Jackie/rentall-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
41d8cf4c04ef38a947d2538c97e69fa24757d188
rentall-app/backend/tests/unit/services/TwoFactorService.test.js
jackiettran 41d8cf4c04 more backend unit test coverage
2026-01-18 19:18:35 -05:00

471 lines
14 KiB
JavaScript
Raw Blame History

const crypto = require('crypto');
const bcrypt = require('bcryptjs');
const { authenticator } = require('otplib');
const QRCode = require('qrcode');
// Mock dependencies
jest.mock('otplib', () => ({
authenticator: {
generateSecret: jest.fn(),
keyuri: jest.fn(),
verify: jest.fn(),
},
}));
jest.mock('qrcode', () => ({
toDataURL: jest.fn(),
}));
jest.mock('bcryptjs', () => ({
hash: jest.fn(),
compare: jest.fn(),
}));
jest.mock('../../../utils/logger', () => ({
info: jest.fn(),
error: jest.fn(),
warn: jest.fn(),
}));
const TwoFactorService = require('../../../services/TwoFactorService');
describe('TwoFactorService', () => {
const originalEnv = process.env;
beforeEach(() => {
jest.clearAllMocks();
process.env = {
...originalEnv,
TOTP_ENCRYPTION_KEY: 'a'.repeat(64), // 64 hex chars = 32 bytes
TOTP_ISSUER: 'TestApp',
TWO_FACTOR_EMAIL_OTP_EXPIRY_MINUTES: '10',
TWO_FACTOR_STEP_UP_VALIDITY_MINUTES: '5',
};
});
afterEach(() => {
process.env = originalEnv;
});
describe('generateTotpSecret', () => {
it('should generate TOTP secret with QR code', async () => {
authenticator.generateSecret.mockReturnValue('test-secret');
authenticator.keyuri.mockReturnValue('otpauth://totp/VillageShare:test@example.com?secret=test-secret');
QRCode.toDataURL.mockResolvedValue('data:image/png;base64,qrcode');
const result = await TwoFactorService.generateTotpSecret('test@example.com');
expect(result.qrCodeDataUrl).toBe('data:image/png;base64,qrcode');
expect(result.encryptedSecret).toBeDefined();
expect(result.encryptedSecretIv).toBeDefined();
// The issuer is loaded at module load time, so it uses the default 'VillageShare'
expect(authenticator.keyuri).toHaveBeenCalledWith('test@example.com', 'VillageShare', 'test-secret');
});
it('should use issuer from environment', async () => {
authenticator.generateSecret.mockReturnValue('test-secret');
authenticator.keyuri.mockReturnValue('otpauth://totp/VillageShare:test@example.com');
QRCode.toDataURL.mockResolvedValue('data:image/png;base64,qrcode');
const result = await TwoFactorService.generateTotpSecret('test@example.com');
expect(result.qrCodeDataUrl).toBeDefined();
expect(authenticator.keyuri).toHaveBeenCalled();
});
});
describe('verifyTotpCode', () => {
it('should return true for valid code', () => {
authenticator.verify.mockReturnValue(true);
// Use actual encryption
const { encrypted, iv } = TwoFactorService._encryptSecret('test-secret');
const result = TwoFactorService.verifyTotpCode(encrypted, iv, '123456');
expect(result).toBe(true);
});
it('should return false for invalid code', () => {
authenticator.verify.mockReturnValue(false);
const { encrypted, iv } = TwoFactorService._encryptSecret('test-secret');
const result = TwoFactorService.verifyTotpCode(encrypted, iv, '654321');
expect(result).toBe(false);
});
it('should return false for non-6-digit code', () => {
const result = TwoFactorService.verifyTotpCode('encrypted', 'iv', '12345');
expect(result).toBe(false);
const result2 = TwoFactorService.verifyTotpCode('encrypted', 'iv', '1234567');
expect(result2).toBe(false);
const result3 = TwoFactorService.verifyTotpCode('encrypted', 'iv', 'abcdef');
expect(result3).toBe(false);
});
it('should return false when decryption fails', () => {
const result = TwoFactorService.verifyTotpCode('invalid-encrypted', 'invalid-iv', '123456');
expect(result).toBe(false);
});
});
describe('generateEmailOtp', () => {
it('should generate 6-digit code', () => {
const result = TwoFactorService.generateEmailOtp();
expect(result.code).toMatch(/^\d{6}$/);
});
it('should return hashed code', () => {
const result = TwoFactorService.generateEmailOtp();
expect(result.hashedCode).toHaveLength(64); // SHA-256 hex
});
it('should set expiry in the future', () => {
const result = TwoFactorService.generateEmailOtp();
const now = new Date();
expect(result.expiry.getTime()).toBeGreaterThan(now.getTime());
});
it('should generate different codes each time', () => {
const result1 = TwoFactorService.generateEmailOtp();
const result2 = TwoFactorService.generateEmailOtp();
// Codes should likely be different (very small chance of collision)
expect(result1.code).not.toBe(result2.code);
});
});
describe('verifyEmailOtp', () => {
it('should return true for valid code', () => {
const code = '123456';
const hashedCode = crypto.createHash('sha256').update(code).digest('hex');
const expiry = new Date(Date.now() + 600000); // 10 minutes from now
const result = TwoFactorService.verifyEmailOtp(code, hashedCode, expiry);
expect(result).toBe(true);
});
it('should return false for invalid code', () => {
const correctHash = crypto.createHash('sha256').update('123456').digest('hex');
const expiry = new Date(Date.now() + 600000);
const result = TwoFactorService.verifyEmailOtp('654321', correctHash, expiry);
expect(result).toBe(false);
});
it('should return false for expired code', () => {
const code = '123456';
const hashedCode = crypto.createHash('sha256').update(code).digest('hex');
const expiry = new Date(Date.now() - 60000); // 1 minute ago
const result = TwoFactorService.verifyEmailOtp(code, hashedCode, expiry);
expect(result).toBe(false);
});
it('should return false for non-6-digit code', () => {
const hashedCode = crypto.createHash('sha256').update('123456').digest('hex');
const expiry = new Date(Date.now() + 600000);
expect(TwoFactorService.verifyEmailOtp('12345', hashedCode, expiry)).toBe(false);
expect(TwoFactorService.verifyEmailOtp('1234567', hashedCode, expiry)).toBe(false);
expect(TwoFactorService.verifyEmailOtp('abcdef', hashedCode, expiry)).toBe(false);
});
it('should return false when no expiry provided', () => {
const code = '123456';
const hashedCode = crypto.createHash('sha256').update(code).digest('hex');
const result = TwoFactorService.verifyEmailOtp(code, hashedCode, null);
expect(result).toBe(false);
});
});
describe('generateRecoveryCodes', () => {
it('should generate 10 recovery codes', async () => {
bcrypt.hash.mockResolvedValue('hashed-code');
const result = await TwoFactorService.generateRecoveryCodes();
expect(result.codes).toHaveLength(10);
expect(result.hashedCodes).toHaveLength(10);
});
it('should generate codes in XXXX-XXXX format', async () => {
bcrypt.hash.mockResolvedValue('hashed-code');
const result = await TwoFactorService.generateRecoveryCodes();
result.codes.forEach(code => {
expect(code).toMatch(/^[A-Z0-9]{4}-[A-Z0-9]{4}$/);
});
});
it('should exclude confusing characters', async () => {
bcrypt.hash.mockResolvedValue('hashed-code');
const result = await TwoFactorService.generateRecoveryCodes();
const confusingChars = ['0', 'O', '1', 'I', 'L'];
result.codes.forEach(code => {
confusingChars.forEach(char => {
expect(code).not.toContain(char);
});
});
});
it('should hash each code with bcrypt', async () => {
bcrypt.hash.mockResolvedValue('hashed-code');
await TwoFactorService.generateRecoveryCodes();
expect(bcrypt.hash).toHaveBeenCalledTimes(10);
});
});
describe('verifyRecoveryCode', () => {
it('should return valid for correct code (new format)', async () => {
bcrypt.compare.mockResolvedValueOnce(false).mockResolvedValueOnce(true);
const recoveryData = {
version: 1,
codes: [
{ hash: 'hash1', used: false, index: 0 },
{ hash: 'hash2', used: false, index: 1 },
],
};
const result = await TwoFactorService.verifyRecoveryCode('XXXX-YYYY', recoveryData);
expect(result.valid).toBe(true);
expect(result.index).toBe(1);
});
it('should return invalid for incorrect code', async () => {
bcrypt.compare.mockResolvedValue(false);
const recoveryData = {
version: 1,
codes: [
{ hash: 'hash1', used: false, index: 0 },
],
};
const result = await TwoFactorService.verifyRecoveryCode('XXXX-YYYY', recoveryData);
expect(result.valid).toBe(false);
expect(result.index).toBe(-1);
});
it('should skip used codes', async () => {
bcrypt.compare.mockResolvedValue(true);
const recoveryData = {
version: 1,
codes: [
{ hash: 'hash1', used: true, index: 0 },
{ hash: 'hash2', used: false, index: 1 },
],
};
await TwoFactorService.verifyRecoveryCode('XXXX-YYYY', recoveryData);
// Should only check the unused code
expect(bcrypt.compare).toHaveBeenCalledTimes(1);
});
it('should normalize input code to uppercase', async () => {
bcrypt.compare.mockResolvedValue(true);
const recoveryData = {
version: 1,
codes: [{ hash: 'hash1', used: false, index: 0 }],
};
await TwoFactorService.verifyRecoveryCode('xxxx-yyyy', recoveryData);
expect(bcrypt.compare).toHaveBeenCalledWith('XXXX-YYYY', 'hash1');
});
it('should return invalid for wrong format', async () => {
const recoveryData = {
version: 1,
codes: [{ hash: 'hash1', used: false, index: 0 }],
};
const result = await TwoFactorService.verifyRecoveryCode('INVALID', recoveryData);
expect(result.valid).toBe(false);
});
it('should handle legacy array format', async () => {
bcrypt.compare.mockResolvedValueOnce(false).mockResolvedValueOnce(true);
const recoveryData = ['hash1', 'hash2', 'hash3'];
const result = await TwoFactorService.verifyRecoveryCode('XXXX-YYYY', recoveryData);
expect(result.valid).toBe(true);
});
it('should skip null entries in legacy format', async () => {
bcrypt.compare.mockResolvedValue(true);
const recoveryData = [null, 'hash2'];
await TwoFactorService.verifyRecoveryCode('XXXX-YYYY', recoveryData);
expect(bcrypt.compare).toHaveBeenCalledTimes(1);
});
});
describe('validateStepUpSession', () => {
it('should return true for valid session', () => {
const user = {
twoFactorVerifiedAt: new Date(Date.now() - 60000), // 1 minute ago
};
const result = TwoFactorService.validateStepUpSession(user);
expect(result).toBe(true);
});
it('should return false for expired session', () => {
const user = {
twoFactorVerifiedAt: new Date(Date.now() - 600000), // 10 minutes ago
};
const result = TwoFactorService.validateStepUpSession(user, 5); // 5 minute window
expect(result).toBe(false);
});
it('should return false when no verification timestamp', () => {
const user = {
twoFactorVerifiedAt: null,
};
const result = TwoFactorService.validateStepUpSession(user);
expect(result).toBe(false);
});
it('should use custom max age when provided', () => {
const user = {
twoFactorVerifiedAt: new Date(Date.now() - 1200000), // 20 minutes ago
};
const result = TwoFactorService.validateStepUpSession(user, 30); // 30 minute window
expect(result).toBe(true);
});
});
describe('getRemainingRecoveryCodesCount', () => {
it('should return count for new format', () => {
const recoveryData = {
version: 1,
codes: [
{ hash: 'hash1', used: false },
{ hash: 'hash2', used: true },
{ hash: 'hash3', used: false },
],
};
const result = TwoFactorService.getRemainingRecoveryCodesCount(recoveryData);
expect(result).toBe(2);
});
it('should return count for legacy array format', () => {
const recoveryData = ['hash1', null, 'hash3', 'hash4', null];
const result = TwoFactorService.getRemainingRecoveryCodesCount(recoveryData);
expect(result).toBe(3);
});
it('should return 0 for null data', () => {
const result = TwoFactorService.getRemainingRecoveryCodesCount(null);
expect(result).toBe(0);
});
it('should return 0 for undefined data', () => {
const result = TwoFactorService.getRemainingRecoveryCodesCount(undefined);
expect(result).toBe(0);
});
it('should handle empty array', () => {
const result = TwoFactorService.getRemainingRecoveryCodesCount([]);
expect(result).toBe(0);
});
it('should handle all used codes', () => {
const recoveryData = {
version: 1,
codes: [
{ hash: 'hash1', used: true },
{ hash: 'hash2', used: true },
],
};
const result = TwoFactorService.getRemainingRecoveryCodesCount(recoveryData);
expect(result).toBe(0);
});
});
describe('isEmailOtpLocked', () => {
it('should return true when max attempts reached', () => {
const result = TwoFactorService.isEmailOtpLocked(3);
expect(result).toBe(true);
});
it('should return true when over max attempts', () => {
const result = TwoFactorService.isEmailOtpLocked(5);
expect(result).toBe(true);
});
it('should return false when under max attempts', () => {
const result = TwoFactorService.isEmailOtpLocked(2);
expect(result).toBe(false);
});
it('should return false for zero attempts', () => {
const result = TwoFactorService.isEmailOtpLocked(0);
expect(result).toBe(false);
});
});
describe('_encryptSecret / _decryptSecret', () => {
it('should encrypt and decrypt correctly', () => {
const secret = 'my-test-secret';
const { encrypted, iv } = TwoFactorService._encryptSecret(secret);
const decrypted = TwoFactorService._decryptSecret(encrypted, iv);
expect(decrypted).toBe(secret);
});
it('should throw error when encryption key is missing', () => {
delete process.env.TOTP_ENCRYPTION_KEY;
expect(() => TwoFactorService._encryptSecret('test')).toThrow('TOTP_ENCRYPTION_KEY');
});
it('should throw error when encryption key is wrong length', () => {
process.env.TOTP_ENCRYPTION_KEY = 'short';
expect(() => TwoFactorService._encryptSecret('test')).toThrow('64-character hex string');
});
});
});
Reference in New Issue View Git Blame Copy Permalink