github/TREK
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
905c7d460be157613499b20c4668f8c51d0566ae
TREK/server/tests/unit/middleware/mfaPolicy.test.ts
Julien G. 905c7d460b Add comprehensive backend test suite (#339) 
* add test suite, mostly covers integration testing, tests are only backend side

* workflow runs the correct script

* workflow runs the correct script

* workflow runs the correct script

* unit tests incoming

* Fix multer silent rejections and error handler info leak

- Revert cb(null, false) to cb(new Error(...)) in auth.ts, collab.ts,
  and files.ts so invalid uploads return an error instead of silently
  dropping the file
- Error handler in app.ts now always returns 500 / "Internal server
  error" instead of forwarding err.message to the client

* Use statusCode consistently for multer errors and error handler

- Error handler in app.ts reads err.statusCode to forward the correct
  HTTP status while keeping the response body generic
2026-04-03 13:17:53 +02:00

101 lines
3.7 KiB
TypeScript
Raw Blame History

import { describe, it, expect, vi } from 'vitest';
vi.mock('../../../src/db/database', () => ({
db: { prepare: () => ({ get: vi.fn(), all: vi.fn() }) },
}));
vi.mock('../../../src/config', () => ({ JWT_SECRET: 'test-secret' }));
import { isPublicApiPath, isMfaSetupExemptPath } from '../../../src/middleware/mfaPolicy';
// ── isPublicApiPath ──────────────────────────────────────────────────────────
describe('isPublicApiPath', () => {
// AUTH-001 — Public paths must bypass MFA
it('AUTH-001: GET /api/health is public', () => {
expect(isPublicApiPath('GET', '/api/health')).toBe(true);
});
it('GET /api/auth/app-config is public', () => {
expect(isPublicApiPath('GET', '/api/auth/app-config')).toBe(true);
});
it('POST /api/auth/login is public', () => {
expect(isPublicApiPath('POST', '/api/auth/login')).toBe(true);
});
it('POST /api/auth/register is public', () => {
expect(isPublicApiPath('POST', '/api/auth/register')).toBe(true);
});
it('POST /api/auth/demo-login is public', () => {
expect(isPublicApiPath('POST', '/api/auth/demo-login')).toBe(true);
});
it('GET /api/auth/invite/<token> is public', () => {
expect(isPublicApiPath('GET', '/api/auth/invite/abc123')).toBe(true);
expect(isPublicApiPath('GET', '/api/auth/invite/xyz-789')).toBe(true);
});
it('POST /api/auth/mfa/verify-login is public', () => {
expect(isPublicApiPath('POST', '/api/auth/mfa/verify-login')).toBe(true);
});
it('OIDC paths are public (any method)', () => {
expect(isPublicApiPath('GET', '/api/auth/oidc/callback')).toBe(true);
expect(isPublicApiPath('POST', '/api/auth/oidc/login')).toBe(true);
expect(isPublicApiPath('GET', '/api/auth/oidc/discovery')).toBe(true);
});
it('GET /api/trips is not public', () => {
expect(isPublicApiPath('GET', '/api/trips')).toBe(false);
});
it('POST /api/auth/login with wrong method (GET) is not public', () => {
expect(isPublicApiPath('GET', '/api/auth/login')).toBe(false);
});
it('GET /api/auth/me is not public', () => {
expect(isPublicApiPath('GET', '/api/auth/me')).toBe(false);
});
it('DELETE /api/auth/logout is not public', () => {
expect(isPublicApiPath('DELETE', '/api/auth/logout')).toBe(false);
});
});
// ── isMfaSetupExemptPath ─────────────────────────────────────────────────────
describe('isMfaSetupExemptPath', () => {
it('GET /api/auth/me is MFA-setup exempt', () => {
expect(isMfaSetupExemptPath('GET', '/api/auth/me')).toBe(true);
});
it('POST /api/auth/mfa/setup is MFA-setup exempt', () => {
expect(isMfaSetupExemptPath('POST', '/api/auth/mfa/setup')).toBe(true);
});
it('POST /api/auth/mfa/enable is MFA-setup exempt', () => {
expect(isMfaSetupExemptPath('POST', '/api/auth/mfa/enable')).toBe(true);
});
it('GET /api/auth/app-settings is MFA-setup exempt', () => {
expect(isMfaSetupExemptPath('GET', '/api/auth/app-settings')).toBe(true);
});
it('PUT /api/auth/app-settings is MFA-setup exempt', () => {
expect(isMfaSetupExemptPath('PUT', '/api/auth/app-settings')).toBe(true);
});
it('POST /api/auth/app-settings is NOT exempt (wrong method)', () => {
expect(isMfaSetupExemptPath('POST', '/api/auth/app-settings')).toBe(false);
});
it('GET /api/trips is NOT exempt', () => {
expect(isMfaSetupExemptPath('GET', '/api/trips')).toBe(false);
});
it('GET /api/auth/logout is NOT exempt', () => {
expect(isMfaSetupExemptPath('GET', '/api/auth/logout')).toBe(false);
});
});
Reference in New Issue View Git Blame Copy Permalink