jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ghostguild-org/tests/server/api/auth-login.test.js

203 lines
6.1 KiB
JavaScript
Raw Blame History

import { describe, it, expect, vi, beforeEach } from 'vitest'
import Member from '../../../server/models/member.js'
import loginHandler from '../../../server/api/auth/login.post.js'
import { resetRateLimit } from '../../../server/utils/rateLimit.js'
import { createMockEvent } from '../helpers/createMockEvent.js'
vi.mock('../../../server/models/member.js', () => ({
default: { findOne: vi.fn(), findByIdAndUpdate: vi.fn() }
}))
vi.mock('../../../server/utils/mongoose.js', () => ({
connectDB: vi.fn()
}))
vi.mock('jsonwebtoken', () => ({
default: { sign: vi.fn().mockReturnValue('mock-jwt-token') }
}))
vi.mock('resend', () => ({
Resend: class MockResend {
constructor() {
this.emails = { send: vi.fn().mockResolvedValue({ id: 'email-123' }) }
}
}
}))
describe('auth login endpoint', () => {
beforeEach(() => {
vi.clearAllMocks()
resetRateLimit()
})
it('returns generic success message for existing member', async () => {
Member.findOne.mockResolvedValue({
_id: 'member-123',
email: 'exists@example.com'
})
const event = createMockEvent({
method: 'POST',
path: '/api/auth/login',
body: { email: 'exists@example.com' },
headers: { host: 'localhost:3000' }
})
const result = await loginHandler(event)
expect(result).toEqual({
success: true,
message: "If this email is registered, we've sent a login link."
})
})
it('returns identical response for non-existing member (anti-enumeration)', async () => {
Member.findOne.mockResolvedValue(null)
const event = createMockEvent({
method: 'POST',
path: '/api/auth/login',
body: { email: 'nonexistent@example.com' },
headers: { host: 'localhost:3000' }
})
const result = await loginHandler(event)
expect(result).toEqual({
success: true,
message: "If this email is registered, we've sent a login link."
})
})
it('both existing and non-existing produce same shape and message', async () => {
// Existing member
Member.findOne.mockResolvedValue({ _id: 'member-123', email: 'a@b.com' })
const event1 = createMockEvent({
method: 'POST',
path: '/api/auth/login',
body: { email: 'a@b.com' },
headers: { host: 'localhost:3000' }
})
const result1 = await loginHandler(event1)
vi.clearAllMocks()
// Non-existing member
Member.findOne.mockResolvedValue(null)
const event2 = createMockEvent({
method: 'POST',
path: '/api/auth/login',
body: { email: 'nobody@example.com' },
headers: { host: 'localhost:3000' }
})
const result2 = await loginHandler(event2)
// Response shape and message must be identical
expect(Object.keys(result1).sort()).toEqual(Object.keys(result2).sort())
expect(result1.success).toBe(result2.success)
expect(result1.message).toBe(result2.message)
})
it('throws 400 when email is missing from body', async () => {
const event = createMockEvent({
method: 'POST',
path: '/api/auth/login',
body: {},
headers: { host: 'localhost:3000' }
})
await expect(loginHandler(event)).rejects.toMatchObject({
statusCode: 400,
statusMessage: 'Validation failed'
})
})
describe('rate limiting', () => {
it('allows up to 5 login attempts from a single IP', async () => {
Member.findOne.mockResolvedValue({ _id: 'member-123', email: 'ok@example.com' })
// 5 calls succeed (each with a unique email so we don't hit email limit)
for (let i = 0; i < 5; i++) {
const event = createMockEvent({
method: 'POST',
path: '/api/auth/login',
body: { email: `u${i}@example.com` },
headers: { host: 'localhost:3000' },
remoteAddress: '10.0.0.1'
})
const result = await loginHandler(event)
expect(result.success).toBe(true)
}
})
it('rate-limits a single IP after 5 login attempts', async () => {
Member.findOne.mockResolvedValue({ _id: 'member-123', email: 'ok@example.com' })
for (let i = 0; i < 5; i++) {
const event = createMockEvent({
method: 'POST',
path: '/api/auth/login',
body: { email: `u${i}@example.com` },
headers: { host: 'localhost:3000' },
remoteAddress: '10.0.0.1'
})
await loginHandler(event)
}
const event = createMockEvent({
method: 'POST',
path: '/api/auth/login',
body: { email: 'u6@example.com' },
headers: { host: 'localhost:3000' },
remoteAddress: '10.0.0.1'
})
await expect(loginHandler(event)).rejects.toMatchObject({
statusCode: 429
})
})
it('allows up to 3 login attempts for a single email', async () => {
Member.findOne.mockResolvedValue({ _id: 'member-123', email: 'shared@example.com' })
// 3 calls from different IPs succeed
for (let i = 0; i < 3; i++) {
const event = createMockEvent({
method: 'POST',
path: '/api/auth/login',
body: { email: 'shared@example.com' },
headers: { host: 'localhost:3000' },
remoteAddress: `10.0.0.${i + 10}`
})
const result = await loginHandler(event)
expect(result.success).toBe(true)
}
})
it('rate-limits a single email after 3 login attempts (different IPs)', async () => {
Member.findOne.mockResolvedValue({ _id: 'member-123', email: 'shared@example.com' })
for (let i = 0; i < 3; i++) {
const event = createMockEvent({
method: 'POST',
path: '/api/auth/login',
body: { email: 'shared@example.com' },
headers: { host: 'localhost:3000' },
remoteAddress: `10.0.0.${i + 10}`
})
await loginHandler(event)
}
const event = createMockEvent({
method: 'POST',
path: '/api/auth/login',
body: { email: 'shared@example.com' },
headers: { host: 'localhost:3000' },
remoteAddress: '10.0.0.99'
})
await expect(loginHandler(event)).rejects.toMatchObject({
statusCode: 429
})
})
})
})
Reference in a new issue View git blame Copy permalink