chore: ran security check for OWASP top 10

api/tests/identification-auth-failures.test.ts

@@ -0,0 +1,94 @@
+import { afterAll, beforeAll, describe, expect, it } from "vitest";
+import request from "supertest";
+import type { FastifyInstance } from "fastify";
+import { PrismaClient } from "@prisma/client";
+import argon2 from "argon2";
+import { buildApp } from "../src/server";
+
+const prisma = new PrismaClient();
+let app: FastifyInstance;
+
+function readCookieValue(setCookie: string[] | undefined, cookieName: string): string | null {
+  if (!setCookie) return null;
+  for (const raw of setCookie) {
+    const firstPart = raw.split(";")[0] ?? "";
+    const [name, value] = firstPart.split("=");
+    if (name?.trim() === cookieName && value) return value.trim();
+  }
+  return null;
+}
+
+beforeAll(async () => {
+  app = await buildApp({
+    AUTH_DISABLED: false,
+    SEED_DEFAULT_BUDGET: false,
+    AUTH_MAX_FAILED_ATTEMPTS: 3,
+    AUTH_LOCKOUT_WINDOW_MS: 120_000,
+  });
+  await app.ready();
+});
+
+afterAll(async () => {
+  if (app) await app.close();
+  await prisma.$disconnect();
+});
+
+describe("A07 Identification and Authentication Failures", () => {
+  it("rejects weak passwords on registration and password updates", async () => {
+    const regEmail = `weak-reg-${Date.now()}@test.dev`;
+    const weakRegister = await request(app.server)
+      .post("/auth/register")
+      .send({ email: regEmail, password: "weakpass123" });
+    expect(weakRegister.status).toBe(400);
+
+    const email = `pw-update-${Date.now()}@test.dev`;
+    const password = "SupersAFE123!";
+    await prisma.user.create({
+      data: { email, passwordHash: await argon2.hash(password), emailVerified: true },
+    });
+    const login = await request(app.server).post("/auth/login").send({ email, password });
+    expect(login.status).toBe(200);
+    const csrf = readCookieValue(login.headers["set-cookie"], "csrf");
+    const sessionCookie = (login.headers["set-cookie"] ?? []).find((c) => c.startsWith("session="));
+    expect(csrf).toBeTruthy();
+    expect(sessionCookie).toBeTruthy();
+
+    const weakUpdate = await request(app.server)
+      .patch("/me/password")
+      .set("Cookie", [sessionCookie as string, `csrf=${csrf}`])
+      .set("x-csrf-token", csrf as string)
+      .send({ currentPassword: password, newPassword: "weakpass123" });
+    expect(weakUpdate.status).toBe(400);
+
+    await prisma.user.deleteMany({ where: { email } });
+  });
+
+  it("locks login according to configured threshold/window", async () => {
+    const email = `lockout-threshold-${Date.now()}@test.dev`;
+    const password = "SupersAFE123!";
+    await prisma.user.create({
+      data: { email, passwordHash: await argon2.hash(password), emailVerified: true },
+    });
+
+    for (let i = 0; i < 2; i++) {
+      const fail = await request(app.server).post("/auth/login").send({
+        email,
+        password: "WrongPass123!",
+      });
+      expect(fail.status).toBe(401);
+    }
+
+    const locked = await request(app.server).post("/auth/login").send({
+      email,
+      password: "WrongPass123!",
+    });
+    expect(locked.status).toBe(429);
+    expect(locked.body.code).toBe("LOGIN_LOCKED");
+    expect(locked.headers["retry-after"]).toBeTruthy();
+
+    const blockedValid = await request(app.server).post("/auth/login").send({ email, password });
+    expect(blockedValid.status).toBe(429);
+
+    await prisma.user.deleteMany({ where: { email } });
+  });
+});