Initial commit: DashCaddy v1.0

Full codebase including API server (32 modules + routes), dashboard frontend,
DashCA certificate distribution, installer script, and deployment skills.

dashcaddy-api/__tests__/auth.test.js

@@ -0,0 +1,127 @@
+/**
+ * Auth Route Tests
+ *
+ * Tests TOTP configuration, session management, and SSO auth gate
+ */
+
+const request = require('supertest');
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const testServicesFile = path.join(os.tmpdir(), `auth-services-${Date.now()}.json`);
+const testConfigFile = path.join(os.tmpdir(), `auth-config-${Date.now()}.json`);
+
+process.env.SERVICES_FILE = testServicesFile;
+process.env.CONFIG_FILE = testConfigFile;
+process.env.ENABLE_HEALTH_CHECKER = 'false';
+process.env.NODE_ENV = 'test';
+
+fs.writeFileSync(testServicesFile, '[]', 'utf8');
+fs.writeFileSync(testConfigFile, '{}', 'utf8');
+
+const app = require('../server');
+
+describe('Auth Routes', () => {
+  afterAll(() => {
+    try { fs.unlinkSync(testServicesFile); } catch (e) { /* ignore */ }
+    try { fs.unlinkSync(testConfigFile); } catch (e) { /* ignore */ }
+  });
+
+  describe('GET /api/totp/config', () => {
+    test('should return TOTP configuration', async () => {
+      const res = await request(app).get('/api/totp/config');
+
+      expect(res.statusCode).toBe(200);
+      expect(res.body.success).toBe(true);
+      expect(res.body.config).toHaveProperty('enabled');
+      expect(res.body.config).toHaveProperty('sessionDuration');
+      expect(res.body.config).toHaveProperty('isSetUp');
+    });
+  });
+
+  describe('POST /api/totp/setup', () => {
+    test('should generate QR code and secret', async () => {
+      const res = await request(app)
+        .post('/api/totp/setup')
+        .send({});
+
+      expect(res.statusCode).toBe(200);
+      expect(res.body.success).toBe(true);
+      expect(res.body).toHaveProperty('qrCode');
+      expect(res.body).toHaveProperty('manualKey');
+      expect(res.body.qrCode).toMatch(/^data:image\/png;base64,/);
+    }, 15000);
+
+    test('should accept user-provided secret', async () => {
+      const res = await request(app)
+        .post('/api/totp/setup')
+        .send({ secret: 'JBSWY3DPEHPK3PXP' });
+
+      expect(res.statusCode).toBe(200);
+      expect(res.body.success).toBe(true);
+      expect(res.body.imported).toBe(true);
+      expect(res.body.manualKey).toBe('JBSWY3DPEHPK3PXP');
+    });
+
+    test('should reject invalid secret format', async () => {
+      const res = await request(app)
+        .post('/api/totp/setup')
+        .send({ secret: 'not-base32!' });
+
+      expect(res.statusCode).toBe(400);
+      expect(res.body.success).toBe(false);
+      expect(res.body.error).toContain('Invalid secret');
+    });
+  });
+
+  describe('POST /api/totp/verify', () => {
+    test('should reject missing code', async () => {
+      const res = await request(app)
+        .post('/api/totp/verify')
+        .send({});
+
+      // Should fail — no code provided
+      expect(res.statusCode).toBeGreaterThanOrEqual(400);
+    });
+
+    test('should reject invalid code', async () => {
+      const res = await request(app)
+        .post('/api/totp/verify')
+        .send({ code: '000000' });
+
+      // Should fail — wrong code (TOTP not set up or wrong)
+      expect(res.statusCode).toBeGreaterThanOrEqual(400);
+    });
+  });
+
+  describe('GET /api/totp/check-session', () => {
+    test('should return session status', async () => {
+      const res = await request(app).get('/api/totp/check-session');
+
+      // If TOTP is not enabled, should return authenticated: true
+      // If enabled, should return 401 (no valid session)
+      expect([200, 401]).toContain(res.statusCode);
+      expect(res.body).toHaveProperty('authenticated');
+    });
+  });
+
+  describe('GET /api/auth/gate/:serviceId', () => {
+    test('should handle unknown service', async () => {
+      const res = await request(app).get('/api/auth/gate/nonexistent');
+
+      // Should return 200 with credentialsInjected: false (no creds found)
+      // or 401 if TOTP required
+      expect([200, 401]).toContain(res.statusCode);
+    });
+  });
+
+  describe('GET /api/auth/app-token/:serviceId', () => {
+    test('should handle unknown service', async () => {
+      const res = await request(app).get('/api/auth/app-token/nonexistent');
+
+      // Should return 404 (service not found) or 401 (TOTP required)
+      expect([401, 404, 500]).toContain(res.statusCode);
+    });
+  });
+});