Sami
f61e85d9a7
Full codebase including API server (32 modules + routes), dashboard frontend, DashCA certificate distribution, installer script, and deployment skills.
128 lines
4.1 KiB
JavaScript
128 lines
4.1 KiB
JavaScript
/**
|
|
* Auth Route Tests
|
|
*
|
|
* Tests TOTP configuration, session management, and SSO auth gate
|
|
*/
|
|
|
|
const request = require('supertest');
|
|
const fs = require('fs');
|
|
const path = require('path');
|
|
const os = require('os');
|
|
|
|
const testServicesFile = path.join(os.tmpdir(), `auth-services-${Date.now()}.json`);
|
|
const testConfigFile = path.join(os.tmpdir(), `auth-config-${Date.now()}.json`);
|
|
|
|
process.env.SERVICES_FILE = testServicesFile;
|
|
process.env.CONFIG_FILE = testConfigFile;
|
|
process.env.ENABLE_HEALTH_CHECKER = 'false';
|
|
process.env.NODE_ENV = 'test';
|
|
|
|
fs.writeFileSync(testServicesFile, '[]', 'utf8');
|
|
fs.writeFileSync(testConfigFile, '{}', 'utf8');
|
|
|
|
const app = require('../server');
|
|
|
|
describe('Auth Routes', () => {
|
|
afterAll(() => {
|
|
try { fs.unlinkSync(testServicesFile); } catch (e) { /* ignore */ }
|
|
try { fs.unlinkSync(testConfigFile); } catch (e) { /* ignore */ }
|
|
});
|
|
|
|
describe('GET /api/totp/config', () => {
|
|
test('should return TOTP configuration', async () => {
|
|
const res = await request(app).get('/api/totp/config');
|
|
|
|
expect(res.statusCode).toBe(200);
|
|
expect(res.body.success).toBe(true);
|
|
expect(res.body.config).toHaveProperty('enabled');
|
|
expect(res.body.config).toHaveProperty('sessionDuration');
|
|
expect(res.body.config).toHaveProperty('isSetUp');
|
|
});
|
|
});
|
|
|
|
describe('POST /api/totp/setup', () => {
|
|
test('should generate QR code and secret', async () => {
|
|
const res = await request(app)
|
|
.post('/api/totp/setup')
|
|
.send({});
|
|
|
|
expect(res.statusCode).toBe(200);
|
|
expect(res.body.success).toBe(true);
|
|
expect(res.body).toHaveProperty('qrCode');
|
|
expect(res.body).toHaveProperty('manualKey');
|
|
expect(res.body.qrCode).toMatch(/^data:image\/png;base64,/);
|
|
}, 15000);
|
|
|
|
test('should accept user-provided secret', async () => {
|
|
const res = await request(app)
|
|
.post('/api/totp/setup')
|
|
.send({ secret: 'JBSWY3DPEHPK3PXP' });
|
|
|
|
expect(res.statusCode).toBe(200);
|
|
expect(res.body.success).toBe(true);
|
|
expect(res.body.imported).toBe(true);
|
|
expect(res.body.manualKey).toBe('JBSWY3DPEHPK3PXP');
|
|
});
|
|
|
|
test('should reject invalid secret format', async () => {
|
|
const res = await request(app)
|
|
.post('/api/totp/setup')
|
|
.send({ secret: 'not-base32!' });
|
|
|
|
expect(res.statusCode).toBe(400);
|
|
expect(res.body.success).toBe(false);
|
|
expect(res.body.error).toContain('Invalid secret');
|
|
});
|
|
});
|
|
|
|
describe('POST /api/totp/verify', () => {
|
|
test('should reject missing code', async () => {
|
|
const res = await request(app)
|
|
.post('/api/totp/verify')
|
|
.send({});
|
|
|
|
// Should fail — no code provided
|
|
expect(res.statusCode).toBeGreaterThanOrEqual(400);
|
|
});
|
|
|
|
test('should reject invalid code', async () => {
|
|
const res = await request(app)
|
|
.post('/api/totp/verify')
|
|
.send({ code: '000000' });
|
|
|
|
// Should fail — wrong code (TOTP not set up or wrong)
|
|
expect(res.statusCode).toBeGreaterThanOrEqual(400);
|
|
});
|
|
});
|
|
|
|
describe('GET /api/totp/check-session', () => {
|
|
test('should return session status', async () => {
|
|
const res = await request(app).get('/api/totp/check-session');
|
|
|
|
// If TOTP is not enabled, should return authenticated: true
|
|
// If enabled, should return 401 (no valid session)
|
|
expect([200, 401]).toContain(res.statusCode);
|
|
expect(res.body).toHaveProperty('authenticated');
|
|
});
|
|
});
|
|
|
|
describe('GET /api/auth/gate/:serviceId', () => {
|
|
test('should handle unknown service', async () => {
|
|
const res = await request(app).get('/api/auth/gate/nonexistent');
|
|
|
|
// Should return 200 with credentialsInjected: false (no creds found)
|
|
// or 401 if TOTP required
|
|
expect([200, 401]).toContain(res.statusCode);
|
|
});
|
|
});
|
|
|
|
describe('GET /api/auth/app-token/:serviceId', () => {
|
|
test('should handle unknown service', async () => {
|
|
const res = await request(app).get('/api/auth/app-token/nonexistent');
|
|
|
|
// Should return 404 (service not found) or 401 (TOTP required)
|
|
expect([401, 404, 500]).toContain(res.statusCode);
|
|
});
|
|
});
|
|
});
|