refactor progress

packages/api/src/auth/tests/ResetPasswordRequiresMfa.test.tsx

@@ -0,0 +1,119 @@
+/*
+ * Copyright (C) 2026 Fluxer Contributors
+ *
+ * This file is part of Fluxer.
+ *
+ * Fluxer is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Fluxer is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with Fluxer. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import {
+	clearTestEmails,
+	createAuthHarness,
+	createTestAccount,
+	findLastTestEmail,
+	listTestEmails,
+	type TestEmailRecord,
+	totpCodeNow,
+} from '@fluxer/api/src/auth/tests/AuthTestUtils';
+import type {ApiTestHarness} from '@fluxer/api/src/test/ApiTestHarness';
+import {createBuilder, createBuilderWithoutAuth} from '@fluxer/api/src/test/TestRequestBuilder';
+import {afterAll, beforeAll, beforeEach, describe, expect, it} from 'vitest';
+
+interface MfaRequiredResponse {
+	mfa: true;
+	ticket: string;
+	allowed_methods: Array<string>;
+	sms_phone_hint: string | null;
+	sms: boolean;
+	totp: boolean;
+	webauthn: boolean;
+}
+
+async function waitForEmail(harness: ApiTestHarness, type: string, recipient: string): Promise<TestEmailRecord> {
+	const maxAttempts = 20;
+	for (let i = 0; i < maxAttempts; i++) {
+		await new Promise((resolve) => setTimeout(resolve, 100));
+		const emails = await listTestEmails(harness, {recipient});
+		const email = findLastTestEmail(emails, type);
+		if (email) {
+			return email;
+		}
+	}
+	throw new Error(`Email not found: type=${type}, recipient=${recipient}`);
+}
+
+describe('Auth reset password requires MFA', () => {
+	let harness: ApiTestHarness;
+
+	beforeAll(async () => {
+		harness = await createAuthHarness();
+	});
+
+	beforeEach(async () => {
+		await harness.reset();
+	});
+
+	afterAll(async () => {
+		await harness?.shutdown();
+	});
+
+	it('returns MFA ticket after password reset when MFA is enabled', async () => {
+		const account = await createTestAccount(harness);
+		await clearTestEmails(harness);
+
+		const secret = 'JBSWY3DPEHPK3PXP';
+		await createBuilder(harness, account.token)
+			.post('/users/@me/mfa/totp/enable')
+			.body({secret, code: totpCodeNow(secret), password: account.password})
+			.execute();
+
+		await createBuilderWithoutAuth(harness).post('/auth/forgot').body({email: account.email}).expect(204).execute();
+
+		const email = await waitForEmail(harness, 'password_reset', account.email);
+		const token = email.metadata['token'];
+		expect(token).toBeDefined();
+
+		const newPassword = 'new-strong-password-123';
+		const resetResp = await createBuilderWithoutAuth<MfaRequiredResponse>(harness)
+			.post('/auth/reset')
+			.body({token, password: newPassword})
+			.execute();
+		expect(resetResp.mfa).toBe(true);
+		expect(resetResp.ticket).toBeDefined();
+		expect(resetResp.totp).toBe(true);
+		expect(resetResp.sms).toBe(false);
+		expect(resetResp.webauthn).toBe(false);
+		expect(resetResp.allowed_methods).toEqual(['totp']);
+		expect(resetResp.sms_phone_hint).toBeNull();
+
+		const mfaResp = await createBuilderWithoutAuth<{token: string}>(harness)
+			.post('/auth/login/mfa/totp')
+			.body({
+				ticket: resetResp.ticket,
+				code: totpCodeNow(secret),
+			})
+			.execute();
+		expect(mfaResp.token).toBeDefined();
+
+		const login = await createBuilderWithoutAuth<MfaRequiredResponse>(harness)
+			.post('/auth/login')
+			.body({email: account.email, password: newPassword})
+			.execute();
+		expect(login.mfa).toBe(true);
+		expect(login.ticket).toBeDefined();
+		expect(login.totp).toBe(true);
+		expect(login.sms).toBe(false);
+		expect(login.webauthn).toBe(false);
+	});
+});