mirror of
https://github.com/mauriceboe/TREK.git
synced 2026-06-19 21:31:46 +00:00
Julien G.
6072b969d6
* fix: collab chat input hidden by mobile bottom nav bar Closes #939 * chore: prepare database for nest + typeorm * fix(ssrf): relax internal network resolution (#947) * docs(ssrf): update Internal-Network-Access wiki to reflect relaxed guard Loopback, link-local, and .local/.internal hostnames are now all overridable with ALLOW_INTERNAL_NETWORK=true (commit9a08368). Merge the two-tier "always blocked / conditionally blocked" structure into a single table, add a warning about cloud metadata exposure. * fix(ssrf): let .local/.internal hostnames pass to IP-level checks The pre-DNS hostname block was redundant: any .local/.internal host that resolves to a private IP is already gated by isPrivateNetwork + ALLOW_INTERNAL_NETWORK, and any that resolves to loopback/link-local is caught by isAlwaysBlocked unconditionally. Dropping the hostname pre-check means Docker/LAN deployments can reach services on .local hostnames (e.g. immich.local) with ALLOW_INTERNAL_NETWORK=true, while loopback and link-local IPs (including 169.254.169.254) remain hard-blocked with no override. Reverts the isAlwaysBlocked guard loosening from9a08368. * fix(auth): trim username and email on all write paths Self-registration stored values verbatim, so trailing whitespace could produce rows that lookup code (which trims input) silently misses. Trim username and email before validation and INSERT in registerUser, adminService.updateUser, and oidcService.findOrCreateUser. updateSettings and adminService.createUser already trimmed correctly. Adds a one-shot backfill migration (trimUserWhitespace) that trims existing dirty rows; collisions are resolved by appending __migrated_<id> to the value with a loud console.warn so operators can review affected accounts. 18 new tests covering registration trim, duplicate detection, admin update trim, trip-member lookup regression, and all migration branches. * feat(notices): add v3014-whitespace-collision admin notice Adds a dismissible banner for admins on v3.0.14+ that fires only when the whitespace-trimming migration detected a username/email collision (stored in app_settings as whitespace_migration_collision=true). Notice conditions: existingUserBeforeVersion(3.0.14) + role=admin + custom predicate reading the app_settings flag. Predicate registered in registry.ts; migration step writes the flag when hadCollision=true. All 15 translation files updated with title/body keys. 7 integration tests added (SN-COLLISION-1 through -7) covering all condition branches: shown when all conditions met, hidden when flag absent/false, hidden for non-admin, hidden for new user, hidden below min app version, hidden after dismissal.
878 lines
44 KiB
TypeScript
878 lines
44 KiB
TypeScript
/**
|
|
* Authentication integration tests.
|
|
* Covers AUTH-001 to AUTH-022, AUTH-028 to AUTH-033.
|
|
* OIDC scenarios (AUTH-023 to AUTH-027) require a real IdP and are excluded.
|
|
* Rate limiting scenarios (AUTH-004, AUTH-018) are at the end of this file.
|
|
*/
|
|
import { describe, it, expect, vi, beforeAll, beforeEach, afterAll } from 'vitest';
|
|
import request from 'supertest';
|
|
import type { Application } from 'express';
|
|
import { authenticator } from 'otplib';
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// Step 1: Bare in-memory DB — schema applied in beforeAll after mocks register
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
const { testDb, dbMock } = vi.hoisted(() => {
|
|
const Database = require('better-sqlite3');
|
|
const db = new Database(':memory:');
|
|
db.exec('PRAGMA journal_mode = WAL');
|
|
db.exec('PRAGMA foreign_keys = ON');
|
|
db.exec('PRAGMA busy_timeout = 5000');
|
|
|
|
const mock = {
|
|
db,
|
|
closeDb: () => {},
|
|
reinitialize: () => {},
|
|
getPlaceWithTags: (placeId: number) => {
|
|
const place: any = db.prepare(`
|
|
SELECT p.*, c.name as category_name, c.color as category_color, c.icon as category_icon
|
|
FROM places p LEFT JOIN categories c ON p.category_id = c.id WHERE p.id = ?
|
|
`).get(placeId);
|
|
if (!place) return null;
|
|
const tags = db.prepare(`SELECT t.* FROM tags t JOIN place_tags pt ON t.id = pt.tag_id WHERE pt.place_id = ?`).all(placeId);
|
|
return { ...place, category: place.category_id ? { id: place.category_id, name: place.category_name, color: place.category_color, icon: place.category_icon } : null, tags };
|
|
},
|
|
canAccessTrip: (tripId: any, userId: number) =>
|
|
db.prepare(`SELECT t.id, t.user_id FROM trips t LEFT JOIN trip_members m ON m.trip_id = t.id AND m.user_id = ? WHERE t.id = ? AND (t.user_id = ? OR m.user_id IS NOT NULL)`).get(userId, tripId, userId),
|
|
isOwner: (tripId: any, userId: number) =>
|
|
!!db.prepare('SELECT id FROM trips WHERE id = ? AND user_id = ?').get(tripId, userId),
|
|
};
|
|
|
|
return { testDb: db, dbMock: mock };
|
|
});
|
|
|
|
vi.mock('../../src/db/database', () => dbMock);
|
|
vi.mock('../../src/config', () => ({
|
|
JWT_SECRET: 'test-jwt-secret-for-trek-testing-only',
|
|
ENCRYPTION_KEY: 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6a7b8c9d0e1f2a3b4c5d6a7b8c9d0e1f2',
|
|
updateJwtSecret: () => {},
|
|
}));
|
|
|
|
import { createApp } from '../../src/app';
|
|
import { createTables } from '../../src/db/schema';
|
|
import { runMigrations } from '../../src/db/migrations';
|
|
import { resetTestDb } from '../helpers/test-db';
|
|
import { createUser, createAdmin, createUserWithMfa, createInviteToken, createTrip, createBudgetItem, createJourney, createJourneyEntry, addJourneyContributor, addTripPhoto, createCategory, createTag, createTodoItem, createMcpToken, createBucketListItem, createVisitedCountry, createCollabNote, addTripMember } from '../helpers/factories';
|
|
import { authCookie, authHeader } from '../helpers/auth';
|
|
import { loginAttempts, mfaAttempts } from '../../src/routes/auth';
|
|
|
|
const app: Application = createApp();
|
|
|
|
beforeAll(() => {
|
|
createTables(testDb);
|
|
runMigrations(testDb);
|
|
});
|
|
|
|
beforeEach(() => {
|
|
resetTestDb(testDb);
|
|
// Reset rate limiter state between tests so they don't interfere
|
|
loginAttempts.clear();
|
|
mfaAttempts.clear();
|
|
});
|
|
|
|
afterAll(() => {
|
|
testDb.close();
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// Login
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('Login', () => {
|
|
it('AUTH-001 — successful login returns 200, user object, and trek_session cookie', async () => {
|
|
const { user, password } = createUser(testDb);
|
|
const res = await request(app).post('/api/auth/login').send({ email: user.email, password });
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.user).toBeDefined();
|
|
expect(res.body.user.email).toBe(user.email);
|
|
expect(res.body.user.password_hash).toBeUndefined();
|
|
const cookies: string[] = Array.isArray(res.headers['set-cookie'])
|
|
? res.headers['set-cookie']
|
|
: [res.headers['set-cookie']];
|
|
expect(cookies.some((c: string) => c.includes('trek_session'))).toBe(true);
|
|
});
|
|
|
|
it('AUTH-002 — wrong password returns 401 with generic message', async () => {
|
|
const { user } = createUser(testDb);
|
|
const res = await request(app).post('/api/auth/login').send({ email: user.email, password: 'WrongPass1!' });
|
|
expect(res.status).toBe(401);
|
|
expect(res.body.error).toContain('Invalid email or password');
|
|
});
|
|
|
|
it('AUTH-003 — non-existent email returns 401 with same generic message (no user enumeration)', async () => {
|
|
const res = await request(app).post('/api/auth/login').send({ email: 'nobody@example.com', password: 'SomePass1!' });
|
|
expect(res.status).toBe(401);
|
|
// Must be same message as wrong-password to avoid email enumeration
|
|
expect(res.body.error).toContain('Invalid email or password');
|
|
});
|
|
|
|
it('AUTH-013 — POST /api/auth/logout clears session cookie', async () => {
|
|
const res = await request(app).post('/api/auth/logout');
|
|
expect(res.status).toBe(200);
|
|
const cookies: string[] = Array.isArray(res.headers['set-cookie'])
|
|
? res.headers['set-cookie']
|
|
: (res.headers['set-cookie'] ? [res.headers['set-cookie']] : []);
|
|
const sessionCookie = cookies.find((c: string) => c.includes('trek_session'));
|
|
expect(sessionCookie).toBeDefined();
|
|
expect(sessionCookie).toMatch(/expires=Thu, 01 Jan 1970|Max-Age=0/i);
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// Registration
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('Registration', () => {
|
|
it('AUTH-005 — first user registration creates admin role and returns 201 + cookie', async () => {
|
|
const res = await request(app).post('/api/auth/register').send({
|
|
username: 'firstadmin',
|
|
email: 'admin@example.com',
|
|
password: 'Str0ng!Pass',
|
|
});
|
|
expect(res.status).toBe(201);
|
|
expect(res.body.user.role).toBe('admin');
|
|
const cookies: string[] = Array.isArray(res.headers['set-cookie'])
|
|
? res.headers['set-cookie']
|
|
: [res.headers['set-cookie']];
|
|
expect(cookies.some((c: string) => c.includes('trek_session'))).toBe(true);
|
|
});
|
|
|
|
it('AUTH-006 — registration with weak password is rejected', async () => {
|
|
const res = await request(app).post('/api/auth/register').send({
|
|
username: 'weakpwduser',
|
|
email: 'weak@example.com',
|
|
password: 'short',
|
|
});
|
|
expect(res.status).toBe(400);
|
|
expect(res.body.error).toBeDefined();
|
|
});
|
|
|
|
it('AUTH-007 — registration with common password is rejected', async () => {
|
|
const res = await request(app).post('/api/auth/register').send({
|
|
username: 'commonpwd',
|
|
email: 'common@example.com',
|
|
password: 'Password1', // 'password1' is in the COMMON_PASSWORDS set
|
|
});
|
|
expect(res.status).toBe(400);
|
|
expect(res.body.error).toMatch(/common/i);
|
|
});
|
|
|
|
it('AUTH-008 — registration with duplicate email returns 409', async () => {
|
|
createUser(testDb, { email: 'taken@example.com' });
|
|
const res = await request(app).post('/api/auth/register').send({
|
|
username: 'newuser',
|
|
email: 'taken@example.com',
|
|
password: 'Str0ng!Pass',
|
|
});
|
|
expect(res.status).toBe(409);
|
|
});
|
|
|
|
it('AUTH-009 — registration disabled by admin returns 403', async () => {
|
|
createUser(testDb);
|
|
testDb.prepare("INSERT INTO app_settings (key, value) VALUES ('allow_registration', 'false')").run();
|
|
const res = await request(app).post('/api/auth/register').send({
|
|
username: 'blocked',
|
|
email: 'blocked@example.com',
|
|
password: 'Str0ng!Pass',
|
|
});
|
|
expect(res.status).toBe(403);
|
|
expect(res.body.error).toMatch(/disabled/i);
|
|
});
|
|
|
|
it('AUTH-010 — registration with valid invite token succeeds even when registration disabled', async () => {
|
|
const { user: admin } = createAdmin(testDb);
|
|
testDb.prepare("INSERT INTO app_settings (key, value) VALUES ('allow_registration', 'false')").run();
|
|
const invite = createInviteToken(testDb, { max_uses: 1, created_by: admin.id });
|
|
|
|
const res = await request(app).post('/api/auth/register').send({
|
|
username: 'invited',
|
|
email: 'invited@example.com',
|
|
password: 'Str0ng!Pass',
|
|
invite_token: invite.token,
|
|
});
|
|
expect(res.status).toBe(201);
|
|
|
|
const row = testDb.prepare('SELECT used_count FROM invite_tokens WHERE id = ?').get(invite.id) as { used_count: number };
|
|
expect(row.used_count).toBe(1);
|
|
});
|
|
|
|
it('AUTH-011 — GET /api/auth/invite/:token with expired token returns 410', async () => {
|
|
const { user: admin } = createAdmin(testDb);
|
|
const yesterday = new Date(Date.now() - 86_400_000).toISOString();
|
|
const invite = createInviteToken(testDb, { expires_at: yesterday, created_by: admin.id });
|
|
|
|
const res = await request(app).get(`/api/auth/invite/${invite.token}`);
|
|
expect(res.status).toBe(410);
|
|
expect(res.body.error).toMatch(/expired/i);
|
|
});
|
|
|
|
it('AUTH-012 — GET /api/auth/invite/:token with exhausted token returns 410', async () => {
|
|
const { user: admin } = createAdmin(testDb);
|
|
const invite = createInviteToken(testDb, { max_uses: 1, created_by: admin.id });
|
|
// Mark as exhausted
|
|
testDb.prepare('UPDATE invite_tokens SET used_count = 1 WHERE id = ?').run(invite.id);
|
|
|
|
const res = await request(app).get(`/api/auth/invite/${invite.token}`);
|
|
expect(res.status).toBe(410);
|
|
expect(res.body.error).toMatch(/fully used/i);
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// Registration — whitespace normalization
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('Registration — whitespace normalization', () => {
|
|
it('AUTH-REG-TRIM-1 — username with surrounding whitespace is trimmed before storage', async () => {
|
|
const res = await request(app).post('/api/auth/register').send({
|
|
username: ' trimmeduser ',
|
|
email: 'trimmed@example.com',
|
|
password: 'Str0ng!Pass',
|
|
});
|
|
expect(res.status).toBe(201);
|
|
const row = testDb.prepare('SELECT username FROM users WHERE email = ?').get('trimmed@example.com') as { username: string };
|
|
expect(row.username).toBe('trimmeduser');
|
|
});
|
|
|
|
it('AUTH-REG-TRIM-2 — email with surrounding whitespace is trimmed before storage', async () => {
|
|
const res = await request(app).post('/api/auth/register').send({
|
|
username: 'emailtrimuser',
|
|
email: ' emailtrim@example.com ',
|
|
password: 'Str0ng!Pass',
|
|
});
|
|
expect(res.status).toBe(201);
|
|
const row = testDb.prepare('SELECT email FROM users WHERE username = ?').get('emailtrimuser') as { email: string };
|
|
expect(row.email).toBe('emailtrim@example.com');
|
|
});
|
|
|
|
it('AUTH-REG-TRIM-3 — whitespace-padded username that trims to existing username returns 409', async () => {
|
|
createUser(testDb, { username: 'alice', email: 'alice@example.com' });
|
|
const res = await request(app).post('/api/auth/register').send({
|
|
username: ' alice ',
|
|
email: 'alice2@example.com',
|
|
password: 'Str0ng!Pass',
|
|
});
|
|
expect(res.status).toBe(409);
|
|
});
|
|
|
|
it('AUTH-REG-TRIM-4 — whitespace-padded email that trims to existing email returns 409', async () => {
|
|
createUser(testDb, { username: 'bob', email: 'bob@example.com' });
|
|
const res = await request(app).post('/api/auth/register').send({
|
|
username: 'bob2',
|
|
email: ' bob@example.com ',
|
|
password: 'Str0ng!Pass',
|
|
});
|
|
expect(res.status).toBe(409);
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// Session / Me
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('Session', () => {
|
|
it('AUTH-014 — GET /api/auth/me without session returns 401 AUTH_REQUIRED', async () => {
|
|
const res = await request(app).get('/api/auth/me');
|
|
expect(res.status).toBe(401);
|
|
expect(res.body.code).toBe('AUTH_REQUIRED');
|
|
});
|
|
|
|
it('AUTH-014 — GET /api/auth/me with valid cookie returns safe user object', async () => {
|
|
const { user } = createUser(testDb);
|
|
const res = await request(app).get('/api/auth/me').set('Cookie', authCookie(user.id));
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.user.id).toBe(user.id);
|
|
expect(res.body.user.email).toBe(user.email);
|
|
expect(res.body.user.password_hash).toBeUndefined();
|
|
expect(res.body.user.mfa_secret).toBeUndefined();
|
|
});
|
|
|
|
it('AUTH-021 — user with must_change_password=1 sees the flag in their profile', async () => {
|
|
const { user } = createUser(testDb);
|
|
testDb.prepare('UPDATE users SET must_change_password = 1 WHERE id = ?').run(user.id);
|
|
|
|
const res = await request(app).get('/api/auth/me').set('Cookie', authCookie(user.id));
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.user.must_change_password).toBe(true);
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// App Config (AUTH-028)
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('App config', () => {
|
|
it('AUTH-028 — GET /api/auth/app-config returns expected flags', async () => {
|
|
const res = await request(app).get('/api/auth/app-config');
|
|
expect(res.status).toBe(200);
|
|
expect(res.body).toHaveProperty('allow_registration');
|
|
expect(res.body).toHaveProperty('oidc_configured');
|
|
expect(res.body).toHaveProperty('demo_mode');
|
|
expect(res.body).toHaveProperty('has_users');
|
|
expect(res.body).toHaveProperty('setup_complete');
|
|
});
|
|
|
|
it('AUTH-028 — allow_registration is false after admin disables it', async () => {
|
|
createUser(testDb);
|
|
testDb.prepare("INSERT INTO app_settings (key, value) VALUES ('allow_registration', 'false')").run();
|
|
const res = await request(app).get('/api/auth/app-config');
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.allow_registration).toBe(false);
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// Demo Login (AUTH-022)
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('Demo login', () => {
|
|
it('AUTH-022 — POST /api/auth/demo-login without DEMO_MODE returns 404', async () => {
|
|
delete process.env.DEMO_MODE;
|
|
const res = await request(app).post('/api/auth/demo-login');
|
|
expect(res.status).toBe(404);
|
|
});
|
|
|
|
it('AUTH-022 — POST /api/auth/demo-login with DEMO_MODE and demo user returns 200 + cookie', async () => {
|
|
testDb.prepare(
|
|
"INSERT INTO users (username, email, password_hash, role) VALUES ('demo', 'demo@trek.app', 'x', 'user')"
|
|
).run();
|
|
process.env.DEMO_MODE = 'true';
|
|
try {
|
|
const res = await request(app).post('/api/auth/demo-login');
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.user.email).toBe('demo@trek.app');
|
|
} finally {
|
|
delete process.env.DEMO_MODE;
|
|
}
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// MFA (AUTH-015 to AUTH-019)
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('MFA', () => {
|
|
it('AUTH-015 — POST /api/auth/mfa/setup returns secret and QR data URL', async () => {
|
|
const { user } = createUser(testDb);
|
|
const res = await request(app)
|
|
.post('/api/auth/mfa/setup')
|
|
.set('Cookie', authCookie(user.id));
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.secret).toBeDefined();
|
|
expect(res.body.otpauth_url).toContain('otpauth://');
|
|
expect(res.body.qr_svg).toMatch(/^<svg/);
|
|
});
|
|
|
|
it('AUTH-015 — POST /api/auth/mfa/enable with valid TOTP code enables MFA', async () => {
|
|
const { user } = createUser(testDb);
|
|
|
|
const setupRes = await request(app)
|
|
.post('/api/auth/mfa/setup')
|
|
.set('Cookie', authCookie(user.id));
|
|
expect(setupRes.status).toBe(200);
|
|
|
|
const enableRes = await request(app)
|
|
.post('/api/auth/mfa/enable')
|
|
.set('Cookie', authCookie(user.id))
|
|
.send({ code: authenticator.generate(setupRes.body.secret) });
|
|
expect(enableRes.status).toBe(200);
|
|
expect(enableRes.body.mfa_enabled).toBe(true);
|
|
expect(Array.isArray(enableRes.body.backup_codes)).toBe(true);
|
|
});
|
|
|
|
it('AUTH-016 — login with MFA-enabled account returns mfa_required + mfa_token', async () => {
|
|
const { user, password } = createUserWithMfa(testDb);
|
|
const loginRes = await request(app)
|
|
.post('/api/auth/login')
|
|
.send({ email: user.email, password });
|
|
expect(loginRes.status).toBe(200);
|
|
expect(loginRes.body.mfa_required).toBe(true);
|
|
expect(typeof loginRes.body.mfa_token).toBe('string');
|
|
});
|
|
|
|
it('AUTH-016 — POST /api/auth/mfa/verify-login with valid code completes login', async () => {
|
|
const { user, password, totpSecret } = createUserWithMfa(testDb);
|
|
|
|
const loginRes = await request(app)
|
|
.post('/api/auth/login')
|
|
.send({ email: user.email, password });
|
|
const { mfa_token } = loginRes.body;
|
|
|
|
const verifyRes = await request(app)
|
|
.post('/api/auth/mfa/verify-login')
|
|
.send({ mfa_token, code: authenticator.generate(totpSecret) });
|
|
expect(verifyRes.status).toBe(200);
|
|
expect(verifyRes.body.user).toBeDefined();
|
|
const cookies: string[] = Array.isArray(verifyRes.headers['set-cookie'])
|
|
? verifyRes.headers['set-cookie']
|
|
: [verifyRes.headers['set-cookie']];
|
|
expect(cookies.some((c: string) => c.includes('trek_session'))).toBe(true);
|
|
});
|
|
|
|
it('AUTH-017 — verify-login with invalid TOTP code returns 401', async () => {
|
|
const { user, password } = createUserWithMfa(testDb);
|
|
const loginRes = await request(app)
|
|
.post('/api/auth/login')
|
|
.send({ email: user.email, password });
|
|
|
|
const verifyRes = await request(app)
|
|
.post('/api/auth/mfa/verify-login')
|
|
.send({ mfa_token: loginRes.body.mfa_token, code: '000000' });
|
|
expect(verifyRes.status).toBe(401);
|
|
expect(verifyRes.body.error).toMatch(/invalid/i);
|
|
});
|
|
|
|
it('AUTH-019 — disable MFA with valid password and TOTP code', async () => {
|
|
const { user, password, totpSecret } = createUserWithMfa(testDb);
|
|
|
|
const disableRes = await request(app)
|
|
.post('/api/auth/mfa/disable')
|
|
.set('Cookie', authCookie(user.id))
|
|
.send({ password, code: authenticator.generate(totpSecret) });
|
|
expect(disableRes.status).toBe(200);
|
|
expect(disableRes.body.mfa_enabled).toBe(false);
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// Forced MFA Policy (AUTH-020)
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('Forced MFA policy', () => {
|
|
it('AUTH-020 — non-MFA user is blocked (403 MFA_REQUIRED) when require_mfa is true', async () => {
|
|
const { user } = createUser(testDb);
|
|
testDb.prepare("INSERT INTO app_settings (key, value) VALUES ('require_mfa', 'true')").run();
|
|
|
|
// mfaPolicy checks Authorization: Bearer header
|
|
const res = await request(app).get('/api/trips').set(authHeader(user.id));
|
|
expect(res.status).toBe(403);
|
|
expect(res.body.code).toBe('MFA_REQUIRED');
|
|
});
|
|
|
|
it('AUTH-020 — /api/auth/me and MFA setup endpoints are exempt from require_mfa', async () => {
|
|
const { user } = createUser(testDb);
|
|
testDb.prepare("INSERT INTO app_settings (key, value) VALUES ('require_mfa', 'true')").run();
|
|
|
|
const meRes = await request(app).get('/api/auth/me').set(authHeader(user.id));
|
|
expect(meRes.status).toBe(200);
|
|
|
|
const setupRes = await request(app).post('/api/auth/mfa/setup').set(authHeader(user.id));
|
|
expect(setupRes.status).toBe(200);
|
|
});
|
|
|
|
it('AUTH-020 — MFA-enabled user passes through require_mfa policy', async () => {
|
|
const { user } = createUserWithMfa(testDb);
|
|
testDb.prepare("INSERT INTO app_settings (key, value) VALUES ('require_mfa', 'true')").run();
|
|
|
|
const res = await request(app).get('/api/trips').set(authHeader(user.id));
|
|
expect(res.status).toBe(200);
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// Short-lived tokens (AUTH-029, AUTH-030)
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('Short-lived tokens', () => {
|
|
it('AUTH-029 — POST /api/auth/ws-token returns a single-use token', async () => {
|
|
const { user } = createUser(testDb);
|
|
const res = await request(app)
|
|
.post('/api/auth/ws-token')
|
|
.set('Cookie', authCookie(user.id));
|
|
expect(res.status).toBe(200);
|
|
expect(typeof res.body.token).toBe('string');
|
|
expect(res.body.token.length).toBeGreaterThan(0);
|
|
});
|
|
|
|
it('AUTH-030 — POST /api/auth/resource-token returns a single-use token', async () => {
|
|
const { user } = createUser(testDb);
|
|
const res = await request(app)
|
|
.post('/api/auth/resource-token')
|
|
.set('Cookie', authCookie(user.id))
|
|
.send({ purpose: 'download' });
|
|
expect(res.status).toBe(200);
|
|
expect(typeof res.body.token).toBe('string');
|
|
expect(res.body.token.length).toBeGreaterThan(0);
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// Extended scenarios (AUTH-031 to AUTH-033)
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('Extended auth scenarios', () => {
|
|
it('AUTH-031 — login succeeds with uppercased email (case-insensitive lookup)', async () => {
|
|
const { user, password } = createUser(testDb, { email: 'alice@example.com' });
|
|
|
|
const res = await request(app)
|
|
.post('/api/auth/login')
|
|
.send({ email: 'ALICE@EXAMPLE.COM', password });
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.user).toBeDefined();
|
|
});
|
|
|
|
it('AUTH-032 — registration with duplicate username returns 409', async () => {
|
|
createUser(testDb, { username: 'alice' });
|
|
|
|
const res = await request(app)
|
|
.post('/api/auth/register')
|
|
.send({ username: 'alice', email: 'alice2@example.com', password: 'Str0ng!Pass' });
|
|
expect(res.status).toBe(409);
|
|
});
|
|
|
|
it('AUTH-033 — MFA backup code login succeeds and invalidates the used code', async () => {
|
|
const { hashBackupCode, generateBackupCodes } = await import('../../src/services/authService');
|
|
const { user, password } = createUserWithMfa(testDb);
|
|
|
|
// Generate and store backup codes on the MFA-enabled user
|
|
const backupCodes = generateBackupCodes();
|
|
const backupHashes = backupCodes.map(hashBackupCode);
|
|
testDb.prepare('UPDATE users SET mfa_backup_codes = ? WHERE id = ?')
|
|
.run(JSON.stringify(backupHashes), user.id);
|
|
|
|
// Step 1: login to get mfa_token
|
|
const loginRes = await request(app)
|
|
.post('/api/auth/login')
|
|
.send({ email: user.email, password });
|
|
expect(loginRes.body.mfa_required).toBe(true);
|
|
const { mfa_token } = loginRes.body;
|
|
|
|
// Step 2: verify with a backup code
|
|
const res = await request(app)
|
|
.post('/api/auth/mfa/verify-login')
|
|
.send({ mfa_token, code: backupCodes[0] });
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.user).toBeDefined();
|
|
|
|
// Step 3: same backup code is now consumed — second login attempt fails
|
|
const loginRes2 = await request(app)
|
|
.post('/api/auth/login')
|
|
.send({ email: user.email, password });
|
|
const { mfa_token: mfa_token2 } = loginRes2.body;
|
|
|
|
const res2 = await request(app)
|
|
.post('/api/auth/mfa/verify-login')
|
|
.send({ mfa_token: mfa_token2, code: backupCodes[0] });
|
|
expect(res2.status).toBe(401);
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// Account deletion
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('Account deletion', () => {
|
|
it('AUTH-040 — DELETE /auth/me succeeds when user has FK references', async () => {
|
|
const { user: admin } = createAdmin(testDb);
|
|
const { user: target } = createUser(testDb);
|
|
const { user: otherUser } = createUser(testDb);
|
|
const { user: thirdUser } = createUser(testDb);
|
|
|
|
// trip_members.invited_by: target invited thirdUser to otherUser's trip
|
|
// (trip survives deletion; only invited_by should become NULL)
|
|
const otherTrip = createTrip(testDb, otherUser.id);
|
|
testDb.prepare('INSERT INTO trip_members (trip_id, user_id, invited_by) VALUES (?, ?, ?)').run(otherTrip.id, thirdUser.id, target.id);
|
|
|
|
// share_tokens.created_by: target created a share token for otherUser's trip
|
|
testDb.prepare("INSERT INTO share_tokens (trip_id, token, created_by) VALUES (?, 'tok-auth-test', ?)").run(otherTrip.id, target.id);
|
|
|
|
// budget_items.paid_by_user_id: target paid for an expense on otherUser's trip
|
|
const budgetItem = createBudgetItem(testDb, otherTrip.id);
|
|
testDb.prepare('UPDATE budget_items SET paid_by_user_id = ? WHERE id = ?').run(target.id, budgetItem.id);
|
|
|
|
// journey_contributors: target is a contributor on otherUser's journey
|
|
const otherJourney = createJourney(testDb, otherUser.id);
|
|
addJourneyContributor(testDb, otherJourney.id, target.id);
|
|
|
|
// journey_entries: target authored an entry on otherUser's journey
|
|
createJourneyEntry(testDb, otherJourney.id, target.id);
|
|
|
|
// journey_share_tokens: target created a share token for otherUser's journey
|
|
testDb.prepare("INSERT INTO journey_share_tokens (journey_id, token, created_by) VALUES (?, 'jst-auth-test', ?)").run(otherJourney.id, target.id);
|
|
|
|
// notifications.sender_id (SET NULL): target sent a notification to otherUser
|
|
const sentNotif = testDb.prepare(
|
|
"INSERT INTO notifications (type, scope, target, sender_id, recipient_id, title_key, text_key) VALUES ('simple', 'trip', ?, ?, ?, 'k', 'k')"
|
|
).run(otherTrip.id, target.id, otherUser.id);
|
|
// notifications.recipient_id (CASCADE): otherUser sent a notification to target
|
|
testDb.prepare(
|
|
"INSERT INTO notifications (type, scope, target, sender_id, recipient_id, title_key, text_key) VALUES ('simple', 'trip', ?, ?, ?, 'k', 'k')"
|
|
).run(otherTrip.id, otherUser.id, target.id);
|
|
|
|
// user_notice_dismissals (CASCADE): target dismissed a notice
|
|
testDb.prepare(
|
|
"INSERT INTO user_notice_dismissals (user_id, notice_id, dismissed_at) VALUES (?, 'test-notice', ?)"
|
|
).run(target.id, Date.now());
|
|
|
|
// owned journey: target owns a journey with an entry (cascade-deletes on journey deletion)
|
|
const ownedJourney = createJourney(testDb, target.id);
|
|
createJourneyEntry(testDb, ownedJourney.id, target.id);
|
|
|
|
// trip_files.uploaded_by (SET NULL): target uploaded a file to otherUser's trip
|
|
const fileRow = testDb.prepare(
|
|
"INSERT INTO trip_files (trip_id, filename, original_name, uploaded_by) VALUES (?, 'f.pdf', 'file.pdf', ?)"
|
|
).run(otherTrip.id, target.id);
|
|
|
|
// trek_photos.owner_id (SET NULL): target owns a photo in the central registry
|
|
const trekPhotoRow = testDb.prepare(
|
|
"INSERT INTO trek_photos (provider, asset_id, owner_id) VALUES ('immich', 'asset-auth-test', ?)"
|
|
).run(target.id);
|
|
|
|
// trip_photos.user_id (CASCADE): target added a photo to otherUser's trip
|
|
addTripPhoto(testDb, otherTrip.id, target.id, 'asset-tp-auth', 'immich');
|
|
|
|
// trips.user_id (CASCADE): target owns a trip
|
|
const ownedTrip = createTrip(testDb, target.id);
|
|
|
|
// trip_members.user_id (CASCADE): target is a member of otherUser's trip
|
|
addTripMember(testDb, otherTrip.id, target.id);
|
|
|
|
// categories.user_id (SET NULL): target created a category
|
|
const userCategory = createCategory(testDb, { user_id: target.id });
|
|
|
|
// tags.user_id (CASCADE): target created a tag
|
|
const userTag = createTag(testDb, target.id);
|
|
|
|
// todo_items.assigned_user_id (SET NULL): target is assigned to a todo on otherUser's trip
|
|
const todoItem = createTodoItem(testDb, otherTrip.id);
|
|
testDb.prepare('UPDATE todo_items SET assigned_user_id = ? WHERE id = ?').run(target.id, todoItem.id);
|
|
|
|
// packing_bags.user_id (SET NULL): target owns a packing bag on otherUser's trip
|
|
const packBagRow = testDb.prepare(
|
|
"INSERT INTO packing_bags (trip_id, name, color, user_id) VALUES (?, 'Bag', '#ff0000', ?)"
|
|
).run(otherTrip.id, target.id);
|
|
|
|
// mcp_tokens.user_id (CASCADE): target has an MCP API token
|
|
createMcpToken(testDb, target.id);
|
|
|
|
// oauth_tokens/consents.user_id (CASCADE): target has tokens from otherUser's OAuth client
|
|
testDb.prepare(
|
|
"INSERT INTO oauth_clients (id, user_id, name, client_id, client_secret_hash) VALUES ('cl-auth-test', ?, 'App', 'cid-auth-test', 'h')"
|
|
).run(otherUser.id);
|
|
testDb.prepare(
|
|
"INSERT INTO oauth_tokens (client_id, user_id, access_token_hash, refresh_token_hash, access_token_expires_at, refresh_token_expires_at) VALUES ('cid-auth-test', ?, 'ath-auth', 'rth-auth', datetime('now','+1 hour'), datetime('now','+30 days'))"
|
|
).run(target.id);
|
|
testDb.prepare(
|
|
"INSERT INTO oauth_consents (client_id, user_id) VALUES ('cid-auth-test', ?)"
|
|
).run(target.id);
|
|
|
|
// vacay_plans.owner_id (CASCADE): target owns a vacation plan
|
|
const vacayPlanRow = testDb.prepare("INSERT INTO vacay_plans (owner_id) VALUES (?)").run(target.id);
|
|
|
|
// vacay_plan_members.user_id (CASCADE): target is a member of otherUser's vacay plan
|
|
const otherVacayPlanRow = testDb.prepare("INSERT INTO vacay_plans (owner_id) VALUES (?)").run(otherUser.id);
|
|
testDb.prepare("INSERT INTO vacay_plan_members (plan_id, user_id) VALUES (?, ?)").run(otherVacayPlanRow.lastInsertRowid, target.id);
|
|
|
|
// bucket_list.user_id (CASCADE): target has a bucket list item
|
|
createBucketListItem(testDb, target.id);
|
|
|
|
// visited_countries.user_id (CASCADE): target has visited a country
|
|
createVisitedCountry(testDb, target.id, 'JP');
|
|
|
|
// visited_regions.user_id (CASCADE): target has visited a region
|
|
testDb.prepare(
|
|
"INSERT INTO visited_regions (user_id, region_code, region_name, country_code) VALUES (?, 'JP-13', 'Tokyo', 'JP')"
|
|
).run(target.id);
|
|
|
|
// packing_templates.created_by (CASCADE): target created a packing template
|
|
const packTemplateRow = testDb.prepare(
|
|
"INSERT INTO packing_templates (name, created_by) VALUES ('My Template', ?)"
|
|
).run(target.id);
|
|
|
|
// invite_tokens.created_by (CASCADE): target created an invite token
|
|
createInviteToken(testDb, { created_by: target.id });
|
|
|
|
// collab_notes.user_id (CASCADE): target authored a collab note on otherUser's trip
|
|
createCollabNote(testDb, otherTrip.id, target.id);
|
|
|
|
// settings.user_id (CASCADE): target has a user setting
|
|
testDb.prepare("INSERT INTO settings (user_id, key, value) VALUES (?, 'theme', 'dark')").run(target.id);
|
|
|
|
// password_reset_tokens.user_id (CASCADE): target has a pending password reset
|
|
testDb.prepare(
|
|
"INSERT INTO password_reset_tokens (user_id, token_hash, expires_at) VALUES (?, 'prt-hash-auth', datetime('now','+1 hour'))"
|
|
).run(target.id);
|
|
|
|
// audit_log.user_id (SET NULL): target performed an audited action
|
|
const auditRow = testDb.prepare(
|
|
"INSERT INTO audit_log (user_id, action, ip) VALUES (?, 'test.action', '127.0.0.1')"
|
|
).run(target.id);
|
|
|
|
// notification_channel_preferences.user_id (CASCADE): target has notification preferences
|
|
testDb.prepare("INSERT OR IGNORE INTO notification_channel_preferences (user_id, event_type, channel) VALUES (?, 'trip_invite', 'email')").run(target.id);
|
|
|
|
// admin exists to ensure target (non-admin user) passes the last-admin guard
|
|
void admin;
|
|
|
|
const res = await request(app)
|
|
.delete('/api/auth/me')
|
|
.set('Cookie', authCookie(target.id));
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.success).toBe(true);
|
|
|
|
expect(testDb.prepare('SELECT id FROM users WHERE id = ?').get(target.id)).toBeUndefined();
|
|
// trip_members row survives but invited_by is now NULL
|
|
expect((testDb.prepare('SELECT invited_by FROM trip_members WHERE trip_id = ? AND user_id = ?').get(otherTrip.id, thirdUser.id) as any).invited_by).toBeNull();
|
|
expect(testDb.prepare('SELECT id FROM share_tokens WHERE created_by = ?').get(target.id)).toBeUndefined();
|
|
expect((testDb.prepare('SELECT paid_by_user_id FROM budget_items WHERE id = ?').get(budgetItem.id) as any).paid_by_user_id).toBeNull();
|
|
expect(testDb.prepare('SELECT user_id FROM journey_contributors WHERE journey_id = ? AND user_id = ?').get(otherJourney.id, target.id)).toBeUndefined();
|
|
expect(testDb.prepare('SELECT id FROM journey_entries WHERE author_id = ?').get(target.id)).toBeUndefined();
|
|
expect(testDb.prepare('SELECT id FROM journey_share_tokens WHERE created_by = ?').get(target.id)).toBeUndefined();
|
|
// sent notification survives but sender_id becomes NULL
|
|
expect((testDb.prepare('SELECT sender_id FROM notifications WHERE id = ?').get(sentNotif.lastInsertRowid) as any).sender_id).toBeNull();
|
|
// received notification is cascade-deleted
|
|
expect(testDb.prepare('SELECT id FROM notifications WHERE recipient_id = ?').get(target.id)).toBeUndefined();
|
|
// notice dismissals are cascade-deleted
|
|
expect(testDb.prepare("SELECT user_id FROM user_notice_dismissals WHERE user_id = ? AND notice_id = 'test-notice'").get(target.id)).toBeUndefined();
|
|
// owned journey and its entries are cascade-deleted
|
|
expect(testDb.prepare('SELECT id FROM journeys WHERE user_id = ?').get(target.id)).toBeUndefined();
|
|
expect(testDb.prepare('SELECT id FROM journey_entries WHERE journey_id = ?').get(ownedJourney.id)).toBeUndefined();
|
|
// uploaded file survives but uploaded_by is now NULL
|
|
expect((testDb.prepare('SELECT uploaded_by FROM trip_files WHERE id = ?').get(fileRow.lastInsertRowid) as any).uploaded_by).toBeNull();
|
|
// trek_photos row survives but owner_id is now NULL
|
|
expect((testDb.prepare('SELECT owner_id FROM trek_photos WHERE id = ?').get(trekPhotoRow.lastInsertRowid) as any).owner_id).toBeNull();
|
|
// trip_photos row for target is cascade-deleted
|
|
expect(testDb.prepare("SELECT id FROM trip_photos WHERE trip_id = ? AND user_id = ?").get(otherTrip.id, target.id)).toBeUndefined();
|
|
// owned trip is cascade-deleted
|
|
expect(testDb.prepare('SELECT id FROM trips WHERE id = ?').get(ownedTrip.id)).toBeUndefined();
|
|
// trip membership on others' trips is removed
|
|
expect(testDb.prepare('SELECT id FROM trip_members WHERE trip_id = ? AND user_id = ?').get(otherTrip.id, target.id)).toBeUndefined();
|
|
// category survives but user_id is NULL
|
|
expect((testDb.prepare('SELECT user_id FROM categories WHERE id = ?').get(userCategory.id) as any).user_id).toBeNull();
|
|
// tag is deleted
|
|
expect(testDb.prepare('SELECT id FROM tags WHERE id = ?').get(userTag.id)).toBeUndefined();
|
|
// todo assigned_user_id is NULL
|
|
expect((testDb.prepare('SELECT assigned_user_id FROM todo_items WHERE id = ?').get(todoItem.id) as any).assigned_user_id).toBeNull();
|
|
// packing bag survives but user_id is NULL
|
|
expect((testDb.prepare('SELECT user_id FROM packing_bags WHERE id = ?').get(packBagRow.lastInsertRowid) as any).user_id).toBeNull();
|
|
// MCP tokens are deleted
|
|
expect(testDb.prepare('SELECT id FROM mcp_tokens WHERE user_id = ?').get(target.id)).toBeUndefined();
|
|
// OAuth tokens and consents are deleted
|
|
expect(testDb.prepare('SELECT id FROM oauth_tokens WHERE user_id = ?').get(target.id)).toBeUndefined();
|
|
expect(testDb.prepare('SELECT id FROM oauth_consents WHERE user_id = ?').get(target.id)).toBeUndefined();
|
|
// owned vacay plan is deleted
|
|
expect(testDb.prepare('SELECT id FROM vacay_plans WHERE id = ?').get(vacayPlanRow.lastInsertRowid)).toBeUndefined();
|
|
// vacay plan membership on others' plans is removed
|
|
expect(testDb.prepare('SELECT id FROM vacay_plan_members WHERE plan_id = ? AND user_id = ?').get(otherVacayPlanRow.lastInsertRowid, target.id)).toBeUndefined();
|
|
// bucket list items are deleted
|
|
expect(testDb.prepare('SELECT id FROM bucket_list WHERE user_id = ?').get(target.id)).toBeUndefined();
|
|
// travel history is deleted
|
|
expect(testDb.prepare('SELECT user_id FROM visited_countries WHERE user_id = ? AND country_code = ?').get(target.id, 'JP')).toBeUndefined();
|
|
expect(testDb.prepare('SELECT id FROM visited_regions WHERE user_id = ?').get(target.id)).toBeUndefined();
|
|
// packing template is deleted
|
|
expect(testDb.prepare('SELECT id FROM packing_templates WHERE id = ?').get(packTemplateRow.lastInsertRowid)).toBeUndefined();
|
|
// invite tokens created by target are deleted
|
|
expect(testDb.prepare('SELECT id FROM invite_tokens WHERE created_by = ?').get(target.id)).toBeUndefined();
|
|
// collab content is deleted
|
|
expect(testDb.prepare('SELECT id FROM collab_notes WHERE user_id = ? AND trip_id = ?').get(target.id, otherTrip.id)).toBeUndefined();
|
|
// user settings are deleted
|
|
expect(testDb.prepare("SELECT id FROM settings WHERE user_id = ?").get(target.id)).toBeUndefined();
|
|
// password reset tokens are deleted
|
|
expect(testDb.prepare('SELECT id FROM password_reset_tokens WHERE user_id = ?').get(target.id)).toBeUndefined();
|
|
// audit log entry survives but user_id is NULL
|
|
expect((testDb.prepare('SELECT user_id FROM audit_log WHERE id = ?').get(auditRow.lastInsertRowid) as any).user_id).toBeNull();
|
|
// notification channel preferences are deleted
|
|
expect(testDb.prepare("SELECT user_id FROM notification_channel_preferences WHERE user_id = ? AND event_type = 'trip_invite'").get(target.id)).toBeUndefined();
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// Rate limiting (AUTH-004, AUTH-018) — placed last
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('Rate limiting', () => {
|
|
it('AUTH-004 — login endpoint rate-limits after 10 attempts from the same IP', async () => {
|
|
// beforeEach has cleared loginAttempts; we fill up exactly to the limit
|
|
let lastStatus = 0;
|
|
for (let i = 0; i <= 10; i++) {
|
|
const res = await request(app)
|
|
.post('/api/auth/login')
|
|
.send({ email: 'ratelimit@example.com', password: 'wrong' });
|
|
lastStatus = res.status;
|
|
if (lastStatus === 429) break;
|
|
}
|
|
expect(lastStatus).toBe(429);
|
|
});
|
|
|
|
it('AUTH-018 — MFA verify-login endpoint rate-limits after 5 attempts', async () => {
|
|
let lastStatus = 0;
|
|
for (let i = 0; i <= 5; i++) {
|
|
const res = await request(app)
|
|
.post('/api/auth/mfa/verify-login')
|
|
.send({ mfa_token: 'badtoken', code: '000000' });
|
|
lastStatus = res.status;
|
|
if (lastStatus === 429) break;
|
|
}
|
|
expect(lastStatus).toBe(429);
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// MCP token management (AUTH-034 to AUTH-039)
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('MCP token management', () => {
|
|
it('AUTH-034 — GET /auth/mcp-tokens returns empty list initially', async () => {
|
|
const { user } = createUser(testDb);
|
|
const res = await request(app)
|
|
.get('/api/auth/mcp-tokens')
|
|
.set('Cookie', authCookie(user.id));
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.tokens).toEqual([]);
|
|
});
|
|
|
|
it('AUTH-035 — POST /auth/mcp-tokens creates a token', async () => {
|
|
const { user } = createUser(testDb);
|
|
const res = await request(app)
|
|
.post('/api/auth/mcp-tokens')
|
|
.set('Cookie', authCookie(user.id))
|
|
.send({ name: 'my-token' });
|
|
expect(res.status).toBe(201);
|
|
expect(res.body.token).toBeDefined();
|
|
expect(typeof res.body.token.raw_token).toBe('string');
|
|
});
|
|
|
|
it('AUTH-036 — POST /auth/mcp-tokens without name returns 400', async () => {
|
|
const { user } = createUser(testDb);
|
|
const res = await request(app)
|
|
.post('/api/auth/mcp-tokens')
|
|
.set('Cookie', authCookie(user.id))
|
|
.send({});
|
|
expect(res.status).toBe(400);
|
|
});
|
|
|
|
it('AUTH-037 — DELETE /auth/mcp-tokens/:id deletes the token', async () => {
|
|
const { user } = createUser(testDb);
|
|
const createRes = await request(app)
|
|
.post('/api/auth/mcp-tokens')
|
|
.set('Cookie', authCookie(user.id))
|
|
.send({ name: 'to-delete' });
|
|
expect(createRes.status).toBe(201);
|
|
const tokenId = createRes.body.token.id;
|
|
|
|
const delRes = await request(app)
|
|
.delete(`/api/auth/mcp-tokens/${tokenId}`)
|
|
.set('Cookie', authCookie(user.id));
|
|
expect(delRes.status).toBe(200);
|
|
expect(delRes.body.success).toBe(true);
|
|
|
|
const listRes = await request(app)
|
|
.get('/api/auth/mcp-tokens')
|
|
.set('Cookie', authCookie(user.id));
|
|
expect(listRes.body.tokens).toEqual([]);
|
|
});
|
|
|
|
it('AUTH-038 — DELETE /auth/mcp-tokens/:id returns 404 for non-existent', async () => {
|
|
const { user } = createUser(testDb);
|
|
const res = await request(app)
|
|
.delete('/api/auth/mcp-tokens/99999')
|
|
.set('Cookie', authCookie(user.id));
|
|
expect(res.status).toBe(404);
|
|
});
|
|
|
|
it('AUTH-039 — unauthenticated GET /auth/mcp-tokens returns 401', async () => {
|
|
const res = await request(app).get('/api/auth/mcp-tokens');
|
|
expect(res.status).toBe(401);
|
|
});
|
|
});
|