@tstdl/base 0.93.182 → 0.93.184

package/authentication/tests/authentication.service.test.js

@@ -1,167 +0,0 @@
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from 'vitest';
-import { ActorType, Auditor } from '../../audit/index.js';
-import { NIL_UUID } from '../../constants.js';
-import { clearTenantData, setupIntegrationTest } from '../../testing/index.js';
-import { AuthenticationAncillaryService } from '../server/authentication-ancillary.service.js';
-import { AuthenticationService } from '../server/authentication.service.js';
-import { SubjectService } from '../server/subject.service.js';
-import { DefaultAuthenticationAncillaryService } from './authentication.test-ancillary-service.js';
-describe('AuthenticationService', () => {
-    let injector;
-    let database;
-    let authenticationService;
-    let subjectService;
-    let auditor;
-    let ancillaryService;
-    const schema = 'authentication';
-    const tenantId = crypto.randomUUID();
-    beforeAll(async () => {
-        ({ injector, database } = await setupIntegrationTest({
-            modules: { authentication: true },
-            authentication: {
-                ancillaryService: DefaultAuthenticationAncillaryService,
-            },
-        }));
-        authenticationService = await injector.resolveAsync(AuthenticationService);
-        subjectService = await injector.resolveAsync(SubjectService);
-        auditor = injector.resolve(Auditor);
-        ancillaryService = await injector.resolveAsync(AuthenticationAncillaryService);
-    });
-    afterAll(async () => {
-        await injector?.dispose();
-    });
-    beforeEach(async () => {
-        await clearTenantData(database, schema, ['password', 'session', 'user', 'service_account', 'system_account', 'subject'], tenantId);
-    });
-    test('login should create a session and listSessions should return it', async () => {
-        const user = await subjectService.createUser({
-            tenantId,
-            email: 'test@example.com',
-            firstName: 'John',
-            lastName: 'Doe',
-        });
-        await authenticationService.setPassword(user, 'Strong-Password-2026!');
-        const loginResult = await authenticationService.login({ tenantId, subject: user.id }, 'Strong-Password-2026!', undefined, auditor.with({ actor: user.id, actorType: ActorType.Subject }));
-        expect(loginResult.type).toBe('success');
-        const tokenResult = loginResult.result;
-        expect(tokenResult.token).toBeDefined();
-        const sessions = await authenticationService.listSessions(tenantId, user.id);
-        expect(sessions).toHaveLength(1);
-        expect(sessions[0]?.id).toBe(tokenResult.jsonToken.payload.session);
-    });
-    test('invalidateAllSessions should end all active sessions', async () => {
-        const user = await subjectService.createUser({
-            tenantId,
-            email: 'test@example.com',
-            firstName: 'John',
-            lastName: 'Doe',
-        });
-        await authenticationService.setPassword(user, 'Strong-Password-2026!');
-        const userAuditor = auditor.with({ actor: user.id, actorType: ActorType.Subject });
-        await authenticationService.login({ tenantId, subject: user.id }, 'Strong-Password-2026!', undefined, userAuditor);
-        await authenticationService.login({ tenantId, subject: user.id }, 'Strong-Password-2026!', undefined, userAuditor);
-        let sessions = await authenticationService.listSessions(tenantId, user.id);
-        expect(sessions).toHaveLength(2);
-        const now = Date.now();
-        expect(sessions.every((s) => s.end > now)).toBe(true);
-        await authenticationService.invalidateAllSessions(tenantId, user.id, userAuditor);
-        sessions = await authenticationService.listSessions(tenantId, user.id);
-        expect(sessions).toHaveLength(0);
-    });
-    test('getSession and tryGetSession', async () => {
-        const user = await subjectService.createUser({
-            tenantId,
-            email: 'test@example.com',
-            firstName: 'John',
-            lastName: 'Doe',
-        });
-        await authenticationService.setPassword(user, 'Strong-Password-2026!');
-        const userAuditor = auditor.with({ actor: user.id, actorType: ActorType.Subject });
-        const loginResult = await authenticationService.login({ tenantId, subject: user.id }, 'Strong-Password-2026!', undefined, userAuditor);
-        expect(loginResult.type).toBe('success');
-        const tokenResult = loginResult.result;
-        const sessionId = tokenResult.jsonToken.payload.session;
-        const session = await authenticationService.getSession(sessionId);
-        expect(session.id).toBe(sessionId);
-        const triedSession = await authenticationService.tryGetSession(sessionId);
-        expect(triedSession?.id).toBe(sessionId);
-        const nonExistent = await authenticationService.tryGetSession(NIL_UUID);
-        expect(nonExistent).toBeUndefined();
-    });
-    test('refresh should issue new token and session', async () => {
-        const user = await subjectService.createUser({ tenantId, email: 'refresh@example.com', firstName: 'R', lastName: 'F' });
-        await authenticationService.setPassword(user, 'Strong-Password-2026!');
-        const userAuditor = auditor.with({ actor: user.id, actorType: ActorType.Subject });
-        const loginResult = await authenticationService.login({ tenantId, subject: user.id }, 'Strong-Password-2026!', undefined, userAuditor);
-        expect(loginResult.type).toBe('success');
-        const loginSuccessResult = loginResult.result;
-        const refreshResult = await authenticationService.refresh(loginSuccessResult.refreshToken, undefined, {}, userAuditor);
-        expect(refreshResult.token).toBeDefined();
-        expect(refreshResult.refreshToken).not.toBe(loginSuccessResult.refreshToken);
-    });
-    test('changePassword should update password', async () => {
-        const user = await subjectService.createUser({ tenantId, email: 'change@example.com', firstName: 'C', lastName: 'S' });
-        await authenticationService.setPassword(user, 'Old-Password-2026!');
-        const userAuditor = auditor.with({ actor: user.id, actorType: ActorType.Subject });
-        await authenticationService.changePassword({ tenantId, subject: user.id }, 'Old-Password-2026!', 'New-Password-2026!', userAuditor);
-        const authResult = await authenticationService.authenticateWithPassword({ tenantId, subject: user.id }, 'New-Password-2026!');
-        expect(authResult.success).toBe(true);
-    });
-    test('checkPassword, testPassword, and validatePassword', async () => {
-        const weak = 'abc';
-        const strong = 'Very-Strong-Password-2026-!@#$';
-        expect((await authenticationService.checkPassword(weak)).strength).toBeLessThan(2);
-        expect((await authenticationService.checkPassword(strong)).strength).toBeGreaterThanOrEqual(2);
-        expect((await authenticationService.testPassword(weak)).success).toBe(false);
-        expect((await authenticationService.testPassword(strong)).success).toBe(true);
-        await expect(authenticationService.validatePassword(weak)).rejects.toThrow();
-        await expect(authenticationService.validatePassword(strong)).resolves.not.toThrow();
-    });
-    test('tryResolveSubject and resolveSubject', async () => {
-        const user = await subjectService.createUser({ tenantId, email: 'resolve@example.com', firstName: 'R', lastName: 'S' });
-        const resolved = await authenticationService.tryResolveSubject({ tenantId, subject: user.id });
-        expect(resolved?.id).toBe(user.id);
-        const resolvedByEmail = await authenticationService.resolveSubject({ tenantId, subject: 'resolve@example.com' });
-        expect(resolvedByEmail.id).toBe(user.id);
-        await expect(authenticationService.resolveSubject({ tenantId, subject: 'missing' })).rejects.toThrow();
-    });
-    test('impersonation and unimpersonation', async () => {
-        const admin = await subjectService.createUser({ tenantId, email: 'admin@example.com', firstName: 'A', lastName: 'D' });
-        const user = await subjectService.createUser({ tenantId, email: 'user@example.com', firstName: 'U', lastName: 'S' });
-        const adminAuditor = auditor.with({ actor: admin.id, actorType: ActorType.Subject });
-        const adminToken = await authenticationService.getToken(admin, undefined);
-        const impersonated = await authenticationService.impersonate(adminToken.token, adminToken.refreshToken, user.id, undefined, adminAuditor);
-        expect(impersonated.jsonToken.payload.subject).toBe(user.id);
-        expect(impersonated.jsonToken.payload.impersonator).toBe(admin.id);
-        const unimpersonated = await authenticationService.unimpersonate(impersonated.impersonatorRefreshToken, impersonated.token, undefined, adminAuditor);
-        expect(unimpersonated.jsonToken.payload.subject).toBe(admin.id);
-        expect(unimpersonated.jsonToken.payload.impersonator).toBeUndefined();
-    });
-    test('refresh should throw on invalid token', async () => {
-        await expect(authenticationService.refresh('invalid', undefined, {}, auditor)).rejects.toThrow();
-    });
-    test('login should throw on invalid password', async () => {
-        const user = await subjectService.createUser({ tenantId, email: 'fail@example.com', firstName: 'F', lastName: 'L' });
-        await authenticationService.setPassword(user, 'Very-Strong-Password-2026!');
-        await expect(authenticationService.login({ tenantId, subject: user.id }, 'wrong', undefined, auditor)).rejects.toThrow();
-    });
-    test('endSession should handle non-existent session gracefully', async () => {
-        await expect(authenticationService.endSession(NIL_UUID, auditor)).resolves.not.toThrow();
-    });
-    test('resolveSubject should throw if not found', async () => {
-        await expect(authenticationService.resolveSubject({ tenantId, subject: 'missing' })).rejects.toThrow();
-    });
-    test('password reset flow', async () => {
-        const user = await subjectService.createUser({ tenantId, email: 'reset@example.com', firstName: 'R', lastName: 'E' });
-        const userAuditor = auditor.with({ actor: user.id, actorType: ActorType.Subject });
-        await authenticationService.initPasswordReset({ tenantId, subject: user.id }, undefined, userAuditor);
-        expect(ancillaryService.lastResetData).toBeDefined();
-        await authenticationService.resetPassword(ancillaryService.lastResetData.token, 'New-Password-Reset-2026!', userAuditor);
-        const authResult = await authenticationService.authenticateWithPassword({ tenantId, subject: user.id }, 'New-Password-Reset-2026!');
-        expect(authResult.success).toBe(true);
-    });
-    test('deriveSigningSecrets should work', async () => {
-        // This is mostly covered by initialize, but we can test it implicitly by ensuring service works after init
-        expect(authenticationService).toBeDefined();
-    });
-});

package/authentication/tests/authentication.test-ancillary-service.d.ts

@@ -1,9 +0,0 @@
-import { AuthenticationAncillaryService } from '../server/index.js';
-export declare class DefaultAuthenticationAncillaryService extends AuthenticationAncillaryService<any, any, any> {
-    #private;
-    lastResetData: any;
-    getTokenPayload(): Promise<{}>;
-    handleInitPasswordReset(data: any): Promise<void>;
-    canImpersonate(_token: any, _subject: any, _data: any): Promise<boolean>;
-    resolveSubjects(data: any): Promise<import("../index.js").Subject[]>;
-}

package/authentication/tests/authentication.test-ancillary-service.js

@@ -1,27 +0,0 @@
-var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
-    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
-    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
-    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
-    return c > 3 && r && Object.defineProperty(target, key, r), r;
-};
-import { inject, Injector, Singleton } from '../../injector/index.js';
-import { isUndefined } from '../../utils/type-guards.js';
-import { AuthenticationAncillaryService, AuthenticationService } from '../server/index.js';
-let DefaultAuthenticationAncillaryService = class DefaultAuthenticationAncillaryService extends AuthenticationAncillaryService {
-    #injector = inject(Injector);
-    #authenticationService;
-    lastResetData;
-    async getTokenPayload() { return {}; }
-    async handleInitPasswordReset(data) { this.lastResetData = data; }
-    async canImpersonate(_token, _subject, _data) { return true; }
-    async resolveSubjects(data) {
-        if (isUndefined(this.#authenticationService)) {
-            this.#authenticationService = await this.#injector.resolveAsync(AuthenticationService);
-        }
-        return await this.#authenticationService.defaultResolveSubjects(data);
-    }
-};
-DefaultAuthenticationAncillaryService = __decorate([
-    Singleton()
-], DefaultAuthenticationAncillaryService);
-export { DefaultAuthenticationAncillaryService };

package/authentication/tests/brute-force-protection.test.d.ts

@@ -1 +0,0 @@
-export {};

package/authentication/tests/brute-force-protection.test.js

@@ -1,211 +0,0 @@
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from 'vitest';
-import { ApiGateway } from '../../api/server/gateway.js';
-import { Auditor } from '../../audit/index.js';
-import { importKey } from '../../cryptography/index.js';
-import { generateTotpToken } from '../../cryptography/totp.js';
-import { HttpBody } from '../../http/http-body.js';
-import { HttpHeaders } from '../../http/http-headers.js';
-import { HttpQuery } from '../../http/http-query.js';
-import { HttpServerRequest } from '../../http/server/http-server-request.js';
-import { clearTenantData, setupIntegrationTest } from '../../testing/index.js';
-import { currentTimestampSeconds } from '../../utils/date-time.js';
-import { assert } from '../../utils/type-guards.js';
-import { AuthenticationService } from '../server/authentication.service.js';
-import { SubjectService } from '../server/subject.service.js';
-import { DefaultAuthenticationAncillaryService } from './authentication.test-ancillary-service.js';
-describe('Authentication Brute Force Protection (API Level)', () => {
-    let injector;
-    let database;
-    let gateway;
-    let subjectService;
-    let authenticationService;
-    let auditor;
-    const schema = 'authentication';
-    const tenantId = crypto.randomUUID();
-    beforeAll(async () => {
-        ({ injector, database } = await setupIntegrationTest({
-            modules: { authentication: true, rateLimiter: true, api: true },
-            authentication: {
-                ancillaryService: DefaultAuthenticationAncillaryService,
-                options: {
-                    bruteForceProtection: {
-                        subjectBurstCapacity: 2,
-                        subjectRefillInterval: 10000,
-                        ipBurstCapacity: 2,
-                        ipRefillInterval: 10000,
-                    },
-                },
-            },
-        }));
-        gateway = injector.resolve(ApiGateway);
-        subjectService = await injector.resolveAsync(SubjectService);
-        authenticationService = await injector.resolveAsync(AuthenticationService);
-        auditor = injector.resolve(Auditor);
-    });
-    afterAll(async () => {
-        await injector?.dispose();
-    });
-    beforeEach(async () => {
-        await clearTenantData(database, schema, ['used_totp_tokens', 'totp_recovery_code', 'totp', 'password', 'session', 'user', 'service_account', 'system_account', 'subject'], tenantId);
-    });
-    async function callLogin(ip, body) {
-        const headers = new HttpHeaders({ 'Content-Type': 'application/json' });
-        const encodedBody = new TextEncoder().encode(JSON.stringify(body));
-        const request = new HttpServerRequest({
-            url: new URL('http://localhost/api/v1/auth/token'),
-            method: 'POST',
-            headers,
-            query: new HttpQuery(),
-            ip,
-            body: HttpBody.from(encodedBody, headers),
-        });
-        let capturedResponse;
-        const respond = async (response) => { capturedResponse = response; };
-        const close = async () => { };
-        const abortSignal = new AbortController().signal;
-        await gateway.handleHttpServerRequestContext({ request, respond, close, abortSignal, context: {} });
-        return capturedResponse;
-    }
-    async function callDisableTotp(ip, token, body) {
-        const headers = new HttpHeaders({
-            'Content-Type': 'application/json',
-            'Authorization': `Bearer ${token}`
-        });
-        const encodedBody = new TextEncoder().encode(JSON.stringify(body));
-        const request = new HttpServerRequest({
-            url: new URL('http://localhost/api/v1/auth/totp/disable'),
-            method: 'POST',
-            headers,
-            query: new HttpQuery(),
-            ip,
-            body: HttpBody.from(encodedBody, headers),
-        });
-        let capturedResponse;
-        const respond = async (response) => { capturedResponse = response; };
-        const close = async () => { };
-        const abortSignal = new AbortController().signal;
-        await gateway.handleHttpServerRequestContext({ request, respond, close, abortSignal, context: {} });
-        return capturedResponse;
-    }
-    test('should limit login attempts by user', async () => {
-        const user = await subjectService.createUser({ tenantId, email: 'user-limit@example.com', firstName: 'John', lastName: 'Doe' });
-        await authenticationService.setPassword(user, 'Strong-Password-2026!');
-        const body = { tenantId, subject: user.id, password: 'wrong' };
-        // 1st attempt - Fail (InvalidCredentials)
-        let res = await callLogin('1.1.1.1', body);
-        expect(res.statusCode).toBe(401);
-        // 2nd attempt - Fail (InvalidCredentials)
-        res = await callLogin('1.1.1.2', body);
-        expect(res.statusCode).toBe(401);
-        // 3rd attempt - Should be throttled (429)
-        res = await callLogin('1.1.1.3', body);
-        expect(res.statusCode).toBe(429);
-        expect(res.body.json.error.name).toBe('TooManyRequestsError');
-    });
-    test('should limit login attempts by IP', async () => {
-        const ip = '2.2.2.2';
-        const user1 = await subjectService.createUser({ tenantId, email: 'ip-limit-1@example.com', firstName: 'A', lastName: 'B' });
-        const user2 = await subjectService.createUser({ tenantId, email: 'ip-limit-2@example.com', firstName: 'C', lastName: 'D' });
-        await authenticationService.setPassword(user1, 'Strong-Password-2026!');
-        await authenticationService.setPassword(user2, 'Strong-Password-2026!');
-        // Fail for user1
-        let res = await callLogin(ip, { tenantId, subject: user1.id, password: 'wrong' });
-        expect(res.statusCode).toBe(401);
-        // Fail for user2
-        res = await callLogin(ip, { tenantId, subject: user2.id, password: 'wrong' });
-        expect(res.statusCode).toBe(401);
-        // 3rd attempt from same IP - Should be throttled (429)
-        res = await callLogin(ip, { tenantId, subject: 'any', password: 'any' });
-        expect(res.statusCode).toBe(429);
-    });
-    test('should work for multiple successful logins', async () => {
-        const user1 = await subjectService.createUser({ tenantId, email: 'success1@example.com', firstName: 'E', lastName: 'F' });
-        const user2 = await subjectService.createUser({ tenantId, email: 'success2@example.com', firstName: 'E', lastName: 'F' });
-        const user3 = await subjectService.createUser({ tenantId, email: 'success3@example.com', firstName: 'E', lastName: 'F' });
-        await authenticationService.setPassword(user1, 'Strong-Password-2026!');
-        await authenticationService.setPassword(user2, 'Strong-Password-2026!');
-        await authenticationService.setPassword(user3, 'Strong-Password-2026!');
-        // 1st attempt
-        let res = await callLogin('4.4.4.1', { tenantId, subject: user1.id, password: 'Strong-Password-2026!' });
-        expect(res.statusCode).toBe(200);
-        // 2nd attempt
-        res = await callLogin('4.4.4.2', { tenantId, subject: user2.id, password: 'Strong-Password-2026!' });
-        expect(res.statusCode).toBe(200);
-        // 3rd attempt
-        res = await callLogin('4.4.4.3', { tenantId, subject: user3.id, password: 'Strong-Password-2026!' });
-        expect(res.statusCode).toBe(200);
-    });
-    test('should limit disableTotp attempts by user', async () => {
-        const password = 'Strong-Password-2026!';
-        const user = await subjectService.createUser({ tenantId, email: 'totp-limit@example.com', firstName: 'John', lastName: 'Doe' });
-        await authenticationService.setPassword(user, password);
-        // Enable TOTP for the user
-        await authenticationService.initEnrollTotp(tenantId, user.id, auditor);
-        const totpEntry = await authenticationService.tryGetTotp(tenantId, user.id);
-        const secret = await importKey('raw-secret', totpEntry.secret, { name: 'HMAC', hash: authenticationService.getTotpOptions().codeHashAlgorithm }, false, ['sign']);
-        const setupToken = await generateTotpToken(secret, { ...authenticationService.getTotpOptions(), timestamp: currentTimestampSeconds() - 30 });
-        await authenticationService.completeEnrollTotp(tenantId, user.id, setupToken, auditor);
-        // Login to get a session token
-        const loginResult = await authenticationService.login({ tenantId, subject: user.id }, password, undefined, auditor);
-        expect(loginResult.type).toBe('totp');
-        assert(loginResult.type == 'totp', 'Login should have triggered TOTP');
-        const verifyToken = await generateTotpToken(secret, authenticationService.getTotpOptions());
-        const verifyResult = await authenticationService.loginVerifyTotp(loginResult.challengeToken, verifyToken, auditor);
-        expect(verifyResult.type).toBe('success');
-        assert(verifyResult.type == 'success', 'TOTP verification failed');
-        const sessionToken = verifyResult.result.token;
-        // 1st attempt - Fail (Invalid TOTP token)
-        let res = await callDisableTotp('1.1.1.1', sessionToken, { token: '000000' });
-        expect(res.statusCode).toBe(403);
-        // 2nd attempt - Fail (Invalid TOTP token)
-        res = await callDisableTotp('1.1.1.2', sessionToken, { token: '000001' });
-        expect(res.statusCode).toBe(403);
-        // 3rd attempt - Should be throttled (429)
-        res = await callDisableTotp('1.1.1.3', sessionToken, { token: '000002' });
-        expect(res.statusCode).toBe(429);
-        expect(res.body.json.error.name).toBe('TooManyRequestsError');
-    });
-    test('should limit disableTotp attempts by IP', async () => {
-        const password = 'Strong-Password-2026!';
-        const ip = '3.3.3.3';
-        // Create two users with TOTP enabled
-        const user1 = await subjectService.createUser({ tenantId, email: 'totp-ip-1@example.com', firstName: 'A', lastName: 'B' });
-        await authenticationService.setPassword(user1, password);
-        await authenticationService.initEnrollTotp(tenantId, user1.id, auditor);
-        const totpEntry1 = await authenticationService.tryGetTotp(tenantId, user1.id);
-        const secret1 = await importKey('raw-secret', totpEntry1.secret, { name: 'HMAC', hash: authenticationService.getTotpOptions().codeHashAlgorithm }, false, ['sign']);
-        const setupToken1 = await generateTotpToken(secret1, { ...authenticationService.getTotpOptions(), timestamp: currentTimestampSeconds() - 30 });
-        await authenticationService.completeEnrollTotp(tenantId, user1.id, setupToken1, auditor);
-        const user2 = await subjectService.createUser({ tenantId, email: 'totp-ip-2@example.com', firstName: 'C', lastName: 'D' });
-        await authenticationService.setPassword(user2, password);
-        await authenticationService.initEnrollTotp(tenantId, user2.id, auditor);
-        const totpEntry2 = await authenticationService.tryGetTotp(tenantId, user2.id);
-        const secret2 = await importKey('raw-secret', totpEntry2.secret, { name: 'HMAC', hash: authenticationService.getTotpOptions().codeHashAlgorithm }, false, ['sign']);
-        const setupToken2 = await generateTotpToken(secret2, { ...authenticationService.getTotpOptions(), timestamp: currentTimestampSeconds() - 30 });
-        await authenticationService.completeEnrollTotp(tenantId, user2.id, setupToken2, auditor);
-        // Login both users
-        const loginResult1 = await authenticationService.login({ tenantId, subject: user1.id }, password, undefined, auditor);
-        const loginResult2 = await authenticationService.login({ tenantId, subject: user2.id }, password, undefined, auditor);
-        expect(loginResult1.type).toBe('totp');
-        expect(loginResult2.type).toBe('totp');
-        assert(loginResult1.type == 'totp' && loginResult2.type == 'totp', 'Login should have triggered TOTP');
-        const verifyToken1 = await generateTotpToken(secret1, authenticationService.getTotpOptions());
-        const verifyToken2 = await generateTotpToken(secret2, authenticationService.getTotpOptions());
-        const verifyResult1 = await authenticationService.loginVerifyTotp(loginResult1.challengeToken, verifyToken1, auditor);
-        const verifyResult2 = await authenticationService.loginVerifyTotp(loginResult2.challengeToken, verifyToken2, auditor);
-        expect(verifyResult1.type).toBe('success');
-        expect(verifyResult2.type).toBe('success');
-        assert(verifyResult1.type == 'success' && verifyResult2.type == 'success', 'TOTP verification failed');
-        const sessionToken1 = verifyResult1.result.token;
-        const sessionToken2 = verifyResult2.result.token;
-        // Fail for user1 from IP
-        let res = await callDisableTotp(ip, sessionToken1, { token: '000000' });
-        expect(res.statusCode).toBe(403);
-        // Fail for user2 from same IP
-        res = await callDisableTotp(ip, sessionToken2, { token: '000000' });
-        expect(res.statusCode).toBe(403);
-        // 3rd attempt from same IP - Should be throttled (429)
-        res = await callDisableTotp(ip, sessionToken1, { token: 'any' });
-        expect(res.statusCode).toBe(429);
-    });
-});

package/authentication/tests/helper.test.d.ts

@@ -1 +0,0 @@
-export {};

package/authentication/tests/helper.test.js

@@ -1,122 +0,0 @@
-import { beforeAll, describe, expect, test } from 'vitest';
-import { createJwtTokenString, importKmacKey } from '../../cryptography/index.js';
-import { BadRequestError } from '../../errors/bad-request.error.js';
-import { InvalidTokenError } from '../../errors/invalid-token.error.js';
-import { currentTimestampSeconds } from '../../utils/date-time.js';
-import { encodeUtf8 } from '../../utils/encoding.js';
-import { getPasswordResetTokenFromString, getRefreshTokenFromString, getTokenFromRequest, getTokenFromString, tryGetAuthorizationTokenStringFromRequest, tryGetTokenFromRequest } from '../server/helper.js';
-describe('authentication helper', () => {
-    let signingKey;
-    beforeAll(async () => {
-        signingKey = await importKmacKey('raw-secret', 'KMAC256', encodeUtf8('test-secret-with-enough-length-32'));
-    });
-    test('tryGetAuthorizationTokenStringFromRequest should extract bearer token from header', () => {
-        const request = {
-            headers: {
-                tryGet: (name) => name == 'Authorization' ? 'Bearer my-token' : undefined,
-            },
-            cookies: {
-                tryGet: () => undefined,
-            },
-        };
-        expect(tryGetAuthorizationTokenStringFromRequest(request)).toBe('my-token');
-    });
-    test('tryGetAuthorizationTokenStringFromRequest should throw if token without scheme from header', () => {
-        const request = {
-            headers: {
-                tryGet: (name) => name == 'Authorization' ? 'my-token' : undefined,
-            },
-            cookies: {
-                tryGet: () => undefined,
-            },
-        };
-        expect(() => tryGetAuthorizationTokenStringFromRequest(request)).toThrow(BadRequestError);
-    });
-    test('tryGetAuthorizationTokenStringFromRequest should extract bearer token from cookie', () => {
-        const request = {
-            headers: {
-                tryGet: () => undefined,
-            },
-            cookies: {
-                tryGet: (name) => name == 'token' ? 'my-token' : undefined,
-            },
-        };
-        expect(tryGetAuthorizationTokenStringFromRequest(request)).toBe('my-token');
-    });
-    test('tryGetAuthorizationTokenStringFromRequest should throw on unsupported scheme', () => {
-        const request = {
-            headers: {
-                tryGet: (name) => name == 'Authorization' ? 'Basic my-token' : undefined,
-            },
-            cookies: {
-                tryGet: () => undefined,
-            },
-        };
-        expect(() => tryGetAuthorizationTokenStringFromRequest(request)).toThrow(BadRequestError);
-    });
-    test('tryGetAuthorizationTokenStringFromRequest should return undefined if no token found', () => {
-        const request = {
-            headers: {
-                tryGet: () => undefined,
-            },
-            cookies: {
-                tryGet: () => undefined,
-            },
-        };
-        expect(tryGetAuthorizationTokenStringFromRequest(request)).toBeUndefined();
-    });
-    test('getTokenFromString should validate token', async () => {
-        const payload = { exp: currentTimestampSeconds() + 60, tenant: 't', subject: 's', jti: 'j' };
-        const token = await createJwtTokenString({ header: { v: 1, alg: 'KMAC256', typ: 'JWT' }, payload }, signingKey);
-        const validated = await getTokenFromString(token, 1, signingKey);
-        expect(validated.payload).toEqual(payload);
-    });
-    test('getTokenFromString should throw on version mismatch', async () => {
-        const payload = { exp: currentTimestampSeconds() + 60, tenant: 't', subject: 's', jti: 'j' };
-        const token = await createJwtTokenString({ header: { v: 2, alg: 'KMAC256', typ: 'JWT' }, payload }, signingKey);
-        await expect(getTokenFromString(token, 1, signingKey)).rejects.toThrow(InvalidTokenError);
-    });
-    test('getTokenFromString should throw on expired token', async () => {
-        const payload = { exp: currentTimestampSeconds() - 60, tenant: 't', subject: 's', jti: 'j' };
-        const token = await createJwtTokenString({ header: { v: 1, alg: 'KMAC256', typ: 'JWT' }, payload }, signingKey);
-        await expect(getTokenFromString(token, 1, signingKey)).rejects.toThrow('Token expired');
-    });
-    test('getRefreshTokenFromString should validate refresh token', async () => {
-        const payload = { exp: currentTimestampSeconds() + 60, tenant: 't', subject: 's', session: 'sess', secret: 'sec' };
-        const token = await createJwtTokenString({ header: { alg: 'KMAC256', typ: 'JWT' }, payload }, signingKey);
-        const validated = await getRefreshTokenFromString(token, signingKey);
-        expect(validated.payload).toEqual(payload);
-    });
-    test('getPasswordResetTokenFromString should validate password reset token', async () => {
-        const payload = { iat: currentTimestampSeconds(), exp: currentTimestampSeconds() + 60, tenant: 't', subject: 's' };
-        const token = await createJwtTokenString({ header: { alg: 'KMAC256', typ: 'JWT' }, payload }, signingKey);
-        const validated = await getPasswordResetTokenFromString(token, signingKey);
-        expect(validated.payload).toEqual(payload);
-    });
-    test('getTokenFromRequest should extract and validate token', async () => {
-        const payload = { exp: currentTimestampSeconds() + 60, tenant: 't', subject: 's', jti: 'j' };
-        const token = await createJwtTokenString({ header: { v: 1, alg: 'KMAC256', typ: 'JWT' }, payload }, signingKey);
-        const request = {
-            headers: {
-                tryGet: (name) => name == 'Authorization' ? `Bearer ${token}` : undefined,
-            },
-            cookies: {
-                tryGet: () => undefined,
-            },
-        };
-        const validated = await getTokenFromRequest(request, 1, signingKey);
-        expect(validated.payload).toEqual(payload);
-    });
-    test('tryGetTokenFromRequest should return undefined if no token in request', async () => {
-        const request = {
-            headers: {
-                tryGet: () => undefined,
-            },
-            cookies: {
-                tryGet: () => undefined,
-            },
-        };
-        const validated = await tryGetTokenFromRequest(request, 1, signingKey);
-        expect(validated).toBeUndefined();
-    });
-});

package/authentication/tests/password-requirements.error.test.d.ts

@@ -1 +0,0 @@
-export {};

package/authentication/tests/password-requirements.error.test.js

@@ -1,14 +0,0 @@
-import { describe, expect, it } from 'vitest';
-import { PasswordRequirementsError } from '../errors/password-requirements.error.js';
-describe('PasswordRequirementsError', () => {
-    it('should create an error with the given message', () => {
-        const message = 'Password is too weak.';
-        const error = new PasswordRequirementsError(message);
-        expect(error.message).toBe(message);
-        expect(error.name).toBe('PasswordRequirementsError');
-    });
-    it('should have the correct name', () => {
-        const error = new PasswordRequirementsError('any message');
-        expect(error.name).toBe('PasswordRequirementsError');
-    });
-});

package/authentication/tests/remember.api.test.d.ts

@@ -1 +0,0 @@
-export {};