authelia/test/features/reset-password.feature

Feature: User is able to reset his password

  Scenario: User is redirected to password reset page
    Given I'm on "https://login.example.com:8080"
    When I click on the link "Forgot password?"
    Then I'm redirected to "https://login.example.com:8080/password-reset/request"

  Scenario: User get an email with a link to reset password
    Given I'm on "https://login.example.com:8080/password-reset/request"
    When I set field "username" to "james"
    And I click on "Reset Password"
    Then I get a notification of type "success" with message "An email has been sent to you. Follow the link to change your password."

  Scenario: Request password for unexisting user should behave like existing user
    Given I'm on "https://login.example.com:8080/password-reset/request"
    When I set field "username" to "fake_user"
    And I click on "Reset Password"
    Then I get a notification of type "success" with message "An email has been sent to you. Follow the link to change your password."

  Scenario: User resets his password
    Given I'm on "https://login.example.com:8080/password-reset/request"
    And I set field "username" to "james"
    And I click on "Reset Password"
    When I click on the link of the email
    And I set field "password1" to "newpassword"
    And I set field "password2" to "newpassword"
    And I click on "Reset Password"
    Then I'm redirected to "https://login.example.com:8080/"


  Scenario: User does not confirm new password
    Given I'm on "https://login.example.com:8080/password-reset/request"
    And I set field "username" to "james"
    And I click on "Reset Password"
    When I click on the link of the email
    And I set field "password1" to "newpassword"
    And I set field "password2" to "newpassword2"
    And I click on "Reset Password"
    Then I get a notification of type "warning" with message "The passwords are different."
Replace mocha integration tests by cucumber tests 2017-07-26 21:45:26 +00:00			`Feature: User is able to reset his password`

			`Scenario: User is redirected to password reset page`
Fix unit and integration tests 2018-03-28 22:04:59 +00:00			`Given I'm on "https://login.example.com:8080"`
Replace mocha integration tests by cucumber tests 2017-07-26 21:45:26 +00:00			`When I click on the link "Forgot password?"`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`Then I'm redirected to "https://login.example.com:8080/password-reset/request"`
Replace mocha integration tests by cucumber tests 2017-07-26 21:45:26 +00:00
			`Scenario: User get an email with a link to reset password`
Fix unit and integration tests 2018-03-28 22:04:59 +00:00			`Given I'm on "https://login.example.com:8080/password-reset/request"`
Replace mocha integration tests by cucumber tests 2017-07-26 21:45:26 +00:00			`When I set field "username" to "james"`
			`And I click on "Reset Password"`
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats. 2017-10-10 21:03:30 +00:00			`Then I get a notification of type "success" with message "An email has been sent to you. Follow the link to change your password."`

			`Scenario: Request password for unexisting user should behave like existing user`
Fix unit and integration tests 2018-03-28 22:04:59 +00:00			`Given I'm on "https://login.example.com:8080/password-reset/request"`
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats. 2017-10-10 21:03:30 +00:00			`When I set field "username" to "fake_user"`
			`And I click on "Reset Password"`
Notifications to users do not use notifyjs anymore. They are more common and located in the form areas to improve visibility on mobile devices. 2017-08-04 19:20:31 +00:00			`Then I get a notification of type "success" with message "An email has been sent to you. Follow the link to change your password."`
Replace mocha integration tests by cucumber tests 2017-07-26 21:45:26 +00:00
			`Scenario: User resets his password`
Fix unit and integration tests 2018-03-28 22:04:59 +00:00			`Given I'm on "https://login.example.com:8080/password-reset/request"`
Replace mocha integration tests by cucumber tests 2017-07-26 21:45:26 +00:00			`And I set field "username" to "james"`
			`And I click on "Reset Password"`
			`When I click on the link of the email`
			`And I set field "password1" to "newpassword"`
			`And I set field "password2" to "newpassword"`
			`And I click on "Reset Password"`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`Then I'm redirected to "https://login.example.com:8080/"`
Replace mocha integration tests by cucumber tests 2017-07-26 21:45:26 +00:00

			`Scenario: User does not confirm new password`
Fix unit and integration tests 2018-03-28 22:04:59 +00:00			`Given I'm on "https://login.example.com:8080/password-reset/request"`
Replace mocha integration tests by cucumber tests 2017-07-26 21:45:26 +00:00			`And I set field "username" to "james"`
			`And I click on "Reset Password"`
			`When I click on the link of the email`
			`And I set field "password1" to "newpassword"`
			`And I set field "password2" to "newpassword2"`
			`And I click on "Reset Password"`
Notifications to users do not use notifyjs anymore. They are more common and located in the form areas to improve visibility on mobile devices. 2017-08-04 19:20:31 +00:00			`Then I get a notification of type "warning" with message "The passwords are different."`