jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ghostguild-org/tests/server/api/auth-verify.test.js

382 lines
11 KiB
JavaScript
Raw Blame History

import { describe, it, expect, vi, beforeEach } from 'vitest'
import jwt from 'jsonwebtoken'
import Member from '../../../server/models/member.js'
import verifyHandler from '../../../server/api/auth/verify.post.js'
import { resetRateLimit } from '../../../server/utils/rateLimit.js'
import { createMockEvent } from '../helpers/createMockEvent.js'
vi.mock('../../../server/models/member.js', () => ({
default: { findById: vi.fn(), findByIdAndUpdate: vi.fn() }
}))
vi.mock('../../../server/utils/mongoose.js', () => ({
connectDB: vi.fn()
}))
vi.mock('jsonwebtoken', () => ({
default: {
verify: vi.fn(),
sign: vi.fn().mockReturnValue('mock-session-token')
}
}))
const baseMember = {
_id: 'member-123',
email: 'test@example.com',
status: 'active',
role: 'member',
magicLinkJti: 'jti-abc',
magicLinkJtiUsed: false,
tokenVersion: 1
}
describe('auth verify endpoint', () => {
beforeEach(() => {
vi.clearAllMocks()
resetRateLimit()
})
it('rejects missing token with 400', async () => {
const event = createMockEvent({
method: 'POST',
path: '/api/auth/verify',
body: {}
})
await expect(verifyHandler(event)).rejects.toMatchObject({
statusCode: 400,
statusMessage: 'Validation failed'
})
})
it('rejects non-string number token with 400 before jwt.verify', async () => {
const event = createMockEvent({
method: 'POST',
path: '/api/auth/verify',
body: { token: 123 }
})
await expect(verifyHandler(event)).rejects.toMatchObject({
statusCode: 400,
statusMessage: 'Validation failed'
})
expect(jwt.verify).not.toHaveBeenCalled()
})
it('rejects non-string boolean token with 400 before jwt.verify', async () => {
const event = createMockEvent({
method: 'POST',
path: '/api/auth/verify',
body: { token: true }
})
await expect(verifyHandler(event)).rejects.toMatchObject({
statusCode: 400,
statusMessage: 'Validation failed'
})
expect(jwt.verify).not.toHaveBeenCalled()
})
it('rejects empty string token with 400 before jwt.verify', async () => {
const event = createMockEvent({
method: 'POST',
path: '/api/auth/verify',
body: { token: '' }
})
await expect(verifyHandler(event)).rejects.toMatchObject({
statusCode: 400,
statusMessage: 'Validation failed'
})
expect(jwt.verify).not.toHaveBeenCalled()
})
it('rejects oversized token (>2000 chars) with 400 before jwt.verify', async () => {
const event = createMockEvent({
method: 'POST',
path: '/api/auth/verify',
body: { token: 'x'.repeat(2001) }
})
await expect(verifyHandler(event)).rejects.toMatchObject({
statusCode: 400,
statusMessage: 'Validation failed'
})
expect(jwt.verify).not.toHaveBeenCalled()
})
it('rejects null body with 400 before jwt.verify', async () => {
const event = createMockEvent({
method: 'POST',
path: '/api/auth/verify',
body: null
})
await expect(verifyHandler(event)).rejects.toMatchObject({
statusCode: 400,
statusMessage: 'Validation failed'
})
expect(jwt.verify).not.toHaveBeenCalled()
})
it('rejects unknown extra keys with 400 before jwt.verify (strict mode)', async () => {
const event = createMockEvent({
method: 'POST',
path: '/api/auth/verify',
body: { token: 'valid-token', email: 'extra@example.com' }
})
await expect(verifyHandler(event)).rejects.toMatchObject({
statusCode: 400,
statusMessage: 'Validation failed'
})
expect(jwt.verify).not.toHaveBeenCalled()
})
it('rejects invalid JWT with 401', async () => {
jwt.verify.mockImplementation(() => { throw new Error('invalid') })
const event = createMockEvent({
method: 'POST',
path: '/api/auth/verify',
body: { token: 'bad-token' }
})
await expect(verifyHandler(event)).rejects.toMatchObject({
statusCode: 401,
statusMessage: 'Invalid or expired token'
})
})
it('rejects when member not found with 401', async () => {
jwt.verify.mockReturnValue({ memberId: 'nonexistent', jti: 'jti-abc' })
Member.findById.mockResolvedValue(null)
const event = createMockEvent({
method: 'POST',
path: '/api/auth/verify',
body: { token: 'valid-token' }
})
await expect(verifyHandler(event)).rejects.toMatchObject({
statusCode: 401,
statusMessage: 'Invalid or expired token'
})
})
it('rejects suspended member with 403', async () => {
jwt.verify.mockReturnValue({ memberId: 'member-123', jti: 'jti-abc' })
Member.findById.mockResolvedValue({ ...baseMember, status: 'suspended' })
const event = createMockEvent({
method: 'POST',
path: '/api/auth/verify',
body: { token: 'valid-token' }
})
await expect(verifyHandler(event)).rejects.toMatchObject({
statusCode: 403,
statusMessage: 'Account is suspended'
})
})
it('rejects cancelled member with 403', async () => {
jwt.verify.mockReturnValue({ memberId: 'member-123', jti: 'jti-abc' })
Member.findById.mockResolvedValue({ ...baseMember, status: 'cancelled' })
const event = createMockEvent({
method: 'POST',
path: '/api/auth/verify',
body: { token: 'valid-token' }
})
await expect(verifyHandler(event)).rejects.toMatchObject({
statusCode: 403,
statusMessage: 'Account is cancelled'
})
})
it('rejects JTI mismatch with 401', async () => {
jwt.verify.mockReturnValue({ memberId: 'member-123', jti: 'wrong-jti' })
Member.findById.mockResolvedValue({ ...baseMember })
const event = createMockEvent({
method: 'POST',
path: '/api/auth/verify',
body: { token: 'valid-token' }
})
await expect(verifyHandler(event)).rejects.toMatchObject({
statusCode: 401,
statusMessage: 'Invalid or expired token'
})
})
it('rejects already-used JTI with 401', async () => {
jwt.verify.mockReturnValue({ memberId: 'member-123', jti: 'jti-abc' })
Member.findById.mockResolvedValue({ ...baseMember, magicLinkJtiUsed: true })
const event = createMockEvent({
method: 'POST',
path: '/api/auth/verify',
body: { token: 'valid-token' }
})
await expect(verifyHandler(event)).rejects.toMatchObject({
statusCode: 401,
statusMessage: 'Invalid or expired token'
})
})
it('burns token atomically via findByIdAndUpdate', async () => {
jwt.verify.mockReturnValue({ memberId: 'member-123', jti: 'jti-abc' })
Member.findById.mockResolvedValue({ ...baseMember })
Member.findByIdAndUpdate.mockResolvedValue({})
const event = createMockEvent({
method: 'POST',
path: '/api/auth/verify',
body: { token: 'valid-token' }
})
await verifyHandler(event)
expect(Member.findByIdAndUpdate).toHaveBeenCalledWith(
'member-123',
{ $set: { magicLinkJtiUsed: true, lastLogin: expect.any(Date) } },
{ runValidators: false }
)
})
it('sets httpOnly session cookie with correct attributes', async () => {
jwt.verify.mockReturnValue({ memberId: 'member-123', jti: 'jti-abc' })
Member.findById.mockResolvedValue({ ...baseMember })
Member.findByIdAndUpdate.mockResolvedValue({})
const event = createMockEvent({
method: 'POST',
path: '/api/auth/verify',
body: { token: 'valid-token' }
})
await verifyHandler(event)
const setCookieHeader = event._testSetHeaders['set-cookie']
expect(setCookieHeader).toBeDefined()
const cookie = Array.isArray(setCookieHeader) ? setCookieHeader.join('; ') : setCookieHeader
expect(cookie).toContain('auth-token=mock-session-token')
expect(cookie).toContain('HttpOnly')
expect(cookie).toContain('SameSite=Lax')
expect(cookie).toContain('Path=/')
expect(cookie).toContain('Max-Age=604800')
})
it('returns admin redirect for admin role', async () => {
jwt.verify.mockReturnValue({ memberId: 'member-123', jti: 'jti-abc' })
Member.findById.mockResolvedValue({ ...baseMember, role: 'admin' })
Member.findByIdAndUpdate.mockResolvedValue({})
const event = createMockEvent({
method: 'POST',
path: '/api/auth/verify',
body: { token: 'valid-token' }
})
const result = await verifyHandler(event)
expect(result).toEqual({ success: true, redirectUrl: '/admin' })
})
it('returns member redirect for non-admin role', async () => {
jwt.verify.mockReturnValue({ memberId: 'member-123', jti: 'jti-abc' })
Member.findById.mockResolvedValue({ ...baseMember })
Member.findByIdAndUpdate.mockResolvedValue({})
const event = createMockEvent({
method: 'POST',
path: '/api/auth/verify',
body: { token: 'valid-token' }
})
const result = await verifyHandler(event)
expect(result).toEqual({ success: true, redirectUrl: '/member/dashboard' })
})
describe('rate limiting', () => {
it('allows up to 5 verify attempts from a single IP', async () => {
jwt.verify.mockImplementation(() => { throw new Error('invalid') })
// 5 calls reach jwt.verify (and fail with 401, but not 429)
for (let i = 0; i < 5; i++) {
const event = createMockEvent({
method: 'POST',
path: '/api/auth/verify',
body: { token: 'bad-token' },
remoteAddress: '10.0.0.1'
})
await expect(verifyHandler(event)).rejects.toMatchObject({
statusCode: 401
})
}
expect(jwt.verify).toHaveBeenCalledTimes(5)
})
it('rate-limits a single IP after 5 verify attempts', async () => {
jwt.verify.mockImplementation(() => { throw new Error('invalid') })
for (let i = 0; i < 5; i++) {
const event = createMockEvent({
method: 'POST',
path: '/api/auth/verify',
body: { token: 'bad-token' },
remoteAddress: '10.0.0.1'
})
await expect(verifyHandler(event)).rejects.toMatchObject({
statusCode: 401
})
}
const event = createMockEvent({
method: 'POST',
path: '/api/auth/verify',
body: { token: 'bad-token' },
remoteAddress: '10.0.0.1'
})
await expect(verifyHandler(event)).rejects.toMatchObject({
statusCode: 429
})
// Rate limit fires before jwt.verify on the 6th call
expect(jwt.verify).toHaveBeenCalledTimes(5)
})
it('does not block different IPs (per-IP keying)', async () => {
jwt.verify.mockImplementation(() => { throw new Error('invalid') })
for (let i = 0; i < 5; i++) {
const event = createMockEvent({
method: 'POST',
path: '/api/auth/verify',
body: { token: 'bad-token' },
remoteAddress: '10.0.0.1'
})
await expect(verifyHandler(event)).rejects.toMatchObject({
statusCode: 401
})
}
// A different IP should still be allowed.
const event = createMockEvent({
method: 'POST',
path: '/api/auth/verify',
body: { token: 'bad-token' },
remoteAddress: '10.0.0.2'
})
await expect(verifyHandler(event)).rejects.toMatchObject({
statusCode: 401
})
})
})
})
Reference in a new issue View git blame Copy permalink