pryv 3.0.3 → 3.1.0

package/src/lib/MfaRequiredError.js

@@ -0,0 +1,46 @@
+/**
+ * @license
+ * [BSD-3-Clause](https://github.com/pryv/lib-js/blob/master/LICENSE)
+ */
+
+const PryvError = require('./PryvError');
+
+/**
+ * Thrown by `Service.login` when the platform replied with `{ mfaToken }`
+ * instead of `{ token }`. Consumers catch this, prompt the user for the
+ * SMS code, then call `Service.mfaVerify(userId, err.mfaToken, code)`.
+ *
+ *   try { conn = await service.login(u, p, app) }
+ *   catch (err) {
+ *     if (err instanceof MfaRequiredError) {
+ *       const code = await prompt()
+ *       conn = await service.mfaVerify(u, err.mfaToken, code)
+ *     } else { throw err }
+ *   }
+ *
+ * @extends PryvError
+ */
+class MfaRequiredError extends PryvError {
+  /**
+   * @param {string} mfaToken - The token returned by the API (use with mfa.challenge / mfa.verify)
+   * @param {Response} response - The fetch Response object
+   * @param {Object} [body] - Parsed JSON body
+   */
+  constructor (mfaToken, response, body) {
+    const apiErr = body && body.error;
+    const message = (apiErr && apiErr.message) || 'MFA required';
+    super(message);
+    this.name = 'MfaRequiredError';
+    /** @type {string} */
+    this.mfaToken = mfaToken;
+    this.id = (apiErr && apiErr.id) || 'mfa-required';
+    this.status = response && response.status;
+    this.response = { body, status: response && response.status };
+
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, MfaRequiredError);
+    }
+  }
+}
+
+module.exports = MfaRequiredError;

package/src/lib/PryvError.js

@@ -5,26 +5,60 @@
 
 /**
  * Custom error class for Pryv library errors.
- * Includes an innerObject property for wrapping underlying errors.
+ *
+ * Two construction patterns are supported (additive — both stay valid):
+ *
+ *   // Legacy: wrap an underlying error or value
+ *   throw new PryvError('Failed to do X', innerError)
+ *
+ *   // Structured: carry the API error id, HTTP status, and raw response
+ *   throw PryvError.fromApiResponse(response, body)
+ *
+ * Structured fields (`id`, `status`, `response`) are `undefined` unless set
+ * via the static factory or assigned post-hoc.
+ *
  * @extends Error
  */
 class PryvError extends Error {
   /**
-   * Create a PryvError
    * @param {string} message - Error message
-   * @param {Error|Object} [innerObject] - The underlying error or object that caused this error
+   * @param {Error|Object} [innerObject] - Underlying error or value
    */
   constructor (message, innerObject) {
     super(message);
     this.name = 'PryvError';
     /** @type {Error|Object|undefined} */
     this.innerObject = innerObject;
+    /** @type {string|undefined} Pryv API error id, e.g. `'unknown-user'` */
+    this.id = undefined;
+    /** @type {number|undefined} HTTP status that produced this error */
+    this.status = undefined;
+    /** @type {{ body: any, status: number }|undefined} Raw response */
+    this.response = undefined;
 
-    // Maintains proper stack trace for where error was thrown (only in V8)
     if (Error.captureStackTrace) {
       Error.captureStackTrace(this, PryvError);
     }
   }
+
+  /**
+   * Build a PryvError from a fetch Response and its parsed JSON body.
+   * Pulls `id` and `message` from `body.error` when present (Pryv API shape).
+   *
+   * @param {Response} response - The fetch Response object
+   * @param {Object} [body] - Parsed JSON body
+   * @returns {PryvError}
+   */
+  static fromApiResponse (response, body) {
+    const apiErr = body && body.error;
+    const message = (apiErr && apiErr.message) ||
+      `Pryv API error (HTTP ${response.status})`;
+    const err = new PryvError(message);
+    err.id = apiErr && apiErr.id;
+    err.status = response.status;
+    err.response = { body, status: response.status };
+    return err;
+  }
 }
 
 module.exports = PryvError;

package/src/lib/StaleAccessIdError.js

@@ -0,0 +1,40 @@
+/**
+ * @license
+ * [BSD-3-Clause](https://github.com/pryv/lib-js/blob/master/LICENSE)
+ */
+
+const PryvError = require('./PryvError');
+
+/**
+ * Plan 66: typed error surfaced when a Pryv.io server (≥ 2.0.0-pre.X)
+ * rejects an `accesses.update` or `accesses.delete` call with a
+ * 409 `stale-resource` response.
+ *
+ * The composite access id `<base>:<serial>` carries the version the
+ * caller last observed. If the access has since been updated, the
+ * server rejects the call so the caller refetches the current head
+ * (`connection.api('accesses.getOne', { id: base })`) and retries
+ * with the fresh composite id.
+ *
+ * Reach for `.data.provided` to see what the caller sent and
+ * `.data.currentSerial` to see what the server currently has.
+ *
+ * @extends PryvError
+ */
+class StaleAccessIdError extends PryvError {
+  /**
+   * @param {string} message
+   * @param {{ provided?: string, currentSerial?: number | null }} data
+   */
+  constructor (message, data) {
+    super(message);
+    this.name = 'StaleAccessIdError';
+    /** @type {{ provided?: string, currentSerial?: number | null }} */
+    this.data = data || {};
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, StaleAccessIdError);
+    }
+  }
+}
+
+module.exports = StaleAccessIdError;

package/src/lib/errorIds.js

@@ -0,0 +1,67 @@
+/**
+ * @license
+ * [BSD-3-Clause](https://github.com/pryv/lib-js/blob/master/LICENSE)
+ */
+
+/**
+ * Catalogue of Pryv API error ids.
+ *
+ * Mirrors `open-pryv.io/components/errors/src/ErrorIds.js`. Use these
+ * constants instead of hardcoding error-id strings:
+ *
+ *   if (err instanceof PryvError && err.id === pryv.ERRORS.UNKNOWN_USER) { … }
+ *
+ * Adding a new id here is safe; renaming or removing one is a breaking
+ * change for consumers using the constant.
+ */
+const ERRORS = Object.freeze({
+  API_UNAVAILABLE: 'api-unavailable',
+  CORRUPTED_DATA: 'corrupted-data',
+  FORBIDDEN: 'forbidden',
+  INVALID_ACCESS_TOKEN: 'invalid-access-token',
+  INVALID_CREDENTIALS: 'invalid-credentials',
+  UNSUPPORTED_OPERATION: 'unsupported-operation',
+  INVALID_EVENT_TYPE: 'invalid-event-type',
+  INVALID_ITEM_ID: 'invalid-item-id',
+  INVALID_METHOD: 'invalid-method',
+  INVALID_OPERATION: 'invalid-operation',
+  INVALID_PARAMETERS_FORMAT: 'invalid-parameters-format',
+  INVALID_REQUEST_STRUCTURE: 'invalid-request-structure',
+  ITEM_ALREADY_EXISTS: 'item-already-exists',
+  MISSING_HEADER: 'missing-header',
+  UNEXPECTED_ERROR: 'unexpected-error',
+  UNKNOWN_REFERENCED_RESOURCE: 'unknown-referenced-resource',
+  UNKNOWN_RESOURCE: 'unknown-resource',
+  UNSUPPORTED_CONTENT_TYPE: 'unsupported-content-type',
+  TOO_MANY_RESULTS: 'too-many-results',
+  GONE: 'removed-method',
+  UNAVAILABLE_METHOD: 'unavailable-method',
+
+  // Registration / unique-field validation
+  INVALID_INVITATION_TOKEN: 'invitationToken-invalid',
+  INVALID_USERNAME: 'username-invalid',
+  USERNAME_REQUIRED: 'username-required',
+  INVALID_EMAIL: 'email-invalid',
+  INVALID_LANGUAGE: 'language-invalid',
+  INVALID_APP_ID: 'appid-invalid',
+  INVALID_PASSWORD: 'password-invalid',
+  INVALID_REFERER: 'referer-invalid',
+  EMAIL_REQUIRED: 'email-required',
+  PASSWORD_REQUIRED: 'password-required',
+  MISSING_REQUIRED_FIELD: 'missing-required-field',
+  NEW_PASSWORD_FIELD_IS_REQUIRED: 'newPassword-required',
+
+  // Account-stream / system-stream protections
+  DENIED_STREAM_ACCESS: 'denied-stream-access',
+  TOO_HIGH_ACCESS_FOR_SYSTEM_STREAMS: 'too-high-access-for-account-stream',
+  FORBIDDEN_MULTIPLE_ACCOUNT_STREAMS: 'forbidden-multiple-account-streams-events',
+  FORBIDDEN_ACCOUNT_EVENT_MODIFICATION: 'forbidden-none-editable-account-streams',
+  FORBIDDEN_TO_CHANGE_ACCOUNT_STREAM_ID: 'forbidden-change-account-streams-id',
+  FORBIDDEN_TO_EDIT_NONEDITABLE_ACCOUNT_FIELDS: 'forbidden-to-edit-noneditable-account-fields',
+
+  // Pre-auth lookups (returned by `/reg/:email/uid` and similar)
+  UNKNOWN_USER: 'unknown-user',
+  UNKNOWN_EMAIL: 'unknown-email'
+});
+
+module.exports = ERRORS;

package/src/utils.js

@@ -155,6 +155,56 @@ const utils = module.exports = {
     return url.replace(PRYV_REGEXP, '');
   },
 
+  /**
+   * Plan 66 (open-pryv.io ≥ 2.0.0-pre.X): parse a wire-format access
+   * reference into `{ base, serial }`. Accepts both bare cuid
+   * (`"abc123"` → `{ base: 'abc123', serial: null }`) and composite
+   * (`"abc123:3"` → `{ base: 'abc123', serial: 3 }`). Throws on
+   * malformed input. Apply this to `access.id`, `access.createdBy`,
+   * `access.modifiedBy`, and `streamIds` entries of the form
+   * `access-<base>:<serial>` from audit events.
+   * @memberof pryv.utils
+   * @param {string} ref - Access reference string
+   * @returns {{ base: string, serial: number | null }}
+   */
+  parseAccessRef: function (ref) {
+    if (typeof ref !== 'string' || ref.length === 0) {
+      throw new Error('parseAccessRef: expected a non-empty string, got ' + JSON.stringify(ref));
+    }
+    const colonIdx = ref.indexOf(':');
+    if (colonIdx === -1) return { base: ref, serial: null };
+    const base = ref.slice(0, colonIdx);
+    const tail = ref.slice(colonIdx + 1);
+    if (base.length === 0) {
+      throw new Error('parseAccessRef: empty base in ' + JSON.stringify(ref));
+    }
+    const serial = Number(tail);
+    if (!Number.isInteger(serial) || serial < 1) {
+      throw new Error('parseAccessRef: serial must be a positive integer, got ' + JSON.stringify(tail));
+    }
+    return { base, serial };
+  },
+
+  /**
+   * Plan 66: render an `{ base, serial }` pair back to the wire
+   * format. Bare cuid when serial is null/undefined; `<base>:<serial>`
+   * otherwise. Mostly used to construct the composite id when calling
+   * `connection.api()` for `accesses.update` / `accesses.delete`.
+   * @memberof pryv.utils
+   * @param {{ base: string, serial?: number | null }} ref
+   * @returns {string}
+   */
+  serializeAccessRef: function (ref) {
+    if (ref == null || typeof ref.base !== 'string' || ref.base.length === 0) {
+      throw new Error('serializeAccessRef: ref.base must be a non-empty string');
+    }
+    if (ref.serial == null) return ref.base;
+    if (!Number.isInteger(ref.serial) || ref.serial < 1) {
+      throw new Error('serializeAccessRef: serial must be a positive integer, got ' + JSON.stringify(ref.serial));
+    }
+    return ref.base + ':' + ref.serial;
+  },
+
   /**
    * Extract query parameters from a URL
    * @memberof pryv.utils

package/test/Connection.test.js

@@ -499,5 +499,31 @@ describe('[CONX] Connection', () => {
       expect(accessInfoUser.token).to.exist;
       expect(newUser.access.token).to.equal(accessInfoUser.token);
     });
+
+    // Plan 66 — accessInfo caching + forceRefresh.
+
+    it('[CAIC] accessInfo() memoizes — second call returns the same object reference', async () => {
+      const regexAPIandToken = /(.+):\/\/(.+)/gm;
+      const res = regexAPIandToken.exec(testData.apiEndpoint);
+      const apiEndpointWithToken = res[1] + '://' + newUser.access.token + '@' + res[2];
+      const cachingConn = new pryv.Connection(apiEndpointWithToken);
+      const first = await cachingConn.accessInfo();
+      const second = await cachingConn.accessInfo();
+      expect(second).to.equal(first); // same reference — served from cache
+    });
+
+    it('[CAID] accessInfo(true) forces a refresh and replaces the cached object', async () => {
+      const regexAPIandToken = /(.+):\/\/(.+)/gm;
+      const res = regexAPIandToken.exec(testData.apiEndpoint);
+      const apiEndpointWithToken = res[1] + '://' + newUser.access.token + '@' + res[2];
+      const cachingConn = new pryv.Connection(apiEndpointWithToken);
+      const first = await cachingConn.accessInfo();
+      const refreshed = await cachingConn.accessInfo(true);
+      expect(refreshed).to.not.equal(first); // distinct object — re-fetched
+      expect(refreshed.token).to.equal(first.token); // same content
+      // Next non-forced call returns the refreshed copy from cache.
+      const cached = await cachingConn.accessInfo();
+      expect(cached).to.equal(refreshed);
+    });
   });
 });

package/test/PryvError.test.js

@@ -37,4 +37,38 @@ describe('[PERX] PryvError', function () {
     const error = new PryvError('No inner');
     expect(error.innerObject).to.be.undefined;
   });
+
+  it('[PERF] structured fields default to undefined for legacy constructor', function () {
+    const error = new PryvError('Test');
+    expect(error.id).to.be.undefined;
+    expect(error.status).to.be.undefined;
+    expect(error.response).to.be.undefined;
+  });
+
+  it('[PERG] fromApiResponse populates id/status/response from API body', function () {
+    const fakeResponse = { status: 404 };
+    const body = { error: { id: 'unknown-user', message: 'Unknown user' } };
+    const error = PryvError.fromApiResponse(fakeResponse, body);
+    expect(error).to.be.instanceOf(PryvError);
+    expect(error.id).to.equal('unknown-user');
+    expect(error.status).to.equal(404);
+    expect(error.response).to.deep.equal({ body, status: 404 });
+    expect(error.message).to.equal('Unknown user');
+    expect(error.innerObject).to.be.undefined;
+  });
+
+  it('[PERH] fromApiResponse falls back to a generic message when body has no error', function () {
+    const fakeResponse = { status: 500 };
+    const error = PryvError.fromApiResponse(fakeResponse, { foo: 'bar' });
+    expect(error.id).to.be.undefined;
+    expect(error.status).to.equal(500);
+    expect(error.message).to.match(/HTTP 500/);
+  });
+
+  it('[PERI] fromApiResponse handles null/undefined body without throwing', function () {
+    const fakeResponse = { status: 502 };
+    const error = PryvError.fromApiResponse(fakeResponse, undefined);
+    expect(error.status).to.equal(502);
+    expect(error.response).to.deep.equal({ body: undefined, status: 502 });
+  });
 });

package/test/Service.accessRequest.test.js

@@ -0,0 +1,78 @@
+/**
+ * @license
+ * [BSD-3-Clause](https://github.com/pryv/lib-js/blob/master/LICENSE)
+ */
+/* global describe, it, before, expect, pryv, testData */
+
+describe('[ARQX] Service access-request init', function () {
+  let service;
+
+  before(async function () {
+    this.timeout(15000);
+    await testData.prepare();
+    service = new pryv.Service(testData.serviceInfoUrl);
+  });
+
+  describe('[ASTX] Service.startAccessRequest', function () {
+    it('[ASTA] rejects when requestingAppId is missing', async function () {
+      let caught;
+      try { await service.startAccessRequest({}); } catch (e) { caught = e; }
+      expect(caught).to.be.instanceOf(pryv.PryvError);
+    });
+
+    it('[ASTB] returns { key, authUrl, poll, pollRateMs }', async function () {
+      this.timeout(15000);
+      const env = await service.startAccessRequest({
+        requestingAppId: 'jslib-test',
+        requestedPermissions: [{
+          streamId: 'data',
+          level: 'read',
+          defaultName: 'Test'
+        }]
+      });
+      expect(env.key).to.be.a('string');
+      expect(env.authUrl).to.be.a('string');
+      expect(env.poll).to.be.a('string');
+      expect(env.poll).to.match(/^https?:\/\//);
+      expect(env.pollRateMs).to.be.a('number');
+    });
+  });
+
+  describe('[APRX] Service.pollAccessRequest', function () {
+    it('[APRA] rejects when key is missing', async function () {
+      let caught;
+      try { await service.pollAccessRequest(); } catch (e) { caught = e; }
+      expect(caught).to.be.instanceOf(pryv.PryvError);
+    });
+
+    it('[APRB] polling a fresh request returns NEED_SIGNIN', async function () {
+      this.timeout(15000);
+      const env = await service.startAccessRequest({
+        requestingAppId: 'jslib-test',
+        requestedPermissions: [{
+          streamId: 'data',
+          level: 'read',
+          defaultName: 'Test'
+        }]
+      });
+      const state = await service.pollAccessRequest(env.poll);
+      expect(state).to.exist;
+      expect(state.status).to.equal('NEED_SIGNIN');
+    });
+
+    it('[APRC] accepts a bare key (no scheme) and builds the URL', async function () {
+      this.timeout(15000);
+      const env = await service.startAccessRequest({
+        requestingAppId: 'jslib-test',
+        requestedPermissions: [{
+          streamId: 'data',
+          level: 'read',
+          defaultName: 'Test'
+        }]
+      });
+      const state = await service.pollAccessRequest(env.key);
+      expect(state).to.exist;
+      expect(state.status).to.equal('NEED_SIGNIN');
+    });
+  });
+});

package/test/Service.createUser.test.js

@@ -0,0 +1,104 @@
+/**
+ * @license
+ * [BSD-3-Clause](https://github.com/pryv/lib-js/blob/master/LICENSE)
+ */
+/* global describe, it, before, expect, pryv, testData */
+
+const { createId: cuid } = require('@paralleldrive/cuid2');
+
+describe('[CRUX] Service.createUser', function () {
+  let service;
+  let hostingKey;
+
+  before(async function () {
+    this.timeout(15000);
+    await testData.prepare();
+    service = new pryv.Service(testData.serviceInfoUrl);
+    const serviceInfo = await service.info();
+    // Discover any available hosting key — equivalent to what the deferred
+    // 1.4 `flatHostings()` will eventually do.
+    const res = await fetch(serviceInfo.register + 'hostings');
+    const tree = await res.json();
+    hostingKey = findFirstAvailableHostingKey(tree);
+    if (!hostingKey) this.skip();
+  });
+
+  it('[CRUA] rejects when required fields are missing', async function () {
+    let caught;
+    try {
+      await service.createUser({ username: 'foo' });
+    } catch (e) {
+      caught = e;
+    }
+    expect(caught).to.be.instanceOf(pryv.PryvError);
+    expect(caught.message).to.match(/createUser requires/);
+  });
+
+  it('[CRUB] creates a fresh user and returns username + apiEndpoint', async function () {
+    this.timeout(20000);
+    const username = 'jslibcr' + cuid().slice(0, 8);
+    const result = await service.createUser({
+      username,
+      password: username + 'PASS!1',
+      email: username + '@example.com',
+      hosting: hostingKey,
+      appId: 'jslib-test',
+      language: 'en'
+    });
+    expect(result.username).to.equal(username);
+    expect(result.apiEndpoint).to.be.a('string');
+    expect(result.apiEndpoint).to.include(username);
+
+    // Sanity: the new user can be looked up
+    const exists = await service.userExists(username);
+    expect(exists).to.equal(true);
+  });
+
+  it('[CRUC] throws PryvError when re-creating an existing user', async function () {
+    this.timeout(20000);
+    let caught;
+    try {
+      await service.createUser({
+        username: testData.username,
+        password: testData.password,
+        email: testData.username + '@pryv.io',
+        hosting: hostingKey,
+        appId: 'jslib-test'
+      });
+    } catch (e) {
+      caught = e;
+    }
+    expect(caught).to.be.instanceOf(pryv.PryvError);
+    expect(caught.status).to.be.gte(400);
+    // Server-side validation order varies; we don't pin the exact id.
+    expect(caught.response).to.have.property('status');
+  });
+
+  it('[CRUD] hosting: "auto" picks the first available hosting', async function () {
+    this.timeout(20000);
+    const username = 'jsliba' + cuid().slice(0, 8);
+    const result = await service.createUser({
+      username,
+      password: username + 'PASS!1',
+      email: username + '@example.com',
+      hosting: 'auto',
+      appId: 'jslib-test'
+    });
+    expect(result.username).to.equal(username);
+    expect(result.apiEndpoint).to.be.a('string');
+  });
+});
+
+function findFirstAvailableHostingKey (tree) {
+  const regions = (tree && tree.regions) || {};
+  for (const region of Object.values(regions)) {
+    const zones = region.zones || {};
+    for (const zone of Object.values(zones)) {
+      const hostings = zone.hostings || {};
+      for (const [key, h] of Object.entries(hostings)) {
+        if (h && h.available) return key;
+      }
+    }
+  }
+  return null;
+}

package/test/Service.hostings.test.js

@@ -0,0 +1,53 @@
+/**
+ * @license
+ * [BSD-3-Clause](https://github.com/pryv/lib-js/blob/master/LICENSE)
+ */
+/* global describe, it, before, expect, pryv, testData */
+
+describe('[HSTX] Service.availableHostings + flatHostings', function () {
+  let service;
+
+  before(async function () {
+    this.timeout(15000);
+    await testData.prepare();
+    service = new pryv.Service(testData.serviceInfoUrl);
+  });
+
+  it('[HSTA] availableHostings() returns the raw regions tree', async function () {
+    this.timeout(15000);
+    const tree = await service.availableHostings();
+    expect(tree).to.be.an('object');
+    expect(tree.regions).to.be.an('object');
+    // At least one region with at least one zone with at least one hosting
+    const regions = Object.values(tree.regions);
+    expect(regions.length).to.be.gte(1);
+  });
+
+  it('[HSTB] flatHostings() returns a list with key/name/region/zone fields', async function () {
+    this.timeout(15000);
+    const list = await service.flatHostings();
+    expect(list).to.be.an('array');
+    expect(list.length).to.be.gte(1);
+    for (const item of list) {
+      expect(item.key).to.be.a('string');
+      expect(item.name).to.be.a('string');
+      expect(item.region).to.be.a('string');
+      expect(item.zone).to.be.a('string');
+      expect(item.availableCore).to.be.a('string');
+      expect(item.available).to.be.a('boolean');
+    }
+  });
+
+  it('[HSTC] flatHostings() shape matches availableHostings() leaf nodes', async function () {
+    this.timeout(15000);
+    const tree = await service.availableHostings();
+    const flat = await service.flatHostings();
+    let leafCount = 0;
+    for (const region of Object.values(tree.regions || {})) {
+      for (const zone of Object.values(region.zones || {})) {
+        leafCount += Object.keys(zone.hostings || {}).length;
+      }
+    }
+    expect(flat.length).to.equal(leafCount);
+  });
+});

package/test/Service.mfa.test.js

@@ -0,0 +1,94 @@
+/**
+ * @license
+ * [BSD-3-Clause](https://github.com/pryv/lib-js/blob/master/LICENSE)
+ */
+/* global describe, it, before, expect, pryv, testData */
+
+const { createId: cuid } = require('@paralleldrive/cuid2');
+
+// Note: testData.username is a non-MFA-protected test user, so we cannot
+// exercise the success paths of mfaChallenge / mfaVerify against pryv.me.
+// What we can verify:
+//   - argument validation
+//   - bogus mfaToken → PryvError on the wire
+//   - MfaRequiredError type + export shape
+// The happy path is exercised end-to-end by open-pryv.io's MFA test suite
+// (which spins up a fake SMS provider); replicating that here would require
+// a mock layer the project doesn't ship.
+
+describe('[MFLX] Service MFA', function () {
+  let service;
+
+  before(async function () {
+    this.timeout(15000);
+    await testData.prepare();
+    service = new pryv.Service(testData.serviceInfoUrl);
+  });
+
+  describe('[MCHX] Service.mfaChallenge', function () {
+    it('[MCHA] rejects when args are missing', async function () {
+      let caught;
+      try { await service.mfaChallenge(testData.username); } catch (e) { caught = e; }
+      expect(caught).to.be.instanceOf(pryv.PryvError);
+    });
+
+    it('[MCHB] throws PryvError on bogus mfaToken', async function () {
+      this.timeout(15000);
+      let caught;
+      try {
+        await service.mfaChallenge(testData.username, 'bogus-' + cuid().slice(0, 8));
+      } catch (e) { caught = e; }
+      expect(caught).to.be.instanceOf(pryv.PryvError);
+      expect(caught.status).to.be.gte(400);
+    });
+  });
+
+  describe('[MVRX] Service.mfaVerify', function () {
+    it('[MVRA] rejects when args are missing', async function () {
+      let caught;
+      try { await service.mfaVerify(testData.username, 'token'); } catch (e) { caught = e; }
+      expect(caught).to.be.instanceOf(pryv.PryvError);
+    });
+
+    it('[MVRB] throws PryvError on bogus mfaToken', async function () {
+      this.timeout(15000);
+      let caught;
+      try {
+        await service.mfaVerify(
+          testData.username,
+          'bogus-' + cuid().slice(0, 8),
+          '123456'
+        );
+      } catch (e) { caught = e; }
+      expect(caught).to.be.instanceOf(pryv.PryvError);
+      expect(caught.status).to.be.gte(400);
+    });
+  });
+
+  describe('[MERX] MfaRequiredError', function () {
+    it('[MERA] is exported on the package root and extends PryvError', function () {
+      expect(pryv.MfaRequiredError).to.be.a('function');
+      const err = new pryv.MfaRequiredError(
+        'tok-abc',
+        { status: 200 },
+        { mfaToken: 'tok-abc' }
+      );
+      expect(err).to.be.instanceOf(pryv.MfaRequiredError);
+      expect(err).to.be.instanceOf(pryv.PryvError);
+      expect(err.mfaToken).to.equal('tok-abc');
+      expect(err.id).to.equal('mfa-required');
+      expect(err.status).to.equal(200);
+      expect(err.name).to.equal('MfaRequiredError');
+    });
+
+    it('[MERB] picks up id/message from API error body when provided', function () {
+      const err = new pryv.MfaRequiredError(
+        'tok-xyz',
+        { status: 401 },
+        { error: { id: 'custom-id', message: 'custom msg' } }
+      );
+      expect(err.id).to.equal('custom-id');
+      expect(err.message).to.equal('custom msg');
+    });
+  });
+});