1 files changed, 68 insertions, 0 deletions
diff --git a/src/login/routes/password/test.rs b/src/login/routes/password/test.rs
new file mode 100644
index 0000000..c1974bf
--- /dev/null
+++ b/src/login/routes/password/test.rs
@@ -0,0 +1,68 @@
+use axum::extract::{Json, State};
+
+use super::post;
+use crate::{
+    test::fixtures,
+    token::app::{LoginError, ValidateError},
+};
+
+#[tokio::test]
+async fn password_change() {
+    // Set up the environment
+    let app = fixtures::scratch_app().await;
+    let creds = fixtures::login::create_with_password(&app, &fixtures::now()).await;
+    let cookie = fixtures::cookie::logged_in(&app, &creds, &fixtures::now()).await;
+    let identity = fixtures::identity::from_cookie(&app, &cookie, &fixtures::now()).await;
+
+    // Call the endpoint
+    let (name, password) = creds;
+    let to = fixtures::login::propose_password();
+    let request = post::Request {
+        password: password.clone(),
+        to: to.clone(),
+    };
+    let (new_cookie, Json(response)) = post::handler(
+        State(app.clone()),
+        fixtures::now(),
+        identity.clone(),
+        cookie.clone(),
+        Json(request),
+    )
+    .await
+    .expect("changing passwords succeeds");
+
+    // Verify that we have a new session
+    assert_ne!(cookie.secret(), new_cookie.secret());
+
+    // Verify that we're still ourselves
+    assert_eq!(identity.login, response);
+
+    // Verify that our original token is no longer valid
+    let validate_err = app
+        .tokens()
+        .validate(
+            &cookie
+                .secret()
+                .expect("original identity cookie has a secret"),
+            &fixtures::now(),
+        )
+        .await
+        .expect_err("validating the original identity secret should fail");
+    assert!(matches!(validate_err, ValidateError::InvalidToken));
+
+    // Verify that our original password is no longer valid
+    let login_err = app
+        .tokens()
+        .login(&name, &password, &fixtures::now())
+        .await
+        .expect_err("logging in with the original password should fail");
+    assert!(matches!(login_err, LoginError::Rejected));
+
+    // Verify that our new password is valid
+    let (login, _) = app
+        .tokens()
+        .login(&name, &to, &fixtures::now())
+        .await
+        .expect("logging in with the new password should succeed");
+    assert_eq!(identity.login, login);
+}