SkyMoney/api/tests/insecure-design.test.ts

import { randomUUID } from "node:crypto";
import { afterAll, beforeAll, describe, expect, it } from "vitest";
import request from "supertest";
import type { FastifyInstance } from "fastify";
import { PrismaClient } from "@prisma/client";
import argon2 from "argon2";
import { buildApp } from "../src/server";

const prisma = new PrismaClient();
let app: FastifyInstance;

function readCookieValue(setCookie: string[] | undefined, cookieName: string): string | null {
  if (!setCookie) return null;
  for (const raw of setCookie) {
    const firstPart = raw.split(";")[0] ?? "";
    const [name, value] = firstPart.split("=");
    if (name?.trim() === cookieName && value) return value.trim();
  }
  return null;
}

beforeAll(async () => {
  app = await buildApp({ AUTH_DISABLED: false, SEED_DEFAULT_BUDGET: false });
  await app.ready();
});

afterAll(async () => {
  if (app) await app.close();
  await prisma.$disconnect();
});

describe("A06 Insecure Design", () => {
  it("enforces resend-code cooldown with 429 and Retry-After", async () => {
    const email = `cooldown-${Date.now()}@test.dev`;
    const password = "SupersAFE123!";

    await request(app.server).post("/auth/register").send({ email, password });

    // Registration issues a signup token; immediate resend should be cooldown-blocked.
    const resend = await request(app.server).post("/auth/verify/resend").send({ email });
    expect(resend.status).toBe(429);
    expect(resend.body.code).toBe("EMAIL_TOKEN_COOLDOWN");
    expect(resend.headers["retry-after"]).toBeTruthy();

    await prisma.user.deleteMany({ where: { email } });
  });

  it("enforces delete-code cooldown with 429 and Retry-After", async () => {
    const email = `delete-cooldown-${Date.now()}@test.dev`;
    const password = "SupersAFE123!";
    await prisma.user.create({
      data: {
        email,
        passwordHash: await argon2.hash(password),
        emailVerified: true,
      },
    });

    const login = await request(app.server).post("/auth/login").send({ email, password });
    expect(login.status).toBe(200);
    const csrf = readCookieValue(login.headers["set-cookie"], "csrf");
    const sessionCookie = (login.headers["set-cookie"] ?? []).find((c) => c.startsWith("session="));
    expect(csrf).toBeTruthy();
    expect(sessionCookie).toBeTruthy();

    const first = await request(app.server)
      .post("/account/delete-request")
      .set("Cookie", [sessionCookie as string, `csrf=${csrf}`])
      .set("x-csrf-token", csrf as string)
      .send({ password });
    expect(first.status).toBe(200);

    const second = await request(app.server)
      .post("/account/delete-request")
      .set("Cookie", [sessionCookie as string, `csrf=${csrf}`])
      .set("x-csrf-token", csrf as string)
      .send({ password });
    expect(second.status).toBe(429);
    expect(second.body.code).toBe("EMAIL_TOKEN_COOLDOWN");
    expect(second.headers["retry-after"]).toBeTruthy();

    await prisma.user.deleteMany({ where: { email } });
  });

  it("rate-limits repeated invalid verification attempts", async () => {
    const email = `verify-rate-${Date.now()}@test.dev`;
    const password = "SupersAFE123!";
    await request(app.server).post("/auth/register").send({ email, password });

    let limited = false;
    for (let i = 0; i < 12; i++) {
      const res = await request(app.server)
        .post("/auth/verify")
        .send({ email, code: randomUUID().slice(0, 6) });
      if (res.status === 429) {
        limited = true;
        break;
      }
    }
    expect(limited).toBe(true);

    await prisma.user.deleteMany({ where: { email } });
  });
});