authelia/test/features/reset-password.feature
Clement Michaud 56fdc40290 Every public endpoint returns 200 with harmonized error messages or 401
Now, /verify can return 401 or 403 depending on the user authentication.
Every public API endpoint and page returns 200 with an error message in the
JSON body, or 401 if the user is not authorized.

This policy makes it complicated for an attacker to know what the source of
the failure is, and it hides server-side bugs (not returning 500), bugs being
potential threats.
2017-10-14 11:57:38 +02:00

Gherkin

Feature: User is able to reset his password

  Scenario: User is redirected to password reset page
    Given I'm on https://auth.test.local:8080
    When I click on the link "Forgot password?"
    Then I'm redirected to "https://auth.test.local:8080/password-reset/request"

  Scenario: User gets an email with a link to reset password
    Given I'm on https://auth.test.local:8080/password-reset/request
    When I set field "username" to "james"
    And I click on "Reset Password"
    Then I get a notification of type "success" with message "An email has been sent to you. Follow the link to change your password."

  # Same notification type and text as for an existing user: the request form
  # must not reveal whether a username is valid (account enumeration).
  Scenario: Request password for a non-existing user should behave like existing user
    Given I'm on https://auth.test.local:8080/password-reset/request
    When I set field "username" to "fake_user"
    And I click on "Reset Password"
    Then I get a notification of type "success" with message "An email has been sent to you. Follow the link to change your password."

  Scenario: User resets his password
    Given I'm on https://auth.test.local:8080/password-reset/request
    And I set field "username" to "james"
    And I click on "Reset Password"
    When I click on the link of the email
    And I set field "password1" to "newpassword"
    And I set field "password2" to "newpassword"
    And I click on "Reset Password"
    Then I'm redirected to "https://auth.test.local:8080/"

  # Mismatched confirmation is reported in the page body, not as a distinct
  # HTTP status, consistent with the harmonized-response policy.
  Scenario: User does not confirm new password
    Given I'm on https://auth.test.local:8080/password-reset/request
    And I set field "username" to "james"
    And I click on "Reset Password"
    When I click on the link of the email
    And I set field "password1" to "newpassword"
    And I set field "password2" to "newpassword2"
    And I click on "Reset Password"
    Then I get a notification of type "warning" with message "The passwords are different."