chore: ran security check for OWASP top 10
Some checks failed
Deploy / deploy (push) Has been cancelled
Some checks failed
Deploy / deploy (push) Has been cancelled
This commit is contained in:
@@ -2,18 +2,33 @@ import { afterAll, beforeAll, describe, expect, it } from "vitest";
|
||||
import request from "supertest";
|
||||
import type { FastifyInstance } from "fastify";
|
||||
import { PrismaClient } from "@prisma/client";
|
||||
import argon2 from "argon2";
|
||||
import { buildApp } from "../src/server";
|
||||
|
||||
const prisma = new PrismaClient();
|
||||
let app: FastifyInstance;
|
||||
|
||||
function readCookieValue(setCookie: string[] | undefined, cookieName: string): string | null {
|
||||
if (!setCookie) return null;
|
||||
for (const raw of setCookie) {
|
||||
const firstPart = raw.split(";")[0] ?? "";
|
||||
const [name, value] = firstPart.split("=");
|
||||
if (name?.trim() === cookieName && value) {
|
||||
return value.trim();
|
||||
}
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
beforeAll(async () => {
|
||||
app = await buildApp({ AUTH_DISABLED: false, SEED_DEFAULT_BUDGET: true });
|
||||
await app.ready();
|
||||
});
|
||||
|
||||
afterAll(async () => {
|
||||
await app.close();
|
||||
if (app) {
|
||||
await app.close();
|
||||
}
|
||||
await prisma.$disconnect();
|
||||
});
|
||||
|
||||
@@ -24,6 +39,26 @@ describe("Auth routes", () => {
|
||||
expect(res.body.code).toBe("UNAUTHENTICATED");
|
||||
});
|
||||
|
||||
it("rejects spoofed x-user-id when auth is enabled", async () => {
|
||||
const res = await request(app.server)
|
||||
.get("/dashboard")
|
||||
.set("x-user-id", "spoofed-user-id");
|
||||
expect(res.status).toBe(401);
|
||||
expect(res.body.code).toBe("UNAUTHENTICATED");
|
||||
});
|
||||
|
||||
it("rejects weak passwords on registration", async () => {
|
||||
const agent = request.agent(app.server);
|
||||
const email = `weak-${Date.now()}@test.dev`;
|
||||
const password = "weakpass123";
|
||||
const register = await agent.post("/auth/register").send({ email, password });
|
||||
expect(register.status).toBe(400);
|
||||
expect(register.body.ok).toBe(false);
|
||||
|
||||
const user = await prisma.user.findUnique({ where: { email } });
|
||||
expect(user).toBeNull();
|
||||
});
|
||||
|
||||
it("registers a user and grants access via cookie session", async () => {
|
||||
const agent = request.agent(app.server);
|
||||
const email = `reg-${Date.now()}@test.dev`;
|
||||
@@ -31,9 +66,10 @@ describe("Auth routes", () => {
|
||||
|
||||
const register = await agent.post("/auth/register").send({ email, password });
|
||||
expect(register.status).toBe(200);
|
||||
expect(register.body.needsVerification).toBe(true);
|
||||
|
||||
const dash = await agent.get("/dashboard");
|
||||
expect(dash.status).toBe(200);
|
||||
expect(dash.status).toBe(401);
|
||||
|
||||
const created = await prisma.user.findUniqueOrThrow({ where: { email } });
|
||||
const [catCount, planCount] = await Promise.all([
|
||||
@@ -52,7 +88,10 @@ describe("Auth routes", () => {
|
||||
const password = "SupersAFE123!";
|
||||
|
||||
await agent.post("/auth/register").send({ email, password });
|
||||
await agent.post("/auth/logout");
|
||||
await prisma.user.update({
|
||||
where: { email },
|
||||
data: { emailVerified: true },
|
||||
});
|
||||
|
||||
const login = await agent.post("/auth/login").send({ email, password });
|
||||
expect(login.status).toBe(200);
|
||||
@@ -69,15 +108,54 @@ describe("Auth routes", () => {
|
||||
const password = "SupersAFE123!";
|
||||
|
||||
await agent.post("/auth/register").send({ email, password });
|
||||
await prisma.user.update({
|
||||
where: { email },
|
||||
data: { emailVerified: true },
|
||||
});
|
||||
const login = await agent.post("/auth/login").send({ email, password });
|
||||
expect(login.status).toBe(200);
|
||||
const csrf = readCookieValue(login.headers["set-cookie"], "csrf");
|
||||
expect(csrf).toBeTruthy();
|
||||
|
||||
const session = await agent.get("/auth/session");
|
||||
expect(session.status).toBe(200);
|
||||
expect(session.body.userId).toBeDefined();
|
||||
|
||||
await agent.post("/auth/logout");
|
||||
await agent
|
||||
.post("/auth/logout")
|
||||
.set("x-csrf-token", csrf as string);
|
||||
const afterLogout = await agent.get("/dashboard");
|
||||
expect(afterLogout.status).toBe(401);
|
||||
|
||||
await prisma.user.deleteMany({ where: { email } });
|
||||
});
|
||||
|
||||
it("locks login after repeated failed attempts", async () => {
|
||||
const agent = request.agent(app.server);
|
||||
const email = `locked-${Date.now()}@test.dev`;
|
||||
const password = "SupersAFE123!";
|
||||
await prisma.user.create({
|
||||
data: {
|
||||
email,
|
||||
passwordHash: await argon2.hash(password),
|
||||
emailVerified: true,
|
||||
},
|
||||
});
|
||||
|
||||
for (let attempt = 1; attempt <= 4; attempt++) {
|
||||
const res = await agent.post("/auth/login").send({ email, password: "WrongPass123!" });
|
||||
expect(res.status).toBe(401);
|
||||
}
|
||||
|
||||
const locked = await agent.post("/auth/login").send({ email, password: "WrongPass123!" });
|
||||
expect(locked.status).toBe(429);
|
||||
expect(locked.body.code).toBe("LOGIN_LOCKED");
|
||||
expect(locked.headers["retry-after"]).toBeTruthy();
|
||||
|
||||
const blockedValid = await agent.post("/auth/login").send({ email, password });
|
||||
expect(blockedValid.status).toBe(429);
|
||||
expect(blockedValid.body.code).toBe("LOGIN_LOCKED");
|
||||
|
||||
await prisma.user.deleteMany({ where: { email } });
|
||||
});
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user