sveltekit-auth-example 5.6.1 → 5.8.3

package/src/routes/auth/login/+server.unit.test.ts

@@ -0,0 +1,221 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+vi.mock('$env/dynamic/private', () => ({ env: { JWT_SECRET: 'test-secret' } }))
+vi.mock('$lib/server/db', () => ({ query: vi.fn() }))
+vi.mock('$lib/server/email', () => ({ sendMfaCodeEmail: vi.fn() }))
+vi.mock('$lib/server/turnstile', () => ({ verifyTurnstileToken: vi.fn() }))
+
+import { POST } from './+server'
+import { query } from '$lib/server/db'
+import { sendMfaCodeEmail } from '$lib/server/email'
+import { verifyTurnstileToken } from '$lib/server/turnstile'
+import jwt from 'jsonwebtoken'
+
+const mockQuery = vi.mocked(query)
+const mockSendMfaCodeEmail = vi.mocked(sendMfaCodeEmail)
+const mockVerifyTurnstileToken = vi.mocked(verifyTurnstileToken)
+
+const mockUser: User = { id: 7, email: 'user@example.com', firstName: 'Jane', lastName: 'Doe', role: 'user' }
+
+const successResult: AuthenticationResult = {
+	user: mockUser,
+	sessionId: 'sess-123',
+	status: 'Login successful.',
+	statusCode: 200
+}
+
+const failResult: AuthenticationResult = {
+	user: null,
+	sessionId: '',
+	status: 'Invalid credentials.',
+	statusCode: 401
+}
+
+function makeEvent({
+	body = { email: 'user@example.com', password: 'Password1!', turnstileToken: 'tok' } as Record<string, unknown>,
+	mfaTrustedCookie = undefined as string | undefined
+} = {}) {
+	return {
+		request: {
+			json: vi.fn().mockResolvedValue(body),
+			headers: { get: vi.fn().mockReturnValue(null) }
+		},
+		cookies: {
+			get: vi.fn().mockReturnValue(mfaTrustedCookie),
+			set: vi.fn(),
+			delete: vi.fn()
+		},
+		locals: {} as App.Locals,
+		getClientAddress: vi.fn().mockReturnValue('127.0.0.1')
+	} as unknown as Parameters<typeof POST>[0]
+}
+
+beforeEach(() => {
+	vi.clearAllMocks()
+	mockVerifyTurnstileToken.mockResolvedValue(true)
+})
+
+// ── MFA flow ─────────────────────────────────────────────────────────────────
+
+describe('POST /auth/login — MFA flow', () => {
+	beforeEach(() => {
+		mockQuery
+			.mockResolvedValueOnce({ rows: [{ authenticationResult: successResult }] } as any) // authenticate
+			.mockResolvedValueOnce({ rows: [] } as any)                                         // delete_session
+			.mockResolvedValueOnce({ rows: [{ code: '123456' }] } as any)                       // create_mfa_code
+	})
+
+	it('returns { mfaRequired: true } when no trusted cookie is present', async () => {
+		const res = await POST(makeEvent())
+
+		expect(res.status).toBe(200)
+		const body = await res.json()
+		expect(body).toEqual({ mfaRequired: true })
+	})
+
+	it('emails the MFA code to the user', async () => {
+		await POST(makeEvent())
+
+		expect(mockSendMfaCodeEmail).toHaveBeenCalledWith('user@example.com', '123456')
+	})
+
+	it('deletes the pre-created session before sending the MFA code', async () => {
+		await POST(makeEvent())
+
+		expect(mockQuery).toHaveBeenCalledWith(expect.stringContaining('delete_session'), [mockUser.id])
+	})
+
+	it('does not set a session cookie', async () => {
+		const event = makeEvent()
+		await POST(event)
+		expect(event.cookies.set).not.toHaveBeenCalled()
+	})
+})
+
+// ── MFA trusted device ───────────────────────────────────────────────────────
+
+describe('POST /auth/login — MFA trusted device', () => {
+	it('skips MFA and returns { message, user } when trusted cookie is valid', async () => {
+		const trustedToken = jwt.sign({ userId: mockUser.id, purpose: 'mfa-trusted' }, 'test-secret')
+		mockQuery.mockResolvedValueOnce({ rows: [{ authenticationResult: successResult }] } as any)
+
+		const res = await POST(makeEvent({ mfaTrustedCookie: trustedToken }))
+
+		expect(res.status).toBe(200)
+		const body = await res.json()
+		expect(body.user).toEqual(mockUser)
+		expect(body.mfaRequired).toBeUndefined()
+	})
+
+	it('sets a session cookie when the trusted cookie is valid', async () => {
+		const trustedToken = jwt.sign({ userId: mockUser.id, purpose: 'mfa-trusted' }, 'test-secret')
+		mockQuery.mockResolvedValueOnce({ rows: [{ authenticationResult: successResult }] } as any)
+		const event = makeEvent({ mfaTrustedCookie: trustedToken })
+
+		await POST(event)
+
+		expect(event.cookies.set).toHaveBeenCalledWith('session', 'sess-123', expect.objectContaining({
+			httpOnly: true,
+			sameSite: 'lax',
+			secure: true,
+			path: '/'
+		}))
+	})
+
+	it('sets event.locals.user when the trusted cookie is valid', async () => {
+		const trustedToken = jwt.sign({ userId: mockUser.id, purpose: 'mfa-trusted' }, 'test-secret')
+		mockQuery.mockResolvedValueOnce({ rows: [{ authenticationResult: successResult }] } as any)
+		const event = makeEvent({ mfaTrustedCookie: trustedToken })
+
+		await POST(event)
+
+		expect(event.locals.user).toEqual(mockUser)
+	})
+
+	it('falls through to MFA when the trusted cookie has the wrong purpose', async () => {
+		const badToken = jwt.sign({ userId: mockUser.id, purpose: 'other' }, 'test-secret')
+		mockQuery
+			.mockResolvedValueOnce({ rows: [{ authenticationResult: successResult }] } as any)
+			.mockResolvedValueOnce({ rows: [] } as any)
+			.mockResolvedValueOnce({ rows: [{ code: '654321' }] } as any)
+
+		const res = await POST(makeEvent({ mfaTrustedCookie: badToken }))
+
+		expect((await res.json()).mfaRequired).toBe(true)
+	})
+
+	it('falls through to MFA and deletes cookie when trusted token is expired', async () => {
+		const expiredToken = jwt.sign({ userId: mockUser.id, purpose: 'mfa-trusted' }, 'test-secret', { expiresIn: -1 })
+		mockQuery
+			.mockResolvedValueOnce({ rows: [{ authenticationResult: successResult }] } as any)
+			.mockResolvedValueOnce({ rows: [] } as any)
+			.mockResolvedValueOnce({ rows: [{ code: '654321' }] } as any)
+		const event = makeEvent({ mfaTrustedCookie: expiredToken })
+
+		await POST(event)
+
+		expect(event.cookies.delete).toHaveBeenCalledWith('mfa_trusted', { path: '/' })
+	})
+})
+
+// ── Credential failures ───────────────────────────────────────────────────────
+
+describe('POST /auth/login — credential failures', () => {
+	it('throws the DB status code on invalid credentials', async () => {
+		mockQuery.mockResolvedValueOnce({ rows: [{ authenticationResult: failResult }] } as any)
+
+		await expect(POST(makeEvent())).rejects.toMatchObject({ status: 401 })
+	})
+
+	it('throws 503 when the database is unreachable', async () => {
+		mockQuery.mockRejectedValueOnce(new Error('db down'))
+
+		await expect(POST(makeEvent())).rejects.toMatchObject({ status: 503 })
+	})
+
+	it('throws 400 when the request body is invalid JSON', async () => {
+		const event = makeEvent()
+		vi.mocked(event.request.json).mockRejectedValue(new SyntaxError('Unexpected token'))
+
+		await expect(POST(event)).rejects.toMatchObject({ status: 400 })
+	})
+
+	it('throws 400 when Turnstile verification fails', async () => {
+		mockVerifyTurnstileToken.mockResolvedValue(false)
+
+		await expect(POST(makeEvent())).rejects.toMatchObject({ status: 400 })
+	})
+})
+
+// ── Brute-force lockout ───────────────────────────────────────────────────────
+
+describe('POST /auth/login — brute-force lockout', () => {
+	it('throws 429 after 5 failed attempts', async () => {
+		mockQuery.mockResolvedValue({ rows: [{ authenticationResult: failResult }] } as any)
+
+		// 5 failures to trigger lockout
+		for (let i = 0; i < 5; i++) {
+			await POST(makeEvent({ body: { email: 'lockout@example.com', password: 'wrong', turnstileToken: 'tok' } })).catch(() => {})
+		}
+
+		await expect(
+			POST(makeEvent({ body: { email: 'lockout@example.com', password: 'wrong', turnstileToken: 'tok' } }))
+		).rejects.toMatchObject({ status: 429 })
+	})
+
+	it('clears the lockout tracker on successful login', async () => {
+		// Register a failed attempt first
+		mockQuery.mockResolvedValueOnce({ rows: [{ authenticationResult: failResult }] } as any)
+		await POST(makeEvent({ body: { email: 'clear@example.com', password: 'wrong', turnstileToken: 'tok' } })).catch(() => {})
+
+		// Then succeed — mfa flow needs 3 query responses
+		mockQuery
+			.mockResolvedValueOnce({ rows: [{ authenticationResult: successResult }] } as any)
+			.mockResolvedValueOnce({ rows: [] } as any)
+			.mockResolvedValueOnce({ rows: [{ code: '000000' }] } as any)
+
+		// Should not throw 429
+		const res = await POST(makeEvent({ body: { email: 'clear@example.com', password: 'Password1!', turnstileToken: 'tok' } }))
+		expect((await res.json()).mfaRequired).toBe(true)
+	})
+})

package/src/routes/auth/logout/+server.unit.test.ts

@@ -0,0 +1,85 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+vi.mock('$lib/server/db', () => ({ query: vi.fn() }))
+
+import { POST } from './+server'
+import { query } from '$lib/server/db'
+
+const mockQuery = vi.mocked(query)
+
+const mockUser: User = { id: 3, email: 'user@example.com', firstName: 'Jane', lastName: 'Doe', role: 'user' }
+
+function makeEvent({ noUser = false } = {}) {
+	return {
+		locals: { user: noUser ? undefined : mockUser },
+		cookies: { delete: vi.fn() }
+	} as unknown as Parameters<typeof POST>[0]
+}
+
+beforeEach(() => {
+	vi.clearAllMocks()
+})
+
+describe('POST /auth/logout', () => {
+	it('returns 200 with a logout message', async () => {
+		mockQuery.mockResolvedValue({ rows: [] } as any)
+		const res = await POST(makeEvent())
+
+		expect(res.status).toBe(200)
+		const body = await res.json()
+		expect(body.message).toBe('Logout successful.')
+	})
+
+	it('deletes the session cookie', async () => {
+		mockQuery.mockResolvedValue({ rows: [] } as any)
+		const event = makeEvent()
+
+		await POST(event)
+
+		expect(event.cookies.delete).toHaveBeenCalledWith('session', { path: '/' })
+	})
+
+	it('calls delete_session with the user id when authenticated', async () => {
+		mockQuery.mockResolvedValue({ rows: [] } as any)
+
+		await POST(makeEvent())
+
+		expect(mockQuery).toHaveBeenCalledWith(
+			expect.stringContaining('delete_session'),
+			[mockUser.id]
+		)
+	})
+
+	it('skips the DB call when no user is authenticated', async () => {
+		const event = makeEvent({ noUser: true })
+
+		await POST(event)
+
+		expect(mockQuery).not.toHaveBeenCalled()
+	})
+
+	it('still deletes the cookie when no user is authenticated', async () => {
+		const event = makeEvent({ noUser: true })
+
+		await POST(event)
+
+		expect(event.cookies.delete).toHaveBeenCalledWith('session', { path: '/' })
+	})
+
+	it('still deletes the cookie when the DB call fails', async () => {
+		mockQuery.mockRejectedValue(new Error('db down'))
+		const event = makeEvent()
+
+		await POST(event)
+
+		expect(event.cookies.delete).toHaveBeenCalledWith('session', { path: '/' })
+	})
+
+	it('still returns 200 when the DB call fails', async () => {
+		mockQuery.mockRejectedValue(new Error('db down'))
+
+		const res = await POST(makeEvent())
+
+		expect(res.status).toBe(200)
+	})
+})

package/src/routes/auth/mfa/+server.ts

@@ -2,8 +2,9 @@ import { error, json } from '@sveltejs/kit'
 import type { RequestHandler } from './$types'
 import type { Secret } from 'jsonwebtoken'
 import jwt from 'jsonwebtoken'
-import { JWT_SECRET } from '$env/static/private'
+import { env } from '$env/dynamic/private'
 import { query } from '$lib/server/db'
+import { verifyTurnstileToken } from '$lib/server/turnstile'
 
 /** Name of the cookie used to mark a device as MFA-trusted. */
 const MFA_TRUSTED_COOKIE = 'mfa_trusted'
@@ -26,7 +27,7 @@ const MFA_TRUSTED_MAX_AGE = 30 * 24 * 60 * 60 // 30 days in seconds
 export const POST: RequestHandler = async event => {
 	const { cookies } = event
 
-	let body: { email?: string; code?: string }
+	let body: { email?: string; code?: string; turnstileToken?: string }
 	try {
 		body = await event.request.json()
 	} catch {
@@ -35,6 +36,10 @@ export const POST: RequestHandler = async event => {
 
 	if (!body.email || !body.code) error(400, 'Email and verification code are required.')
 
+	const ip = event.request.headers.get('CF-Connecting-IP') ?? event.getClientAddress()
+	const turnstileOk = await verifyTurnstileToken(body.turnstileToken ?? '', ip)
+	if (!turnstileOk) error(400, 'Security challenge failed. Please try again.')
+
 	// Verify the code; returns user_id on success, NULL on failure/expiry
 	const verifyResult = await query(`SELECT verify_mfa_code($1, $2) AS "userId";`, [
 		body.email.toLowerCase(),
@@ -60,7 +65,7 @@ export const POST: RequestHandler = async event => {
 	})
 
 	// Issue a 30-day trusted-device cookie so MFA is not required again on this device
-	const trustedToken = jwt.sign({ userId, purpose: 'mfa-trusted' }, JWT_SECRET as Secret, {
+	const trustedToken = jwt.sign({ userId, purpose: 'mfa-trusted' }, env.JWT_SECRET as Secret, {
 		expiresIn: '30d'
 	})
 	cookies.set(MFA_TRUSTED_COOKIE, trustedToken, {

package/src/routes/auth/mfa/+server.unit.test.ts

@@ -0,0 +1,153 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+vi.mock('$env/dynamic/private', () => ({ env: { JWT_SECRET: 'test-secret' } }))
+vi.mock('$lib/server/db', () => ({ query: vi.fn() }))
+vi.mock('$lib/server/turnstile', () => ({ verifyTurnstileToken: vi.fn() }))
+
+import { POST } from './+server'
+import { query } from '$lib/server/db'
+import { verifyTurnstileToken } from '$lib/server/turnstile'
+import jwt from 'jsonwebtoken'
+
+const mockQuery = vi.mocked(query)
+const mockVerifyTurnstileToken = vi.mocked(verifyTurnstileToken)
+
+const mockUser: User = { id: 5, email: 'user@example.com', firstName: 'Jane', lastName: 'Doe', role: 'user' }
+
+function makeEvent(body: Record<string, unknown> = { email: 'user@example.com', code: '123456', turnstileToken: 'tok' }) {
+	return {
+		request: {
+			json: vi.fn().mockResolvedValue(body),
+			headers: { get: vi.fn().mockReturnValue(null) }
+		},
+		cookies: { set: vi.fn() },
+		getClientAddress: vi.fn().mockReturnValue('127.0.0.1')
+	} as unknown as Parameters<typeof POST>[0]
+}
+
+/** Set up the three DB calls needed for a successful MFA verification. */
+function setupSuccessQueries() {
+	mockQuery
+		.mockResolvedValueOnce({ rows: [{ userId: mockUser.id }] } as any)     // verify_mfa_code
+		.mockResolvedValueOnce({ rows: [{ sessionId: 'sess-xyz' }] } as any)   // create_session
+		.mockResolvedValueOnce({ rows: [{ get_session: mockUser }] } as any)    // get_session
+}
+
+beforeEach(() => {
+	vi.clearAllMocks()
+	mockVerifyTurnstileToken.mockResolvedValue(true)
+})
+
+describe('POST /auth/mfa', () => {
+	it('returns 200 with message and user on success', async () => {
+		setupSuccessQueries()
+
+		const res = await POST(makeEvent())
+
+		expect(res.status).toBe(200)
+		const body = await res.json()
+		expect(body.message).toBe('Login successful.')
+		expect(body.user).toEqual(mockUser)
+	})
+
+	it('sets an httpOnly session cookie on success', async () => {
+		setupSuccessQueries()
+		const event = makeEvent()
+
+		await POST(event)
+
+		expect(event.cookies.set).toHaveBeenCalledWith('session', 'sess-xyz', expect.objectContaining({
+			httpOnly: true,
+			sameSite: 'lax',
+			secure: true,
+			path: '/'
+		}))
+	})
+
+	it('sets an mfa_trusted cookie on success', async () => {
+		setupSuccessQueries()
+		const event = makeEvent()
+
+		await POST(event)
+
+		expect(event.cookies.set).toHaveBeenCalledWith('mfa_trusted', expect.any(String), expect.objectContaining({
+			httpOnly: true,
+			sameSite: 'lax',
+			secure: true,
+			path: '/',
+			maxAge: 30 * 24 * 60 * 60
+		}))
+	})
+
+	it('mfa_trusted cookie is a valid JWT with correct payload', async () => {
+		setupSuccessQueries()
+		const event = makeEvent()
+
+		await POST(event)
+
+		const [, trustedToken] = vi.mocked(event.cookies.set).mock.calls.find(([name]) => name === 'mfa_trusted')!
+		const payload = jwt.verify(trustedToken as string, 'test-secret') as Record<string, unknown>
+		expect(payload.userId).toBe(mockUser.id)
+		expect(payload.purpose).toBe('mfa-trusted')
+	})
+
+	it('verifies the MFA code with the lowercased email', async () => {
+		setupSuccessQueries()
+
+		await POST(makeEvent({ email: 'User@Example.COM', code: '123456', turnstileToken: 'tok' }))
+
+		expect(mockQuery).toHaveBeenCalledWith(
+			expect.stringContaining('verify_mfa_code'),
+			['user@example.com', '123456']
+		)
+	})
+
+	it('throws 401 when the MFA code is invalid or expired', async () => {
+		mockQuery.mockResolvedValueOnce({ rows: [{ userId: null }] } as any)
+
+		await expect(POST(makeEvent())).rejects.toMatchObject({ status: 401 })
+	})
+
+	it('throws 400 when email is missing', async () => {
+		await expect(
+			POST(makeEvent({ code: '123456', turnstileToken: 'tok' }))
+		).rejects.toMatchObject({ status: 400 })
+	})
+
+	it('throws 400 when code is missing', async () => {
+		await expect(
+			POST(makeEvent({ email: 'user@example.com', turnstileToken: 'tok' }))
+		).rejects.toMatchObject({ status: 400 })
+	})
+
+	it('throws 400 when the request body is invalid JSON', async () => {
+		const event = makeEvent()
+		vi.mocked(event.request.json).mockRejectedValue(new SyntaxError('Unexpected token'))
+
+		await expect(POST(event)).rejects.toMatchObject({ status: 400 })
+	})
+
+	it('throws 400 when Turnstile verification fails', async () => {
+		mockVerifyTurnstileToken.mockResolvedValue(false)
+
+		await expect(POST(makeEvent())).rejects.toMatchObject({ status: 400 })
+	})
+
+	it('uses CF-Connecting-IP header when present', async () => {
+		setupSuccessQueries()
+		const event = makeEvent()
+		vi.mocked(event.request.headers.get).mockReturnValue('9.9.9.9')
+
+		await POST(event)
+
+		expect(mockVerifyTurnstileToken).toHaveBeenCalledWith('tok', '9.9.9.9')
+	})
+
+	it('falls back to getClientAddress when CF-Connecting-IP is absent', async () => {
+		setupSuccessQueries()
+
+		await POST(makeEvent())
+
+		expect(mockVerifyTurnstileToken).toHaveBeenCalledWith('tok', '127.0.0.1')
+	})
+})

package/src/routes/auth/register/+server.ts

@@ -1,9 +1,10 @@
 import { error, json } from '@sveltejs/kit'
 import type { RequestHandler } from './$types'
 import jwt from 'jsonwebtoken'
-import { JWT_SECRET } from '$env/static/private'
+import { env } from '$env/dynamic/private'
 import { query } from '$lib/server/db'
 import { sendVerificationEmail } from '$lib/server/email'
+import { verifyTurnstileToken } from '$lib/server/turnstile'
 
 /**
  * Registers a new user account.
@@ -23,13 +24,23 @@ import { sendVerificationEmail } from '$lib/server/email'
  * @throws The status code from the registration result on other failures (e.g. duplicate email).
  */
 export const POST: RequestHandler = async event => {
-	let body: { email?: string; password?: string; firstName?: string; lastName?: string }
+	let body: {
+		email?: string
+		password?: string
+		firstName?: string
+		lastName?: string
+		turnstileToken?: string
+	}
 	try {
 		body = await event.request.json()
 	} catch {
 		error(400, 'Invalid request body.')
 	}
 
+	const ip = event.request.headers.get('CF-Connecting-IP') ?? event.getClientAddress()
+	const turnstileOk = await verifyTurnstileToken(body.turnstileToken ?? '', ip)
+	if (!turnstileOk) error(400, 'Security challenge failed. Please try again.')
+
 	if (!body.email || !body.password || !body.firstName || !body.lastName)
 		error(400, 'Please supply all required fields: email, password, first and last name.')
 
@@ -62,7 +73,7 @@ export const POST: RequestHandler = async event => {
 
 	const token = jwt.sign(
 		{ subject: authenticationResult.user.id, purpose: 'verify-email' },
-		JWT_SECRET as jwt.Secret,
+		env.JWT_SECRET as jwt.Secret,
 		{ expiresIn: '24h' }
 	)