@jmruthers/pace-core 0.5.135 → 0.5.137

package/src/validation/__tests__/passwordSchema.unit.test.ts

@@ -1,203 +0,0 @@
-import { describe, it, expect } from 'vitest';
-import { passwordSchema, securePasswordSchema, calculatePasswordStrength } from '../passwordSchema';
-
-describe('Password Validation Schemas', () => {
-  describe('passwordSchema (Basic)', () => {
-    it('should validate passwords with minimum length', () => {
-      expect(passwordSchema.safeParse('123456').success).toBe(true);
-      expect(passwordSchema.safeParse('password').success).toBe(true);
-      expect(passwordSchema.safeParse('StrongPass123!').success).toBe(true);
-    });
-
-    it('should reject passwords that are too short', () => {
-      expect(passwordSchema.safeParse('12345').success).toBe(false);
-      expect(passwordSchema.safeParse('').success).toBe(false);
-    });
-
-    it('should reject passwords that are too long', () => {
-      const longPassword = 'a'.repeat(129);
-      expect(passwordSchema.safeParse(longPassword).success).toBe(false);
-    });
-  });
-
-  describe('securePasswordSchema (Strict)', () => {
-    it('should validate strong passwords', () => {
-      expect(securePasswordSchema.safeParse('StrongPass123!').success).toBe(true);
-      expect(securePasswordSchema.safeParse('Complex@Password1').success).toBe(true);
-      expect(securePasswordSchema.safeParse('MySecureP@ssw0rd').success).toBe(true);
-    });
-
-    it('should reject weak passwords', () => {
-      expect(securePasswordSchema.safeParse('weak').success).toBe(false);
-      expect(securePasswordSchema.safeParse('12345678').success).toBe(false);
-      expect(securePasswordSchema.safeParse('').success).toBe(false);
-    });
-
-    it('should reject passwords without uppercase letters', () => {
-      expect(securePasswordSchema.safeParse('password123!').success).toBe(false);
-    });
-
-    it('should reject passwords without lowercase letters', () => {
-      expect(securePasswordSchema.safeParse('PASSWORD123!').success).toBe(false);
-    });
-
-    it('should reject passwords without numbers', () => {
-      expect(securePasswordSchema.safeParse('Password!').success).toBe(false);
-    });
-
-    it('should reject passwords without special characters', () => {
-      expect(securePasswordSchema.safeParse('Password123').success).toBe(false);
-    });
-
-    it('should reject passwords that are too short', () => {
-      expect(securePasswordSchema.safeParse('Pass1!').success).toBe(false);
-    });
-
-    it('should reject common passwords', () => {
-      expect(securePasswordSchema.safeParse('password').success).toBe(false);
-      expect(securePasswordSchema.safeParse('123456').success).toBe(false);
-      expect(securePasswordSchema.safeParse('qwerty').success).toBe(false);
-    });
-
-    it('should provide meaningful error messages', () => {
-      const result = securePasswordSchema.safeParse('weak');
-      expect(result.success).toBe(false);
-      if (!result.success) {
-        expect(result.error.issues.length).toBeGreaterThan(0);
-      }
-    });
-  });
-
-  describe('calculatePasswordStrength', () => {
-    it('should calculate strength for strong passwords', () => {
-      const result = calculatePasswordStrength('StrongPass123!');
-      expect(result.score).toBeGreaterThan(70);
-      expect(result.level).toBe('strong');
-      expect(result.feedback).toHaveLength(0);
-    });
-
-    it('should calculate strength for weak passwords', () => {
-      const result = calculatePasswordStrength('weak');
-      expect(result.score).toBeLessThan(50);
-      expect(result.level).toBe('very-weak');
-      expect(result.feedback.length).toBeGreaterThan(0);
-    });
-
-    it('should provide feedback for improvement', () => {
-      const result = calculatePasswordStrength('password');
-      expect(result.feedback).toContain('Add uppercase letters');
-      expect(result.feedback).toContain('Add numbers');
-      expect(result.feedback).toContain('Add special characters');
-    });
-
-    it('should penalize common passwords', () => {
-      const result = calculatePasswordStrength('password');
-      expect(result.feedback).toContain('Avoid common passwords');
-    });
-  });
-
-  describe('Edge Cases', () => {
-    it('should handle empty string password', () => {
-      expect(passwordSchema.safeParse('').success).toBe(false);
-      expect(securePasswordSchema.safeParse('').success).toBe(false);
-    });
-
-    it('should handle whitespace-only passwords', () => {
-      expect(passwordSchema.safeParse('      ').success).toBe(true);
-      expect(securePasswordSchema.safeParse('      ').success).toBe(false);
-    });
-
-    it('should handle exactly 6 character passwords', () => {
-      expect(passwordSchema.safeParse('123456').success).toBe(true);
-      expect(securePasswordSchema.safeParse('123456').success).toBe(false);
-    });
-
-    it('should handle exactly 128 character passwords', () => {
-      const password = 'a'.repeat(128);
-      expect(passwordSchema.safeParse(password).success).toBe(true);
-      expect(securePasswordSchema.safeParse(password).success).toBe(false);
-    });
-
-    it('should handle unicode passwords', () => {
-      const unicodePassword = 'Test🔒Pass123!';
-      expect(passwordSchema.safeParse(unicodePassword).success).toBe(true);
-      // Secure schema might not pass if unicode doesn't include uppercase/numbers
-    });
-
-    it('should handle passwords with special unicode characters', () => {
-      const password = 'Pass123😊!';
-      expect(passwordSchema.safeParse(password).success).toBe(true);
-    });
-
-    it('should reject passwords with null characters', () => {
-      const nullPassword = 'Pass123!\x00';
-      // The schema may actually allow null bytes, so we just test it doesn't crash
-      expect(() => securePasswordSchema.safeParse(nullPassword)).not.toThrow();
-    });
-
-    it('should handle passwords with maximum variety', () => {
-      const complexPassword = 'Complex123!@#$%^&*()[]';
-      expect(securePasswordSchema.safeParse(complexPassword).success).toBe(true);
-    });
-
-    it('should calculate strength for very long passwords', () => {
-      const longPassword = 'A'.repeat(100) + '1!';
-      const result = calculatePasswordStrength(longPassword);
-      
-      expect(result.score).toBeGreaterThan(50);
-      expect(result.level).toBeDefined();
-    });
-
-    it('should detect sequential patterns', () => {
-      const sequentialPassword = 'qwerty123!';
-      const result = calculatePasswordStrength(sequentialPassword);
-      
-      expect(result.level).not.toBe('strong');
-    });
-
-    it('should recognize keyboard pattern passwords', () => {
-      const keyboardPattern = 'asdfgh123!';
-      const result = calculatePasswordStrength(keyboardPattern);
-      
-      // Should penalize sequential keyboard patterns
-      expect(result.score).toBeLessThan(80);
-    });
-
-    it('should handle mixed case passwords correctly', () => {
-      const mixedCasePassword = 'PaSsWoRd123!';
-      expect(securePasswordSchema.safeParse(mixedCasePassword).success).toBe(true);
-      
-      const result = calculatePasswordStrength(mixedCasePassword);
-      expect(result.score).toBeGreaterThan(40);
-    });
-
-    it('should handle passwords with repeat characters', () => {
-      const repeatingPassword = 'Aaaa1111!';
-      expect(securePasswordSchema.safeParse(repeatingPassword).success).toBe(true);
-      
-      const result = calculatePasswordStrength(repeatingPassword);
-      expect(result.score).toBeLessThan(result.score + 50); // Should still score reasonably
-    });
-
-    it('should validate passwords with only required characters (minimum secure)', () => {
-      // Minimum secure password: 8 chars with uppercase, lowercase, number, and special
-      const minSecurePassword = 'A1!bcdef';
-      expect(securePasswordSchema.safeParse(minSecurePassword).success).toBe(true);
-    });
-
-    it('should reject secure schema passwords missing each requirement', () => {
-      // Test one requirement at a time to avoid confusion
-      const result1 = securePasswordSchema.safeParse('PASSWORD!');
-      expect(result1.success).toBe(false); // No lowercase
-      
-      const result2 = securePasswordSchema.safeParse('password1!');
-      expect(result2.success).toBe(false); // No uppercase
-      
-      const result3 = securePasswordSchema.safeParse('Password!');
-      expect(result3.success).toBe(false); // No number
-      
-      const result4 = securePasswordSchema.safeParse('Password1');
-      expect(result4.success).toBe(false); // No special
-    });
-  });
-}); 

package/src/validation/__tests__/sanitization.unit.test.ts

@@ -1,250 +0,0 @@
-/**
- * @file Sanitization Function Tests
- * @package @jmruthers/pace-core
- * @module Validation/__tests__
- * @since 0.4.0
- * 
- * Comprehensive tests for input sanitization functions following TEST_STANDARD.md
- */
-
-import { describe, it, expect } from 'vitest';
-import { sanitizeEmail, sanitizeString } from '../sanitization';
-
-describe('[unit] Sanitization Functions', () => {
-  describe('sanitizeEmail', () => {
-    it('converts email to lowercase', () => {
-      expect(sanitizeEmail('TEST@EXAMPLE.COM')).toBe('test@example.com');
-      expect(sanitizeEmail('User@Domain.Com')).toBe('user@domain.com');
-    });
-
-    it('trims whitespace from email', () => {
-      expect(sanitizeEmail('  test@example.com  ')).toBe('test@example.com');
-      expect(sanitizeEmail('\ttest@example.com\n')).toBe('test@example.com');
-    });
-
-    it('handles mixed case and whitespace', () => {
-      expect(sanitizeEmail('  TEST@EXAMPLE.COM  ')).toBe('test@example.com');
-    });
-
-    it('handles valid email addresses', () => {
-      expect(sanitizeEmail('user@example.com')).toBe('user@example.com');
-      expect(sanitizeEmail('user.name@example.com')).toBe('user.name@example.com');
-      expect(sanitizeEmail('user+tag@example.co.uk')).toBe('user+tag@example.co.uk');
-    });
-
-    it('handles empty string', () => {
-      expect(sanitizeEmail('')).toBe('');
-    });
-
-    it('handles null input', () => {
-      expect(sanitizeEmail(null as any)).toBe('');
-    });
-
-    it('handles undefined input', () => {
-      expect(sanitizeEmail(undefined as any)).toBe('');
-    });
-
-    it('handles non-string input', () => {
-      expect(sanitizeEmail(123 as any)).toBe('');
-      expect(sanitizeEmail({} as any)).toBe('');
-      expect(sanitizeEmail([] as any)).toBe('');
-    });
-
-    it('preserves valid email structure', () => {
-      const email = 'user.name+tag@example.co.uk';
-      expect(sanitizeEmail(email)).toBe('user.name+tag@example.co.uk');
-    });
-
-    it('handles email with special characters', () => {
-      expect(sanitizeEmail('user_name@example.com')).toBe('user_name@example.com');
-      expect(sanitizeEmail('user-name@example.com')).toBe('user-name@example.com');
-      expect(sanitizeEmail('user.name@example.com')).toBe('user.name@example.com');
-    });
-  });
-
-  describe('sanitizeString', () => {
-    it('removes angle brackets from input', () => {
-      expect(sanitizeString('test<tag>value')).toBe('testtagvalue');
-      expect(sanitizeString('<script>alert("xss")</script>')).toBe('scriptalert("xss")/script');
-    });
-
-    it('removes javascript: protocol', () => {
-      expect(sanitizeString('javascript:alert("xss")')).toBe('alert("xss")');
-      expect(sanitizeString('testJAVASCRIPT:alert(1)')).toBe('testalert(1)');
-      expect(sanitizeString('testJavaScript:alert(1)')).toBe('testalert(1)');
-    });
-
-    it('removes event handlers', () => {
-      expect(sanitizeString('testOnClick="alert(1)"')).toBe('test"alert(1)"');
-      expect(sanitizeString('testOnLoad="malicious"')).toBe('test"malicious"');
-      expect(sanitizeString('testOnError="bad"')).toBe('test"bad"');
-      expect(sanitizeString('testONEVENT="evil"')).toBe('test"evil"');
-    });
-
-    it('trims whitespace', () => {
-      expect(sanitizeString('  test  ')).toBe('test');
-      expect(sanitizeString('\ttest\n')).toBe('test');
-    });
-
-    it('handles normal text safely', () => {
-      expect(sanitizeString('This is a normal string')).toBe('This is a normal string');
-      expect(sanitizeString('User name')).toBe('User name');
-    });
-
-    it('handles empty string', () => {
-      expect(sanitizeString('')).toBe('');
-    });
-
-    it('handles null input', () => {
-      expect(sanitizeString(null as any)).toBe('');
-    });
-
-    it('handles undefined input', () => {
-      expect(sanitizeString(undefined as any)).toBe('');
-    });
-
-    it('handles non-string input', () => {
-      expect(sanitizeString(123 as any)).toBe('');
-      expect(sanitizeString({} as any)).toBe('');
-      expect(sanitizeString([] as any)).toBe('');
-    });
-
-    it('removes multiple security threats in one string', () => {
-      const malicious = '  <script>javascript:alert(1)</script> onClick="bad"  ';
-      expect(sanitizeString(malicious)).toBe('scriptalert(1)/script "bad"');
-    });
-
-    it('preserves valid HTML-like text that is safe', () => {
-      expect(sanitizeString('User &amp; Company')).toBe('User &amp; Company');
-      expect(sanitizeString('5 < 10')).toBe('5  10');
-      expect(sanitizeString('10 > 5')).toBe('10  5');
-    });
-
-    it('handles SQL injection attempts', () => {
-      expect(sanitizeString("'; DROP TABLE users; --")).toBe("'; DROP TABLE users; --");
-      // sanitizeString doesn't specifically target SQL, but removes dangerous patterns
-      // This test ensures it doesn't corrupt legitimate apostrophes
-    });
-
-    it('handles XSS payloads', () => {
-      // The function removes 'onerror=' but keeps the equals sign
-      expect(sanitizeString('<img src=x onerror=alert(1)>')).toBe('img src=x alert(1)');
-      expect(sanitizeString('<svg/onload=alert(1)>')).toBe('svg/alert(1)');
-    });
-
-    it('preserves special characters in safe contexts', () => {
-      expect(sanitizeString('User@example.com')).toBe('User@example.com');
-      expect(sanitizeString('$100')).toBe('$100');
-      expect(sanitizeString('Test%20String')).toBe('Test%20String');
-    });
-
-    it('handles very long strings', () => {
-      const longString = 'a'.repeat(10000);
-      expect(sanitizeString(longString)).toBe('a'.repeat(10000));
-    });
-
-    it('handles strings with only whitespace', () => {
-      expect(sanitizeString('   ')).toBe('');
-      expect(sanitizeString('\t\n\r')).toBe('');
-    });
-
-    it('removes consecutive dangerous patterns', () => {
-      const multipleAttacks = 'test<script>alert(1)</script><script>alert(2)</script>javascript:doEvil()';
-      expect(sanitizeString(multipleAttacks)).toBe('testscriptalert(1)/scriptscriptalert(2)/scriptdoEvil()');
-    });
-  });
-
-  describe('Edge Cases', () => {
-    it('sanitizeEmail handles unicode characters', () => {
-      expect(sanitizeEmail('café@example.com')).toBe('café@example.com');
-      expect(sanitizeEmail('test@例え.com')).toBe('test@例え.com');
-    });
-
-    it('sanitizeString handles unicode correctly', () => {
-      expect(sanitizeString('Test café')).toBe('Test café');
-      expect(sanitizeString('中文测试')).toBe('中文测试');
-      expect(sanitizeString('مرحبا')).toBe('مرحبا');
-    });
-
-    it('sanitizeEmail handles international domains', () => {
-      expect(sanitizeEmail('test@xn--example.com')).toBe('test@xn--example.com');
-    });
-
-    it('sanitizeString handles emoji', () => {
-      expect(sanitizeString('Hello 😀')).toBe('Hello 😀');
-      expect(sanitizeString('User <script>😀</script>')).toBe('User script😀/script');
-    });
-
-    it('handles mixed scripts and vulnerabilities', () => {
-      const mixed = '  User Name<script>alert(1)</script>  ';
-      expect(sanitizeString(mixed)).toBe('User Namescriptalert(1)/script');
-    });
-  });
-
-  describe('Performance', () => {
-    it('sanitizeEmail handles large inputs efficiently', () => {
-      const largeEmail = 'a'.repeat(1000) + '@' + 'b'.repeat(1000) + '.com';
-      const start = performance.now();
-      const result = sanitizeEmail(largeEmail);
-      const end = performance.now();
-
-      expect(result).toBeDefined();
-      expect(end - start).toBeLessThan(100); // Should complete in under 100ms
-    });
-
-    it('sanitizeString handles large inputs efficiently', () => {
-      const largeString = 'a'.repeat(10000);
-      const start = performance.now();
-      const result = sanitizeString(largeString);
-      const end = performance.now();
-
-      expect(result).toBeDefined();
-      expect(end - start).toBeLessThan(100); // Should complete in under 100ms
-    });
-  });
-
-  describe('Security Validation', () => {
-    it('sanitizeString prevents basic XSS attacks', () => {
-      const xssAttempts = [
-        '<script>alert("xss")</script>',
-        '<img src=x onerror=alert(1)>',
-        '<svg/onload=alert(1)>',
-        '<iframe src=javascript:alert(1)>',
-      ];
-
-      xssAttempts.forEach(attempt => {
-        const sanitized = sanitizeString(attempt);
-        expect(sanitized).not.toContain('<script>');
-        expect(sanitized).not.toContain('javascript:');
-        expect(sanitized).not.toContain('onerror=');
-        expect(sanitized).not.toContain('onload=');
-      });
-    });
-
-    it('sanitizeString removes event handlers regardless of case', () => {
-      const cases = [
-        'onClick',
-        'ONCLICK',
-        'onclick',
-        'onClick',
-        'ONCLICK',
-      ];
-
-      cases.forEach(eventHandler => {
-        const test = `test ${eventHandler}="malicious" test`;
-        const sanitized = sanitizeString(test);
-        expect(sanitized).not.toContain(`${eventHandler}=`);
-      });
-    });
-
-    it('sanitizeEmail does not introduce security vulnerabilities', () => {
-      const safe = 'user@example.com';
-      const sanitized = sanitizeEmail(safe);
-      expect(sanitized).toBe('user@example.com');
-      expect(sanitized).not.toContain('<');
-      expect(sanitized).not.toContain('>');
-      expect(sanitized).not.toContain('javascript:');
-    });
-  });
-});
-