const crypto = require('crypto'); const bcrypt = require('bcryptjs'); const { authenticator } = require('otplib'); const QRCode = require('qrcode'); // Mock dependencies jest.mock('otplib', () => ({ authenticator: { generateSecret: jest.fn(), keyuri: jest.fn(), verify: jest.fn(), }, })); jest.mock('qrcode', () => ({ toDataURL: jest.fn(), })); jest.mock('bcryptjs', () => ({ hash: jest.fn(), compare: jest.fn(), })); jest.mock('../../../utils/logger', () => ({ info: jest.fn(), error: jest.fn(), warn: jest.fn(), })); const TwoFactorService = require('../../../services/TwoFactorService'); describe('TwoFactorService', () => { const originalEnv = process.env; beforeEach(() => { jest.clearAllMocks(); process.env = { ...originalEnv, TOTP_ENCRYPTION_KEY: 'a'.repeat(64), // 64 hex chars = 32 bytes TOTP_ISSUER: 'TestApp', TWO_FACTOR_EMAIL_OTP_EXPIRY_MINUTES: '10', TWO_FACTOR_STEP_UP_VALIDITY_MINUTES: '5', }; }); afterEach(() => { process.env = originalEnv; }); describe('generateTotpSecret', () => { it('should generate TOTP secret with QR code', async () => { authenticator.generateSecret.mockReturnValue('test-secret'); authenticator.keyuri.mockReturnValue('otpauth://totp/VillageShare:test@example.com?secret=test-secret'); QRCode.toDataURL.mockResolvedValue('data:image/png;base64,qrcode'); const result = await TwoFactorService.generateTotpSecret('test@example.com'); expect(result.qrCodeDataUrl).toBe('data:image/png;base64,qrcode'); expect(result.encryptedSecret).toBeDefined(); expect(result.encryptedSecretIv).toBeDefined(); // The issuer is loaded at module load time, so it uses the default 'VillageShare' expect(authenticator.keyuri).toHaveBeenCalledWith('test@example.com', 'VillageShare', 'test-secret'); }); it('should use issuer from environment', async () => { authenticator.generateSecret.mockReturnValue('test-secret'); authenticator.keyuri.mockReturnValue('otpauth://totp/VillageShare:test@example.com'); QRCode.toDataURL.mockResolvedValue('data:image/png;base64,qrcode'); const result = await TwoFactorService.generateTotpSecret('test@example.com'); expect(result.qrCodeDataUrl).toBeDefined(); expect(authenticator.keyuri).toHaveBeenCalled(); }); }); describe('verifyTotpCode', () => { it('should return true for valid code', () => { authenticator.verify.mockReturnValue(true); // Use actual encryption const { encrypted, iv } = TwoFactorService._encryptSecret('test-secret'); const result = TwoFactorService.verifyTotpCode(encrypted, iv, '123456'); expect(result).toBe(true); }); it('should return false for invalid code', () => { authenticator.verify.mockReturnValue(false); const { encrypted, iv } = TwoFactorService._encryptSecret('test-secret'); const result = TwoFactorService.verifyTotpCode(encrypted, iv, '654321'); expect(result).toBe(false); }); it('should return false for non-6-digit code', () => { const result = TwoFactorService.verifyTotpCode('encrypted', 'iv', '12345'); expect(result).toBe(false); const result2 = TwoFactorService.verifyTotpCode('encrypted', 'iv', '1234567'); expect(result2).toBe(false); const result3 = TwoFactorService.verifyTotpCode('encrypted', 'iv', 'abcdef'); expect(result3).toBe(false); }); it('should return false when decryption fails', () => { const result = TwoFactorService.verifyTotpCode('invalid-encrypted', 'invalid-iv', '123456'); expect(result).toBe(false); }); }); describe('generateEmailOtp', () => { it('should generate 6-digit code', () => { const result = TwoFactorService.generateEmailOtp(); expect(result.code).toMatch(/^\d{6}$/); }); it('should return hashed code', () => { const result = TwoFactorService.generateEmailOtp(); expect(result.hashedCode).toHaveLength(64); // SHA-256 hex }); it('should set expiry in the future', () => { const result = TwoFactorService.generateEmailOtp(); const now = new Date(); expect(result.expiry.getTime()).toBeGreaterThan(now.getTime()); }); it('should generate different codes each time', () => { const result1 = TwoFactorService.generateEmailOtp(); const result2 = TwoFactorService.generateEmailOtp(); // Codes should likely be different (very small chance of collision) expect(result1.code).not.toBe(result2.code); }); }); describe('verifyEmailOtp', () => { it('should return true for valid code', () => { const code = '123456'; const hashedCode = crypto.createHash('sha256').update(code).digest('hex'); const expiry = new Date(Date.now() + 600000); // 10 minutes from now const result = TwoFactorService.verifyEmailOtp(code, hashedCode, expiry); expect(result).toBe(true); }); it('should return false for invalid code', () => { const correctHash = crypto.createHash('sha256').update('123456').digest('hex'); const expiry = new Date(Date.now() + 600000); const result = TwoFactorService.verifyEmailOtp('654321', correctHash, expiry); expect(result).toBe(false); }); it('should return false for expired code', () => { const code = '123456'; const hashedCode = crypto.createHash('sha256').update(code).digest('hex'); const expiry = new Date(Date.now() - 60000); // 1 minute ago const result = TwoFactorService.verifyEmailOtp(code, hashedCode, expiry); expect(result).toBe(false); }); it('should return false for non-6-digit code', () => { const hashedCode = crypto.createHash('sha256').update('123456').digest('hex'); const expiry = new Date(Date.now() + 600000); expect(TwoFactorService.verifyEmailOtp('12345', hashedCode, expiry)).toBe(false); expect(TwoFactorService.verifyEmailOtp('1234567', hashedCode, expiry)).toBe(false); expect(TwoFactorService.verifyEmailOtp('abcdef', hashedCode, expiry)).toBe(false); }); it('should return false when no expiry provided', () => { const code = '123456'; const hashedCode = crypto.createHash('sha256').update(code).digest('hex'); const result = TwoFactorService.verifyEmailOtp(code, hashedCode, null); expect(result).toBe(false); }); }); describe('generateRecoveryCodes', () => { it('should generate 10 recovery codes', async () => { bcrypt.hash.mockResolvedValue('hashed-code'); const result = await TwoFactorService.generateRecoveryCodes(); expect(result.codes).toHaveLength(10); expect(result.hashedCodes).toHaveLength(10); }); it('should generate codes in XXXX-XXXX format', async () => { bcrypt.hash.mockResolvedValue('hashed-code'); const result = await TwoFactorService.generateRecoveryCodes(); result.codes.forEach(code => { expect(code).toMatch(/^[A-Z0-9]{4}-[A-Z0-9]{4}$/); }); }); it('should exclude confusing characters', async () => { bcrypt.hash.mockResolvedValue('hashed-code'); const result = await TwoFactorService.generateRecoveryCodes(); const confusingChars = ['0', 'O', '1', 'I', 'L']; result.codes.forEach(code => { confusingChars.forEach(char => { expect(code).not.toContain(char); }); }); }); it('should hash each code with bcrypt', async () => { bcrypt.hash.mockResolvedValue('hashed-code'); await TwoFactorService.generateRecoveryCodes(); expect(bcrypt.hash).toHaveBeenCalledTimes(10); }); }); describe('verifyRecoveryCode', () => { it('should return valid for correct code (new format)', async () => { bcrypt.compare.mockResolvedValueOnce(false).mockResolvedValueOnce(true); const recoveryData = { version: 1, codes: [ { hash: 'hash1', used: false, index: 0 }, { hash: 'hash2', used: false, index: 1 }, ], }; const result = await TwoFactorService.verifyRecoveryCode('XXXX-YYYY', recoveryData); expect(result.valid).toBe(true); expect(result.index).toBe(1); }); it('should return invalid for incorrect code', async () => { bcrypt.compare.mockResolvedValue(false); const recoveryData = { version: 1, codes: [ { hash: 'hash1', used: false, index: 0 }, ], }; const result = await TwoFactorService.verifyRecoveryCode('XXXX-YYYY', recoveryData); expect(result.valid).toBe(false); expect(result.index).toBe(-1); }); it('should skip used codes', async () => { bcrypt.compare.mockResolvedValue(true); const recoveryData = { version: 1, codes: [ { hash: 'hash1', used: true, index: 0 }, { hash: 'hash2', used: false, index: 1 }, ], }; await TwoFactorService.verifyRecoveryCode('XXXX-YYYY', recoveryData); // Should only check the unused code expect(bcrypt.compare).toHaveBeenCalledTimes(1); }); it('should normalize input code to uppercase', async () => { bcrypt.compare.mockResolvedValue(true); const recoveryData = { version: 1, codes: [{ hash: 'hash1', used: false, index: 0 }], }; await TwoFactorService.verifyRecoveryCode('xxxx-yyyy', recoveryData); expect(bcrypt.compare).toHaveBeenCalledWith('XXXX-YYYY', 'hash1'); }); it('should return invalid for wrong format', async () => { const recoveryData = { version: 1, codes: [{ hash: 'hash1', used: false, index: 0 }], }; const result = await TwoFactorService.verifyRecoveryCode('INVALID', recoveryData); expect(result.valid).toBe(false); }); it('should handle legacy array format', async () => { bcrypt.compare.mockResolvedValueOnce(false).mockResolvedValueOnce(true); const recoveryData = ['hash1', 'hash2', 'hash3']; const result = await TwoFactorService.verifyRecoveryCode('XXXX-YYYY', recoveryData); expect(result.valid).toBe(true); }); it('should skip null entries in legacy format', async () => { bcrypt.compare.mockResolvedValue(true); const recoveryData = [null, 'hash2']; await TwoFactorService.verifyRecoveryCode('XXXX-YYYY', recoveryData); expect(bcrypt.compare).toHaveBeenCalledTimes(1); }); }); describe('validateStepUpSession', () => { it('should return true for valid session', () => { const user = { twoFactorVerifiedAt: new Date(Date.now() - 60000), // 1 minute ago }; const result = TwoFactorService.validateStepUpSession(user); expect(result).toBe(true); }); it('should return false for expired session', () => { const user = { twoFactorVerifiedAt: new Date(Date.now() - 600000), // 10 minutes ago }; const result = TwoFactorService.validateStepUpSession(user, 5); // 5 minute window expect(result).toBe(false); }); it('should return false when no verification timestamp', () => { const user = { twoFactorVerifiedAt: null, }; const result = TwoFactorService.validateStepUpSession(user); expect(result).toBe(false); }); it('should use custom max age when provided', () => { const user = { twoFactorVerifiedAt: new Date(Date.now() - 1200000), // 20 minutes ago }; const result = TwoFactorService.validateStepUpSession(user, 30); // 30 minute window expect(result).toBe(true); }); }); describe('getRemainingRecoveryCodesCount', () => { it('should return count for new format', () => { const recoveryData = { version: 1, codes: [ { hash: 'hash1', used: false }, { hash: 'hash2', used: true }, { hash: 'hash3', used: false }, ], }; const result = TwoFactorService.getRemainingRecoveryCodesCount(recoveryData); expect(result).toBe(2); }); it('should return count for legacy array format', () => { const recoveryData = ['hash1', null, 'hash3', 'hash4', null]; const result = TwoFactorService.getRemainingRecoveryCodesCount(recoveryData); expect(result).toBe(3); }); it('should return 0 for null data', () => { const result = TwoFactorService.getRemainingRecoveryCodesCount(null); expect(result).toBe(0); }); it('should return 0 for undefined data', () => { const result = TwoFactorService.getRemainingRecoveryCodesCount(undefined); expect(result).toBe(0); }); it('should handle empty array', () => { const result = TwoFactorService.getRemainingRecoveryCodesCount([]); expect(result).toBe(0); }); it('should handle all used codes', () => { const recoveryData = { version: 1, codes: [ { hash: 'hash1', used: true }, { hash: 'hash2', used: true }, ], }; const result = TwoFactorService.getRemainingRecoveryCodesCount(recoveryData); expect(result).toBe(0); }); }); describe('isEmailOtpLocked', () => { it('should return true when max attempts reached', () => { const result = TwoFactorService.isEmailOtpLocked(3); expect(result).toBe(true); }); it('should return true when over max attempts', () => { const result = TwoFactorService.isEmailOtpLocked(5); expect(result).toBe(true); }); it('should return false when under max attempts', () => { const result = TwoFactorService.isEmailOtpLocked(2); expect(result).toBe(false); }); it('should return false for zero attempts', () => { const result = TwoFactorService.isEmailOtpLocked(0); expect(result).toBe(false); }); }); describe('_encryptSecret / _decryptSecret', () => { it('should encrypt and decrypt correctly', () => { const secret = 'my-test-secret'; const { encrypted, iv } = TwoFactorService._encryptSecret(secret); const decrypted = TwoFactorService._decryptSecret(encrypted, iv); expect(decrypted).toBe(secret); }); it('should throw error when encryption key is missing', () => { delete process.env.TOTP_ENCRYPTION_KEY; expect(() => TwoFactorService._encryptSecret('test')).toThrow('TOTP_ENCRYPTION_KEY'); }); it('should throw error when encryption key is wrong length', () => { process.env.TOTP_ENCRYPTION_KEY = 'short'; expect(() => TwoFactorService._encryptSecret('test')).toThrow('64-character hex string'); }); }); });