905c7d460b
* add test suite, mostly covers integration testing, tests are only backend side * workflow runs the correct script * workflow runs the correct script * workflow runs the correct script * unit tests incoming * Fix multer silent rejections and error handler info leak - Revert cb(null, false) to cb(new Error(...)) in auth.ts, collab.ts, and files.ts so invalid uploads return an error instead of silently dropping the file - Error handler in app.ts now always returns 500 / "Internal server error" instead of forwarding err.message to the client * Use statusCode consistently for multer errors and error handler - Error handler in app.ts reads err.statusCode to forward the correct HTTP status while keeping the response body generic
59 lines
2.2 KiB
TypeScript
59 lines
2.2 KiB
TypeScript
import { describe, it, expect, vi } from 'vitest';
|
|
|
|
// Inline factory to avoid vi.mock hoisting issue (no imported vars allowed)
|
|
vi.mock('../../../src/config', () => ({
|
|
JWT_SECRET: 'test-jwt-secret-for-trek-testing-only',
|
|
ENCRYPTION_KEY: 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6a7b8c9d0e1f2a3b4c5d6a7b8c9d0e1f2',
|
|
updateJwtSecret: () => {},
|
|
}));
|
|
|
|
import { encryptMfaSecret, decryptMfaSecret } from '../../../src/services/mfaCrypto';
|
|
|
|
describe('mfaCrypto', () => {
|
|
const TOTP_SECRET = 'JBSWY3DPEHPK3PXP'; // typical base32 TOTP secret
|
|
|
|
// SEC-009 — Encrypted MFA secrets not exposed
|
|
describe('encryptMfaSecret', () => {
|
|
it('SEC-009: returns a base64 string (not the plaintext)', () => {
|
|
const encrypted = encryptMfaSecret(TOTP_SECRET);
|
|
expect(encrypted).not.toBe(TOTP_SECRET);
|
|
// Should be valid base64
|
|
expect(() => Buffer.from(encrypted, 'base64')).not.toThrow();
|
|
});
|
|
|
|
it('different calls produce different ciphertext (random IV)', () => {
|
|
const enc1 = encryptMfaSecret(TOTP_SECRET);
|
|
const enc2 = encryptMfaSecret(TOTP_SECRET);
|
|
expect(enc1).not.toBe(enc2);
|
|
});
|
|
|
|
it('encrypted value does not contain plaintext', () => {
|
|
const encrypted = encryptMfaSecret(TOTP_SECRET);
|
|
expect(encrypted).not.toContain(TOTP_SECRET);
|
|
});
|
|
});
|
|
|
|
describe('decryptMfaSecret', () => {
|
|
it('SEC-009: roundtrip — decrypt returns original secret', () => {
|
|
const encrypted = encryptMfaSecret(TOTP_SECRET);
|
|
const decrypted = decryptMfaSecret(encrypted);
|
|
expect(decrypted).toBe(TOTP_SECRET);
|
|
});
|
|
|
|
it('handles secrets of varying lengths', () => {
|
|
const short = 'ABC123';
|
|
const long = 'JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP';
|
|
expect(decryptMfaSecret(encryptMfaSecret(short))).toBe(short);
|
|
expect(decryptMfaSecret(encryptMfaSecret(long))).toBe(long);
|
|
});
|
|
|
|
it('throws or returns garbage on tampered ciphertext', () => {
|
|
const encrypted = encryptMfaSecret(TOTP_SECRET);
|
|
const buf = Buffer.from(encrypted, 'base64');
|
|
buf[buf.length - 1] ^= 0xff; // flip last byte
|
|
const tampered = buf.toString('base64');
|
|
expect(() => decryptMfaSecret(tampered)).toThrow();
|
|
});
|
|
});
|
|
});
|