164 lines
5.0 KiB
TypeScript
164 lines
5.0 KiB
TypeScript
/*
|
|
* Copyright (C) 2026 Fluxer Contributors
|
|
*
|
|
* This file is part of Fluxer.
|
|
*
|
|
* Fluxer is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Affero General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* Fluxer is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU Affero General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Affero General Public License
|
|
* along with Fluxer. If not, see <https://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
import {
|
|
type BackupCodesResponse,
|
|
createAuthHarness,
|
|
createTestAccount,
|
|
type PhoneVerifyResponse,
|
|
totpCodeNow,
|
|
} from '@fluxer/api/src/auth/tests/AuthTestUtils';
|
|
import type {ApiTestHarness} from '@fluxer/api/src/test/ApiTestHarness';
|
|
import {createBuilder, createBuilderWithoutAuth} from '@fluxer/api/src/test/TestRequestBuilder';
|
|
import {afterAll, beforeAll, beforeEach, describe, expect, it} from 'vitest';
|
|
|
|
describe('Auth MFA TOTP flag matches authenticator types', () => {
|
|
let harness: ApiTestHarness;
|
|
|
|
beforeAll(async () => {
|
|
harness = await createAuthHarness();
|
|
});
|
|
|
|
beforeEach(async () => {
|
|
await harness.reset();
|
|
});
|
|
|
|
afterAll(async () => {
|
|
await harness?.shutdown();
|
|
});
|
|
|
|
it('WebAuthn-only reports TOTP false', async () => {
|
|
const account = await createTestAccount(harness);
|
|
const secret = 'JBSWY3DPEHPK3PXP';
|
|
|
|
const totpData = await createBuilder<BackupCodesResponse>(harness, account.token)
|
|
.post('/users/@me/mfa/totp/enable')
|
|
.body({secret, code: totpCodeNow(secret), password: account.password})
|
|
.execute();
|
|
expect(totpData.backup_codes.length).toBeGreaterThan(0);
|
|
|
|
const totpLogin = await createBuilderWithoutAuth<{ticket: string}>(harness)
|
|
.post('/auth/login')
|
|
.body({email: account.email, password: account.password})
|
|
.execute();
|
|
expect(totpLogin.ticket).toBeDefined();
|
|
|
|
const totpResp = await createBuilderWithoutAuth<{token: string}>(harness)
|
|
.post('/auth/login/mfa/totp')
|
|
.body({code: totpCodeNow(secret), ticket: totpLogin.ticket})
|
|
.execute();
|
|
account.token = totpResp.token;
|
|
|
|
await createBuilder(harness, account.token)
|
|
.post('/users/@me/mfa/totp/disable')
|
|
.body({
|
|
code: totpData.backup_codes[0]!.code,
|
|
mfa_method: 'totp',
|
|
mfa_code: totpCodeNow(secret),
|
|
})
|
|
.expect(204)
|
|
.execute();
|
|
|
|
const loginResp = await createBuilderWithoutAuth<{
|
|
token: string;
|
|
user_id: string;
|
|
}>(harness)
|
|
.post('/auth/login')
|
|
.body({email: account.email, password: account.password})
|
|
.execute();
|
|
expect('mfa' in loginResp).toBe(false);
|
|
expect(loginResp.token).toBeDefined();
|
|
});
|
|
|
|
it('SMS-only reports TOTP false when SMS is implicitly removed', async () => {
|
|
const account = await createTestAccount(harness);
|
|
const secret = 'JBSWY3DPEHPK3PXP';
|
|
|
|
const totpData = await createBuilder<BackupCodesResponse>(harness, account.token)
|
|
.post('/users/@me/mfa/totp/enable')
|
|
.body({secret, code: totpCodeNow(secret), password: account.password})
|
|
.execute();
|
|
expect(totpData.backup_codes.length).toBeGreaterThan(0);
|
|
|
|
const totpLogin = await createBuilderWithoutAuth<{ticket: string}>(harness)
|
|
.post('/auth/login')
|
|
.body({email: account.email, password: account.password})
|
|
.execute();
|
|
expect(totpLogin.ticket).toBeDefined();
|
|
|
|
const totpResp = await createBuilderWithoutAuth<{token: string}>(harness)
|
|
.post('/auth/login/mfa/totp')
|
|
.body({code: totpCodeNow(secret), ticket: totpLogin.ticket})
|
|
.execute();
|
|
account.token = totpResp.token;
|
|
|
|
const phone = `+1555${String(Date.now() % 10000000).padStart(7, '0')}`;
|
|
await createBuilder(harness, account.token)
|
|
.post('/users/@me/phone/send-verification')
|
|
.body({phone})
|
|
.expect(204)
|
|
.execute();
|
|
|
|
const phoneVerify = await createBuilder<PhoneVerifyResponse>(harness, account.token)
|
|
.post('/users/@me/phone/verify')
|
|
.body({phone, code: '123456'})
|
|
.execute();
|
|
expect(phoneVerify.phone_token).toBeDefined();
|
|
|
|
await createBuilder(harness, account.token)
|
|
.post('/users/@me/phone')
|
|
.body({
|
|
phone_token: phoneVerify.phone_token,
|
|
mfa_method: 'totp',
|
|
mfa_code: totpCodeNow(secret),
|
|
})
|
|
.expect(204)
|
|
.execute();
|
|
|
|
await createBuilder(harness, account.token)
|
|
.post('/users/@me/mfa/sms/enable')
|
|
.body({
|
|
mfa_method: 'totp',
|
|
mfa_code: totpCodeNow(secret),
|
|
})
|
|
.expect(204)
|
|
.execute();
|
|
|
|
await createBuilder(harness, account.token)
|
|
.post('/users/@me/mfa/totp/disable')
|
|
.body({
|
|
code: totpData.backup_codes[0]!.code,
|
|
mfa_method: 'totp',
|
|
mfa_code: totpCodeNow(secret),
|
|
})
|
|
.expect(204)
|
|
.execute();
|
|
|
|
const loginResp = await createBuilderWithoutAuth<{
|
|
token: string;
|
|
user_id: string;
|
|
}>(harness)
|
|
.post('/auth/login')
|
|
.body({email: account.email, password: account.password})
|
|
.execute();
|
|
expect('mfa' in loginResp).toBe(false);
|
|
expect(loginResp.token).toBeDefined();
|
|
});
|
|
});
|