const crypto = require("crypto"); const bcrypt = require("bcryptjs"); const { authenticator } = require("otplib"); const QRCode = require("qrcode"); // Mock dependencies jest.mock("otplib", () => ({ authenticator: { generateSecret: jest.fn(), keyuri: jest.fn(), verify: jest.fn(), }, })); jest.mock("qrcode", () => ({ toDataURL: jest.fn(), })); jest.mock("bcryptjs", () => ({ hash: jest.fn(), compare: jest.fn(), })); jest.mock("../../../utils/logger", () => ({ info: jest.fn(), error: jest.fn(), warn: jest.fn(), })); const TwoFactorService = require("../../../services/TwoFactorService"); describe("TwoFactorService", () => { const originalEnv = process.env; beforeEach(() => { jest.clearAllMocks(); process.env = { ...originalEnv, TOTP_ENCRYPTION_KEY: "a".repeat(64), TOTP_ISSUER: "TestApp", TWO_FACTOR_EMAIL_OTP_EXPIRY_MINUTES: "10", TWO_FACTOR_STEP_UP_VALIDITY_MINUTES: "5", }; }); afterEach(() => { process.env = originalEnv; }); describe("generateTotpSecret", () => { it("should generate TOTP secret with QR code", async () => { authenticator.generateSecret.mockReturnValue("test-secret"); authenticator.keyuri.mockReturnValue( "otpauth://totp/VillageShare:test@example.com?secret=test-secret", ); QRCode.toDataURL.mockResolvedValue("data:image/png;base64,qrcode"); const result = await TwoFactorService.generateTotpSecret("test@example.com"); expect(result.qrCodeDataUrl).toBe("data:image/png;base64,qrcode"); expect(result.encryptedSecret).toBeDefined(); expect(result.encryptedSecretIv).toBeDefined(); // The issuer is loaded at module load time, so it uses the default 'VillageShare' expect(authenticator.keyuri).toHaveBeenCalledWith( "test@example.com", "VillageShare", "test-secret", ); }); it("should use issuer from environment", async () => { authenticator.generateSecret.mockReturnValue("test-secret"); authenticator.keyuri.mockReturnValue( "otpauth://totp/VillageShare:test@example.com", ); QRCode.toDataURL.mockResolvedValue("data:image/png;base64,qrcode"); const result = await TwoFactorService.generateTotpSecret("test@example.com"); expect(result.qrCodeDataUrl).toBeDefined(); expect(authenticator.keyuri).toHaveBeenCalled(); }); }); describe("verifyTotpCode", () => { it("should return true for valid code", () => { authenticator.verify.mockReturnValue(true); // Use actual encryption const { encrypted, iv } = TwoFactorService._encryptSecret("test-secret"); const result = TwoFactorService.verifyTotpCode(encrypted, iv, "123456"); expect(result).toBe(true); }); it("should return false for invalid code", () => { authenticator.verify.mockReturnValue(false); const { encrypted, iv } = TwoFactorService._encryptSecret("test-secret"); const result = TwoFactorService.verifyTotpCode(encrypted, iv, "654321"); expect(result).toBe(false); }); it("should return false for non-6-digit code", () => { const result = TwoFactorService.verifyTotpCode( "encrypted", "iv", "12345", ); expect(result).toBe(false); const result2 = TwoFactorService.verifyTotpCode( "encrypted", "iv", "1234567", ); expect(result2).toBe(false); const result3 = TwoFactorService.verifyTotpCode( "encrypted", "iv", "abcdef", ); expect(result3).toBe(false); }); it("should return false when decryption fails", () => { const result = TwoFactorService.verifyTotpCode( "invalid-encrypted", "invalid-iv", "123456", ); expect(result).toBe(false); }); }); describe("generateEmailOtp", () => { it("should generate 6-digit code", () => { const result = TwoFactorService.generateEmailOtp(); expect(result.code).toMatch(/^\d{6}$/); }); it("should return hashed code", () => { const result = TwoFactorService.generateEmailOtp(); expect(result.hashedCode).toHaveLength(64); // SHA-256 hex }); it("should set expiry in the future", () => { const result = TwoFactorService.generateEmailOtp(); const now = new Date(); expect(result.expiry.getTime()).toBeGreaterThan(now.getTime()); }); it("should generate different codes each time", () => { const result1 = TwoFactorService.generateEmailOtp(); const result2 = TwoFactorService.generateEmailOtp(); // Codes should likely be different (very small chance of collision) expect(result1.code).not.toBe(result2.code); }); }); describe("verifyEmailOtp", () => { it("should return true for valid code", () => { const code = "123456"; const hashedCode = crypto.createHash("sha256").update(code).digest("hex"); const expiry = new Date(Date.now() + 600000); // 10 minutes from now const result = TwoFactorService.verifyEmailOtp(code, hashedCode, expiry); expect(result).toBe(true); }); it("should return false for invalid code", () => { const correctHash = crypto .createHash("sha256") .update("123456") .digest("hex"); const expiry = new Date(Date.now() + 600000); const result = TwoFactorService.verifyEmailOtp( "654321", correctHash, expiry, ); expect(result).toBe(false); }); it("should return false for expired code", () => { const code = "123456"; const hashedCode = crypto.createHash("sha256").update(code).digest("hex"); const expiry = new Date(Date.now() - 60000); // 1 minute ago const result = TwoFactorService.verifyEmailOtp(code, hashedCode, expiry); expect(result).toBe(false); }); it("should return false for non-6-digit code", () => { const hashedCode = crypto .createHash("sha256") .update("123456") .digest("hex"); const expiry = new Date(Date.now() + 600000); expect(TwoFactorService.verifyEmailOtp("12345", hashedCode, expiry)).toBe( false, ); expect( TwoFactorService.verifyEmailOtp("1234567", hashedCode, expiry), ).toBe(false); expect( TwoFactorService.verifyEmailOtp("abcdef", hashedCode, expiry), ).toBe(false); }); it("should return false when no expiry provided", () => { const code = "123456"; const hashedCode = crypto.createHash("sha256").update(code).digest("hex"); const result = TwoFactorService.verifyEmailOtp(code, hashedCode, null); expect(result).toBe(false); }); }); describe("generateRecoveryCodes", () => { it("should generate 10 recovery codes", async () => { bcrypt.hash.mockResolvedValue("hashed-code"); const result = await TwoFactorService.generateRecoveryCodes(); expect(result.codes).toHaveLength(10); expect(result.hashedCodes).toHaveLength(10); }); it("should generate codes in XXXX-XXXX format", async () => { bcrypt.hash.mockResolvedValue("hashed-code"); const result = await TwoFactorService.generateRecoveryCodes(); result.codes.forEach((code) => { expect(code).toMatch(/^[A-Z0-9]{4}-[A-Z0-9]{4}$/); }); }); it("should exclude confusing characters", async () => { bcrypt.hash.mockResolvedValue("hashed-code"); const result = await TwoFactorService.generateRecoveryCodes(); const confusingChars = ["0", "O", "1", "I", "L"]; result.codes.forEach((code) => { confusingChars.forEach((char) => { expect(code).not.toContain(char); }); }); }); it("should hash each code with bcrypt", async () => { bcrypt.hash.mockResolvedValue("hashed-code"); await TwoFactorService.generateRecoveryCodes(); expect(bcrypt.hash).toHaveBeenCalledTimes(10); }); }); describe("verifyRecoveryCode", () => { it("should return valid for correct code (new format)", async () => { bcrypt.compare.mockResolvedValueOnce(false).mockResolvedValueOnce(true); const recoveryData = { version: 1, codes: [ { hash: "hash1", used: false, index: 0 }, { hash: "hash2", used: false, index: 1 }, ], }; const result = await TwoFactorService.verifyRecoveryCode( "XXXX-YYYY", recoveryData, ); expect(result.valid).toBe(true); expect(result.index).toBe(1); }); it("should return invalid for incorrect code", async () => { bcrypt.compare.mockResolvedValue(false); const recoveryData = { version: 1, codes: [{ hash: "hash1", used: false, index: 0 }], }; const result = await TwoFactorService.verifyRecoveryCode( "XXXX-YYYY", recoveryData, ); expect(result.valid).toBe(false); expect(result.index).toBe(-1); }); it("should skip used codes", async () => { bcrypt.compare.mockResolvedValue(true); const recoveryData = { version: 1, codes: [ { hash: "hash1", used: true, index: 0 }, { hash: "hash2", used: false, index: 1 }, ], }; await TwoFactorService.verifyRecoveryCode("XXXX-YYYY", recoveryData); // Should only check the unused code expect(bcrypt.compare).toHaveBeenCalledTimes(1); }); it("should normalize input code to uppercase", async () => { bcrypt.compare.mockResolvedValue(true); const recoveryData = { version: 1, codes: [{ hash: "hash1", used: false, index: 0 }], }; await TwoFactorService.verifyRecoveryCode("xxxx-yyyy", recoveryData); expect(bcrypt.compare).toHaveBeenCalledWith("XXXX-YYYY", "hash1"); }); it("should return invalid for wrong format", async () => { const recoveryData = { version: 1, codes: [{ hash: "hash1", used: false, index: 0 }], }; const result = await TwoFactorService.verifyRecoveryCode( "INVALID", recoveryData, ); expect(result.valid).toBe(false); }); it("should handle legacy array format", async () => { bcrypt.compare.mockResolvedValueOnce(false).mockResolvedValueOnce(true); const recoveryData = ["hash1", "hash2", "hash3"]; const result = await TwoFactorService.verifyRecoveryCode( "XXXX-YYYY", recoveryData, ); expect(result.valid).toBe(true); }); it("should skip null entries in legacy format", async () => { bcrypt.compare.mockResolvedValue(true); const recoveryData = [null, "hash2"]; await TwoFactorService.verifyRecoveryCode("XXXX-YYYY", recoveryData); expect(bcrypt.compare).toHaveBeenCalledTimes(1); }); }); describe("validateStepUpSession", () => { it("should return true for valid session", () => { const user = { twoFactorVerifiedAt: new Date(Date.now() - 60000), // 1 minute ago }; const result = TwoFactorService.validateStepUpSession(user); expect(result).toBe(true); }); it("should return false for expired session", () => { const user = { twoFactorVerifiedAt: new Date(Date.now() - 600000), // 10 minutes ago }; const result = TwoFactorService.validateStepUpSession(user, 5); // 5 minute window expect(result).toBe(false); }); it("should return false when no verification timestamp", () => { const user = { twoFactorVerifiedAt: null, }; const result = TwoFactorService.validateStepUpSession(user); expect(result).toBe(false); }); it("should use custom max age when provided", () => { const user = { twoFactorVerifiedAt: new Date(Date.now() - 1200000), // 20 minutes ago }; const result = TwoFactorService.validateStepUpSession(user, 30); // 30 minute window expect(result).toBe(true); }); }); describe("getRemainingRecoveryCodesCount", () => { it("should return count for new format", () => { const recoveryData = { version: 1, codes: [ { hash: "hash1", used: false }, { hash: "hash2", used: true }, { hash: "hash3", used: false }, ], }; const result = TwoFactorService.getRemainingRecoveryCodesCount(recoveryData); expect(result).toBe(2); }); it("should return count for legacy array format", () => { const recoveryData = ["hash1", null, "hash3", "hash4", null]; const result = TwoFactorService.getRemainingRecoveryCodesCount(recoveryData); expect(result).toBe(3); }); it("should return 0 for null data", () => { const result = TwoFactorService.getRemainingRecoveryCodesCount(null); expect(result).toBe(0); }); it("should return 0 for undefined data", () => { const result = TwoFactorService.getRemainingRecoveryCodesCount(undefined); expect(result).toBe(0); }); it("should handle empty array", () => { const result = TwoFactorService.getRemainingRecoveryCodesCount([]); expect(result).toBe(0); }); it("should handle all used codes", () => { const recoveryData = { version: 1, codes: [ { hash: "hash1", used: true }, { hash: "hash2", used: true }, ], }; const result = TwoFactorService.getRemainingRecoveryCodesCount(recoveryData); expect(result).toBe(0); }); }); describe("isEmailOtpLocked", () => { it("should return true when max attempts reached", () => { const result = TwoFactorService.isEmailOtpLocked(3); expect(result).toBe(true); }); it("should return true when over max attempts", () => { const result = TwoFactorService.isEmailOtpLocked(5); expect(result).toBe(true); }); it("should return false when under max attempts", () => { const result = TwoFactorService.isEmailOtpLocked(2); expect(result).toBe(false); }); it("should return false for zero attempts", () => { const result = TwoFactorService.isEmailOtpLocked(0); expect(result).toBe(false); }); }); describe("_encryptSecret / _decryptSecret", () => { it("should encrypt and decrypt correctly", () => { const secret = "my-test-secret"; const { encrypted, iv } = TwoFactorService._encryptSecret(secret); const decrypted = TwoFactorService._decryptSecret(encrypted, iv); expect(decrypted).toBe(secret); }); it("should throw error when encryption key is missing", () => { delete process.env.TOTP_ENCRYPTION_KEY; expect(() => TwoFactorService._encryptSecret("test")).toThrow( "TOTP_ENCRYPTION_KEY", ); }); it("should throw error when encryption key is wrong length", () => { process.env.TOTP_ENCRYPTION_KEY = "short"; expect(() => TwoFactorService._encryptSecret("test")).toThrow( "64-character hex string", ); }); }); });