chore: ran security check for OWASP top 10

api/tests/insecure-design.test.ts

@@ -0,0 +1,104 @@
+import { randomUUID } from "node:crypto";
+import { afterAll, beforeAll, describe, expect, it } from "vitest";
+import request from "supertest";
+import type { FastifyInstance } from "fastify";
+import { PrismaClient } from "@prisma/client";
+import argon2 from "argon2";
+import { buildApp } from "../src/server";
+
+const prisma = new PrismaClient();
+let app: FastifyInstance;
+
+function readCookieValue(setCookie: string[] | undefined, cookieName: string): string | null {
+  if (!setCookie) return null;
+  for (const raw of setCookie) {
+    const firstPart = raw.split(";")[0] ?? "";
+    const [name, value] = firstPart.split("=");
+    if (name?.trim() === cookieName && value) return value.trim();
+  }
+  return null;
+}
+
+beforeAll(async () => {
+  app = await buildApp({ AUTH_DISABLED: false, SEED_DEFAULT_BUDGET: false });
+  await app.ready();
+});
+
+afterAll(async () => {
+  if (app) await app.close();
+  await prisma.$disconnect();
+});
+
+describe("A06 Insecure Design", () => {
+  it("enforces resend-code cooldown with 429 and Retry-After", async () => {
+    const email = `cooldown-${Date.now()}@test.dev`;
+    const password = "SupersAFE123!";
+
+    await request(app.server).post("/auth/register").send({ email, password });
+
+    // Registration issues a signup token; immediate resend should be cooldown-blocked.
+    const resend = await request(app.server).post("/auth/verify/resend").send({ email });
+    expect(resend.status).toBe(429);
+    expect(resend.body.code).toBe("EMAIL_TOKEN_COOLDOWN");
+    expect(resend.headers["retry-after"]).toBeTruthy();
+
+    await prisma.user.deleteMany({ where: { email } });
+  });
+
+  it("enforces delete-code cooldown with 429 and Retry-After", async () => {
+    const email = `delete-cooldown-${Date.now()}@test.dev`;
+    const password = "SupersAFE123!";
+    await prisma.user.create({
+      data: {
+        email,
+        passwordHash: await argon2.hash(password),
+        emailVerified: true,
+      },
+    });
+
+    const login = await request(app.server).post("/auth/login").send({ email, password });
+    expect(login.status).toBe(200);
+    const csrf = readCookieValue(login.headers["set-cookie"], "csrf");
+    const sessionCookie = (login.headers["set-cookie"] ?? []).find((c) => c.startsWith("session="));
+    expect(csrf).toBeTruthy();
+    expect(sessionCookie).toBeTruthy();
+
+    const first = await request(app.server)
+      .post("/account/delete-request")
+      .set("Cookie", [sessionCookie as string, `csrf=${csrf}`])
+      .set("x-csrf-token", csrf as string)
+      .send({ password });
+    expect(first.status).toBe(200);
+
+    const second = await request(app.server)
+      .post("/account/delete-request")
+      .set("Cookie", [sessionCookie as string, `csrf=${csrf}`])
+      .set("x-csrf-token", csrf as string)
+      .send({ password });
+    expect(second.status).toBe(429);
+    expect(second.body.code).toBe("EMAIL_TOKEN_COOLDOWN");
+    expect(second.headers["retry-after"]).toBeTruthy();
+
+    await prisma.user.deleteMany({ where: { email } });
+  });
+
+  it("rate-limits repeated invalid verification attempts", async () => {
+    const email = `verify-rate-${Date.now()}@test.dev`;
+    const password = "SupersAFE123!";
+    await request(app.server).post("/auth/register").send({ email, password });
+
+    let limited = false;
+    for (let i = 0; i < 12; i++) {
+      const res = await request(app.server)
+        .post("/auth/verify")
+        .send({ email, code: randomUUID().slice(0, 6) });
+      if (res.status === 429) {
+        limited = true;
+        break;
+      }
+    }
+    expect(limited).toBe(true);
+
+    await prisma.user.deleteMany({ where: { email } });
+  });
+});