Jackie/rentall-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
rentall-app/backend/tests/unit/services/TwoFactorService.test.js
jackiettran 420e0efeb4 text changes and remove infra folder
2026-01-21 19:00:55 -05:00

530 lines
15 KiB
JavaScript
Raw Permalink Blame History

const crypto = require("crypto");
const bcrypt = require("bcryptjs");
const { authenticator } = require("otplib");
const QRCode = require("qrcode");
// Mock dependencies
jest.mock("otplib", () => ({
authenticator: {
generateSecret: jest.fn(),
keyuri: jest.fn(),
verify: jest.fn(),
},
}));
jest.mock("qrcode", () => ({
toDataURL: jest.fn(),
}));
jest.mock("bcryptjs", () => ({
hash: jest.fn(),
compare: jest.fn(),
}));
jest.mock("../../../utils/logger", () => ({
info: jest.fn(),
error: jest.fn(),
warn: jest.fn(),
}));
const TwoFactorService = require("../../../services/TwoFactorService");
describe("TwoFactorService", () => {
const originalEnv = process.env;
beforeEach(() => {
jest.clearAllMocks();
process.env = {
...originalEnv,
TOTP_ENCRYPTION_KEY: "a".repeat(64),
TOTP_ISSUER: "TestApp",
TWO_FACTOR_EMAIL_OTP_EXPIRY_MINUTES: "10",
TWO_FACTOR_STEP_UP_VALIDITY_MINUTES: "5",
};
});
afterEach(() => {
process.env = originalEnv;
});
describe("generateTotpSecret", () => {
it("should generate TOTP secret with QR code", async () => {
authenticator.generateSecret.mockReturnValue("test-secret");
authenticator.keyuri.mockReturnValue(
"otpauth://totp/VillageShare:test@example.com?secret=test-secret",
);
QRCode.toDataURL.mockResolvedValue("data:image/png;base64,qrcode");
const result =
await TwoFactorService.generateTotpSecret("test@example.com");
expect(result.qrCodeDataUrl).toBe("data:image/png;base64,qrcode");
expect(result.encryptedSecret).toBeDefined();
expect(result.encryptedSecretIv).toBeDefined();
// The issuer is loaded at module load time, so it uses the default 'VillageShare'
expect(authenticator.keyuri).toHaveBeenCalledWith(
"test@example.com",
"VillageShare",
"test-secret",
);
});
it("should use issuer from environment", async () => {
authenticator.generateSecret.mockReturnValue("test-secret");
authenticator.keyuri.mockReturnValue(
"otpauth://totp/VillageShare:test@example.com",
);
QRCode.toDataURL.mockResolvedValue("data:image/png;base64,qrcode");
const result =
await TwoFactorService.generateTotpSecret("test@example.com");
expect(result.qrCodeDataUrl).toBeDefined();
expect(authenticator.keyuri).toHaveBeenCalled();
});
});
describe("verifyTotpCode", () => {
it("should return true for valid code", () => {
authenticator.verify.mockReturnValue(true);
// Use actual encryption
const { encrypted, iv } = TwoFactorService._encryptSecret("test-secret");
const result = TwoFactorService.verifyTotpCode(encrypted, iv, "123456");
expect(result).toBe(true);
});
it("should return false for invalid code", () => {
authenticator.verify.mockReturnValue(false);
const { encrypted, iv } = TwoFactorService._encryptSecret("test-secret");
const result = TwoFactorService.verifyTotpCode(encrypted, iv, "654321");
expect(result).toBe(false);
});
it("should return false for non-6-digit code", () => {
const result = TwoFactorService.verifyTotpCode(
"encrypted",
"iv",
"12345",
);
expect(result).toBe(false);
const result2 = TwoFactorService.verifyTotpCode(
"encrypted",
"iv",
"1234567",
);
expect(result2).toBe(false);
const result3 = TwoFactorService.verifyTotpCode(
"encrypted",
"iv",
"abcdef",
);
expect(result3).toBe(false);
});
it("should return false when decryption fails", () => {
const result = TwoFactorService.verifyTotpCode(
"invalid-encrypted",
"invalid-iv",
"123456",
);
expect(result).toBe(false);
});
});
describe("generateEmailOtp", () => {
it("should generate 6-digit code", () => {
const result = TwoFactorService.generateEmailOtp();
expect(result.code).toMatch(/^\d{6}$/);
});
it("should return hashed code", () => {
const result = TwoFactorService.generateEmailOtp();
expect(result.hashedCode).toHaveLength(64); // SHA-256 hex
});
it("should set expiry in the future", () => {
const result = TwoFactorService.generateEmailOtp();
const now = new Date();
expect(result.expiry.getTime()).toBeGreaterThan(now.getTime());
});
it("should generate different codes each time", () => {
const result1 = TwoFactorService.generateEmailOtp();
const result2 = TwoFactorService.generateEmailOtp();
// Codes should likely be different (very small chance of collision)
expect(result1.code).not.toBe(result2.code);
});
});
describe("verifyEmailOtp", () => {
it("should return true for valid code", () => {
const code = "123456";
const hashedCode = crypto.createHash("sha256").update(code).digest("hex");
const expiry = new Date(Date.now() + 600000); // 10 minutes from now
const result = TwoFactorService.verifyEmailOtp(code, hashedCode, expiry);
expect(result).toBe(true);
});
it("should return false for invalid code", () => {
const correctHash = crypto
.createHash("sha256")
.update("123456")
.digest("hex");
const expiry = new Date(Date.now() + 600000);
const result = TwoFactorService.verifyEmailOtp(
"654321",
correctHash,
expiry,
);
expect(result).toBe(false);
});
it("should return false for expired code", () => {
const code = "123456";
const hashedCode = crypto.createHash("sha256").update(code).digest("hex");
const expiry = new Date(Date.now() - 60000); // 1 minute ago
const result = TwoFactorService.verifyEmailOtp(code, hashedCode, expiry);
expect(result).toBe(false);
});
it("should return false for non-6-digit code", () => {
const hashedCode = crypto
.createHash("sha256")
.update("123456")
.digest("hex");
const expiry = new Date(Date.now() + 600000);
expect(TwoFactorService.verifyEmailOtp("12345", hashedCode, expiry)).toBe(
false,
);
expect(
TwoFactorService.verifyEmailOtp("1234567", hashedCode, expiry),
).toBe(false);
expect(
TwoFactorService.verifyEmailOtp("abcdef", hashedCode, expiry),
).toBe(false);
});
it("should return false when no expiry provided", () => {
const code = "123456";
const hashedCode = crypto.createHash("sha256").update(code).digest("hex");
const result = TwoFactorService.verifyEmailOtp(code, hashedCode, null);
expect(result).toBe(false);
});
});
describe("generateRecoveryCodes", () => {
it("should generate 10 recovery codes", async () => {
bcrypt.hash.mockResolvedValue("hashed-code");
const result = await TwoFactorService.generateRecoveryCodes();
expect(result.codes).toHaveLength(10);
expect(result.hashedCodes).toHaveLength(10);
});
it("should generate codes in XXXX-XXXX format", async () => {
bcrypt.hash.mockResolvedValue("hashed-code");
const result = await TwoFactorService.generateRecoveryCodes();
result.codes.forEach((code) => {
expect(code).toMatch(/^[A-Z0-9]{4}-[A-Z0-9]{4}$/);
});
});
it("should exclude confusing characters", async () => {
bcrypt.hash.mockResolvedValue("hashed-code");
const result = await TwoFactorService.generateRecoveryCodes();
const confusingChars = ["0", "O", "1", "I", "L"];
result.codes.forEach((code) => {
confusingChars.forEach((char) => {
expect(code).not.toContain(char);
});
});
});
it("should hash each code with bcrypt", async () => {
bcrypt.hash.mockResolvedValue("hashed-code");
await TwoFactorService.generateRecoveryCodes();
expect(bcrypt.hash).toHaveBeenCalledTimes(10);
});
});
describe("verifyRecoveryCode", () => {
it("should return valid for correct code (new format)", async () => {
bcrypt.compare.mockResolvedValueOnce(false).mockResolvedValueOnce(true);
const recoveryData = {
version: 1,
codes: [
{ hash: "hash1", used: false, index: 0 },
{ hash: "hash2", used: false, index: 1 },
],
};
const result = await TwoFactorService.verifyRecoveryCode(
"XXXX-YYYY",
recoveryData,
);
expect(result.valid).toBe(true);
expect(result.index).toBe(1);
});
it("should return invalid for incorrect code", async () => {
bcrypt.compare.mockResolvedValue(false);
const recoveryData = {
version: 1,
codes: [{ hash: "hash1", used: false, index: 0 }],
};
const result = await TwoFactorService.verifyRecoveryCode(
"XXXX-YYYY",
recoveryData,
);
expect(result.valid).toBe(false);
expect(result.index).toBe(-1);
});
it("should skip used codes", async () => {
bcrypt.compare.mockResolvedValue(true);
const recoveryData = {
version: 1,
codes: [
{ hash: "hash1", used: true, index: 0 },
{ hash: "hash2", used: false, index: 1 },
],
};
await TwoFactorService.verifyRecoveryCode("XXXX-YYYY", recoveryData);
// Should only check the unused code
expect(bcrypt.compare).toHaveBeenCalledTimes(1);
});
it("should normalize input code to uppercase", async () => {
bcrypt.compare.mockResolvedValue(true);
const recoveryData = {
version: 1,
codes: [{ hash: "hash1", used: false, index: 0 }],
};
await TwoFactorService.verifyRecoveryCode("xxxx-yyyy", recoveryData);
expect(bcrypt.compare).toHaveBeenCalledWith("XXXX-YYYY", "hash1");
});
it("should return invalid for wrong format", async () => {
const recoveryData = {
version: 1,
codes: [{ hash: "hash1", used: false, index: 0 }],
};
const result = await TwoFactorService.verifyRecoveryCode(
"INVALID",
recoveryData,
);
expect(result.valid).toBe(false);
});
it("should handle legacy array format", async () => {
bcrypt.compare.mockResolvedValueOnce(false).mockResolvedValueOnce(true);
const recoveryData = ["hash1", "hash2", "hash3"];
const result = await TwoFactorService.verifyRecoveryCode(
"XXXX-YYYY",
recoveryData,
);
expect(result.valid).toBe(true);
});
it("should skip null entries in legacy format", async () => {
bcrypt.compare.mockResolvedValue(true);
const recoveryData = [null, "hash2"];
await TwoFactorService.verifyRecoveryCode("XXXX-YYYY", recoveryData);
expect(bcrypt.compare).toHaveBeenCalledTimes(1);
});
});
describe("validateStepUpSession", () => {
it("should return true for valid session", () => {
const user = {
twoFactorVerifiedAt: new Date(Date.now() - 60000), // 1 minute ago
};
const result = TwoFactorService.validateStepUpSession(user);
expect(result).toBe(true);
});
it("should return false for expired session", () => {
const user = {
twoFactorVerifiedAt: new Date(Date.now() - 600000), // 10 minutes ago
};
const result = TwoFactorService.validateStepUpSession(user, 5); // 5 minute window
expect(result).toBe(false);
});
it("should return false when no verification timestamp", () => {
const user = {
twoFactorVerifiedAt: null,
};
const result = TwoFactorService.validateStepUpSession(user);
expect(result).toBe(false);
});
it("should use custom max age when provided", () => {
const user = {
twoFactorVerifiedAt: new Date(Date.now() - 1200000), // 20 minutes ago
};
const result = TwoFactorService.validateStepUpSession(user, 30); // 30 minute window
expect(result).toBe(true);
});
});
describe("getRemainingRecoveryCodesCount", () => {
it("should return count for new format", () => {
const recoveryData = {
version: 1,
codes: [
{ hash: "hash1", used: false },
{ hash: "hash2", used: true },
{ hash: "hash3", used: false },
],
};
const result =
TwoFactorService.getRemainingRecoveryCodesCount(recoveryData);
expect(result).toBe(2);
});
it("should return count for legacy array format", () => {
const recoveryData = ["hash1", null, "hash3", "hash4", null];
const result =
TwoFactorService.getRemainingRecoveryCodesCount(recoveryData);
expect(result).toBe(3);
});
it("should return 0 for null data", () => {
const result = TwoFactorService.getRemainingRecoveryCodesCount(null);
expect(result).toBe(0);
});
it("should return 0 for undefined data", () => {
const result = TwoFactorService.getRemainingRecoveryCodesCount(undefined);
expect(result).toBe(0);
});
it("should handle empty array", () => {
const result = TwoFactorService.getRemainingRecoveryCodesCount([]);
expect(result).toBe(0);
});
it("should handle all used codes", () => {
const recoveryData = {
version: 1,
codes: [
{ hash: "hash1", used: true },
{ hash: "hash2", used: true },
],
};
const result =
TwoFactorService.getRemainingRecoveryCodesCount(recoveryData);
expect(result).toBe(0);
});
});
describe("isEmailOtpLocked", () => {
it("should return true when max attempts reached", () => {
const result = TwoFactorService.isEmailOtpLocked(3);
expect(result).toBe(true);
});
it("should return true when over max attempts", () => {
const result = TwoFactorService.isEmailOtpLocked(5);
expect(result).toBe(true);
});
it("should return false when under max attempts", () => {
const result = TwoFactorService.isEmailOtpLocked(2);
expect(result).toBe(false);
});
it("should return false for zero attempts", () => {
const result = TwoFactorService.isEmailOtpLocked(0);
expect(result).toBe(false);
});
});
describe("_encryptSecret / _decryptSecret", () => {
it("should encrypt and decrypt correctly", () => {
const secret = "my-test-secret";
const { encrypted, iv } = TwoFactorService._encryptSecret(secret);
const decrypted = TwoFactorService._decryptSecret(encrypted, iv);
expect(decrypted).toBe(secret);
});
it("should throw error when encryption key is missing", () => {
delete process.env.TOTP_ENCRYPTION_KEY;
expect(() => TwoFactorService._encryptSecret("test")).toThrow(
"TOTP_ENCRYPTION_KEY",
);
});
it("should throw error when encryption key is wrong length", () => {
process.env.TOTP_ENCRYPTION_KEY = "short";
expect(() => TwoFactorService._encryptSecret("test")).toThrow(
"64-character hex string",
);
});
});
});
Reference in New Issue View Git Blame Copy Permalink