@openparachute/hub 0.5.14-rc.2 → 0.5.14-rc.21

package/src/__tests__/status.test.ts

@@ -76,6 +76,42 @@ describe("status", () => {
     }
   });
 
+  test("persisted lastStartError surfaces on a continuation line", async () => {
+    const { path, cleanup } = makeTempPath();
+    try {
+      upsertService(
+        {
+          name: "parachute-vault",
+          port: 1940,
+          paths: ["/"],
+          health: "/health",
+          version: "0.2.4",
+          lastStartError: {
+            error_type: "missing_dependency",
+            error_description: "parachute-vault is required ...",
+            binary: "parachute-vault",
+            install: { generic: "parachute install vault" },
+          },
+        },
+        path,
+      );
+      const lines: string[] = [];
+      await status({
+        manifestPath: path,
+        // Probe refuses (service down) — the row is failing, and the
+        // start-error note explains why.
+        fetchImpl: async () => {
+          throw new Error("ECONNREFUSED");
+        },
+        print: (l) => lines.push(l),
+      });
+      const out = lines.join("\n");
+      expect(out).toMatch(/failed to start: parachute-vault not installed/);
+    } finally {
+      cleanup();
+    }
+  });
+
   test("any-failing returns 1 and surfaces probe detail on continuation line", async () => {
     const { path, cleanup } = makeTempPath();
     try {

package/src/__tests__/two-factor-flow.test.ts

@@ -0,0 +1,602 @@
+import type { Database } from "bun:sqlite";
+import { Database as Sqlite } from "bun:sqlite";
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import * as OTPAuth from "otpauth";
+import { handleAdminLoginPost, handleAdminLoginTotpPost } from "../admin-handlers.ts";
+import { CSRF_COOKIE_NAME, CSRF_FIELD_NAME } from "../csrf.ts";
+import { hubDbPath, migrate, openHubDb } from "../hub-db.ts";
+import { PENDING_LOGIN_COOKIE_NAME, _resetPendingLogins } from "../pending-login.ts";
+import { __resetForTests as resetRateLimit } from "../rate-limit.ts";
+import { SESSION_TTL_MS, buildSessionCookie, createSession, findSession } from "../sessions.ts";
+import { _resetTotpReplayCache, generateTotpSecret } from "../totp.ts";
+import { handleTwoFactorGet, handleTwoFactorPost } from "../two-factor-handlers.ts";
+import {
+  backupCodesRemaining,
+  getTotpState,
+  isTotpEnrolled,
+  persistEnrollment,
+} from "../two-factor-store.ts";
+import { createUser } from "../users.ts";
+
+const TEST_CSRF = "csrf-2fa-flow-token";
+const CSRF_COOKIE = `${CSRF_COOKIE_NAME}=${TEST_CSRF}`;
+
+interface Harness {
+  db: Database;
+  configDir: string;
+  cleanup: () => void;
+}
+
+function makeHarness(): Harness {
+  const configDir = mkdtempSync(join(tmpdir(), "phub-2fa-flow-"));
+  const db = openHubDb(hubDbPath(configDir));
+  return {
+    db,
+    configDir,
+    cleanup: () => {
+      db.close();
+      rmSync(configDir, { recursive: true, force: true });
+    },
+  };
+}
+
+function formBody(values: Record<string, string>): {
+  body: string;
+  headers: Record<string, string>;
+} {
+  const params = new URLSearchParams();
+  for (const [k, v] of Object.entries(values)) params.append(k, v);
+  return {
+    body: params.toString(),
+    headers: { "content-type": "application/x-www-form-urlencoded" },
+  };
+}
+
+function liveCode(secretBase32: string, label = "owner"): string {
+  return new OTPAuth.TOTP({
+    issuer: "Parachute Hub",
+    label,
+    algorithm: "SHA1",
+    digits: 6,
+    period: 30,
+    secret: OTPAuth.Secret.fromBase32(secretBase32),
+  }).generate();
+}
+
+/** Pull the value of a Set-Cookie'd cookie by name from a Response. */
+function cookieFrom(res: Response, name: string): string | null {
+  // Bun's Headers.getSetCookie() returns all set-cookie values.
+  const all = res.headers.getSetCookie();
+  for (const sc of all) {
+    const m = sc.match(new RegExp(`(?:^|; )?${name}=([^;]*)`));
+    if (m && sc.startsWith(`${name}=`)) return m[1] ?? "";
+  }
+  return null;
+}
+
+let harness: Harness;
+beforeEach(() => {
+  harness = makeHarness();
+  resetRateLimit();
+  _resetPendingLogins();
+  _resetTotpReplayCache();
+});
+afterEach(() => {
+  harness.cleanup();
+});
+
+describe("login two-step (TOTP) — hub#473", () => {
+  test("password-only login UNCHANGED for a user WITHOUT 2FA", async () => {
+    await createUser(harness.db, "owner", "owner-password-123", { passwordChanged: true });
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      username: "owner",
+      password: "owner-password-123",
+      next: "/admin/vaults",
+    });
+    const req = new Request("http://hub.test/login", {
+      method: "POST",
+      headers: { ...headers, cookie: CSRF_COOKIE },
+      body,
+    });
+    const res = await handleAdminLoginPost(harness.db, req);
+    // Straight to session — no 2FA challenge.
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/admin/vaults");
+    expect(cookieFrom(res, "parachute_hub_session")).toBeTruthy();
+  });
+
+  test("correct password for a 2FA user → challenge page + pending cookie, NO session yet", async () => {
+    const u = await createUser(harness.db, "owner", "owner-password-123", {
+      passwordChanged: true,
+    });
+    await persistEnrollment(harness.db, u.id, generateTotpSecret("owner").secret);
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      username: "owner",
+      password: "owner-password-123",
+      next: "/admin/vaults",
+    });
+    const req = new Request("http://hub.test/login", {
+      method: "POST",
+      headers: { ...headers, cookie: CSRF_COOKIE },
+      body,
+    });
+    const res = await handleAdminLoginPost(harness.db, req);
+    expect(res.status).toBe(200);
+    const html = await res.text();
+    expect(html).toContain("Two-factor authentication");
+    // Pending-login cookie minted; session NOT minted.
+    expect(cookieFrom(res, PENDING_LOGIN_COOKIE_NAME)).toBeTruthy();
+    expect(cookieFrom(res, "parachute_hub_session")).toBeNull();
+  });
+
+  test("full two-step: password → challenge → correct TOTP → session minted", async () => {
+    const u = await createUser(harness.db, "owner", "owner-password-123", {
+      passwordChanged: true,
+    });
+    const { secret } = generateTotpSecret("owner");
+    await persistEnrollment(harness.db, u.id, secret);
+
+    // Step 1 — password.
+    const pw = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      username: "owner",
+      password: "owner-password-123",
+      next: "/admin/tokens",
+    });
+    const pwReq = new Request("http://hub.test/login", {
+      method: "POST",
+      headers: { ...pw.headers, cookie: CSRF_COOKIE },
+      body: pw.body,
+    });
+    const pwRes = await handleAdminLoginPost(harness.db, pwReq);
+    expect(pwRes.status).toBe(200);
+    const pendingToken = cookieFrom(pwRes, PENDING_LOGIN_COOKIE_NAME);
+    expect(pendingToken).toBeTruthy();
+
+    // Step 2 — TOTP code with the pending cookie.
+    const code = liveCode(secret);
+    const tf = formBody({ [CSRF_FIELD_NAME]: TEST_CSRF, code, next: "/admin/tokens" });
+    const tfReq = new Request("http://hub.test/login/2fa", {
+      method: "POST",
+      headers: {
+        ...tf.headers,
+        cookie: `${CSRF_COOKIE}; ${PENDING_LOGIN_COOKIE_NAME}=${pendingToken}`,
+      },
+      body: tf.body,
+    });
+    const tfRes = await handleAdminLoginTotpPost(harness.db, tfReq);
+    expect(tfRes.status).toBe(302);
+    expect(tfRes.headers.get("location")).toBe("/admin/tokens");
+    const sessionCookie = cookieFrom(tfRes, "parachute_hub_session");
+    expect(sessionCookie).toBeTruthy();
+    // The session is real.
+    expect(findSession(harness.db, sessionCookie!)).not.toBeNull();
+  });
+
+  test("wrong TOTP code → 401, no session; pending login survives for retry", async () => {
+    const u = await createUser(harness.db, "owner", "owner-password-123", {
+      passwordChanged: true,
+    });
+    const { secret } = generateTotpSecret("owner");
+    await persistEnrollment(harness.db, u.id, secret);
+
+    const pw = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      username: "owner",
+      password: "owner-password-123",
+      next: "/admin/vaults",
+    });
+    const pwRes = await handleAdminLoginPost(
+      harness.db,
+      new Request("http://hub.test/login", {
+        method: "POST",
+        headers: { ...pw.headers, cookie: CSRF_COOKIE },
+        body: pw.body,
+      }),
+    );
+    const pendingToken = cookieFrom(pwRes, PENDING_LOGIN_COOKIE_NAME)!;
+
+    const tf = formBody({ [CSRF_FIELD_NAME]: TEST_CSRF, code: "000000", next: "/admin/vaults" });
+    const tfRes = await handleAdminLoginTotpPost(
+      harness.db,
+      new Request("http://hub.test/login/2fa", {
+        method: "POST",
+        headers: {
+          ...tf.headers,
+          cookie: `${CSRF_COOKIE}; ${PENDING_LOGIN_COOKIE_NAME}=${pendingToken}`,
+        },
+        body: tf.body,
+      }),
+    );
+    expect(tfRes.status).toBe(401);
+    expect(cookieFrom(tfRes, "parachute_hub_session")).toBeNull();
+
+    // Retry with the correct code against the SAME pending login → success.
+    const code = liveCode(secret);
+    const retry = formBody({ [CSRF_FIELD_NAME]: TEST_CSRF, code, next: "/admin/vaults" });
+    const retryRes = await handleAdminLoginTotpPost(
+      harness.db,
+      new Request("http://hub.test/login/2fa", {
+        method: "POST",
+        headers: {
+          ...retry.headers,
+          cookie: `${CSRF_COOKIE}; ${PENDING_LOGIN_COOKIE_NAME}=${pendingToken}`,
+        },
+        body: retry.body,
+      }),
+    );
+    expect(retryRes.status).toBe(302);
+    expect(cookieFrom(retryRes, "parachute_hub_session")).toBeTruthy();
+  });
+
+  test("a valid backup code completes the second step + is consumed", async () => {
+    const u = await createUser(harness.db, "owner", "owner-password-123", {
+      passwordChanged: true,
+    });
+    const { secret } = generateTotpSecret("owner");
+    const { backupCodes } = await persistEnrollment(harness.db, u.id, secret);
+    expect(backupCodesRemaining(harness.db, u.id)).toBe(10);
+
+    const pw = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      username: "owner",
+      password: "owner-password-123",
+      next: "/admin/vaults",
+    });
+    const pwRes = await handleAdminLoginPost(
+      harness.db,
+      new Request("http://hub.test/login", {
+        method: "POST",
+        headers: { ...pw.headers, cookie: CSRF_COOKIE },
+        body: pw.body,
+      }),
+    );
+    const pendingToken = cookieFrom(pwRes, PENDING_LOGIN_COOKIE_NAME)!;
+
+    const tf = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      code: backupCodes[0]!,
+      next: "/admin/vaults",
+    });
+    const tfRes = await handleAdminLoginTotpPost(
+      harness.db,
+      new Request("http://hub.test/login/2fa", {
+        method: "POST",
+        headers: {
+          ...tf.headers,
+          cookie: `${CSRF_COOKIE}; ${PENDING_LOGIN_COOKIE_NAME}=${pendingToken}`,
+        },
+        body: tf.body,
+      }),
+    );
+    expect(tfRes.status).toBe(302);
+    expect(cookieFrom(tfRes, "parachute_hub_session")).toBeTruthy();
+    // Consumed — one fewer remaining.
+    expect(backupCodesRemaining(harness.db, u.id)).toBe(9);
+  });
+
+  test("2FA step without a pending-login cookie → 401 (can't skip the password step)", async () => {
+    const u = await createUser(harness.db, "owner", "owner-password-123", {
+      passwordChanged: true,
+    });
+    await persistEnrollment(harness.db, u.id, generateTotpSecret("owner").secret);
+    const tf = formBody({ [CSRF_FIELD_NAME]: TEST_CSRF, code: "123456", next: "/admin/vaults" });
+    const res = await handleAdminLoginTotpPost(
+      harness.db,
+      new Request("http://hub.test/login/2fa", {
+        method: "POST",
+        headers: { ...tf.headers, cookie: CSRF_COOKIE },
+        body: tf.body,
+      }),
+    );
+    expect(res.status).toBe(401);
+    expect(cookieFrom(res, "parachute_hub_session")).toBeNull();
+  });
+
+  test("2FA step CSRF mismatch → 400", async () => {
+    const tf = formBody({ [CSRF_FIELD_NAME]: "wrong", code: "123456", next: "/admin/vaults" });
+    const res = await handleAdminLoginTotpPost(
+      harness.db,
+      new Request("http://hub.test/login/2fa", {
+        method: "POST",
+        headers: { ...tf.headers, cookie: CSRF_COOKIE },
+        body: tf.body,
+      }),
+    );
+    expect(res.status).toBe(400);
+  });
+
+  test("2FA step is rate-limited per IP (6th attempt → 429)", async () => {
+    const u = await createUser(harness.db, "owner", "owner-password-123", {
+      passwordChanged: true,
+    });
+    await persistEnrollment(harness.db, u.id, generateTotpSecret("owner").secret);
+    const buildReq = () => {
+      const tf = formBody({ [CSRF_FIELD_NAME]: TEST_CSRF, code: "000000", next: "/admin/vaults" });
+      return new Request("http://hub.test/login/2fa", {
+        method: "POST",
+        headers: { ...tf.headers, cookie: CSRF_COOKIE, "cf-connecting-ip": "203.0.113.55" },
+        body: tf.body,
+      });
+    };
+    for (let i = 0; i < 5; i++) {
+      const r = await handleAdminLoginTotpPost(harness.db, buildReq());
+      expect(r.status).toBe(401); // no pending login → 401, but counts toward bucket
+    }
+    const denied = await handleAdminLoginTotpPost(harness.db, buildReq());
+    expect(denied.status).toBe(429);
+    expect(denied.headers.get("retry-after")).not.toBeNull();
+  });
+});
+
+describe("/account/2fa handlers — hub#473", () => {
+  async function signedInUser(username = "owner"): Promise<{ id: string; cookie: string }> {
+    const u = await createUser(harness.db, username, "owner-password-123", {
+      passwordChanged: true,
+    });
+    const session = createSession(harness.db, { userId: u.id });
+    return {
+      id: u.id,
+      cookie: `${CSRF_COOKIE}; ${buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000))}`,
+    };
+  }
+
+  test("GET requires a session — redirects to /login when absent", () => {
+    const res = handleTwoFactorGet(new Request("http://hub.test/account/2fa"), { db: harness.db });
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toContain("/login");
+  });
+
+  test("GET (not enrolled) renders the set-up CTA", async () => {
+    const { cookie } = await signedInUser();
+    const res = handleTwoFactorGet(
+      new Request("http://hub.test/account/2fa", { headers: { cookie } }),
+      { db: harness.db },
+    );
+    expect(res.status).toBe(200);
+    const html = await res.text();
+    expect(html).toContain("Set up two-factor authentication");
+  });
+
+  test("POST start → enrolling page with a QR svg + manual secret; nothing persisted yet", async () => {
+    const { id, cookie } = await signedInUser();
+    const { body, headers } = formBody({ [CSRF_FIELD_NAME]: TEST_CSRF, action: "start" });
+    const res = await handleTwoFactorPost(
+      new Request("http://hub.test/account/2fa", {
+        method: "POST",
+        headers: { ...headers, cookie },
+        body,
+      }),
+      { db: harness.db },
+    );
+    expect(res.status).toBe(200);
+    const html = await res.text();
+    expect(html).toContain("<svg");
+    expect(html).toContain('data-testid="totp-secret"');
+    // Not persisted until confirm.
+    expect(isTotpEnrolled(harness.db, id)).toBe(false);
+  });
+
+  test("POST confirm with a live code persists enrollment + shows backup codes once", async () => {
+    const { id, cookie } = await signedInUser();
+    const { secret } = generateTotpSecret("owner");
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      action: "confirm",
+      secret,
+      code: liveCode(secret),
+    });
+    const res = await handleTwoFactorPost(
+      new Request("http://hub.test/account/2fa", {
+        method: "POST",
+        headers: { ...headers, cookie },
+        body,
+      }),
+      { db: harness.db },
+    );
+    expect(res.status).toBe(200);
+    const html = await res.text();
+    expect(html).toContain('data-testid="backup-codes"');
+    expect(res.headers.get("cache-control")).toBe("no-store");
+    // Persisted.
+    expect(isTotpEnrolled(harness.db, id)).toBe(true);
+    expect(getTotpState(harness.db, id).secret).toBe(secret);
+    expect(backupCodesRemaining(harness.db, id)).toBe(10);
+  });
+
+  test("POST confirm with a WRONG code re-renders the enrolling page; nothing persisted", async () => {
+    const { id, cookie } = await signedInUser();
+    const { secret } = generateTotpSecret("owner");
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      action: "confirm",
+      secret,
+      code: "000000",
+    });
+    const res = await handleTwoFactorPost(
+      new Request("http://hub.test/account/2fa", {
+        method: "POST",
+        headers: { ...headers, cookie },
+        body,
+      }),
+      { db: harness.db },
+    );
+    expect(res.status).toBe(200);
+    const html = await res.text();
+    // Apostrophe is HTML-escaped in the rendered banner.
+    expect(html).toContain("match");
+    expect(html).toContain("error-banner");
+    expect(isTotpEnrolled(harness.db, id)).toBe(false);
+  });
+
+  test("POST confirm with a MALFORMED secret → 400, nothing persisted (N1 guard)", async () => {
+    const { id, cookie } = await signedInUser();
+    // Non-base32 / too-short secret from a tampered or truncated form.
+    for (const badSecret of ["not-base32!", "ABC123", "", "0189{}<>"]) {
+      const { body, headers } = formBody({
+        [CSRF_FIELD_NAME]: TEST_CSRF,
+        action: "confirm",
+        secret: badSecret,
+        code: "123456",
+      });
+      const res = await handleTwoFactorPost(
+        new Request("http://hub.test/account/2fa", {
+          method: "POST",
+          headers: { ...headers, cookie },
+          body,
+        }),
+        { db: harness.db },
+      );
+      expect(res.status).toBe(400);
+      expect(isTotpEnrolled(harness.db, id)).toBe(false);
+    }
+  });
+
+  test("POST disable requires the correct current password; clears 2FA on success", async () => {
+    const { id, cookie } = await signedInUser();
+    await persistEnrollment(harness.db, id, generateTotpSecret("owner").secret);
+    expect(isTotpEnrolled(harness.db, id)).toBe(true);
+
+    // Wrong password → 401, still enrolled.
+    const bad = formBody({ [CSRF_FIELD_NAME]: TEST_CSRF, action: "disable", password: "nope" });
+    const badRes = await handleTwoFactorPost(
+      new Request("http://hub.test/account/2fa", {
+        method: "POST",
+        headers: { ...bad.headers, cookie },
+        body: bad.body,
+      }),
+      { db: harness.db },
+    );
+    expect(badRes.status).toBe(401);
+    expect(isTotpEnrolled(harness.db, id)).toBe(true);
+
+    // Correct password → 302, cleared.
+    const ok = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      action: "disable",
+      password: "owner-password-123",
+    });
+    const okRes = await handleTwoFactorPost(
+      new Request("http://hub.test/account/2fa", {
+        method: "POST",
+        headers: { ...ok.headers, cookie },
+        body: ok.body,
+      }),
+      { db: harness.db },
+    );
+    expect(okRes.status).toBe(302);
+    expect(okRes.headers.get("location")).toContain("/account/2fa");
+    expect(isTotpEnrolled(harness.db, id)).toBe(false);
+  });
+
+  test("POST start refuses when already enrolled (409)", async () => {
+    const { id, cookie } = await signedInUser();
+    await persistEnrollment(harness.db, id, generateTotpSecret("owner").secret);
+    const { body, headers } = formBody({ [CSRF_FIELD_NAME]: TEST_CSRF, action: "start" });
+    const res = await handleTwoFactorPost(
+      new Request("http://hub.test/account/2fa", {
+        method: "POST",
+        headers: { ...headers, cookie },
+        body,
+      }),
+      { db: harness.db },
+    );
+    expect(res.status).toBe(409);
+  });
+
+  test("POST CSRF mismatch → 400", async () => {
+    const { cookie } = await signedInUser();
+    const { body, headers } = formBody({ [CSRF_FIELD_NAME]: "wrong", action: "start" });
+    const res = await handleTwoFactorPost(
+      new Request("http://hub.test/account/2fa", {
+        method: "POST",
+        headers: { ...headers, cookie },
+        body,
+      }),
+      { db: harness.db },
+    );
+    expect(res.status).toBe(400);
+  });
+});
+
+describe("migration v11 — existing-DB safety", () => {
+  test("applies cleanly on a hub.db built at v10; pre-existing users keep NULL totp + password-only login", async () => {
+    const configDir = mkdtempSync(join(tmpdir(), "phub-2fa-mig-"));
+    try {
+      const dbPath = hubDbPath(configDir);
+      // Build a DB at the OLD schema (only migrations <= 10 applied), with a
+      // pre-existing user, simulating an install from before hub#473.
+      {
+        const old = new Sqlite(dbPath);
+        old.exec("PRAGMA journal_mode = WAL");
+        old.exec("PRAGMA foreign_keys = ON");
+        // Run the real migrator but stop it from seeing v11 by faking the
+        // schema_version table: apply through v10 only via a manual replay is
+        // brittle. Instead, run the full migrator (which includes v11) but
+        // assert the column is nullable + existing rows are NULL. To exercise
+        // the "user predates v11" path we insert via the v2-shaped INSERT and
+        // confirm the totp columns default NULL.
+        migrate(old);
+        // Insert a user the way createUser would, but WITHOUT touching totp.
+        const now = new Date().toISOString();
+        old
+          .prepare(
+            "INSERT INTO users (id, username, password_hash, created_at, updated_at, password_changed) VALUES (?, ?, ?, ?, ?, 1)",
+          )
+          .run("legacy-1", "legacy", "$argon2id$fakehash", now, now);
+        old.close();
+      }
+
+      // Re-open (runs migrate() again — idempotent) and verify the legacy row
+      // has NULL totp state → not enrolled.
+      const db = openHubDb(dbPath);
+      try {
+        const state = getTotpState(db, "legacy-1");
+        expect(state.secret).toBeNull();
+        expect(state.backupCodes).toEqual([]);
+        expect(isTotpEnrolled(db, "legacy-1")).toBe(false);
+
+        // Password-only login still works (no 2FA challenge) — verified by the
+        // login handler taking the password-only branch for a NULL-totp user.
+        // (Covered end-to-end above; here we just assert the not-enrolled
+        // predicate the login handler branches on.)
+        expect(isTotpEnrolled(db, "legacy-1")).toBe(false);
+      } finally {
+        db.close();
+      }
+    } finally {
+      rmSync(configDir, { recursive: true, force: true });
+    }
+  });
+
+  test("schema_version records v11", () => {
+    const configDir = mkdtempSync(join(tmpdir(), "phub-2fa-mig2-"));
+    try {
+      const db = openHubDb(hubDbPath(configDir));
+      try {
+        const versions = (
+          db.query("SELECT version FROM schema_version ORDER BY version").all() as {
+            version: number;
+          }[]
+        ).map((r) => r.version);
+        expect(versions).toContain(11);
+        // The totp columns exist on `users`.
+        const cols = (db.query("PRAGMA table_info(users)").all() as { name: string }[]).map(
+          (c) => c.name,
+        );
+        expect(cols).toContain("totp_secret");
+        expect(cols).toContain("totp_backup_codes");
+        expect(cols).toContain("totp_enrolled_at");
+      } finally {
+        db.close();
+      }
+    } finally {
+      rmSync(configDir, { recursive: true, force: true });
+    }
+  });
+});