@jmruthers/pace-core 0.5.135 → 0.5.136

package/src/validation/__tests__/csrf.unit.test.ts

@@ -1,365 +0,0 @@
-/**
- * @file CSRF Protection Unit Tests
- * @package @jmruthers/pace-core
- * @module Validation/CSRF/Tests
- * @since 0.1.0
- */
-
-import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
-import {
-  generateCSRFToken,
-  validateCSRFToken,
-  getCSRFToken,
-  csrfManager,
-  CSRFTokenData,
-} from '../csrf';
-
-// Mock crypto for testing
-const mockCrypto = {
-  getRandomValues: vi.fn(),
-};
-
-Object.defineProperty(global, 'crypto', {
-  value: mockCrypto,
-  writable: true,
-});
-
-// Mock secure storage
-vi.mock('../../utils/secureStorage', () => ({
-  secureStorage: {
-    setItem: vi.fn().mockResolvedValue(undefined),
-    getItem: vi.fn().mockResolvedValue(null),
-    removeItem: vi.fn().mockResolvedValue(undefined),
-  },
-}));
-
-describe('CSRF Protection', () => {
-  const testSessionId = 'test-session-123';
-  const testSessionId2 = 'test-session-456';
-
-  beforeEach(() => {
-    vi.clearAllMocks();
-    mockCrypto.getRandomValues.mockImplementation((array) => {
-      for (let i = 0; i < array.length; i++) {
-        array[i] = Math.floor(Math.random() * 256);
-      }
-      return array;
-    });
-  });
-
-  afterEach(async () => {
-    // Clear session tokens
-    await csrfManager.clearSession(testSessionId);
-    await csrfManager.clearSession(testSessionId2);
-  });
-
-  describe('generateCSRFToken', () => {
-    it('should generate a valid CSRF token', async () => {
-      const token = await generateCSRFToken(testSessionId);
-      
-      expect(token).toBeDefined();
-      expect(typeof token).toBe('string');
-      expect(token.length).toBe(64); // 32 bytes * 2 hex chars
-    });
-
-    it('should generate different tokens on subsequent calls', async () => {
-      const token1 = await generateCSRFToken(testSessionId);
-      const token2 = await generateCSRFToken(testSessionId);
-      
-      expect(token1).not.toBe(token2);
-    });
-
-    it('should generate tokens for different sessions', async () => {
-      const token1 = await generateCSRFToken(testSessionId);
-      const token2 = await generateCSRFToken(testSessionId2);
-      
-      expect(token1).not.toBe(token2);
-    });
-
-    it('should handle crypto.getRandomValues errors', async () => {
-      mockCrypto.getRandomValues.mockImplementation(() => {
-        throw new Error('Crypto unavailable');
-      });
-
-      await expect(generateCSRFToken(testSessionId)).rejects.toThrow('CSRF token generation failed');
-    });
-  });
-
-  describe('validateCSRFToken', () => {
-    it('should validate a valid token for correct session', async () => {
-      const token = await generateCSRFToken(testSessionId);
-      const isValid = await validateCSRFToken(token, testSessionId);
-      
-      expect(isValid).toBe(true);
-    });
-
-    it('should reject token for wrong session', async () => {
-      const token = await generateCSRFToken(testSessionId);
-      const isValid = await validateCSRFToken(token, testSessionId2);
-      
-      expect(isValid).toBe(false);
-    });
-
-    it('should reject invalid token format', async () => {
-      const invalidToken = 'invalid-token';
-      const isValid = await validateCSRFToken(invalidToken, testSessionId);
-      
-      expect(isValid).toBe(false);
-    });
-
-    it('should reject reused tokens (one-time use)', async () => {
-      const token = await generateCSRFToken(testSessionId);
-      
-      // First use should succeed
-      const firstUse = await validateCSRFToken(token, testSessionId);
-      expect(firstUse).toBe(true);
-      
-      // Second use should fail
-      const secondUse = await validateCSRFToken(token, testSessionId);
-      expect(secondUse).toBe(false);
-    });
-
-    it('should handle empty or null tokens', async () => {
-      expect(await validateCSRFToken('', testSessionId)).toBe(false);
-      expect(await validateCSRFToken(null as any, testSessionId)).toBe(false);
-      expect(await validateCSRFToken(undefined as any, testSessionId)).toBe(false);
-    });
-  });
-
-  describe('getCSRFToken', () => {
-    it('should return existing valid token for session', async () => {
-      const generatedToken = await generateCSRFToken(testSessionId);
-      const retrievedToken = await getCSRFToken(testSessionId);
-      
-      expect(retrievedToken).toBeDefined();
-      expect(typeof retrievedToken).toBe('string');
-    });
-
-    it('should generate new token if none exists', async () => {
-      const token = await getCSRFToken(testSessionId);
-      
-      expect(token).toBeDefined();
-      expect(typeof token).toBe('string');
-      expect(token!.length).toBe(64);
-    });
-
-    it('should return different tokens for different sessions', async () => {
-      const token1 = await getCSRFToken(testSessionId);
-      const token2 = await getCSRFToken(testSessionId2);
-      
-      expect(token1).not.toBe(token2);
-    });
-  });
-
-  describe('csrfManager', () => {
-    it('should manage multiple sessions', async () => {
-      const token1 = await csrfManager.generateToken(testSessionId);
-      const token2 = await csrfManager.generateToken(testSessionId2);
-      
-      expect(await csrfManager.validateToken(token1, testSessionId)).toBe(true);
-      expect(await csrfManager.validateToken(token2, testSessionId2)).toBe(true);
-      
-      // Cross-session validation should fail
-      expect(await csrfManager.validateToken(token1, testSessionId2)).toBe(false);
-      expect(await csrfManager.validateToken(token2, testSessionId)).toBe(false);
-    });
-
-    it('should clear session tokens', async () => {
-      const token = await csrfManager.generateToken(testSessionId);
-      
-      // Token should be valid
-      expect(await csrfManager.validateToken(token, testSessionId)).toBe(true);
-      
-      // Clear session
-      await csrfManager.clearSession(testSessionId);
-      
-      // Token should no longer be valid
-      expect(await csrfManager.validateToken(token, testSessionId)).toBe(false);
-    });
-
-    it('should handle getCurrentToken for existing session', async () => {
-      await csrfManager.generateToken(testSessionId);
-      const currentToken = await csrfManager.getCurrentToken(testSessionId);
-      
-      expect(currentToken).toBeDefined();
-      expect(typeof currentToken).toBe('string');
-    });
-
-    it('should handle getCurrentToken for new session', async () => {
-      const currentToken = await csrfManager.getCurrentToken('new-session-789');
-      
-      expect(currentToken).toBeDefined();
-      expect(typeof currentToken).toBe('string');
-      expect(currentToken!.length).toBe(64);
-    });
-  });
-
-  describe('Token Lifecycle and Expiry', () => {
-    it('should handle token expiry', async () => {
-      // Mock Date.now to simulate time passage
-      const originalNow = Date.now;
-      const mockNow = vi.fn();
-      Date.now = mockNow;
-
-      try {
-        const initialTime = 1000000;
-        mockNow.mockReturnValue(initialTime);
-
-        const token = await generateCSRFToken(testSessionId);
-        
-        // Token should be valid immediately
-        expect(await validateCSRFToken(token, testSessionId)).toBe(true);
-        
-        // Regenerate token since it was consumed
-        const token2 = await generateCSRFToken(testSessionId);
-        
-        // Simulate time passage beyond expiry (30 minutes + 1 second)
-        mockNow.mockReturnValue(initialTime + (30 * 60 * 1000) + 1000);
-        
-        // Token should now be expired
-        expect(await validateCSRFToken(token2, testSessionId)).toBe(false);
-      } finally {
-        Date.now = originalNow;
-      }
-    });
-  });
-
-  describe('Security Features', () => {
-    it('should limit tokens per session', async () => {
-      // Generate maximum tokens for session
-      const tokens: string[] = [];
-      for (let i = 0; i < 15; i++) { // More than MAX_TOKENS_PER_SESSION (10)
-        const token = await generateCSRFToken(testSessionId);
-        tokens.push(token);
-      }
-      
-      expect(tokens.length).toBe(15);
-      expect(new Set(tokens).size).toBe(15); // All should be unique
-    });
-
-    it('should use cryptographically secure random values', async () => {
-      const calledValues: Uint8Array[] = [];
-      mockCrypto.getRandomValues.mockImplementation((array) => {
-        calledValues.push(new Uint8Array(array));
-        for (let i = 0; i < array.length; i++) {
-          array[i] = i % 256; // Deterministic but different values
-        }
-        return array;
-      });
-
-      await generateCSRFToken(testSessionId);
-      
-      expect(mockCrypto.getRandomValues).toHaveBeenCalledTimes(1);
-      expect(calledValues[0].length).toBe(32); // 32 bytes
-    });
-  });
-
-  describe('Error Handling', () => {
-    it('should handle storage failures gracefully', async () => {
-      // Mock storage to fail
-      const { secureStorage } = await import('../../utils/secureStorage');
-      vi.mocked(secureStorage.setItem).mockRejectedValue(new Error('Storage failed'));
-
-      // Should still generate token despite storage failure
-      const token = await generateCSRFToken(testSessionId);
-      expect(token).toBeDefined();
-    });
-
-    it('should handle storage retrieval failures', async () => {
-      const { secureStorage } = await import('../../utils/secureStorage');
-      vi.mocked(secureStorage.getItem).mockRejectedValue(new Error('Retrieval failed'));
-
-      // Should still work by creating new tokens
-      const token = await getCSRFToken(testSessionId);
-      expect(token).toBeDefined();
-    });
-
-    it('should handle malformed stored data', async () => {
-      const { secureStorage } = await import('../../utils/secureStorage');
-      vi.mocked(secureStorage.getItem).mockResolvedValue('invalid-json');
-
-      // Should clear cache and continue working
-      const token = await getCSRFToken(testSessionId);
-      expect(token).toBeDefined();
-    });
-  });
-
-     describe('Type Safety', () => {
-     it('should have correct CSRFTokenData interface', () => {
-       const tokenData: CSRFTokenData = {
-         token: 'test-token',
-         sessionId: 'test-session',
-         timestamp: Date.now(),
-         used: false,
-       };
-
-       expect(tokenData.token).toBe('test-token');
-       expect(tokenData.sessionId).toBe('test-session');
-       expect(typeof tokenData.timestamp).toBe('number');
-       expect(typeof tokenData.used).toBe('boolean');
-     });
-   });
-
-   describe('Edge Cases', () => {
-     it('should handle very long session IDs', async () => {
-       const longSessionId = 'a'.repeat(500);
-       const token = await generateCSRFToken(longSessionId);
-       
-       expect(token).toBeDefined();
-       expect(token.length).toBe(64);
-       
-       // Should be valid for that session
-       const isValid = await validateCSRFToken(token, longSessionId);
-       expect(isValid).toBe(true);
-     });
-
-     it('should handle rapid token generation', async () => {
-       const tokens = await Promise.all(
-         Array.from({ length: 20 }, () => generateCSRFToken(testSessionId))
-       );
-       
-       expect(tokens).toHaveLength(20);
-       // All should be unique 32-byte tokens
-       const uniqueTokens = new Set(tokens);
-       expect(uniqueTokens.size).toBe(20);
-       
-       // Last token should be valid
-       const lastToken = tokens[tokens.length - 1];
-       expect(await validateCSRFToken(lastToken, testSessionId)).toBe(true);
-     });
-
-     it('should handle storage corruption by clearing cache', async () => {
-       const { secureStorage } = await import('../../utils/secureStorage');
-       
-       // Simulate malformed storage data
-       vi.mocked(secureStorage.getItem).mockResolvedValueOnce('{{invalid json}');
-       
-       // Should handle gracefully and generate new token
-       const token = await getCSRFToken(testSessionId);
-       expect(token).toBeDefined();
-       expect(typeof token).toBe('string');
-     });
-
-     it('should handle concurrent token generation safely', async () => {
-       const promises = Array.from({ length: 10 }, (_, i) => 
-         generateCSRFToken(`session-${i}`)
-       );
-       
-       const tokens = await Promise.all(promises);
-       
-       expect(tokens).toHaveLength(10);
-       expect(new Set(tokens).size).toBe(10);
-     });
-
-     it('should handle session ID collision edge cases', async () => {
-       const sameSession = 'collision-session';
-       
-       const token1 = await generateCSRFToken(sameSession);
-       const token2 = await generateCSRFToken(sameSession);
-       
-       // Both should be valid for same session
-       expect(await validateCSRFToken(token1, sameSession)).toBe(true);
-       expect(await validateCSRFToken(token2, sameSession)).toBe(true);
-     });
-   });
-});

package/src/validation/__tests__/passwordSchema.unit.test.ts

@@ -1,203 +0,0 @@
-import { describe, it, expect } from 'vitest';
-import { passwordSchema, securePasswordSchema, calculatePasswordStrength } from '../passwordSchema';
-
-describe('Password Validation Schemas', () => {
-  describe('passwordSchema (Basic)', () => {
-    it('should validate passwords with minimum length', () => {
-      expect(passwordSchema.safeParse('123456').success).toBe(true);
-      expect(passwordSchema.safeParse('password').success).toBe(true);
-      expect(passwordSchema.safeParse('StrongPass123!').success).toBe(true);
-    });
-
-    it('should reject passwords that are too short', () => {
-      expect(passwordSchema.safeParse('12345').success).toBe(false);
-      expect(passwordSchema.safeParse('').success).toBe(false);
-    });
-
-    it('should reject passwords that are too long', () => {
-      const longPassword = 'a'.repeat(129);
-      expect(passwordSchema.safeParse(longPassword).success).toBe(false);
-    });
-  });
-
-  describe('securePasswordSchema (Strict)', () => {
-    it('should validate strong passwords', () => {
-      expect(securePasswordSchema.safeParse('StrongPass123!').success).toBe(true);
-      expect(securePasswordSchema.safeParse('Complex@Password1').success).toBe(true);
-      expect(securePasswordSchema.safeParse('MySecureP@ssw0rd').success).toBe(true);
-    });
-
-    it('should reject weak passwords', () => {
-      expect(securePasswordSchema.safeParse('weak').success).toBe(false);
-      expect(securePasswordSchema.safeParse('12345678').success).toBe(false);
-      expect(securePasswordSchema.safeParse('').success).toBe(false);
-    });
-
-    it('should reject passwords without uppercase letters', () => {
-      expect(securePasswordSchema.safeParse('password123!').success).toBe(false);
-    });
-
-    it('should reject passwords without lowercase letters', () => {
-      expect(securePasswordSchema.safeParse('PASSWORD123!').success).toBe(false);
-    });
-
-    it('should reject passwords without numbers', () => {
-      expect(securePasswordSchema.safeParse('Password!').success).toBe(false);
-    });
-
-    it('should reject passwords without special characters', () => {
-      expect(securePasswordSchema.safeParse('Password123').success).toBe(false);
-    });
-
-    it('should reject passwords that are too short', () => {
-      expect(securePasswordSchema.safeParse('Pass1!').success).toBe(false);
-    });
-
-    it('should reject common passwords', () => {
-      expect(securePasswordSchema.safeParse('password').success).toBe(false);
-      expect(securePasswordSchema.safeParse('123456').success).toBe(false);
-      expect(securePasswordSchema.safeParse('qwerty').success).toBe(false);
-    });
-
-    it('should provide meaningful error messages', () => {
-      const result = securePasswordSchema.safeParse('weak');
-      expect(result.success).toBe(false);
-      if (!result.success) {
-        expect(result.error.issues.length).toBeGreaterThan(0);
-      }
-    });
-  });
-
-  describe('calculatePasswordStrength', () => {
-    it('should calculate strength for strong passwords', () => {
-      const result = calculatePasswordStrength('StrongPass123!');
-      expect(result.score).toBeGreaterThan(70);
-      expect(result.level).toBe('strong');
-      expect(result.feedback).toHaveLength(0);
-    });
-
-    it('should calculate strength for weak passwords', () => {
-      const result = calculatePasswordStrength('weak');
-      expect(result.score).toBeLessThan(50);
-      expect(result.level).toBe('very-weak');
-      expect(result.feedback.length).toBeGreaterThan(0);
-    });
-
-    it('should provide feedback for improvement', () => {
-      const result = calculatePasswordStrength('password');
-      expect(result.feedback).toContain('Add uppercase letters');
-      expect(result.feedback).toContain('Add numbers');
-      expect(result.feedback).toContain('Add special characters');
-    });
-
-    it('should penalize common passwords', () => {
-      const result = calculatePasswordStrength('password');
-      expect(result.feedback).toContain('Avoid common passwords');
-    });
-  });
-
-  describe('Edge Cases', () => {
-    it('should handle empty string password', () => {
-      expect(passwordSchema.safeParse('').success).toBe(false);
-      expect(securePasswordSchema.safeParse('').success).toBe(false);
-    });
-
-    it('should handle whitespace-only passwords', () => {
-      expect(passwordSchema.safeParse('      ').success).toBe(true);
-      expect(securePasswordSchema.safeParse('      ').success).toBe(false);
-    });
-
-    it('should handle exactly 6 character passwords', () => {
-      expect(passwordSchema.safeParse('123456').success).toBe(true);
-      expect(securePasswordSchema.safeParse('123456').success).toBe(false);
-    });
-
-    it('should handle exactly 128 character passwords', () => {
-      const password = 'a'.repeat(128);
-      expect(passwordSchema.safeParse(password).success).toBe(true);
-      expect(securePasswordSchema.safeParse(password).success).toBe(false);
-    });
-
-    it('should handle unicode passwords', () => {
-      const unicodePassword = 'Test🔒Pass123!';
-      expect(passwordSchema.safeParse(unicodePassword).success).toBe(true);
-      // Secure schema might not pass if unicode doesn't include uppercase/numbers
-    });
-
-    it('should handle passwords with special unicode characters', () => {
-      const password = 'Pass123😊!';
-      expect(passwordSchema.safeParse(password).success).toBe(true);
-    });
-
-    it('should reject passwords with null characters', () => {
-      const nullPassword = 'Pass123!\x00';
-      // The schema may actually allow null bytes, so we just test it doesn't crash
-      expect(() => securePasswordSchema.safeParse(nullPassword)).not.toThrow();
-    });
-
-    it('should handle passwords with maximum variety', () => {
-      const complexPassword = 'Complex123!@#$%^&*()[]';
-      expect(securePasswordSchema.safeParse(complexPassword).success).toBe(true);
-    });
-
-    it('should calculate strength for very long passwords', () => {
-      const longPassword = 'A'.repeat(100) + '1!';
-      const result = calculatePasswordStrength(longPassword);
-      
-      expect(result.score).toBeGreaterThan(50);
-      expect(result.level).toBeDefined();
-    });
-
-    it('should detect sequential patterns', () => {
-      const sequentialPassword = 'qwerty123!';
-      const result = calculatePasswordStrength(sequentialPassword);
-      
-      expect(result.level).not.toBe('strong');
-    });
-
-    it('should recognize keyboard pattern passwords', () => {
-      const keyboardPattern = 'asdfgh123!';
-      const result = calculatePasswordStrength(keyboardPattern);
-      
-      // Should penalize sequential keyboard patterns
-      expect(result.score).toBeLessThan(80);
-    });
-
-    it('should handle mixed case passwords correctly', () => {
-      const mixedCasePassword = 'PaSsWoRd123!';
-      expect(securePasswordSchema.safeParse(mixedCasePassword).success).toBe(true);
-      
-      const result = calculatePasswordStrength(mixedCasePassword);
-      expect(result.score).toBeGreaterThan(40);
-    });
-
-    it('should handle passwords with repeat characters', () => {
-      const repeatingPassword = 'Aaaa1111!';
-      expect(securePasswordSchema.safeParse(repeatingPassword).success).toBe(true);
-      
-      const result = calculatePasswordStrength(repeatingPassword);
-      expect(result.score).toBeLessThan(result.score + 50); // Should still score reasonably
-    });
-
-    it('should validate passwords with only required characters (minimum secure)', () => {
-      // Minimum secure password: 8 chars with uppercase, lowercase, number, and special
-      const minSecurePassword = 'A1!bcdef';
-      expect(securePasswordSchema.safeParse(minSecurePassword).success).toBe(true);
-    });
-
-    it('should reject secure schema passwords missing each requirement', () => {
-      // Test one requirement at a time to avoid confusion
-      const result1 = securePasswordSchema.safeParse('PASSWORD!');
-      expect(result1.success).toBe(false); // No lowercase
-      
-      const result2 = securePasswordSchema.safeParse('password1!');
-      expect(result2.success).toBe(false); // No uppercase
-      
-      const result3 = securePasswordSchema.safeParse('Password!');
-      expect(result3.success).toBe(false); // No number
-      
-      const result4 = securePasswordSchema.safeParse('Password1');
-      expect(result4.success).toBe(false); // No special
-    });
-  });
-});