      use: 'email_confirmation',
      'data.user_id': userHelper.user._id.toString(),
      usedAt: { $exists: false }
    })
    .next()
  response = await userHelper.request.post({
    form: {
      token: tokenData.token
    },
    simple: false,
    uri: '/user/emails/confirm'
  })
  expect(response.statusCode).to.equal(200)
}

describe('UserEmails', function() {
  beforeEach(function(done) {
    this.timeout(20000)
    this.user = new User()
    this.user.login(done)
  })

  describe('confirming an email', function() {
    it('should confirm the email', function(done) {
      let token = null
      async.series(
        [
          cb => {
            this.user.request(
              {
                method: 'POST',
                url: '/user/emails',
                json: {
                  email: 'newly-added-email@example.com'
                }
              },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(response.statusCode).to.equal(204)
                cb()
              }
            )
          },
          cb => {
            this.user.request(
              { url: '/user/emails', json: true },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(response.statusCode).to.equal(200)
                expect(body[0].confirmedAt).to.not.exist
                expect(body[0].reconfirmedAt).to.not.exist
                expect(body[1].confirmedAt).to.not.exist
                expect(body[1].reconfirmedAt).to.not.exist
                cb()
              }
            )
          },
          cb => {
            db.tokens
              .find({
                use: 'email_confirmation',
                'data.user_id': this.user._id,
                usedAt: { $exists: false }
              })
              .toArray((error, tokens) => {
                expect(error).to.not.exist
                // There should only be one confirmation token at the moment
                expect(tokens.length).to.equal(1)
                expect(tokens[0].data.email).to.equal(
                  'newly-added-email@example.com'
                )
                expect(tokens[0].data.user_id).to.equal(this.user._id)
                ;({ token } = tokens[0])
                cb()
              })
          },
          cb => {
            this.user.request(
              {
                method: 'POST',
                url: '/user/emails/confirm',
                json: {
                  token
                }
              },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(response.statusCode).to.equal(200)
                cb()
              }
            )
          },
          cb => {
            this.user.request(
              { url: '/user/emails', json: true },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(response.statusCode).to.equal(200)
                expect(body[0].confirmedAt).to.not.exist
                expect(body[0].reconfirmedAt).to.not.exist
                expect(body[1].confirmedAt).to.exist
                expect(body[1].reconfirmedAt).to.exist
                expect(body[1].reconfirmedAt).to.deep.equal(body[1].confirmedAt)
                cb()
              }
            )
          },
          cb => {
            db.tokens
              .find({
                use: 'email_confirmation',
                'data.user_id': this.user._id,
                usedAt: { $exists: false }
              })
              .toArray((error, tokens) => {
                expect(error).to.not.exist
                // Token should be deleted after use
                expect(tokens.length).to.equal(0)
                cb()
              })
          }
        ],
        done
      )
    })

    it('should not allow confirmation of the email if the user has changed', function(done) {
      let token1 = null
      let token2 = null
      this.user2 = new User()
      this.email = 'duplicate-email@example.com'
      async.series(
        [
          cb => this.user2.login(cb),
          cb => {
            // Create email for first user
            this.user.request(
              {
                method: 'POST',
                url: '/user/emails',
                json: { email: this.email }
              },
              cb
            )
          },
          cb => {
            db.tokens
              .find({
                use: 'email_confirmation',
                'data.user_id': this.user._id,
                usedAt: { $exists: false }
              })
              .toArray((error, tokens) => {
                expect(error).to.not.exist
                // There should only be one confirmation token at the moment
                expect(tokens.length).to.equal(1)
                expect(tokens[0].data.email).to.equal(this.email)
                expect(tokens[0].data.user_id).to.equal(this.user._id)
                token1 = tokens[0].token
                cb()
              })
          },
          cb => {
            // Delete the email from the first user
            this.user.request(
              {
                method: 'POST',
                url: '/user/emails/delete',
                json: { email: this.email }
              },
              cb
            )
          },
          cb => {
            // Create email for second user
            this.user2.request(
              {
                method: 'POST',
                url: '/user/emails',
                json: { email: this.email }
              },
              cb
            )
          },
          cb => {
            // Original confirmation token should no longer work
            this.user.request(
              {
                method: 'POST',
                url: '/user/emails/confirm',
                json: {
                  token: token1
                }
              },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(response.statusCode).to.equal(404)
                cb()
              }
            )
          },
          cb => {
            db.tokens
              .find({
                use: 'email_confirmation',
                'data.user_id': this.user2._id,
                usedAt: { $exists: false }
              })
              .toArray((error, tokens) => {
                expect(error).to.not.exist
                // The first token has been used, so this should be token2 now
                expect(tokens.length).to.equal(1)
                expect(tokens[0].data.email).to.equal(this.email)
                expect(tokens[0].data.user_id).to.equal(this.user2._id)
                token2 = tokens[0].token
                cb()
              })
          },
          cb => {
            // Second user should be able to confirm the email
            this.user2.request(
              {
                method: 'POST',
                url: '/user/emails/confirm',
                json: {
                  token: token2
                }
              },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(response.statusCode).to.equal(200)
                cb()
              }
            )
          },
          cb => {
            this.user2.request(
              { url: '/user/emails', json: true },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(response.statusCode).to.equal(200)
                expect(body[0].confirmedAt).to.not.exist
                expect(body[1].confirmedAt).to.exist
                cb()
              }
            )
          }
        ],
        done
      )
    })
  })

  describe('reconfirm an email', function() {
    let email, userHelper, confirmedAtDate
    beforeEach(async function() {
      userHelper = new UserHelper()
      email = userHelper.getDefaultEmail()
      userHelper = await UserHelper.createUser({ email })
      userHelper = await UserHelper.loginUser({
        email,
        password: userHelper.getDefaultPassword()
      })
      // original confirmation
      await confirmEmail(userHelper, email)
      const user = (await UserHelper.getUser({ email })).user
      confirmedAtDate = user.emails[0].confirmedAt
      expect(user.emails[0].confirmedAt).to.exist
      expect(user.emails[0].reconfirmedAt).to.exist
    })
    it('should set reconfirmedAt and not reset confirmedAt', async function() {
      await confirmEmail(userHelper, email)
      const user = (await UserHelper.getUser({ email })).user
      expect(user.emails[0].confirmedAt).to.exist
      expect(user.emails[0].reconfirmedAt).to.exist
      expect(user.emails[0].confirmedAt).to.deep.equal(confirmedAtDate)
      expect(user.emails[0].reconfirmedAt).to.not.deep.equal(
        user.emails[0].confirmedAt
      )
      expect(user.emails[0].reconfirmedAt > user.emails[0].confirmedAt).to.be
        .true
    })
  })

  describe('with an expired token', function() {
    it('should not confirm the email', function(done) {
      let token = null
      async.series(
        [
          cb => {
            this.user.request(
              {
                method: 'POST',
                url: '/user/emails',
                json: {
                  email: (this.email = 'expired-token-email@example.com')
                }
              },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(response.statusCode).to.equal(204)
                cb()
              }
            )
          },
          cb => {
            db.tokens
              .find({
                use: 'email_confirmation',
                'data.user_id': this.user._id,
                usedAt: { $exists: false }
              })
              .toArray((error, tokens) => {
                expect(error).to.not.exist
                // There should only be one confirmation token at the moment
                expect(tokens.length).to.equal(1)
                expect(tokens[0].data.email).to.equal(this.email)
                expect(tokens[0].data.user_id).to.equal(this.user._id)
                ;({ token } = tokens[0])
                cb()
              })
          },
          cb => {
            db.tokens.update(
              {
                token
              },
              {
                $set: {
                  expiresAt: new Date(Date.now() - 1000000)
                }
              },
              cb
            )
          },
          cb => {
            this.user.request(
              {
                method: 'POST',
                url: '/user/emails/confirm',
                json: {
                  token
                }
              },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(response.statusCode).to.equal(404)
                cb()
              }
            )
          }
        ],
        done
      )
    })
  })

  describe('resending the confirmation', function() {
    it('should generate a new token', function(done) {
      async.series(
        [
          cb => {
            this.user.request(
              {
                method: 'POST',
                url: '/user/emails',
                json: {
                  email: 'reconfirmation-email@example.com'
                }
              },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(response.statusCode).to.equal(204)
                cb()
              }
            )
          },
          cb => {
            db.tokens
              .find({
                use: 'email_confirmation',
                'data.user_id': this.user._id,
                usedAt: { $exists: false }
              })
              .toArray((error, tokens) => {
                expect(error).to.not.exist
                // There should only be one confirmation token at the moment
                expect(tokens.length).to.equal(1)
                expect(tokens[0].data.email).to.equal(
                  'reconfirmation-email@example.com'
                )
                expect(tokens[0].data.user_id).to.equal(this.user._id)
                cb()
              })
          },
          cb => {
            this.user.request(
              {
                method: 'POST',
                url: '/user/emails/resend_confirmation',
                json: {
                  email: 'reconfirmation-email@example.com'
                }
              },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(response.statusCode).to.equal(200)
                cb()
              }
            )
          },
          cb => {
            db.tokens
              .find({
                use: 'email_confirmation',
                'data.user_id': this.user._id,
                usedAt: { $exists: false }
              })
              .toArray((error, tokens) => {
                expect(error).to.not.exist
                // There should be two tokens now
                expect(tokens.length).to.equal(2)
                expect(tokens[0].data.email).to.equal(
                  'reconfirmation-email@example.com'
                )
                expect(tokens[0].data.user_id).to.equal(this.user._id)
                expect(tokens[1].data.email).to.equal(
                  'reconfirmation-email@example.com'
                )
                expect(tokens[1].data.user_id).to.equal(this.user._id)
                cb()
              })
          }
        ],
        done
      )
    })

    it('should create a new token if none exists', function(done) {
      // This should only be for users that have sign up with their main
      // emails before the confirmation system existed
      async.series(
        [
          cb => {
            db.tokens.remove(
              {
                use: 'email_confirmation',
                'data.user_id': this.user._id,
                usedAt: { $exists: false }
              },
              cb
            )
          },
          cb => {
            this.user.request(
              {
                method: 'POST',
                url: '/user/emails/resend_confirmation',
                json: {
                  email: this.user.email
                }
              },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(response.statusCode).to.equal(200)
                cb()
              }
            )
          },
          cb => {
            db.tokens
              .find({
                use: 'email_confirmation',
                'data.user_id': this.user._id,
                usedAt: { $exists: false }
              })
              .toArray((error, tokens) => {
                expect(error).to.not.exist
                // There should still only be one confirmation token
                expect(tokens.length).to.equal(1)
                expect(tokens[0].data.email).to.equal(this.user.email)
                expect(tokens[0].data.user_id).to.equal(this.user._id)
                cb()
              })
          }
        ],
        done
      )
    })

    it("should not allow reconfirmation if the email doesn't match the user", function(done) {
      async.series(
        [
          cb => {
            this.user.request(
              {
                method: 'POST',
                url: '/user/emails/resend_confirmation',
                json: {
                  email: 'non-matching-email@example.com'
                }
              },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(response.statusCode).to.equal(422)
                cb()
              }
            )
          },
          cb => {
            db.tokens
              .find({
                use: 'email_confirmation',
                'data.user_id': this.user._id,
                usedAt: { $exists: false }
              })
              .toArray((error, tokens) => {
                expect(error).to.not.exist
                expect(tokens.length).to.equal(0)
                cb()
              })
          }
        ],
        done
      )
    })
  })

  describe('setting a default email', function() {
    it('should update confirmed emails for users not in v1', function(done) {
      async.series(
        [
          cb => {
            this.user.request(
              {
                method: 'POST',
                url: '/user/emails',
                json: {
                  email: 'new-confirmed-default@example.com'
                }
              },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(response.statusCode).to.equal(204)
                cb()
              }
            )
          },
          cb => {
            // Mark the email as confirmed
            db.users.updateOne(
              {
                'emails.email': 'new-confirmed-default@example.com'
              },
              {
                $set: {
                  'emails.$.confirmedAt': new Date()
                }
              },
              cb
            )
          },
          cb => {
            this.user.request(
              {
                method: 'POST',
                url: '/user/emails/default',
                json: {
                  email: 'new-confirmed-default@example.com'
                }
              },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(response.statusCode).to.equal(200)
                cb()
              }
            )
          },
          cb => {
            this.user.request(
              { url: '/user/emails', json: true },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(response.statusCode).to.equal(200)
                expect(body[0].confirmedAt).to.not.exist
                expect(body[0].default).to.equal(false)
                expect(body[1].confirmedAt).to.exist
                expect(body[1].default).to.equal(true)
                cb()
              }
            )
          }
        ],
        done
      )
    })

    it('should not allow changing unconfirmed emails in v1', function(done) {
      async.series(
        [
          cb => {
            db.users.updateOne(
              {
                _id: ObjectId(this.user._id)
              },
              {
                $set: {
                  'overleaf.id': 42
                }
              },
              cb
            )
          },
          cb => {
            this.user.request(
              {
                method: 'POST',
                url: '/user/emails',
                json: {
                  email: 'new-unconfirmed-default@example.com'
                }
              },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(response.statusCode).to.equal(204)
                cb()
              }
            )
          },
          cb => {
            this.user.request(
              {
                method: 'POST',
                url: '/user/emails/default',
                json: {
                  email: 'new-unconfirmed-default@example.com'
                }
              },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(response.statusCode).to.equal(409)
                cb()
              }
            )
          },
          cb => {
            this.user.request(
              { url: '/user/emails', json: true },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(body[0].default).to.equal(true)
                expect(body[1].default).to.equal(false)
                cb()
              }
            )
          }
        ],
        done
      )
    })

    it('should not update the email in v1', function(done) {
      async.series(
        [
          cb => {
            db.users.updateOne(
              {
                _id: ObjectId(this.user._id)
              },
              {
                $set: {
                  'overleaf.id': 42
                }
              },
              cb
            )
          },
          cb => {
            this.user.request(
              {
                method: 'POST',
                url: '/user/emails',
                json: {
                  email: 'new-confirmed-default-in-v1@example.com'
                }
              },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(response.statusCode).to.equal(204)
                cb()
              }
            )
          },
          cb => {
            // Mark the email as confirmed
            db.users.updateOne(
              {
                'emails.email': 'new-confirmed-default-in-v1@example.com'
              },
              {
                $set: {
                  'emails.$.confirmedAt': new Date()
                }
              },
              cb
            )
          },
          cb => {
            this.user.request(
              {
                method: 'POST',
                url: '/user/emails/default',
                json: {
                  email: 'new-confirmed-default-in-v1@example.com'
                }
              },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(response.statusCode).to.equal(200)
                cb()
              }
            )
          }
        ],
        error => {
          expect(error).to.not.exist
          expect(MockV1Api.updateEmail.callCount).to.equal(0)
          done()
        }
      )
    })

    it('should not return an error if the email exists in v1', function(done) {
      MockV1Api.existingEmails.push('exists-in-v1@example.com')
      async.series(
        [
          cb => {
            db.users.updateOne(
              {
                _id: ObjectId(this.user._id)
              },
              {
                $set: {
                  'overleaf.id': 42
                }
              },
              cb
            )
          },
          cb => {
            this.user.request(
              {
                method: 'POST',
                url: '/user/emails',
                json: {
                  email: 'exists-in-v1@example.com'
                }
              },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(response.statusCode).to.equal(204)
                cb()
              }
            )
          },
          cb => {
            // Mark the email as confirmed
            db.users.updateOne(
              {
                'emails.email': 'exists-in-v1@example.com'
              },
              {
                $set: {
                  'emails.$.confirmedAt': new Date()
                }
              },
              cb
            )
          },
          cb => {
            this.user.request(
              {
                method: 'POST',
                url: '/user/emails/default',
                json: {
                  email: 'exists-in-v1@example.com'
                }
              },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(response.statusCode).to.equal(200)
                cb()
              }
            )
          },
          cb => {
            this.user.request(
              { url: '/user/emails', json: true },
              (error, response, body) => {
                expect(error).to.not.exist
                expect(body[0].default).to.equal(false)
                expect(body[1].default).to.equal(true)
                cb()
              }
            )
          }
        ],
        done
      )
    })

    describe('audit log', function() {
      const originalEmail = 'original@overleaf.com'
      let otherEmail, response, userHelper, user, userId
      beforeEach(async function() {
        otherEmail = 'other@overleaf.com'
        userHelper = new UserHelper()
        userHelper = await UserHelper.createUser({
          email: originalEmail
        })
        userHelper = await UserHelper.loginUser({
          email: originalEmail,
          password: userHelper.getDefaultPassword()
        })
        userId = userHelper.user._id
        response = await userHelper.request.post({
          form: {
            email: otherEmail
          },
          simple: false,
          uri: '/user/emails'
        })
        expect(response.statusCode).to.equal(204)
        const token = (
          await db.tokens.findOne({
            'data.user_id': userId.toString(),
            'data.email': otherEmail
          })
        ).token
        response = await userHelper.request.post(`/user/emails/confirm`, {
          form: {
            token
          },
          simple: false
        })
        expect(response.statusCode).to.equal(200)
        response = await userHelper.request.post('/user/emails/default', {
          form: {
            email: otherEmail
          },
          simple: false
        })
        expect(response.statusCode).to.equal(200)
        userHelper = await UserHelper.getUser(userId)
        user = userHelper.user
      })
      it('should be updated', function() {
        const entry = user.auditLog[user.auditLog.length - 1]
        expect(typeof entry.initiatorId).to.equal('object')
        expect(entry.initiatorId).to.deep.equal(user._id)
        expect(entry.ipAddress).to.equal('127.0.0.1')
        expect(entry.info).to.deep.equal({
          newPrimaryEmail: otherEmail,
          oldPrimaryEmail: originalEmail
        })
      })
    })

    describe('session cleanup', function() {
      beforeEach(function setupSecondSession(done) {
        this.userSession2 = new User()
        this.userSession2.email = this.user.email
        this.userSession2.emails = this.user.emails
        this.userSession2.password = this.user.password
        // login before adding the new email address
        // User.login() performs a mongo update and resets the .emails field.
        this.userSession2.login(done)
      })

      beforeEach(function checkSecondSessionLiveness(done) {
        this.userSession2.request(
          { method: 'GET', url: '/project', followRedirect: false },
          (error, response) => {
            expect(error).to.not.exist
            expect(response.statusCode).to.equal(200)
            done()
          }
        )
      })

      beforeEach(function addSecondaryEmail(done) {
        this.user.request(
          {
            method: 'POST',
            url: '/user/emails',
            json: { email: 'new-confirmed-default@example.com' }
          },
          (error, response) => {
            expect(error).to.not.exist
            expect(response.statusCode).to.equal(204)
            done()
          }
        )
      })

      beforeEach(function confirmSecondaryEmail(done) {
        db.users.updateOne(
          { 'emails.email': 'new-confirmed-default@example.com' },
          { $set: { 'emails.$.confirmedAt': new Date() } },
          done
        )
      })

      beforeEach(function setDefault(done) {
        this.user.request(
          {
            method: 'POST',
            url: '/user/emails/default',
            json: { email: 'new-confirmed-default@example.com' }
          },
          (error, response) => {
            expect(error).to.not.exist
            expect(response.statusCode).to.equal(200)
            done()
          }
        )
      })

      it('should logout the other sessions', function(done) {
        this.userSession2.request(
          { method: 'GET', url: '/project', followRedirect: false },
          (error, response) => {
            expect(error).to.not.exist
            expect(response.statusCode).to.equal(302)
            expect(response.headers)
              .to.have.property('location')
              .to.match(new RegExp('^/login'))
            done()
          }
        )
      })
    })
  })

  describe('when not logged in', function() {
    beforeEach(function(done) {
      this.anonymous = new User()
      this.anonymous.getCsrfToken(done)
    })
    it('should return a plain 403 when setting the email', function(done) {
      this.anonymous.request(
        {
          method: 'POST',
          url: '/user/emails',
          json: {
            email: 'newly-added-email@example.com'
          }
        },
        (error, response, body) => {
          if (error) {
            return done(error)
          }
          expectErrorResponse.requireLogin.json(response, body)
          done()
        }
      )
    })
  })

  describe('secondary email', function() {
    let newEmail, userHelper, userId, user
    beforeEach(async function() {
      newEmail = 'a-new-email@overleaf.com'
      userHelper = new UserHelper()
      userHelper = await UserHelper.createUser()
      userHelper = await UserHelper.loginUser({
        email: userHelper.getDefaultEmail(),
        password: userHelper.getDefaultPassword()
      })
      userId = userHelper.user._id
      await userHelper.request.post({
        form: {
          email: newEmail
        },
        simple: false,
        uri: '/user/emails'
      })
      userHelper = await UserHelper.getUser(userId)
      user = userHelper.user
    })
    it('should add the email', async function() {
      expect(user.emails[1].email).to.equal(newEmail)
    })
    it('should add to the user audit log', async function() {
      expect(typeof user.auditLog[0].initiatorId).to.equal('object')
      expect(user.auditLog[0].initiatorId).to.deep.equal(user._id)
      expect(user.auditLog[0].info.newSecondaryEmail).to.equal(newEmail)
      expect(user.auditLog[0].ip).to.equal(this.user.request.ip)
    })
  })
})