npm - @tstdl/base - Versions diffs - 0.93.178 → 0.93.180 - Mend

@tstdl/base 0.93.178 → 0.93.180

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (207) hide show

package/authentication/tests/remember.api.test.js CHANGED Viewed

@@ -19,8 +19,10 @@ describe('AuthenticationApiController Remember Functionality', () => {
     const tenantId = crypto.randomUUID();
     beforeAll(async () => {
         ({ injector, database } = await setupIntegrationTest({
-            modules: { authentication: true, audit: true, keyValueStore: true },
-            authenticationAncillaryService: DefaultAuthenticationAncillaryService,
+            modules: { authentication: true, audit: true, keyValueStore: true, signals: true, api: true },
+            authentication: {
+                ancillaryService: DefaultAuthenticationAncillaryService,
+            },
         }));
         authenticationService = await injector.resolveAsync(AuthenticationService);
         subjectService = await injector.resolveAsync(SubjectService);
@@ -31,13 +33,14 @@ describe('AuthenticationApiController Remember Functionality', () => {
         await injector?.dispose();
     });
     beforeEach(async () => {
-        await clearTenantData(database, schema, ['credentials', 'session', 'user', 'service_account', 'system_account', 'subject'], tenantId);
+        await clearTenantData(database, schema, ['used_totp_tokens', 'totp_recovery_code', 'totp', 'password', 'session', 'user', 'service_account', 'system_account', 'subject'], tenantId);
     });
     test('login with remember: true should have Expires in cookies', async () => {
         const user = await subjectService.createUser({ tenantId, email: 'api-rem@example.com', firstName: 'A', lastName: 'L' });
-        await authenticationService.setCredentials(user, 'Pass-R3m3mb3r-2026!');
+        await authenticationService.setPassword(user, 'Pass-R3m3mb3r-2026!');
         const context = {
-            parameters: { tenantId, subject: user.id, secret: 'Pass-R3m3mb3r-2026!', remember: true, data: undefined },
+            request: { ip: '127.0.0.1' },
+            parameters: { tenantId, subject: user.id, password: 'Pass-R3m3mb3r-2026!', remember: true, data: undefined },
             getAuditor: async () => auditor,
         };
         const response = await controller.login(context);
@@ -50,9 +53,10 @@ describe('AuthenticationApiController Remember Functionality', () => {
     });
     test('login with remember: false should NOT have Expires in cookies', async () => {
         const user = await subjectService.createUser({ tenantId, email: 'api-no-rem@example.com', firstName: 'A', lastName: 'L' });
-        await authenticationService.setCredentials(user, 'Pass-R3m3mb3r-2026!');
+        await authenticationService.setPassword(user, 'Pass-R3m3mb3r-2026!');
         const context = {
-            parameters: { tenantId, subject: user.id, secret: 'Pass-R3m3mb3r-2026!', remember: false, data: undefined },
+            request: { ip: '127.0.0.1' },
+            parameters: { tenantId, subject: user.id, password: 'Pass-R3m3mb3r-2026!', remember: false, data: undefined },
             getAuditor: async () => auditor,
         };
         const response = await controller.login(context);
@@ -64,18 +68,20 @@ describe('AuthenticationApiController Remember Functionality', () => {
     });
     test('refresh should propagate remember status to cookies', async () => {
         const user = await subjectService.createUser({ tenantId, email: 'api-refresh-rem@example.com', firstName: 'A', lastName: 'L' });
-        await authenticationService.setCredentials(user, 'Pass-R3m3mb3r-2026!');
+        await authenticationService.setPassword(user, 'Pass-R3m3mb3r-2026!');
         // 1. Login with remember: true
         const loginResult = await authenticationService.login({ tenantId, subject: user.id }, 'Pass-R3m3mb3r-2026!', undefined, auditor, true);
+        expect(loginResult.type).toBe('success');
         // 2. Refresh
         const context = {
             request: {
+                ip: '127.0.0.1',
                 headers: new HttpHeaders({
-                    'X-Refresh-Token': `Bearer ${loginResult.refreshToken}`
+                    'X-Refresh-Token': `Bearer ${loginResult.result.refreshToken}`,
                 }),
                 cookies: {
-                    tryGet: () => undefined
-                }
+                    tryGet: () => undefined,
+                },
             },
             parameters: { data: undefined },
             getAuditor: async () => auditor,
@@ -87,15 +93,17 @@ describe('AuthenticationApiController Remember Functionality', () => {
         }
         // 3. Login with remember: false
         const loginResultNoRem = await authenticationService.login({ tenantId, subject: user.id }, 'Pass-R3m3mb3r-2026!', undefined, auditor, false);
+        expect(loginResultNoRem.type).toBe('success');
         // 4. Refresh
         const contextNoRem = {
             request: {
+                ip: '127.0.0.1',
                 headers: new HttpHeaders({
-                    'X-Refresh-Token': `Bearer ${loginResultNoRem.refreshToken}`
+                    'X-Refresh-Token': `Bearer ${loginResultNoRem.result.refreshToken}`,
                 }),
                 cookies: {
-                    tryGet: () => undefined
-                }
+                    tryGet: () => undefined,
+                },
             },
             parameters: { data: undefined },
             getAuditor: async () => auditor,

package/authentication/tests/remember.service.test.js CHANGED Viewed

@@ -2,7 +2,6 @@ import { afterAll, beforeAll, beforeEach, describe, expect, test } from 'vitest'
 import { Auditor } from '../../audit/index.js';
 import { clearTenantData, setupIntegrationTest } from '../../testing/index.js';
 import { AuthenticationService } from '../server/authentication.service.js';
-import { getRefreshTokenFromString } from '../server/helper.js';
 import { SubjectService } from '../server/subject.service.js';
 import { DefaultAuthenticationAncillaryService } from './authentication.test-ancillary-service.js';
 describe('AuthenticationService Remember Functionality', () => {
@@ -16,7 +15,9 @@ describe('AuthenticationService Remember Functionality', () => {
     beforeAll(async () => {
         ({ injector, database } = await setupIntegrationTest({
             modules: { authentication: true },
-            authenticationAncillaryService: DefaultAuthenticationAncillaryService,
+            authentication: {
+                ancillaryService: DefaultAuthenticationAncillaryService,
+            },
         }));
         authenticationService = await injector.resolveAsync(AuthenticationService);
         subjectService = await injector.resolveAsync(SubjectService);
@@ -26,7 +27,7 @@ describe('AuthenticationService Remember Functionality', () => {
         await injector?.dispose();
     });
     beforeEach(async () => {
-        await clearTenantData(database, schema, ['credentials', 'session', 'user', 'service_account', 'system_account', 'subject'], tenantId);
+        await clearTenantData(database, schema, ['password', 'session', 'user', 'service_account', 'system_account', 'subject'], tenantId);
     });
     test('RefreshToken should contain remember flag', async () => {
         const user = await subjectService.createUser({
@@ -36,7 +37,7 @@ describe('AuthenticationService Remember Functionality', () => {
             lastName: 'Ember',
         });
         const tokenResult = await authenticationService.getToken(user, undefined, { remember: true });
-        const refreshToken = await getRefreshTokenFromString(tokenResult.refreshToken, authenticationService.derivedRefreshTokenSigningSecret);
+        const refreshToken = await authenticationService.validateRefreshToken(tokenResult.refreshToken);
         expect(refreshToken.payload).toHaveProperty('remember', true);
         expect(tokenResult.remember).toBe(true);
     });
@@ -44,33 +45,39 @@ describe('AuthenticationService Remember Functionality', () => {
         const user = await subjectService.createUser({ tenantId, email: 'ttl@example.com', firstName: 'T', lastName: 'L' });
         const normalResult = await authenticationService.getToken(user, undefined, { remember: false });
         const rememberResult = await authenticationService.getToken(user, undefined, { remember: true });
-        const normalToken = await getRefreshTokenFromString(normalResult.refreshToken, authenticationService.derivedRefreshTokenSigningSecret);
-        const rememberToken = await getRefreshTokenFromString(rememberResult.refreshToken, authenticationService.derivedRefreshTokenSigningSecret);
+        const normalToken = await authenticationService.validateRefreshToken(normalResult.refreshToken);
+        const rememberToken = await authenticationService.validateRefreshToken(rememberResult.refreshToken);
         expect(rememberToken.payload.exp).toBeGreaterThan(normalToken.payload.exp);
     });
     test('login should pass remember flag to getToken', async () => {
         const user = await subjectService.createUser({ tenantId, email: 'login-rem@example.com', firstName: 'L', lastName: 'R' });
-        await authenticationService.setCredentials(user, 'Strong-Password-2026!');
+        await authenticationService.setPassword(user, 'Strong-Password-2026!');
         const result = await authenticationService.login({ tenantId, subject: user.id }, 'Strong-Password-2026!', undefined, auditor, true);
-        expect(result.remember).toBe(true);
-        const refreshToken = await getRefreshTokenFromString(result.refreshToken, authenticationService.derivedRefreshTokenSigningSecret);
+        expect(result.type).toBe('success');
+        const tokenResult = result.result;
+        expect(tokenResult.remember).toBe(true);
+        const refreshToken = await authenticationService.validateRefreshToken(tokenResult.refreshToken);
         expect(refreshToken.payload.remember).toBe(true);
     });
     test('refresh should propagate remember flag', async () => {
         const user = await subjectService.createUser({ tenantId, email: 'refresh-rem@example.com', firstName: 'R', lastName: 'R' });
-        await authenticationService.setCredentials(user, 'Strong-Password-2026!');
+        await authenticationService.setPassword(user, 'Strong-Password-2026!');
         const loginResult = await authenticationService.login({ tenantId, subject: user.id }, 'Strong-Password-2026!', undefined, auditor, true);
-        expect(loginResult.remember).toBe(true);
-        const refreshResult = await authenticationService.refresh(loginResult.refreshToken, undefined, {}, auditor);
+        expect(loginResult.type).toBe('success');
+        const loginSuccessResult = loginResult.result;
+        expect(loginSuccessResult.remember).toBe(true);
+        const refreshResult = await authenticationService.refresh(loginSuccessResult.refreshToken, undefined, {}, auditor);
         expect(refreshResult.remember).toBe(true);
-        const newRefreshToken = await getRefreshTokenFromString(refreshResult.refreshToken, authenticationService.derivedRefreshTokenSigningSecret);
+        const newRefreshToken = await authenticationService.validateRefreshToken(refreshResult.refreshToken);
         expect(newRefreshToken.payload.remember).toBe(true);
         // Verify it also works when not remembered
         const loginResultNoRem = await authenticationService.login({ tenantId, subject: user.id }, 'Strong-Password-2026!', undefined, auditor, false);
-        expect(loginResultNoRem.remember).toBe(false);
-        const refreshResultNoRem = await authenticationService.refresh(loginResultNoRem.refreshToken, undefined, {}, auditor);
+        expect(loginResultNoRem.type).toBe('success');
+        const loginSuccessResultNoRem = loginResultNoRem.result;
+        expect(loginSuccessResultNoRem.remember).toBe(false);
+        const refreshResultNoRem = await authenticationService.refresh(loginSuccessResultNoRem.refreshToken, undefined, {}, auditor);
         expect(refreshResultNoRem.remember).toBe(false);
-        const newRefreshTokenNoRem = await getRefreshTokenFromString(refreshResultNoRem.refreshToken, authenticationService.derivedRefreshTokenSigningSecret);
+        const newRefreshTokenNoRem = await authenticationService.validateRefreshToken(refreshResultNoRem.refreshToken);
         expect(newRefreshTokenNoRem.payload.remember).toBe(false);
     });
 });

package/authentication/tests/subject.service.test.js CHANGED Viewed

@@ -92,11 +92,11 @@ describe('SubjectService', () => {
     test('updateUser should update user details', async () => {
         await runInInjectionContext(injector, async () => {
             const user = await subjectService.createUser({ tenantId, email: 'update@example.com', firstName: 'Old', lastName: 'Name' });
-            await subjectService.updateUser(tenantId, user.id, { firstName: 'New', status: SubjectStatus.Inactive });
+            await subjectService.updateUser(tenantId, user.id, { firstName: 'New', status: SubjectStatus.Suspended });
             const updated = await subjectService.getUser(tenantId, user.id);
             expect(updated.firstName).toBe('New');
             expect(updated.lastName).toBe('Name');
-            expect(updated.status).toBe(SubjectStatus.Inactive);
+            expect(updated.status).toBe(SubjectStatus.Suspended);
         });
     });
     test('updateUserEmail should update user email', async () => {

package/authentication/tests/suspended-subject.test.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/authentication/tests/suspended-subject.test.js ADDED Viewed

@@ -0,0 +1,120 @@
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from 'vitest';
+import { ActorType, Auditor } from '../../audit/index.js';
+import { clearTenantData, setupIntegrationTest } from '../../testing/index.js';
+import { SubjectStatus } from '../models/index.js';
+import { AuthenticationAncillaryService } from '../server/authentication-ancillary.service.js';
+import { AuthenticationService } from '../server/authentication.service.js';
+import { SubjectService } from '../server/subject.service.js';
+import { DefaultAuthenticationAncillaryService } from './authentication.test-ancillary-service.js';
+describe('Suspended Subject Authentication', () => {
+    let injector;
+    let database;
+    let authenticationService;
+    let subjectService;
+    let auditor;
+    const schema = 'authentication';
+    const tenantId = crypto.randomUUID();
+    beforeAll(async () => {
+        ({ injector, database } = await setupIntegrationTest({
+            modules: { authentication: true },
+            authentication: {
+                ancillaryService: DefaultAuthenticationAncillaryService,
+            },
+        }));
+        authenticationService = await injector.resolveAsync(AuthenticationService);
+        subjectService = await injector.resolveAsync(SubjectService);
+        auditor = injector.resolve(Auditor);
+    });
+    afterAll(async () => {
+        await injector?.dispose();
+    });
+    beforeEach(async () => {
+        await clearTenantData(database, schema, ['totp_recovery_code', 'totp', 'password', 'session', 'user', 'service_account', 'system_account', 'subject'], tenantId);
+    });
+    test('login should FAIL for suspended user', async () => {
+        const user = await subjectService.createUser({
+            tenantId,
+            email: 'suspended@example.com',
+            firstName: 'Suspended',
+            lastName: 'User',
+            status: SubjectStatus.Suspended,
+        });
+        await authenticationService.setPassword(user, 'Strong-Password-2026!');
+        const loginPromise = authenticationService.login({ tenantId, subject: user.id }, 'Strong-Password-2026!', undefined, auditor.with({ actor: user.id, actorType: ActorType.Subject }));
+        await expect(loginPromise).rejects.toThrow('Invalid credentials.');
+    });
+    test('refresh should FAIL for suspended user', async () => {
+        const user = await subjectService.createUser({
+            tenantId,
+            email: 'suspended-refresh@example.com',
+            firstName: 'Suspended',
+            lastName: 'Refresh',
+            status: SubjectStatus.Active, // Start active to get a token
+        });
+        await authenticationService.setPassword(user, 'Strong-Password-2026!');
+        const userAuditor = auditor.with({ actor: user.id, actorType: ActorType.Subject });
+        const loginResult = await authenticationService.login({ tenantId, subject: user.id }, 'Strong-Password-2026!', undefined, userAuditor);
+        expect(loginResult.type).toBe('success');
+        // Now suspend the user
+        await subjectService.updateUser(tenantId, user.id, { status: SubjectStatus.Suspended });
+        const refreshPromise = authenticationService.refresh(loginResult.result.refreshToken, undefined, {}, userAuditor);
+        await expect(refreshPromise).rejects.toThrow('Subject is suspended.');
+    });
+    test('impersonate should FAIL if target is suspended', async () => {
+        const admin = await subjectService.createUser({ tenantId, email: 'admin@example.com', firstName: 'A', lastName: 'D' });
+        const user = await subjectService.createUser({
+            tenantId,
+            email: 'suspended-target@example.com',
+            firstName: 'S',
+            lastName: 'T',
+            status: SubjectStatus.Suspended,
+        });
+        const adminAuditor = auditor.with({ actor: admin.id, actorType: ActorType.Subject });
+        const adminToken = await authenticationService.getToken(admin, undefined);
+        const impersonatePromise = authenticationService.impersonate(adminToken.token, adminToken.refreshToken, user.id, undefined, adminAuditor);
+        await expect(impersonatePromise).rejects.toThrow('Subject is suspended.');
+    });
+    test('changePassword should FAIL for suspended user', async () => {
+        const user = await subjectService.createUser({
+            tenantId,
+            email: 'suspended-change@example.com',
+            firstName: 'S',
+            lastName: 'C',
+            status: SubjectStatus.Suspended,
+        });
+        await authenticationService.setPassword(user, 'Old-Password-2026!');
+        const userAuditor = auditor.with({ actor: user.id, actorType: ActorType.Subject });
+        const changePasswordPromise = authenticationService.changePassword({ tenantId, subject: user.id }, 'Old-Password-2026!', 'New-Password-2026!', userAuditor);
+        await expect(changePasswordPromise).rejects.toThrow('Invalid credentials.');
+    });
+    test('resetPassword should FAIL for suspended user', async () => {
+        const user = await subjectService.createUser({
+            tenantId,
+            email: 'suspended-reset@example.com',
+            firstName: 'S',
+            lastName: 'R',
+            status: SubjectStatus.Active,
+        });
+        const userAuditor = auditor.with({ actor: user.id, actorType: ActorType.Subject });
+        // @ts-ignore - access private for test or use public init
+        const passwordResetToken = await authenticationService.createPasswordResetToken(user, Date.now() + 100000);
+        // Suspend after token issue
+        await subjectService.updateUser(tenantId, user.id, { status: SubjectStatus.Suspended });
+        const resetPasswordPromise = authenticationService.resetPassword(passwordResetToken.token, 'New-Password-Reset-2026!', userAuditor);
+        await expect(resetPasswordPromise).rejects.toThrow('Subject is suspended.');
+    });
+    test('initPasswordReset should SILENTLY IGNORE suspended user', async () => {
+        const user = await subjectService.createUser({
+            tenantId,
+            email: 'suspended-init-reset@example.com',
+            firstName: 'S',
+            lastName: 'IR',
+            status: SubjectStatus.Suspended,
+        });
+        const userAuditor = auditor.with({ actor: user.id, actorType: ActorType.Subject });
+        const ancillaryService = await injector.resolveAsync(AuthenticationAncillaryService);
+        ancillaryService.lastResetData = undefined;
+        await authenticationService.initPasswordReset({ tenantId, subject: user.id }, undefined, userAuditor);
+        expect(ancillaryService.lastResetData).toBeUndefined();
+    });
+});

package/authentication/tests/totp.enrollment.test.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/authentication/tests/totp.enrollment.test.js ADDED Viewed

@@ -0,0 +1,123 @@
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from 'vitest';
+import { ActorType, Auditor } from '../../audit/index.js';
+import { importHmacKey, importKey } from '../../cryptography/index.js';
+import { generateTotpToken } from '../../cryptography/totp.js';
+import { clearTenantData, setupIntegrationTest } from '../../testing/index.js';
+import { currentTimestampSeconds } from '../../utils/date-time.js';
+import { TotpStatus } from '../models/authentication-totp.model.js';
+import { AuthenticationService } from '../server/authentication.service.js';
+import { SubjectService } from '../server/subject.service.js';
+import { DefaultAuthenticationAncillaryService } from './authentication.test-ancillary-service.js';
+describe('TOTP Enrollment', () => {
+    let injector;
+    let database;
+    let authenticationService;
+    let subjectService;
+    let auditor;
+    const schema = 'authentication';
+    const tenantId = crypto.randomUUID();
+    beforeAll(async () => {
+        ({ injector, database } = await setupIntegrationTest({
+            modules: { authentication: true },
+            authentication: {
+                ancillaryService: DefaultAuthenticationAncillaryService,
+            },
+        }));
+        authenticationService = await injector.resolveAsync(AuthenticationService);
+        subjectService = await injector.resolveAsync(SubjectService);
+        auditor = injector.resolve(Auditor);
+    });
+    afterAll(async () => {
+        await injector?.dispose();
+    });
+    beforeEach(async () => {
+        await clearTenantData(database, schema, ['used_totp_tokens', 'totp_recovery_code', 'totp', 'password', 'session', 'user', 'service_account', 'system_account', 'subject'], tenantId);
+    });
+    test('initEnrollTotp should initiate enrollment', async () => {
+        const user = await subjectService.createUser({
+            tenantId,
+            email: 'totp-test@example.com',
+            firstName: 'Totp',
+            lastName: 'User',
+        });
+        const userAuditor = auditor.with({ actor: user.id, actorType: ActorType.Subject });
+        const result = await authenticationService.initEnrollTotp(tenantId, user.id, userAuditor);
+        expect(result.secret).toBeDefined();
+        expect(result.uri).toContain('otpauth://totp/');
+        expect(result.uri).toContain('secret=' + result.secret);
+        const totpEntry = await authenticationService.tryGetTotp(tenantId, user.id);
+        expect(totpEntry).toBeDefined();
+        expect(totpEntry.status).toBe(TotpStatus.Pending);
+    });
+    test('completeEnrollTotp should activate TOTP after verification', async () => {
+        const user = await subjectService.createUser({
+            tenantId,
+            email: 'totp-test-complete@example.com',
+            firstName: 'Totp',
+            lastName: 'Complete',
+        });
+        const userAuditor = auditor.with({ actor: user.id, actorType: ActorType.Subject });
+        const { secret } = await authenticationService.initEnrollTotp(tenantId, user.id, userAuditor);
+        // We need to convert base32 secret back to Uint8Array for generateTotpToken if it's base32
+        // But the utility probably expects Uint8Array or we use the utility's own secret generation
+        // Actually initEnrollTotp returns base32 secret for the user to enter in app.
+        // For testing, let's assume we can get the raw secret from the DB or similar.
+        const totpEntry = await authenticationService.tryGetTotp(tenantId, user.id);
+        const secretKey = await importKey('raw-secret', totpEntry.secret, { name: 'HMAC', hash: authenticationService.getTotpOptions().codeHashAlgorithm }, false, ['sign']);
+        const token = await generateTotpToken(secretKey, authenticationService.getTotpOptions());
+        const completeResult = await authenticationService.completeEnrollTotp(tenantId, user.id, token, userAuditor);
+        expect(completeResult.recoveryCodes).toHaveLength(10);
+        const activeTotpEntry = await authenticationService.tryGetTotp(tenantId, user.id);
+        expect(activeTotpEntry.status).toBe(TotpStatus.Active);
+    });
+    test('disableTotp should deactivate TOTP', async () => {
+        const user = await subjectService.createUser({
+            tenantId,
+            email: 'totp-test-disable@example.com',
+            firstName: 'Totp',
+            lastName: 'Disable',
+        });
+        const userAuditor = auditor.with({ actor: user.id, actorType: ActorType.Subject });
+        await authenticationService.initEnrollTotp(tenantId, user.id, userAuditor);
+        const totpEntry = await authenticationService.tryGetTotp(tenantId, user.id);
+        const secretKey = await importKey('raw-secret', totpEntry.secret, { name: 'HMAC', hash: authenticationService.getTotpOptions().codeHashAlgorithm }, false, ['sign']);
+        const token = await generateTotpToken(secretKey, { ...authenticationService.getTotpOptions(), timestamp: currentTimestampSeconds() - 30 });
+        await authenticationService.completeEnrollTotp(tenantId, user.id, token, userAuditor);
+        const token2 = await generateTotpToken(secretKey, authenticationService.getTotpOptions());
+        await authenticationService.disableTotp(tenantId, user.id, token2, userAuditor);
+        const disabledTotpEntry = await authenticationService.tryGetTotp(tenantId, user.id);
+        expect(disabledTotpEntry).toBeUndefined();
+    });
+    test('disableTotp should fail with recovery code (decoupled)', async () => {
+        const user = await subjectService.createUser({
+            tenantId,
+            email: 'totp-test-disable-fail@example.com',
+            firstName: 'Totp',
+            lastName: 'DisableFail',
+        });
+        const userAuditor = auditor.with({ actor: user.id, actorType: ActorType.Subject });
+        await authenticationService.initEnrollTotp(tenantId, user.id, userAuditor);
+        const totpEntry = (await authenticationService.tryGetTotp(tenantId, user.id));
+        const secretKey = await importHmacKey('raw-secret', authenticationService.getTotpOptions().codeHashAlgorithm, totpEntry.secret, false);
+        const token = await generateTotpToken(secretKey, { ...authenticationService.getTotpOptions(), timestamp: currentTimestampSeconds() - 30 });
+        const { recoveryCodes } = await authenticationService.completeEnrollTotp(tenantId, user.id, token, userAuditor);
+        await expect(authenticationService.disableTotp(tenantId, user.id, recoveryCodes[0], userAuditor)).rejects.toThrow();
+    });
+    test('disableTotpWithRecoveryCode should deactivate TOTP', async () => {
+        const user = await subjectService.createUser({
+            tenantId,
+            email: 'totp-test-disable-recovery@example.com',
+            firstName: 'Totp',
+            lastName: 'DisableRecovery',
+        });
+        const userAuditor = auditor.with({ actor: user.id, actorType: ActorType.Subject });
+        await authenticationService.initEnrollTotp(tenantId, user.id, userAuditor);
+        const totpEntry = (await authenticationService.tryGetTotp(tenantId, user.id));
+        const secretKey = await importHmacKey('raw-secret', authenticationService.getTotpOptions().codeHashAlgorithm, totpEntry.secret, false);
+        const token = await generateTotpToken(secretKey, { ...authenticationService.getTotpOptions(), timestamp: currentTimestampSeconds() - 30 });
+        const { recoveryCodes } = await authenticationService.completeEnrollTotp(tenantId, user.id, token, userAuditor);
+        await authenticationService.disableTotpWithRecoveryCode(tenantId, user.id, recoveryCodes[0], userAuditor);
+        const disabledTotpEntry = await authenticationService.tryGetTotp(tenantId, user.id);
+        expect(disabledTotpEntry).toBeUndefined();
+    });
+});

package/authentication/tests/totp.login.test.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};