From c976c2881ce5e34febac8a9850a6bad5d728625e Mon Sep 17 00:00:00 2001 From: Christopher Speller Date: Tue, 12 Jul 2016 10:09:04 -0400 Subject: Some improvments to password handling (#3549) --- api/user_test.go | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) (limited to 'api/user_test.go') diff --git a/api/user_test.go b/api/user_test.go index 7dabc8e9b..d0a70c1c0 100644 --- a/api/user_test.go +++ b/api/user_test.go @@ -249,6 +249,42 @@ func TestLoginWithDeviceId(t *testing.T) { } } +func TestPasswordGuessLockout(t *testing.T) { + th := Setup().InitBasic() + Client := th.BasicClient + user := th.BasicUser + Client.Must(Client.Logout()) + + enableSignInWithEmail := *utils.Cfg.EmailSettings.EnableSignInWithEmail + passwordAttempts := utils.Cfg.ServiceSettings.MaximumLoginAttempts + defer func() { + *utils.Cfg.EmailSettings.EnableSignInWithEmail = enableSignInWithEmail + utils.Cfg.ServiceSettings.MaximumLoginAttempts = passwordAttempts + }() + *utils.Cfg.EmailSettings.EnableSignInWithEmail = true + utils.Cfg.ServiceSettings.MaximumLoginAttempts = 2 + + // OK to log in + if _, err := Client.Login(user.Username, user.Password); err != nil { + t.Fatal(err) + } + + Client.Must(Client.Logout()) + + // Fail twice + if _, err := Client.Login(user.Email, "notthepassword"); err == nil { + t.Fatal("Shouldn't be able to login with bad password.") + } + if _, err := Client.Login(user.Email, "notthepassword"); err == nil { + t.Fatal("Shouldn't be able to login with bad password.") + } + + // Locked out + if _, err := Client.Login(user.Email, user.Password); err == nil { + t.Fatal("Shouldn't be able to login with password when account is locked out.") + } +} + func TestSessions(t *testing.T) { th := Setup().InitBasic() Client := th.BasicClient 
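Review bot: The final "Locked out" assertion in TestPasswordGuessLockout only checks `err == nil`, so it cannot distinguish a lockout rejection from any other login failure, and because the two failed attempts and the final attempt all use `user.Email`, nothing shows that the counter is keyed on the account rather than on the identifier presented. Since the successful login at the top already uses `user.Username`, make the last attempt `Client.Login(user.Username, user.Password)` so the test also proves that switching identifiers does not bypass the lockout, and compare the returned error against the id the server emits for a locked account instead of accepting any non-nil error. The reset path is not covered either — a successful login between two failures should clear the counter, otherwise occasional typos accumulate into a permanent lockout — and would need a second user or a follow-up test (the reset behaviour itself is not visible in this diff, so treat this as something to confirm). The test mutates the global `utils.Cfg` and restores it in a defer, so it must not be combined with `t.Parallel()`.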
@@ -746,6 +782,26 @@ func TestUserUpdatePassword(t *testing.T) { t.Fatal(err) } + // Test lockout + passwordAttempts := utils.Cfg.ServiceSettings.MaximumLoginAttempts + defer func() { + utils.Cfg.ServiceSettings.MaximumLoginAttempts = passwordAttempts + }() + utils.Cfg.ServiceSettings.MaximumLoginAttempts = 2 + + // Fail twice + if _, err := Client.UpdateUserPassword(user.Id, "badpwd", "newpwd"); err == nil { + t.Fatal("Should have errored") + } + if _, err := Client.UpdateUserPassword(user.Id, "badpwd", "newpwd"); err == nil { + t.Fatal("Should have errored") + } + + // Should fail because account is locked out + if _, err := Client.UpdateUserPassword(user.Id, "newpwd1", "newpwd2"); err == nil { + t.Fatal("Should have errored") + } + user2 := &model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"} user2 = Client.Must(Client.CreateUser(user2, "")).Data.(*model.User) LinkUserToTeam(user2, team) -- cgit v1.2.3-1-g7c22
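Review bot: The third `UpdateUserPassword` call passes `"newpwd1"` as the current password, which — unless that happens to be the password set earlier in TestUserUpdatePassword, a part of the function outside this hunk — fails with an ordinary wrong-current-password error whether or not the account is locked, so the "Should fail because account is locked out" assertion does not actually exercise the lockout. Pass the account's real current password in that call and require the lockout-specific error, along the lines of `if _, err := Client.UpdateUserPassword(user.Id, currentPassword, "newpwd2"); err == nil || err.Id != lockoutErrId { t.Fatal(...) }` with the id the server returns for a locked account, so a credential mismatch cannot masquerade as a passing lockout test. The three identical `t.Fatal("Should have errored")` messages should also be made distinct so a failure points at the attempt that went wrong. The enclosing function starts and ends outside the hunk, and `user` remains locked out for the rest of it, which any later step that authenticates as `user` has to tolerate.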