fluxerapp/fluxer
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
d5abd1a7e4bbb6a389b7ecdf7b24c573bf71fc88
fluxer/packages/api/src/auth/tests/ResetPasswordRequiresMfa.test.tsx
Hampus Kraft d5abd1a7e4 refactor progress
2026-02-17 12:22:36 +00:00

120 lines
3.8 KiB
TypeScript
Raw Blame History

/*
* Copyright (C) 2026 Fluxer Contributors
*
* This file is part of Fluxer.
*
* Fluxer is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Fluxer is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with Fluxer. If not, see <https://www.gnu.org/licenses/>.
*/
import {
clearTestEmails,
createAuthHarness,
createTestAccount,
findLastTestEmail,
listTestEmails,
type TestEmailRecord,
totpCodeNow,
} from '@fluxer/api/src/auth/tests/AuthTestUtils';
import type {ApiTestHarness} from '@fluxer/api/src/test/ApiTestHarness';
import {createBuilder, createBuilderWithoutAuth} from '@fluxer/api/src/test/TestRequestBuilder';
import {afterAll, beforeAll, beforeEach, describe, expect, it} from 'vitest';
interface MfaRequiredResponse {
mfa: true;
ticket: string;
allowed_methods: Array<string>;
sms_phone_hint: string | null;
sms: boolean;
totp: boolean;
webauthn: boolean;
}
async function waitForEmail(harness: ApiTestHarness, type: string, recipient: string): Promise<TestEmailRecord> {
const maxAttempts = 20;
for (let i = 0; i < maxAttempts; i++) {
await new Promise((resolve) => setTimeout(resolve, 100));
const emails = await listTestEmails(harness, {recipient});
const email = findLastTestEmail(emails, type);
if (email) {
return email;
}
}
throw new Error(`Email not found: type=${type}, recipient=${recipient}`);
}
describe('Auth reset password requires MFA', () => {
let harness: ApiTestHarness;
beforeAll(async () => {
harness = await createAuthHarness();
});
beforeEach(async () => {
await harness.reset();
});
afterAll(async () => {
await harness?.shutdown();
});
it('returns MFA ticket after password reset when MFA is enabled', async () => {
const account = await createTestAccount(harness);
await clearTestEmails(harness);
const secret = 'JBSWY3DPEHPK3PXP';
await createBuilder(harness, account.token)
.post('/users/@me/mfa/totp/enable')
.body({secret, code: totpCodeNow(secret), password: account.password})
.execute();
await createBuilderWithoutAuth(harness).post('/auth/forgot').body({email: account.email}).expect(204).execute();
const email = await waitForEmail(harness, 'password_reset', account.email);
const token = email.metadata['token'];
expect(token).toBeDefined();
const newPassword = 'new-strong-password-123';
const resetResp = await createBuilderWithoutAuth<MfaRequiredResponse>(harness)
.post('/auth/reset')
.body({token, password: newPassword})
.execute();
expect(resetResp.mfa).toBe(true);
expect(resetResp.ticket).toBeDefined();
expect(resetResp.totp).toBe(true);
expect(resetResp.sms).toBe(false);
expect(resetResp.webauthn).toBe(false);
expect(resetResp.allowed_methods).toEqual(['totp']);
expect(resetResp.sms_phone_hint).toBeNull();
const mfaResp = await createBuilderWithoutAuth<{token: string}>(harness)
.post('/auth/login/mfa/totp')
.body({
ticket: resetResp.ticket,
code: totpCodeNow(secret),
})
.execute();
expect(mfaResp.token).toBeDefined();
const login = await createBuilderWithoutAuth<MfaRequiredResponse>(harness)
.post('/auth/login')
.body({email: account.email, password: newPassword})
.execute();
expect(login.mfa).toBe(true);
expect(login.ticket).toBeDefined();
expect(login.totp).toBe(true);
expect(login.sms).toBe(false);
expect(login.webauthn).toBe(false);
});
});
Reference in New Issue View Git Blame Copy Permalink