adapt-authoring-auth-local 1.3.1 → 2.0.0

package/index.js

@@ -4,3 +4,4 @@
  */
 export { default } from './lib/LocalAuthModule.js'
 export { default as PasswordUtils } from './lib/PasswordUtils.js'
+export { compare, getRandomHex, validate } from './lib/utils.js'

package/lib/LocalAuthModule.js

@@ -1,6 +1,7 @@
 import _ from 'lodash'
 import { AbstractAuthModule } from 'adapt-authoring-auth'
 import apidefs from './apidefs.js'
+import { compare, getRandomHex, validate } from './utils.js'
 import { formatDistanceToNowStrict as toNow } from 'date-fns'
 import PasswordUtils from './PasswordUtils.js'
 /**
@@ -77,7 +78,7 @@ class LocalAuthModule extends AbstractAuthModule {
     let lastFailedLoginAttempt
     let error
     try {
-      await PasswordUtils.compare(req.body.password, user.password)
+      await compare(req.body.password, user.password)
     } catch (e) {
       if (!user.isPermLocked && !isTempLockTimeout) { // only update failed login data when account isn't locked
         failedLoginAttempts += 1
@@ -105,7 +106,7 @@ class LocalAuthModule extends AbstractAuthModule {
    * @param {Object} user The current user
    */
   async handleLockStatus (user) {
-    const tempLockEndTime = new Date(user.lastFailedLoginAttempt).getTime() + this.getConfig('temporaryLockDuration') * 1000
+    const tempLockEndTime = new Date(user.lastFailedLoginAttempt).getTime() + this.getConfig('temporaryLockDuration')
     const tempLockRemainingSecs = Math.round((tempLockEndTime - Date.now()) / 1000)
 
     if (user.isPermLocked) {
@@ -122,8 +123,8 @@ class LocalAuthModule extends AbstractAuthModule {
 
   /** @override */
   async register (data) {
-    data.password = data.password ?? await PasswordUtils.getRandomHex()
-    await PasswordUtils.validate(data.password)
+    data.password = data.password ?? await getRandomHex()
+    await validate(data.password)
     return super.register({ ...data, password: await PasswordUtils.generate(data.password) })
   }
 
@@ -173,7 +174,7 @@ class LocalAuthModule extends AbstractAuthModule {
     if (!Object.prototype.hasOwnProperty.call(updateData, 'password')) {
       return this.users.update(query, updateData, { schemaName: this.userSchema, useDefaults: false, ignoreRequired: true })
     }
-    await PasswordUtils.validate(updateData.password)
+    await validate(updateData.password)
     updateData.password = await PasswordUtils.generate(updateData.password)
     // password updates required special process
     const [mailer, mongodb] = await this.app.waitForModule('mailer', 'mongodb')
@@ -291,7 +292,7 @@ class LocalAuthModule extends AbstractAuthModule {
         email = req.body.email || req.auth.user.email
         // validate the existing password for security
         const [user] = await this.users.find({ email })
-        await PasswordUtils.compare(req.body.oldPassword, user.password)
+        await compare(req.body.oldPassword, user.password)
       } else { // no authenticated, so should expect body data
         const tokenData = await PasswordUtils.validateReset(req.body.token)
         email = tokenData.email
@@ -320,7 +321,7 @@ class LocalAuthModule extends AbstractAuthModule {
    */
   async validatePasswordHandler (req, res, next) {
     try {
-      await PasswordUtils.validate(req.body.password)
+      await validate(req.body.password)
       res.json({ message: req.translate('app.passwordindicatorstrong') })
     } catch (e) {
       e.data.errors = e.data.errors.map(req.translate).join(', ')

package/lib/PasswordUtils.js

@@ -1,6 +1,6 @@
 import { App } from 'adapt-authoring-core'
 import bcrypt from 'bcryptjs'
-import crypto from 'crypto'
+import { compare, getRandomHex, validate } from './utils.js'
 import { promisify } from 'util'
 
 /** @ignore */ const passwordResetsCollectionName = 'passwordresets'
@@ -30,48 +30,17 @@ class PasswordUtils {
    * @param {String} plainPassword
    * @param {String} hash
    * @return {Promise}
+   * @deprecated Use compare() from 'adapt-authoring-auth-local' instead
    */
-  static async compare (plainPassword, hash) {
-    const error = App.instance.errors.INVALID_LOGIN_DETAILS
-    if (!plainPassword || !hash) {
-      throw error.setData({
-        error: App.instance.errors.INVALID_PARAMS.setData({ params: ['plainPassword', 'hash'] })
-      })
-    }
-    try {
-      const isValid = await promisify(bcrypt.compare)(plainPassword, hash)
-      if (!isValid) throw new Error()
-    } catch (e) {
-      throw error.setData({ error: App.instance.errors.INCORRECT_PASSWORD })
-    }
-  }
+  static async compare (plainPassword, hash) { return compare(plainPassword, hash) }
 
   /**
    * Validates a password against the stored config settings
    * @param {String} password Password to validate
    * @returns {Promise} Resolves if the password passes the validation
+   * @deprecated Use validate() from 'adapt-authoring-auth-local' instead
    */
-  static async validate (password) {
-    const authlocal = await App.instance.waitForModule('auth-local')
-    if (typeof password !== 'string') {
-      throw App.instance.errors.INVALID_PARAMS.setData({ params: ['password'] })
-    }
-    const blacklisted = authlocal.getConfig('blacklistedPasswordValues')
-    const match = (key, re) => !authlocal.getConfig(key) || password.search(re) > -1
-    const validationChecks = {
-      INVALID_PASSWORD_LENGTH: [password.length >= authlocal.getConfig('minPasswordLength'), { length: authlocal.getConfig('minPasswordLength') }],
-      INVALID_PASSWORD_NUMBER: [match('passwordMustHaveNumber', /[0-9]/)],
-      INVALID_PASSWORD_UPPERCASE: [match('passwordMustHaveUppercase', /[A-Z]/)],
-      INVALID_PASSWORD_LOWERCASE: [match('passwordMustHaveLowercase', /[a-z]/)],
-      INVALID_PASSWORD_SPECIAL: [match('passwordMustHaveSpecial', /[#?!@$%^&*-]/)],
-      BLACKLISTED_PASSWORD_VALUE: [blacklisted.length === 0 || blacklisted.some(p => !(password.includes(p)))]
-    }
-    const errors = Object.entries(validationChecks).reduce((m, [code, [isValid, data]]) => {
-      if (!isValid) m.push(App.instance.errors[code].setData(data))
-      return m
-    }, [])
-    if (errors.length) throw App.instance.errors.INVALID_PASSWORD.setData({ errors })
-  }
+  static async validate (password) { return validate(password) }
 
   /**
    * Generates a secure hash from a plain-text password
@@ -119,7 +88,7 @@ class PasswordUtils {
     const { token } = await mongodb.insert(passwordResetsCollectionName, {
       email,
       expiresAt: new Date(Date.now() + lifespan).toISOString(),
-      token: await this.getRandomHex()
+      token: await getRandomHex()
     })
     return token
   }
@@ -138,11 +107,9 @@ class PasswordUtils {
    * Creates a random hex string
    * @param {Number} size Size of string
    * @return {Promise} Resolves with the string value
+   * @deprecated Use getRandomHex() from 'adapt-authoring-auth-local' instead
    */
-  static async getRandomHex (size = 32) {
-    const buffer = await promisify(crypto.randomBytes)(size)
-    return buffer.toString('hex')
-  }
+  static async getRandomHex (size = 32) { return getRandomHex(size) }
 
   /**
    * Validates a password reset token
@@ -164,7 +131,7 @@ class PasswordUtils {
     const [user] = await users.find({ email: tokenData.email })
     if (!user) {
       throw App.instance.errors.NOT_FOUND
-        .setData({ type: 'user', id: token.email })
+        .setData({ type: 'user', id: tokenData.email })
     }
     return tokenData
   }

package/lib/utils/compare.js

@@ -0,0 +1,25 @@
+import { App } from 'adapt-authoring-core'
+import bcrypt from 'bcryptjs'
+import { promisify } from 'util'
+
+/**
+ * Compares a plain password to a hash
+ * @param {String} plainPassword
+ * @param {String} hash
+ * @return {Promise}
+ * @memberof localauth
+ */
+export async function compare (plainPassword, hash) {
+  const error = App.instance.errors.INVALID_LOGIN_DETAILS
+  if (!plainPassword || !hash) {
+    throw error.setData({
+      error: App.instance.errors.INVALID_PARAMS.setData({ params: ['plainPassword', 'hash'] })
+    })
+  }
+  try {
+    const isValid = await promisify(bcrypt.compare)(plainPassword, hash)
+    if (!isValid) throw new Error()
+  } catch (e) {
+    throw error.setData({ error: App.instance.errors.INCORRECT_PASSWORD })
+  }
+}

package/lib/utils/getRandomHex.js

@@ -0,0 +1,13 @@
+import crypto from 'crypto'
+import { promisify } from 'util'
+
+/**
+ * Creates a random hex string
+ * @param {Number} size Size of string
+ * @return {Promise<String>} Resolves with the string value
+ * @memberof localauth
+ */
+export async function getRandomHex (size = 32) {
+  const buffer = await promisify(crypto.randomBytes)(size)
+  return buffer.toString('hex')
+}

package/lib/utils/validate.js

@@ -0,0 +1,29 @@
+import { App } from 'adapt-authoring-core'
+
+/**
+ * Validates a password against the stored config settings
+ * @param {String} password Password to validate
+ * @returns {Promise} Resolves if the password passes the validation
+ * @memberof localauth
+ */
+export async function validate (password) {
+  const authlocal = await App.instance.waitForModule('auth-local')
+  if (typeof password !== 'string') {
+    throw App.instance.errors.INVALID_PARAMS.setData({ params: ['password'] })
+  }
+  const blacklisted = authlocal.getConfig('blacklistedPasswordValues')
+  const match = (key, re) => !authlocal.getConfig(key) || password.search(re) > -1
+  const validationChecks = {
+    INVALID_PASSWORD_LENGTH: [password.length >= authlocal.getConfig('minPasswordLength'), { length: authlocal.getConfig('minPasswordLength') }],
+    INVALID_PASSWORD_NUMBER: [match('passwordMustHaveNumber', /[0-9]/)],
+    INVALID_PASSWORD_UPPERCASE: [match('passwordMustHaveUppercase', /[A-Z]/)],
+    INVALID_PASSWORD_LOWERCASE: [match('passwordMustHaveLowercase', /[a-z]/)],
+    INVALID_PASSWORD_SPECIAL: [match('passwordMustHaveSpecial', /[#?!@$%^&*-]/)],
+    BLACKLISTED_PASSWORD_VALUE: [blacklisted.length === 0 || blacklisted.every(p => !(password.includes(p)))]
+  }
+  const errors = Object.entries(validationChecks).reduce((m, [code, [isValid, data]]) => {
+    if (!isValid) m.push(App.instance.errors[code].setData(data))
+    return m
+  }, [])
+  if (errors.length) throw App.instance.errors.INVALID_PASSWORD.setData({ errors })
+}

package/lib/utils.js

@@ -0,0 +1,3 @@
+export { compare } from './utils/compare.js'
+export { getRandomHex } from './utils/getRandomHex.js'
+export { validate } from './utils/validate.js'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "adapt-authoring-auth-local",
-  "version": "1.3.1",
+  "version": "2.0.0",
   "description": "Module which implements username/password (local) authentication",
   "homepage": "https://github.com/adapt-security/adapt-authoring-auth-local",
   "license": "GPL-3.0",
@@ -12,7 +12,7 @@
   "repository": "github:adapt-security/adapt-authoring-auth-local",
   "dependencies": {
     "adapt-authoring-auth": "^1.0.7",
-    "adapt-authoring-core": "^1.7.0",
+    "adapt-authoring-core": "^2.0.0",
     "bcryptjs": "3.0.3",
     "date-fns": "^4.1.0",
     "lodash": "^4.17.21"

package/tests/LocalAuthModule.spec.js

@@ -505,10 +505,7 @@ describe('LocalAuthModule', () => {
       const user = {
         isPermLocked: false,
         isTempLocked: true,
-        // NOTE: handleLockStatus multiplies temporaryLockDuration by 1000, which
-        // appears to be a bug if the config value is already in ms (isTimeMs: true).
-        // We set lastFailedLoginAttempt to now so the lock is still active with
-        // the doubled value.
+        // NOTE: lastFailedLoginAttempt is set to now so the lock is still active.
         lastFailedLoginAttempt: new Date().toISOString()
       }
       await assert.rejects(
@@ -649,9 +646,7 @@ describe('LocalAuthModule', () => {
       assert.ok(updateCalls.length > 0)
     })
 
-    // TODO: Bug - setUserEnabled references user.failedAttempts instead of
-    // user.failedLoginAttempts when disabling. See BUGS.md.
-    it('should preserve failedLoginAttempts when disabling a user', { todo: 'references user.failedAttempts instead of user.failedLoginAttempts' }, async () => {
+    it('should preserve failedLoginAttempts when disabling a user', async () => {
       const user = { _id: 'user-1', failedLoginAttempts: 7 }
       await mod.setUserEnabled(user, false)
       const lastUpdate = updateCalls[updateCalls.length - 1]

package/tests/PasswordUtils.spec.js

@@ -374,11 +374,7 @@ describe('PasswordUtils', () => {
       await assert.doesNotReject(() => PasswordUtils.validate('anything1'))
     })
 
-    // TODO: Bug - blacklist check uses .some() instead of .every()
-    // With multiple blacklisted values, a password containing one blacklisted
-    // value passes if another blacklisted value is absent.
-    // See BUGS.md and PasswordUtils.js line 67.
-    it('should throw when password contains any blacklisted value (multiple entries)', { todo: 'blacklist check uses .some() instead of .every()' }, async () => {
+    it('should throw when password contains any blacklisted value (multiple entries)', async () => {
       authlocalConfig.blacklistedPasswordValues = ['password', 'qwerty']
       await assert.rejects(
         () => PasswordUtils.validate('password123'),
@@ -593,10 +589,7 @@ describe('PasswordUtils', () => {
       )
     })
 
-    // TODO: Bug - validateReset uses token.email instead of tokenData.email
-    // in the NOT_FOUND error data. Since token is a string, token.email is
-    // undefined. See PasswordUtils.js line 167.
-    it('should include correct email in NOT_FOUND error when user is missing', { todo: 'uses token.email (string) instead of tokenData.email' }, async () => {
+    it('should include correct email in NOT_FOUND error when user is missing', async () => {
       mockPasswordResetsStore.push({
         token: 'orphan-token',
         email: 'orphan@example.com',

package/tests/utils-compare.spec.js

@@ -0,0 +1,78 @@
+import { describe, it, before, mock } from 'node:test'
+import assert from 'node:assert/strict'
+import bcrypt from 'bcryptjs'
+import { promisify } from 'util'
+
+const mockErrors = {
+  INVALID_LOGIN_DETAILS: { setData: (d) => ({ ...mockErrors.INVALID_LOGIN_DETAILS, data: d, name: 'INVALID_LOGIN_DETAILS' }), name: 'INVALID_LOGIN_DETAILS' },
+  INVALID_PARAMS: { setData: (d) => ({ ...mockErrors.INVALID_PARAMS, data: d, name: 'INVALID_PARAMS' }), name: 'INVALID_PARAMS' },
+  INCORRECT_PASSWORD: { name: 'INCORRECT_PASSWORD' }
+}
+
+mock.module('adapt-authoring-core', {
+  namedExports: { App: { instance: { errors: mockErrors } } }
+})
+
+const { compare } = await import('../lib/utils/compare.js')
+
+describe('compare()', () => {
+  let hash
+
+  before(async () => {
+    const salt = await promisify(bcrypt.genSalt)(10)
+    hash = await promisify(bcrypt.hash)('correctpassword', salt)
+  })
+
+  it('should resolve without error when password matches hash', async () => {
+    await assert.doesNotReject(() => compare('correctpassword', hash))
+  })
+
+  it('should throw when password does not match hash', async () => {
+    await assert.rejects(
+      () => compare('wrongpassword', hash),
+      (err) => err.name === 'INVALID_LOGIN_DETAILS'
+    )
+  })
+
+  it('should throw when plainPassword is empty', async () => {
+    await assert.rejects(
+      () => compare('', hash),
+      (err) => err.name === 'INVALID_LOGIN_DETAILS'
+    )
+  })
+
+  it('should throw when hash is empty', async () => {
+    await assert.rejects(
+      () => compare('password', ''),
+      (err) => err.name === 'INVALID_LOGIN_DETAILS'
+    )
+  })
+
+  it('should throw when both arguments are missing', async () => {
+    await assert.rejects(
+      () => compare(undefined, undefined),
+      (err) => err.name === 'INVALID_LOGIN_DETAILS'
+    )
+  })
+
+  it('should set INCORRECT_PASSWORD as nested error on mismatch', async () => {
+    await assert.rejects(
+      () => compare('wrongpassword', hash),
+      (err) => {
+        assert.equal(err.data.error.name, 'INCORRECT_PASSWORD')
+        return true
+      }
+    )
+  })
+
+  it('should set INVALID_PARAMS as nested error when params missing', async () => {
+    await assert.rejects(
+      () => compare('', ''),
+      (err) => {
+        assert.equal(err.data.error.name, 'INVALID_PARAMS')
+        assert.deepEqual(err.data.error.data.params, ['plainPassword', 'hash'])
+        return true
+      }
+    )
+  })
+})

package/tests/utils-getRandomHex.spec.js

@@ -0,0 +1,36 @@
+import { describe, it } from 'node:test'
+import assert from 'node:assert/strict'
+import { getRandomHex } from '../lib/utils/getRandomHex.js'
+
+describe('getRandomHex()', () => {
+  it('should return a hex string of default length (64 chars for 32 bytes)', async () => {
+    const hex = await getRandomHex()
+    assert.equal(typeof hex, 'string')
+    assert.equal(hex.length, 64)
+    assert.ok(/^[0-9a-f]+$/.test(hex))
+  })
+
+  it('should return a hex string of specified length', async () => {
+    const hex = await getRandomHex(16)
+    assert.equal(hex.length, 32)
+    assert.ok(/^[0-9a-f]+$/.test(hex))
+  })
+
+  it('should return unique values on subsequent calls', async () => {
+    const hex1 = await getRandomHex()
+    const hex2 = await getRandomHex()
+    assert.notEqual(hex1, hex2)
+  })
+
+  it('should handle a size of 1', async () => {
+    const hex = await getRandomHex(1)
+    assert.equal(hex.length, 2)
+    assert.ok(/^[0-9a-f]+$/.test(hex))
+  })
+
+  it('should handle a large size', async () => {
+    const hex = await getRandomHex(256)
+    assert.equal(hex.length, 512)
+    assert.ok(/^[0-9a-f]+$/.test(hex))
+  })
+})

package/tests/utils-validate.spec.js

@@ -0,0 +1,151 @@
+import { describe, it, beforeEach, mock } from 'node:test'
+import assert from 'node:assert/strict'
+
+const mockErrors = {
+  INVALID_PARAMS: { setData: (d) => ({ ...mockErrors.INVALID_PARAMS, data: d, name: 'INVALID_PARAMS' }), name: 'INVALID_PARAMS' },
+  INVALID_PASSWORD: { setData: (d) => ({ ...mockErrors.INVALID_PASSWORD, data: d, name: 'INVALID_PASSWORD' }), name: 'INVALID_PASSWORD' },
+  INVALID_PASSWORD_LENGTH: { setData: (d) => ({ ...mockErrors.INVALID_PASSWORD_LENGTH, data: d, name: 'INVALID_PASSWORD_LENGTH' }), name: 'INVALID_PASSWORD_LENGTH' },
+  INVALID_PASSWORD_NUMBER: { setData: (d) => ({ ...mockErrors.INVALID_PASSWORD_NUMBER, data: d, name: 'INVALID_PASSWORD_NUMBER' }), name: 'INVALID_PASSWORD_NUMBER' },
+  INVALID_PASSWORD_UPPERCASE: { setData: (d) => ({ ...mockErrors.INVALID_PASSWORD_UPPERCASE, data: d, name: 'INVALID_PASSWORD_UPPERCASE' }), name: 'INVALID_PASSWORD_UPPERCASE' },
+  INVALID_PASSWORD_LOWERCASE: { setData: (d) => ({ ...mockErrors.INVALID_PASSWORD_LOWERCASE, data: d, name: 'INVALID_PASSWORD_LOWERCASE' }), name: 'INVALID_PASSWORD_LOWERCASE' },
+  INVALID_PASSWORD_SPECIAL: { setData: (d) => ({ ...mockErrors.INVALID_PASSWORD_SPECIAL, data: d, name: 'INVALID_PASSWORD_SPECIAL' }), name: 'INVALID_PASSWORD_SPECIAL' },
+  BLACKLISTED_PASSWORD_VALUE: { setData: (d) => ({ ...mockErrors.BLACKLISTED_PASSWORD_VALUE, data: d, name: 'BLACKLISTED_PASSWORD_VALUE' }), name: 'BLACKLISTED_PASSWORD_VALUE' }
+}
+
+let authlocalConfig = {
+  minPasswordLength: 8,
+  passwordMustHaveNumber: false,
+  passwordMustHaveUppercase: false,
+  passwordMustHaveLowercase: false,
+  passwordMustHaveSpecial: false,
+  blacklistedPasswordValues: []
+}
+
+const mockAuthlocal = {
+  getConfig: (key) => authlocalConfig[key]
+}
+
+mock.module('adapt-authoring-core', {
+  namedExports: {
+    App: {
+      instance: {
+        errors: mockErrors,
+        waitForModule: async () => mockAuthlocal
+      }
+    }
+  }
+})
+
+const { validate } = await import('../lib/utils/validate.js')
+
+describe('validate()', () => {
+  beforeEach(() => {
+    authlocalConfig = {
+      minPasswordLength: 8,
+      passwordMustHaveNumber: false,
+      passwordMustHaveUppercase: false,
+      passwordMustHaveLowercase: false,
+      passwordMustHaveSpecial: false,
+      blacklistedPasswordValues: []
+    }
+  })
+
+  it('should resolve for a valid password meeting minimum length', async () => {
+    await assert.doesNotReject(() => validate('abcdefgh'))
+  })
+
+  it('should throw when password is not a string', async () => {
+    await assert.rejects(
+      () => validate(12345678),
+      (err) => err.name === 'INVALID_PARAMS'
+    )
+  })
+
+  it('should throw when password is null', async () => {
+    await assert.rejects(
+      () => validate(null),
+      (err) => err.name === 'INVALID_PARAMS'
+    )
+  })
+
+  it('should throw when password is too short', async () => {
+    await assert.rejects(
+      () => validate('short'),
+      (err) => err.name === 'INVALID_PASSWORD'
+    )
+  })
+
+  it('should include minimum length in error data', async () => {
+    await assert.rejects(
+      () => validate('short'),
+      (err) => {
+        assert.equal(err.name, 'INVALID_PASSWORD')
+        const lengthErr = err.data.errors.find(e => e.name === 'INVALID_PASSWORD_LENGTH')
+        assert.ok(lengthErr)
+        assert.equal(lengthErr.data.length, 8)
+        return true
+      }
+    )
+  })
+
+  it('should throw when number is required but missing', async () => {
+    authlocalConfig.passwordMustHaveNumber = true
+    await assert.rejects(
+      () => validate('abcdefgh'),
+      (err) => err.name === 'INVALID_PASSWORD'
+    )
+  })
+
+  it('should accept password with number when required', async () => {
+    authlocalConfig.passwordMustHaveNumber = true
+    await assert.doesNotReject(() => validate('abcdefg1'))
+  })
+
+  it('should throw when uppercase is required but missing', async () => {
+    authlocalConfig.passwordMustHaveUppercase = true
+    await assert.rejects(
+      () => validate('abcdefgh'),
+      (err) => err.name === 'INVALID_PASSWORD'
+    )
+  })
+
+  it('should accept password with uppercase when required', async () => {
+    authlocalConfig.passwordMustHaveUppercase = true
+    await assert.doesNotReject(() => validate('Abcdefgh'))
+  })
+
+  it('should throw when special character is required but missing', async () => {
+    authlocalConfig.passwordMustHaveSpecial = true
+    await assert.rejects(
+      () => validate('abcdefgh'),
+      (err) => err.name === 'INVALID_PASSWORD'
+    )
+  })
+
+  it('should collect multiple validation errors', async () => {
+    authlocalConfig.passwordMustHaveNumber = true
+    authlocalConfig.passwordMustHaveUppercase = true
+    authlocalConfig.passwordMustHaveSpecial = true
+    await assert.rejects(
+      () => validate('abcdefgh'),
+      (err) => {
+        assert.equal(err.name, 'INVALID_PASSWORD')
+        assert.ok(err.data.errors.length >= 3)
+        return true
+      }
+    )
+  })
+
+  it('should throw when password contains a blacklisted value', async () => {
+    authlocalConfig.blacklistedPasswordValues = ['password']
+    await assert.rejects(
+      () => validate('password123'),
+      (err) => err.name === 'INVALID_PASSWORD'
+    )
+  })
+
+  it('should accept password not containing blacklisted values', async () => {
+    authlocalConfig.blacklistedPasswordValues = ['password']
+    await assert.doesNotReject(() => validate('securevalue'))
+  })
+})