import { describe, it, expect, vi, beforeEach } from 'vitest' import Member from '../../../server/models/member.js' import loginHandler from '../../../server/api/auth/login.post.js' import { resetRateLimit } from '../../../server/utils/rateLimit.js' import { createMockEvent } from '../helpers/createMockEvent.js' vi.mock('../../../server/models/member.js', () => ({ default: { findOne: vi.fn(), findByIdAndUpdate: vi.fn() } })) vi.mock('../../../server/utils/mongoose.js', () => ({ connectDB: vi.fn() })) vi.mock('jsonwebtoken', () => ({ default: { sign: vi.fn().mockReturnValue('mock-jwt-token') } })) vi.mock('resend', () => ({ Resend: class MockResend { constructor() { this.emails = { send: vi.fn().mockResolvedValue({ id: 'email-123' }) } } } })) describe('auth login endpoint', () => { beforeEach(() => { vi.clearAllMocks() resetRateLimit() }) it('returns generic success message for existing member', async () => { Member.findOne.mockResolvedValue({ _id: 'member-123', email: 'exists@example.com' }) const event = createMockEvent({ method: 'POST', path: '/api/auth/login', body: { email: 'exists@example.com' }, headers: { host: 'localhost:3000' } }) const result = await loginHandler(event) expect(result).toEqual({ success: true, message: "If this email is registered, we've sent a login link." }) }) it('returns identical response for non-existing member (anti-enumeration)', async () => { Member.findOne.mockResolvedValue(null) const event = createMockEvent({ method: 'POST', path: '/api/auth/login', body: { email: 'nonexistent@example.com' }, headers: { host: 'localhost:3000' } }) const result = await loginHandler(event) expect(result).toEqual({ success: true, message: "If this email is registered, we've sent a login link." }) }) it('both existing and non-existing produce same shape and message', async () => { // Existing member Member.findOne.mockResolvedValue({ _id: 'member-123', email: 'a@b.com' }) const event1 = createMockEvent({ method: 'POST', path: '/api/auth/login', body: { email: 'a@b.com' }, headers: { host: 'localhost:3000' } }) const result1 = await loginHandler(event1) vi.clearAllMocks() // Non-existing member Member.findOne.mockResolvedValue(null) const event2 = createMockEvent({ method: 'POST', path: '/api/auth/login', body: { email: 'nobody@example.com' }, headers: { host: 'localhost:3000' } }) const result2 = await loginHandler(event2) // Response shape and message must be identical expect(Object.keys(result1).sort()).toEqual(Object.keys(result2).sort()) expect(result1.success).toBe(result2.success) expect(result1.message).toBe(result2.message) }) it('throws 400 when email is missing from body', async () => { const event = createMockEvent({ method: 'POST', path: '/api/auth/login', body: {}, headers: { host: 'localhost:3000' } }) await expect(loginHandler(event)).rejects.toMatchObject({ statusCode: 400, statusMessage: 'Validation failed' }) }) describe('rate limiting', () => { it('allows up to 5 login attempts from a single IP', async () => { Member.findOne.mockResolvedValue({ _id: 'member-123', email: 'ok@example.com' }) // 5 calls succeed (each with a unique email so we don't hit email limit) for (let i = 0; i < 5; i++) { const event = createMockEvent({ method: 'POST', path: '/api/auth/login', body: { email: `u${i}@example.com` }, headers: { host: 'localhost:3000' }, remoteAddress: '10.0.0.1' }) const result = await loginHandler(event) expect(result.success).toBe(true) } }) it('rate-limits a single IP after 5 login attempts', async () => { Member.findOne.mockResolvedValue({ _id: 'member-123', email: 'ok@example.com' }) for (let i = 0; i < 5; i++) { const event = createMockEvent({ method: 'POST', path: '/api/auth/login', body: { email: `u${i}@example.com` }, headers: { host: 'localhost:3000' }, remoteAddress: '10.0.0.1' }) await loginHandler(event) } const event = createMockEvent({ method: 'POST', path: '/api/auth/login', body: { email: 'u6@example.com' }, headers: { host: 'localhost:3000' }, remoteAddress: '10.0.0.1' }) await expect(loginHandler(event)).rejects.toMatchObject({ statusCode: 429 }) }) it('allows up to 3 login attempts for a single email', async () => { Member.findOne.mockResolvedValue({ _id: 'member-123', email: 'shared@example.com' }) // 3 calls from different IPs succeed for (let i = 0; i < 3; i++) { const event = createMockEvent({ method: 'POST', path: '/api/auth/login', body: { email: 'shared@example.com' }, headers: { host: 'localhost:3000' }, remoteAddress: `10.0.0.${i + 10}` }) const result = await loginHandler(event) expect(result.success).toBe(true) } }) it('rate-limits a single email after 3 login attempts (different IPs)', async () => { Member.findOne.mockResolvedValue({ _id: 'member-123', email: 'shared@example.com' }) for (let i = 0; i < 3; i++) { const event = createMockEvent({ method: 'POST', path: '/api/auth/login', body: { email: 'shared@example.com' }, headers: { host: 'localhost:3000' }, remoteAddress: `10.0.0.${i + 10}` }) await loginHandler(event) } const event = createMockEvent({ method: 'POST', path: '/api/auth/login', body: { email: 'shared@example.com' }, headers: { host: 'localhost:3000' }, remoteAddress: '10.0.0.99' }) await expect(loginHandler(event)).rejects.toMatchObject({ statusCode: 429 }) }) }) })