phase 2: register, login, logout, verify, session, forgot password, delete and confirm, refresh session all simplified

2026-03-16 14:19:13 -05:00
parent 60cdcf1fcf
commit a430dfadcf
8 changed files with 879 additions and 641 deletions


@@ -30,22 +30,25 @@ afterAll(async () => {
});
describe("A06 Insecure Design", () => {
it("enforces resend-code cooldown with 429 and Retry-After", async () => {
it("allows one immediate verify resend, then enforces cooldown with 429 and Retry-After", async () => {
const email = `cooldown-${Date.now()}@test.dev`;
const password = "SupersAFE123!";
await request(app.server).post("/auth/register").send({ email, password });
// Registration issues a signup token; immediate resend should be cooldown-blocked.
const resend = await request(app.server).post("/auth/verify/resend").send({ email });
expect(resend.status).toBe(429);
expect(resend.body.code).toBe("EMAIL_TOKEN_COOLDOWN");
expect(resend.headers["retry-after"]).toBeTruthy();
const firstResend = await request(app.server).post("/auth/verify/resend").send({ email });
expect(firstResend.status).toBe(200);
expect(firstResend.body.ok).toBe(true);
const secondResend = await request(app.server).post("/auth/verify/resend").send({ email });
expect(secondResend.status).toBe(429);
expect(secondResend.body.code).toBe("EMAIL_TOKEN_COOLDOWN");
expect(secondResend.headers["retry-after"]).toBeTruthy();
await prisma.user.deleteMany({ where: { email } });
});
it("enforces delete-code cooldown with 429 and Retry-After", async () => {
it("allows one immediate delete resend, then enforces cooldown with 429 and Retry-After", async () => {
const email = `delete-cooldown-${Date.now()}@test.dev`;
const password = "SupersAFE123!";
await prisma.user.create({
@@ -75,9 +78,16 @@ describe("A06 Insecure Design", () => {
.set("Cookie", [sessionCookie as string, `csrf=${csrf}`])
.set("x-csrf-token", csrf as string)
.send({ password });
expect(second.status).toBe(429);
expect(second.body.code).toBe("EMAIL_TOKEN_COOLDOWN");
expect(second.headers["retry-after"]).toBeTruthy();
expect(second.status).toBe(200);
const third = await request(app.server)
.post("/account/delete-request")
.set("Cookie", [sessionCookie as string, `csrf=${csrf}`])
.set("x-csrf-token", csrf as string)
.send({ password });
expect(third.status).toBe(429);
expect(third.body.code).toBe("EMAIL_TOKEN_COOLDOWN");
expect(third.headers["retry-after"]).toBeTruthy();
await prisma.user.deleteMany({ where: { email } });
});
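Review bot: The cooldown assertions on `third` (and likewise `secondResend` in the verify test above) only check that a `Retry-After` header exists, so a value such as `"0"`, `"NaN"` or a non-numeric string would still pass and the test would not catch a regression that advertises no usable backoff to clients. Since this is the rate-limit contract the A06 suite exists to pin, assert the header is a positive integer number of seconds, e.g. `const retryAfter = Number(third.headers["retry-after"]);` followed by `expect(Number.isInteger(retryAfter) && retryAfter > 0).toBe(true);`. The new "one immediate resend, then cooldown" semantics also means every 429 now comes after a successful 200 for the same account, so it is presumably worth a sibling case asserting that the resend/delete-request endpoints answer identically for an email with no pending token, to confirm the cooldown code does not become an account-existence oracle — that behaviour is not visible in this hunk, so treat it as a question rather than a defect. The enclosing `describe("A06 Insecure Design")` block continues outside the hunk.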