externalldap: add tests

src/users.js

@@ -360,11 +360,11 @@ async function verify(userId, password, identifier, options) {
         return user;
     }
 
-    const relaxedTotpCheck = !!options.relaxedTotpCheck; // will enforce totp only if totpToken is valid
+    const skipTotpCheck = !!options.skipTotpCheck;
     const totpToken = options.totpToken || null;
 
     if (user.source === 'ldap') {
-        await externalLdap.verifyPassword(user, password, totpToken);
+        await externalLdap.verifyPassword(user.username, password, totpToken);
     } else {
         const saltBinary = Buffer.from(user.salt, 'hex');
         const [error, derivedKey] = await safe(pbkdf2Async(password, saltBinary, CRYPTO_ITERATIONS, CRYPTO_KEY_LENGTH, CRYPTO_DIGEST));
@@ -373,13 +373,10 @@ async function verify(userId, password, identifier, options) {
         const derivedKeyHex = Buffer.from(derivedKey, 'binary').toString('hex');
         if (derivedKeyHex !== user.password) throw new BoxError(BoxError.INVALID_CREDENTIALS, 'Username and password does not match');
 
-        if (user.twoFactorAuthenticationEnabled) {
-            if (totpToken) {
-                const verified = speakeasy.totp.verify({ secret: user.twoFactorAuthenticationSecret, encoding: 'base32', token: totpToken, window: 2 });
-                if (!verified) throw new BoxError(BoxError.INVALID_CREDENTIALS, 'Invalid totpToken');
-            } else if (!relaxedTotpCheck) {
-                throw new BoxError(BoxError.INVALID_CREDENTIALS, 'A totpToken must be provided');
-            }
+        if (!skipTotpCheck && user.twoFactorAuthenticationEnabled) {
+            if (!totpToken) throw new BoxError(BoxError.INVALID_CREDENTIALS, 'A totpToken must be provided');
+            const verified = speakeasy.totp.verify({ secret: user.twoFactorAuthenticationSecret, encoding: 'base32', token: totpToken, window: 2 });
+            if (!verified) throw new BoxError(BoxError.INVALID_CREDENTIALS, 'Invalid totpToken');
         }
     }