@tuturuuu/utils 0.0.3 → 0.6.1

package/src/abuse-protection/__tests__/edge.test.ts

@@ -0,0 +1,136 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+
+const mocks = vi.hoisted(() => ({
+  getRedis: vi.fn(),
+  redis: {
+    expire: vi.fn(),
+    get: vi.fn(),
+    incr: vi.fn(),
+    set: vi.fn(),
+  },
+}));
+
+vi.mock('../../upstash-rest', () => ({
+  getUpstashRestRedisClient: () => mocks.getRedis(),
+}));
+
+import {
+  extractIPFromRequest,
+  recordMalformedAuthCookieEdge,
+  recordSuspiciousApiRequestEdge,
+} from '../edge';
+
+describe('abuse-protection edge', () => {
+  beforeEach(() => {
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date());
+    vi.clearAllMocks();
+    mocks.getRedis.mockResolvedValue(mocks.redis);
+    mocks.redis.expire.mockResolvedValue(1);
+    mocks.redis.get.mockResolvedValue(0);
+    mocks.redis.incr.mockResolvedValue(1);
+    mocks.redis.set.mockResolvedValue('OK');
+  });
+
+  afterEach(() => {
+    vi.useRealTimers();
+  });
+
+  describe('extractIPFromRequest', () => {
+    it('prefers cf-connecting-ip over x-forwarded-for', () => {
+      const headers = new Headers();
+      headers.set('cf-connecting-ip', '203.0.113.10');
+      headers.set('x-forwarded-for', '198.51.100.10, 10.0.0.1');
+
+      expect(extractIPFromRequest(headers)).toBe('203.0.113.10');
+    });
+
+    it('falls back to true-client-ip before generic proxy headers', () => {
+      const headers = new Headers();
+      headers.set('true-client-ip', '203.0.113.20');
+      headers.set('x-forwarded-for', '198.51.100.20, 10.0.0.1');
+
+      expect(extractIPFromRequest(headers)).toBe('203.0.113.20');
+    });
+
+    it('falls back to x-forwarded-for when cloud proxy headers are absent', () => {
+      const headers = new Headers();
+      headers.set('x-forwarded-for', '198.51.100.30, 10.0.0.1');
+
+      expect(extractIPFromRequest(headers)).toBe('198.51.100.30');
+    });
+  });
+
+  describe('recordMalformedAuthCookieEdge', () => {
+    it('tracks malformed-cookie hits without blocking on the first offense', async () => {
+      mocks.redis.incr.mockResolvedValueOnce(1);
+
+      const blockInfo = await recordMalformedAuthCookieEdge('203.0.113.10');
+
+      expect(blockInfo).toBeNull();
+      expect(mocks.redis.expire).toHaveBeenCalledWith(
+        'api:auth:malformed-cookie:203.0.113.10',
+        60
+      );
+      expect(mocks.redis.set).not.toHaveBeenCalledWith(
+        'ip:blocked:203.0.113.10',
+        expect.anything(),
+        expect.anything()
+      );
+    });
+
+    it('escalates repeated malformed-cookie hits into an IP block', async () => {
+      mocks.redis.incr.mockResolvedValueOnce(3);
+      mocks.redis.get.mockResolvedValueOnce(0);
+
+      const blockInfo = await recordMalformedAuthCookieEdge('203.0.113.10');
+
+      expect(blockInfo?.blockLevel).toBe(1);
+      expect(blockInfo?.reason).toBe('api_abuse');
+      expect(mocks.redis.set).toHaveBeenCalledWith(
+        'ip:blocked:203.0.113.10',
+        expect.any(String),
+        expect.objectContaining({ ex: 300 })
+      );
+      expect(mocks.redis.set).toHaveBeenCalledWith(
+        'ip:block:level:203.0.113.10',
+        1,
+        expect.objectContaining({ ex: 86400 })
+      );
+    });
+  });
+
+  describe('recordSuspiciousApiRequestEdge', () => {
+    it('tracks suspicious anonymous hits without blocking on the first offense', async () => {
+      mocks.redis.incr.mockResolvedValueOnce(1);
+
+      const blockInfo = await recordSuspiciousApiRequestEdge('203.0.113.20');
+
+      expect(blockInfo).toBeNull();
+      expect(mocks.redis.expire).toHaveBeenCalledWith(
+        'api:suspicious:203.0.113.20',
+        60
+      );
+      expect(mocks.redis.set).not.toHaveBeenCalledWith(
+        'ip:blocked:203.0.113.20',
+        expect.anything(),
+        expect.anything()
+      );
+    });
+
+    it('escalates repeated suspicious anonymous hits into an IP block', async () => {
+      mocks.redis.incr.mockResolvedValueOnce(3);
+      mocks.redis.get.mockResolvedValueOnce(0);
+
+      const blockInfo = await recordSuspiciousApiRequestEdge('203.0.113.20');
+
+      expect(blockInfo?.blockLevel).toBe(1);
+      expect(blockInfo?.reason).toBe('api_abuse');
+      expect(mocks.redis.set).toHaveBeenCalledWith(
+        'ip:blocked:203.0.113.20',
+        expect.any(String),
+        expect.objectContaining({ ex: 300 })
+      );
+    });
+  });
+});

package/src/abuse-protection/__tests__/index.test.ts

@@ -0,0 +1,562 @@
+/**
+ * Unit tests for OTP Abuse Protection System
+ */
+
+import { afterEach, describe, expect, it, vi } from 'vitest';
+import {
+  ABUSE_THRESHOLDS,
+  BLOCK_DURATIONS,
+  checkOTPSendAllowed,
+  classifyPotentialSpamUserAgent,
+  extractIPFromHeaders,
+  hashEmail,
+  MAX_BLOCK_LEVEL,
+  REDIS_KEYS,
+  recordOTPSendSuccess,
+  resetOtpLimitsForEmail,
+  WINDOW_MS,
+} from '../index';
+
+describe('abuse-protection', () => {
+  afterEach(() => {
+    vi.useRealTimers();
+    vi.unstubAllEnvs();
+  });
+
+  describe('extractIPFromHeaders', () => {
+    it('should extract IP from x-forwarded-for header', () => {
+      const headers = new Headers();
+      headers.set('x-forwarded-for', '192.168.1.1, 10.0.0.1');
+      expect(extractIPFromHeaders(headers)).toBe('192.168.1.1');
+    });
+
+    it('should extract single IP from x-forwarded-for', () => {
+      const headers = new Headers();
+      headers.set('x-forwarded-for', '203.0.113.50');
+      expect(extractIPFromHeaders(headers)).toBe('203.0.113.50');
+    });
+
+    it('should extract IP from x-real-ip header', () => {
+      const headers = new Headers();
+      headers.set('x-real-ip', '192.168.1.100');
+      expect(extractIPFromHeaders(headers)).toBe('192.168.1.100');
+    });
+
+    it('should extract IP from cf-connecting-ip header (Cloudflare)', () => {
+      const headers = new Headers();
+      headers.set('cf-connecting-ip', '172.16.0.1');
+      expect(extractIPFromHeaders(headers)).toBe('172.16.0.1');
+    });
+
+    it('should prefer cf-connecting-ip over forwarded proxy headers', () => {
+      const headers = new Headers();
+      headers.set('x-forwarded-for', '192.168.1.1');
+      headers.set('x-real-ip', '192.168.1.2');
+      headers.set('cf-connecting-ip', '192.168.1.3');
+      expect(extractIPFromHeaders(headers)).toBe('192.168.1.3');
+    });
+
+    it('should prefer true-client-ip when cf-connecting-ip is absent', () => {
+      const headers = new Headers();
+      headers.set('x-forwarded-for', '192.168.1.1');
+      headers.set('x-real-ip', '192.168.1.2');
+      headers.set('true-client-ip', '192.168.1.4');
+      expect(extractIPFromHeaders(headers)).toBe('192.168.1.4');
+    });
+
+    it('should fall back to x-forwarded-for if explicit client IP headers are invalid', () => {
+      const headers = new Headers();
+      headers.set('cf-connecting-ip', 'invalid-ip');
+      headers.set('true-client-ip', 'also-invalid');
+      headers.set('x-forwarded-for', '192.168.1.100, 10.0.0.1');
+      expect(extractIPFromHeaders(headers)).toBe('192.168.1.100');
+    });
+
+    it('should return "unknown" when no valid IP is found', () => {
+      const headers = new Headers();
+      expect(extractIPFromHeaders(headers)).toBe('unknown');
+    });
+
+    it('should return "unknown" for invalid IP formats', () => {
+      const headers = new Headers();
+      headers.set('x-forwarded-for', 'not-an-ip');
+      headers.set('x-real-ip', 'also-invalid');
+      headers.set('cf-connecting-ip', 'still.not.valid');
+      expect(extractIPFromHeaders(headers)).toBe('unknown');
+    });
+
+    it('should accept IPs with values matching format regex', () => {
+      // Note: The regex validates format, not IPv4 value ranges
+      // 999.999.999.999 matches the pattern \d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}
+      const headers = new Headers();
+      headers.set('x-forwarded-for', '999.999.999.999');
+      expect(extractIPFromHeaders(headers)).toBe('999.999.999.999');
+    });
+
+    it('should work with Map-based headers', () => {
+      const headers = new Map<string, string>();
+      headers.set('x-forwarded-for', '10.0.0.5');
+      expect(extractIPFromHeaders(headers)).toBe('10.0.0.5');
+    });
+
+    it('should work with plain object headers', () => {
+      const headers: Record<string, string | null> = {
+        'x-forwarded-for': '10.0.0.10',
+      };
+      expect(extractIPFromHeaders(headers)).toBe('10.0.0.10');
+    });
+
+    it('should handle IPv6 addresses', () => {
+      const headers = new Headers();
+      headers.set('x-forwarded-for', '2001:db8::1');
+      expect(extractIPFromHeaders(headers)).toBe('2001:db8::1');
+    });
+
+    it('should handle IPv6 in x-real-ip', () => {
+      const headers = new Headers();
+      headers.set('x-real-ip', '::1');
+      expect(extractIPFromHeaders(headers)).toBe('::1');
+    });
+
+    it('should handle whitespace in IP list', () => {
+      const headers = new Headers();
+      headers.set('x-forwarded-for', '  192.168.1.1  , 10.0.0.1');
+      expect(extractIPFromHeaders(headers)).toBe('192.168.1.1');
+    });
+  });
+
+  describe('hashEmail', () => {
+    it('should return a 16-character hex string', () => {
+      const hash = hashEmail('test@example.com');
+      expect(hash).toMatch(/^[a-f0-9]{16}$/);
+    });
+
+    it('should be case-insensitive', () => {
+      const hash1 = hashEmail('Test@Example.COM');
+      const hash2 = hashEmail('test@example.com');
+      expect(hash1).toBe(hash2);
+    });
+
+    it('should produce different hashes for different emails', () => {
+      const hash1 = hashEmail('user1@example.com');
+      const hash2 = hashEmail('user2@example.com');
+      expect(hash1).not.toBe(hash2);
+    });
+
+    it('should be deterministic', () => {
+      const email = 'consistent@test.com';
+      const hash1 = hashEmail(email);
+      const hash2 = hashEmail(email);
+      expect(hash1).toBe(hash2);
+    });
+
+    it('should handle special characters in email', () => {
+      const hash = hashEmail('user+tag@example.com');
+      expect(hash).toMatch(/^[a-f0-9]{16}$/);
+    });
+
+    it('should handle unicode in email', () => {
+      const hash = hashEmail('用户@example.com');
+      expect(hash).toMatch(/^[a-f0-9]{16}$/);
+    });
+  });
+
+  describe('classifyPotentialSpamUserAgent', () => {
+    it('blocks known automation frameworks', () => {
+      expect(
+        classifyPotentialSpamUserAgent('Mozilla/5.0 HeadlessChrome Playwright')
+      ).toMatchObject({
+        reason: 'known_automation_framework',
+        riskLevel: 'block',
+      });
+    });
+
+    it('blocks scripted HTTP clients', () => {
+      expect(classifyPotentialSpamUserAgent('curl/8.7.1')).toMatchObject({
+        reason: 'scripted_http_client',
+        riskLevel: 'block',
+      });
+    });
+
+    it('allows common browser user agents', () => {
+      expect(
+        classifyPotentialSpamUserAgent(
+          'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36'
+        )
+      ).toMatchObject({
+        reason: null,
+        riskLevel: 'allow',
+      });
+    });
+
+    it('allows native mobile app user agents when requested', () => {
+      expect(
+        classifyPotentialSpamUserAgent('Dart/3.9 (dart:io)', {
+          allowNativeAppUserAgents: true,
+        })
+      ).toMatchObject({
+        reason: null,
+        riskLevel: 'allow',
+      });
+    });
+  });
+
+  describe('ABUSE_THRESHOLDS constants', () => {
+    it('should have valid OTP send limits', () => {
+      expect(ABUSE_THRESHOLDS.OTP_SEND_PER_MINUTE).toBe(30);
+      expect(ABUSE_THRESHOLDS.OTP_SEND_PER_HOUR).toBe(180);
+      expect(ABUSE_THRESHOLDS.OTP_SEND_PER_DAY).toBe(300);
+      expect(ABUSE_THRESHOLDS.OTP_SEND_EMAIL_COOLDOWN_WINDOW_MS).toBe(
+        15 * 60 * 1000
+      );
+      expect(ABUSE_THRESHOLDS.OTP_SEND_EMAIL_PER_HOUR).toBe(2);
+      expect(ABUSE_THRESHOLDS.OTP_SEND_EMAIL_PER_DAY).toBe(4);
+    });
+
+    it('should have valid OTP verify limits', () => {
+      expect(ABUSE_THRESHOLDS.OTP_VERIFY_FAILED_WINDOW_MS).toBe(5 * 60 * 1000);
+      expect(ABUSE_THRESHOLDS.OTP_VERIFY_FAILED_MAX).toBe(5);
+      expect(ABUSE_THRESHOLDS.OTP_VERIFY_FAILED_EMAIL_WINDOW_MS).toBe(
+        15 * 60 * 1000
+      );
+      expect(ABUSE_THRESHOLDS.OTP_VERIFY_FAILED_EMAIL_MAX).toBe(10);
+    });
+
+    it('should have valid MFA limits', () => {
+      expect(ABUSE_THRESHOLDS.MFA_CHALLENGE_PER_MINUTE).toBe(5);
+      expect(ABUSE_THRESHOLDS.MFA_VERIFY_FAILED_WINDOW_MS).toBe(5 * 60 * 1000);
+      expect(ABUSE_THRESHOLDS.MFA_VERIFY_FAILED_MAX).toBe(5);
+    });
+
+    it('should have valid reauth limits', () => {
+      expect(ABUSE_THRESHOLDS.REAUTH_SEND_PER_MINUTE).toBe(3);
+      expect(ABUSE_THRESHOLDS.REAUTH_VERIFY_FAILED_WINDOW_MS).toBe(
+        5 * 60 * 1000
+      );
+      expect(ABUSE_THRESHOLDS.REAUTH_VERIFY_FAILED_MAX).toBe(5);
+    });
+
+    it('should have valid password login limits', () => {
+      expect(ABUSE_THRESHOLDS.PASSWORD_LOGIN_FAILED_WINDOW_MS).toBe(
+        5 * 60 * 1000
+      );
+      expect(ABUSE_THRESHOLDS.PASSWORD_LOGIN_FAILED_MAX).toBe(10);
+    });
+  });
+
+  describe('BLOCK_DURATIONS constants', () => {
+    it('should have level 1 at 5 minutes', () => {
+      expect(BLOCK_DURATIONS[1]).toBe(5 * 60);
+    });
+
+    it('should have level 2 at 15 minutes', () => {
+      expect(BLOCK_DURATIONS[2]).toBe(15 * 60);
+    });
+
+    it('should have level 3 at 1 hour', () => {
+      expect(BLOCK_DURATIONS[3]).toBe(60 * 60);
+    });
+
+    it('should have level 4 at 24 hours', () => {
+      expect(BLOCK_DURATIONS[4]).toBe(24 * 60 * 60);
+    });
+
+    it('should have progressively increasing durations', () => {
+      expect(BLOCK_DURATIONS[1]).toBeLessThan(BLOCK_DURATIONS[2]);
+      expect(BLOCK_DURATIONS[2]).toBeLessThan(BLOCK_DURATIONS[3]);
+      expect(BLOCK_DURATIONS[3]).toBeLessThan(BLOCK_DURATIONS[4]);
+    });
+  });
+
+  describe('MAX_BLOCK_LEVEL constant', () => {
+    it('should be 4', () => {
+      expect(MAX_BLOCK_LEVEL).toBe(4);
+    });
+  });
+
+  describe('REDIS_KEYS', () => {
+    const testIP = '192.168.1.1';
+    const testEmailHash = 'abc123';
+
+    it('should generate correct OTP send keys', () => {
+      expect(REDIS_KEYS.OTP_SEND(testIP)).toBe(`otp:send:${testIP}`);
+      expect(REDIS_KEYS.OTP_SEND_HOURLY(testIP)).toBe(
+        `otp:send:hourly:${testIP}`
+      );
+      expect(REDIS_KEYS.OTP_SEND_DAILY(testIP)).toBe(
+        `otp:send:daily:${testIP}`
+      );
+      expect(REDIS_KEYS.OTP_SEND_EMAIL_COOLDOWN(testEmailHash)).toBe(
+        `otp:send:email:cooldown:${testEmailHash}`
+      );
+      expect(REDIS_KEYS.OTP_SEND_EMAIL_HOURLY(testEmailHash)).toBe(
+        `otp:send:email:hourly:${testEmailHash}`
+      );
+      expect(REDIS_KEYS.OTP_SEND_EMAIL_DAILY(testEmailHash)).toBe(
+        `otp:send:email:daily:${testEmailHash}`
+      );
+    });
+
+    it('should generate correct OTP verify keys', () => {
+      expect(REDIS_KEYS.OTP_VERIFY_FAILED(testIP)).toBe(
+        `otp:verify:failed:${testIP}`
+      );
+      expect(REDIS_KEYS.OTP_VERIFY_FAILED_EMAIL(testEmailHash)).toBe(
+        `otp:verify:failed:email:${testEmailHash}`
+      );
+    });
+
+    it('should generate correct MFA keys', () => {
+      expect(REDIS_KEYS.MFA_CHALLENGE(testIP)).toBe(`mfa:challenge:${testIP}`);
+      expect(REDIS_KEYS.MFA_VERIFY_FAILED(testIP)).toBe(
+        `mfa:verify:failed:${testIP}`
+      );
+    });
+
+    it('should generate correct reauth keys', () => {
+      expect(REDIS_KEYS.REAUTH_SEND(testIP)).toBe(`reauth:send:${testIP}`);
+      expect(REDIS_KEYS.REAUTH_VERIFY_FAILED(testIP)).toBe(
+        `reauth:verify:failed:${testIP}`
+      );
+    });
+
+    it('should generate correct password login keys', () => {
+      expect(REDIS_KEYS.PASSWORD_LOGIN_FAILED(testIP)).toBe(
+        `password:login:failed:${testIP}`
+      );
+    });
+
+    it('should generate correct IP block keys', () => {
+      expect(REDIS_KEYS.IP_BLOCKED(testIP)).toBe(`ip:blocked:${testIP}`);
+      expect(REDIS_KEYS.IP_BLOCK_LEVEL(testIP)).toBe(
+        `ip:block:level:${testIP}`
+      );
+    });
+  });
+
+  describe('WINDOW_MS constants', () => {
+    it('should have correct time windows', () => {
+      expect(WINDOW_MS.ONE_MINUTE).toBe(60 * 1000);
+      expect(WINDOW_MS.TEN_MINUTES).toBe(10 * 60 * 1000);
+      expect(WINDOW_MS.ONE_HOUR).toBe(60 * 60 * 1000);
+      expect(WINDOW_MS.TWENTY_FOUR_HOURS).toBe(24 * 60 * 60 * 1000);
+    });
+
+    it('should have windows in proper order', () => {
+      expect(WINDOW_MS.ONE_MINUTE).toBeLessThan(WINDOW_MS.ONE_HOUR);
+      expect(WINDOW_MS.TEN_MINUTES).toBeLessThan(WINDOW_MS.ONE_HOUR);
+      expect(WINDOW_MS.ONE_HOUR).toBeLessThan(WINDOW_MS.TWENTY_FOUR_HOURS);
+    });
+  });
+
+  describe('checkOTPSendAllowed', () => {
+    it('does not consume quota during preflight checks', async () => {
+      const email = `preflight-${Date.now()}@example.com`;
+
+      const firstAttempt = await checkOTPSendAllowed('198.51.100.1', email);
+      const secondAttempt = await checkOTPSendAllowed('198.51.100.2', email);
+
+      expect(firstAttempt.allowed).toBe(true);
+      expect(secondAttempt.allowed).toBe(true);
+    });
+
+    it('blocks repeated sends to the same email across different IPs during cooldown', async () => {
+      const email = `cooldown-${Date.now()}@example.com`;
+
+      const firstAttempt = await checkOTPSendAllowed('198.51.100.1', email);
+      await recordOTPSendSuccess('198.51.100.1', email);
+      const secondAttempt = await checkOTPSendAllowed('198.51.100.2', email);
+
+      expect(firstAttempt.allowed).toBe(true);
+      expect(secondAttempt.allowed).toBe(false);
+      expect(secondAttempt.retryAfter).toBeGreaterThan(0);
+    });
+
+    it('allows multiple unique teachers behind one shared IP', async () => {
+      const emailBase = `shared-ip-${Date.now()}`;
+
+      for (let attempt = 0; attempt < 4; attempt++) {
+        const allowedAttempt = await checkOTPSendAllowed(
+          '198.51.100.10',
+          `${emailBase}-${attempt}@example.com`
+        );
+        expect(allowedAttempt.allowed).toBe(true);
+        await recordOTPSendSuccess(
+          '198.51.100.10',
+          `${emailBase}-${attempt}@example.com`
+        );
+      }
+    });
+
+    it('honors configured per-minute shared-IP OTP send limits', async () => {
+      vi.stubEnv('ABUSE_OTP_SEND_IP_LIMIT_MINUTE', '2');
+
+      const emailBase = `configured-minute-${Date.now()}`;
+      for (let attempt = 0; attempt < 2; attempt++) {
+        const allowedAttempt = await checkOTPSendAllowed(
+          '198.51.100.11',
+          `${emailBase}-${attempt}@example.com`
+        );
+        expect(allowedAttempt.allowed).toBe(true);
+        await recordOTPSendSuccess(
+          '198.51.100.11',
+          `${emailBase}-${attempt}@example.com`
+        );
+      }
+
+      const blockedAttempt = await checkOTPSendAllowed(
+        '198.51.100.11',
+        `${emailBase}-2@example.com`
+      );
+
+      expect(blockedAttempt.allowed).toBe(false);
+      expect(blockedAttempt.retryAfter).toBeGreaterThan(0);
+    });
+
+    it('caps successful sends for the same email across distributed IPs within an hour', async () => {
+      vi.useFakeTimers();
+      vi.setSystemTime(new Date('2026-03-12T00:00:00.000Z'));
+
+      const email = `hourly-${Date.now()}@example.com`;
+
+      const first = await checkOTPSendAllowed('203.0.113.1', email);
+      await recordOTPSendSuccess('203.0.113.1', email);
+      vi.advanceTimersByTime(
+        ABUSE_THRESHOLDS.OTP_SEND_EMAIL_COOLDOWN_WINDOW_MS + 1
+      );
+      const second = await checkOTPSendAllowed('203.0.113.2', email);
+      await recordOTPSendSuccess('203.0.113.2', email);
+      vi.advanceTimersByTime(
+        ABUSE_THRESHOLDS.OTP_SEND_EMAIL_COOLDOWN_WINDOW_MS + 1
+      );
+      const third = await checkOTPSendAllowed('203.0.113.3', email);
+
+      expect(first.allowed).toBe(true);
+      expect(second.allowed).toBe(true);
+      expect(third.allowed).toBe(false);
+      expect(third.retryAfter).toBeGreaterThan(0);
+    });
+
+    it('caps slow OTP send abuse from a single IP over a day', async () => {
+      vi.useFakeTimers();
+      vi.setSystemTime(new Date('2026-03-12T00:00:00.000Z'));
+      const configuredDayLimit = 12;
+      vi.stubEnv('ABUSE_OTP_SEND_IP_LIMIT_DAY', String(configuredDayLimit));
+
+      const emailBase = `slow-ip-${Date.now()}`;
+      let lastAttempt = await checkOTPSendAllowed(
+        '198.51.100.20',
+        `${emailBase}-0@example.com`
+      );
+      await recordOTPSendSuccess('198.51.100.20', `${emailBase}-0@example.com`);
+
+      for (let attempt = 1; attempt <= configuredDayLimit; attempt++) {
+        vi.advanceTimersByTime(90 * 60 * 1000);
+        lastAttempt = await checkOTPSendAllowed(
+          '198.51.100.20',
+          `${emailBase}-${attempt}@example.com`
+        );
+        if (lastAttempt.allowed) {
+          await recordOTPSendSuccess(
+            '198.51.100.20',
+            `${emailBase}-${attempt}@example.com`
+          );
+        }
+      }
+
+      expect(lastAttempt.allowed).toBe(false);
+      expect(lastAttempt.retryAfter).toBeGreaterThan(0);
+    });
+
+    it('reports remaining attempts based on the next accepted send', async () => {
+      const email = `remaining-${Date.now()}@example.com`;
+
+      const attempt = await checkOTPSendAllowed('198.51.100.50', email);
+
+      expect(attempt.allowed).toBe(true);
+      expect(attempt.remainingAttempts).toBe(
+        ABUSE_THRESHOLDS.OTP_SEND_PER_MINUTE - 1
+      );
+    });
+  });
+
+  describe('resetOtpLimitsForEmail', () => {
+    it.each([
+      'user@@example.com',
+      'user@example',
+      'user..name@example.com',
+      'user@-example.com',
+      'user@example..com',
+    ])('rejects malformed email input: %s', async (email) => {
+      await expect(
+        resetOtpLimitsForEmail({
+          email,
+          clearEmailScoped: true,
+          clearRelatedIpCounters: false,
+          clearRelatedIpBlocks: false,
+          adminUserId: 'admin-user-id',
+        })
+      ).rejects.toThrow('Email is invalid');
+    });
+  });
+});
+
+describe('abuse-protection types', () => {
+  it('should have all expected abuse event types as valid strings', () => {
+    // These are the valid AbuseEventType values as defined in types.ts
+    const validTypes = [
+      'otp_send',
+      'otp_verify_failed',
+      'mfa_challenge',
+      'mfa_verify_failed',
+      'reauth_send',
+      'reauth_verify_failed',
+      'password_login_failed',
+      'manual',
+    ];
+    // Just verify these are valid string values
+    validTypes.forEach((type) => {
+      expect(typeof type).toBe('string');
+    });
+  });
+});
+
+describe('IP address validation', () => {
+  // Test IPv4 validation through extractIPFromHeaders
+  describe('IPv4 addresses', () => {
+    it('should accept valid IPv4 addresses', () => {
+      const validIPs = [
+        '0.0.0.0',
+        '192.168.1.1',
+        '255.255.255.255',
+        '10.0.0.1',
+        '172.16.0.1',
+      ];
+      validIPs.forEach((ip) => {
+        const headers = new Headers();
+        headers.set('x-forwarded-for', ip);
+        expect(extractIPFromHeaders(headers)).toBe(ip);
+      });
+    });
+  });
+
+  describe('IPv6 addresses', () => {
+    it('should accept common IPv6 addresses', () => {
+      // Test the IPv6 addresses that match the current regex pattern
+      const supportedIPs = ['::1', '2001:db8::1', 'fe80::1'];
+      supportedIPs.forEach((ip) => {
+        const headers = new Headers();
+        headers.set('x-forwarded-for', ip);
+        expect(extractIPFromHeaders(headers)).toBe(ip);
+      });
+    });
+
+    it('should handle IPv6 formats matching the regex pattern', () => {
+      // The regex pattern is basic and may not match all valid IPv6 formats
+      // like ::ffff:192.168.1.1 (IPv4-mapped IPv6)
+      const headers = new Headers();
+      headers.set('x-forwarded-for', '::1');
+      expect(extractIPFromHeaders(headers)).toBe('::1');
+    });
+  });
+});