/** * Auth Route Tests * * Tests TOTP configuration, session management, and SSO auth gate */ const request = require('supertest'); const fs = require('fs'); const path = require('path'); const os = require('os'); const testServicesFile = path.join(os.tmpdir(), `auth-services-${Date.now()}.json`); const testConfigFile = path.join(os.tmpdir(), `auth-config-${Date.now()}.json`); process.env.SERVICES_FILE = testServicesFile; process.env.CONFIG_FILE = testConfigFile; process.env.ENABLE_HEALTH_CHECKER = 'false'; process.env.NODE_ENV = 'test'; fs.writeFileSync(testServicesFile, '[]', 'utf8'); fs.writeFileSync(testConfigFile, '{}', 'utf8'); const app = require('../server'); describe('Auth Routes', () => { afterAll(() => { try { fs.unlinkSync(testServicesFile); } catch (e) { /* ignore */ } try { fs.unlinkSync(testConfigFile); } catch (e) { /* ignore */ } }); describe('GET /api/totp/config', () => { test('should return TOTP configuration', async () => { const res = await request(app).get('/api/totp/config'); expect(res.statusCode).toBe(200); expect(res.body.success).toBe(true); expect(res.body.config).toHaveProperty('enabled'); expect(res.body.config).toHaveProperty('sessionDuration'); expect(res.body.config).toHaveProperty('isSetUp'); }); }); describe('POST /api/totp/setup', () => { test('should generate QR code and secret', async () => { const res = await request(app) .post('/api/totp/setup') .send({}); expect(res.statusCode).toBe(200); expect(res.body.success).toBe(true); expect(res.body).toHaveProperty('qrCode'); expect(res.body).toHaveProperty('manualKey'); expect(res.body.qrCode).toMatch(/^data:image\/png;base64,/); }, 15000); test('should accept user-provided secret', async () => { const res = await request(app) .post('/api/totp/setup') .send({ secret: 'JBSWY3DPEHPK3PXP' }); expect(res.statusCode).toBe(200); expect(res.body.success).toBe(true); expect(res.body.imported).toBe(true); expect(res.body.manualKey).toBe('JBSWY3DPEHPK3PXP'); }); test('should reject invalid secret format', async () => { const res = await request(app) .post('/api/totp/setup') .send({ secret: 'not-base32!' }); expect(res.statusCode).toBe(400); expect(res.body.success).toBe(false); expect(res.body.error).toContain('Invalid secret'); }); }); describe('POST /api/totp/verify', () => { test('should reject missing code', async () => { const res = await request(app) .post('/api/totp/verify') .send({}); // Should fail — no code provided expect(res.statusCode).toBeGreaterThanOrEqual(400); }); test('should reject invalid code', async () => { const res = await request(app) .post('/api/totp/verify') .send({ code: '000000' }); // Should fail — wrong code (TOTP not set up or wrong) expect(res.statusCode).toBeGreaterThanOrEqual(400); }); }); describe('GET /api/totp/check-session', () => { test('should return session status', async () => { const res = await request(app).get('/api/totp/check-session'); // If TOTP is not enabled, should return authenticated: true // If enabled, should return 401 (no valid session) expect([200, 401]).toContain(res.statusCode); expect(res.body).toHaveProperty('authenticated'); }); }); describe('GET /api/auth/gate/:serviceId', () => { test('should handle unknown service', async () => { const res = await request(app).get('/api/auth/gate/nonexistent'); // Should return 200 with credentialsInjected: false (no creds found) // or 401 if TOTP required expect([200, 401]).toContain(res.statusCode); }); }); describe('GET /api/auth/app-token/:serviceId', () => { test('should handle unknown service', async () => { const res = await request(app).get('/api/auth/app-token/nonexistent'); // Should return 404 (service not found) or 401 (TOTP required) expect([401, 404, 500]).toContain(res.statusCode); }); }); });