2023-11-07 06:35:43 -08:00
|
|
|
import Container from 'typedi';
|
2024-06-19 04:33:57 -07:00
|
|
|
import { randomInt, randomString } from 'n8n-workflow';
|
2024-02-28 04:12:28 -08:00
|
|
|
|
|
|
|
|
import { AuthService } from '@/auth/auth.service';
|
2023-08-23 19:59:16 -07:00
|
|
|
import config from '@/config';
|
|
|
|
|
import type { User } from '@db/entities/User';
|
2024-05-31 00:40:19 -07:00
|
|
|
import { AuthUserRepository } from '@db/repositories/authUser.repository';
|
2023-08-23 19:59:16 -07:00
|
|
|
import { TOTPService } from '@/Mfa/totp.service';
|
2024-02-28 04:12:28 -08:00
|
|
|
|
2023-11-07 06:35:43 -08:00
|
|
|
import * as testDb from '../shared/testDb';
|
|
|
|
|
import * as utils from '../shared/utils';
|
2024-06-19 04:33:57 -07:00
|
|
|
import { randomValidPassword, uniqueId } from '../shared/random';
|
2023-11-08 07:29:39 -08:00
|
|
|
import { createUser, createUserWithMfaEnabled } from '../shared/db/users';
|
2023-08-23 19:59:16 -07:00
|
|
|
|
|
|
|
|
jest.mock('@/telemetry');
|
|
|
|
|
|
|
|
|
|
let owner: User;
|
|
|
|
|
|
|
|
|
|
const testServer = utils.setupTestServer({
|
|
|
|
|
endpointGroups: ['mfa', 'auth', 'me', 'passwordReset'],
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
beforeEach(async () => {
|
|
|
|
|
await testDb.truncate(['User']);
|
|
|
|
|
|
2024-01-24 04:38:57 -08:00
|
|
|
owner = await createUser({ role: 'global:owner' });
|
2023-08-23 19:59:16 -07:00
|
|
|
|
|
|
|
|
config.set('userManagement.disabled', false);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
afterAll(async () => {
|
|
|
|
|
await testDb.terminate();
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
describe('Enable MFA setup', () => {
|
|
|
|
|
describe('Step one', () => {
|
|
|
|
|
test('GET /qr should fail due to unauthenticated user', async () => {
|
2024-05-31 00:40:19 -07:00
|
|
|
await testServer.authlessAgent.get('/mfa/qr').expect(401);
|
2023-08-23 19:59:16 -07:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test('GET /qr should reuse secret and recovery codes until setup is complete', async () => {
|
2024-05-31 00:40:19 -07:00
|
|
|
const firstCall = await testServer.authAgentFor(owner).get('/mfa/qr').expect(200);
|
2023-08-23 19:59:16 -07:00
|
|
|
|
2024-05-31 00:40:19 -07:00
|
|
|
const secondCall = await testServer.authAgentFor(owner).get('/mfa/qr').expect(200);
|
2023-08-23 19:59:16 -07:00
|
|
|
|
|
|
|
|
expect(firstCall.body.data.secret).toBe(secondCall.body.data.secret);
|
|
|
|
|
expect(firstCall.body.data.recoveryCodes.join('')).toBe(
|
|
|
|
|
secondCall.body.data.recoveryCodes.join(''),
|
|
|
|
|
);
|
|
|
|
|
|
2024-08-13 05:56:54 -07:00
|
|
|
const token = new TOTPService().generateTOTP(firstCall.body.data.secret);
|
|
|
|
|
await testServer.authAgentFor(owner).post('/mfa/disable').send({ token }).expect(200);
|
2023-08-23 19:59:16 -07:00
|
|
|
|
2024-05-31 00:40:19 -07:00
|
|
|
const thirdCall = await testServer.authAgentFor(owner).get('/mfa/qr').expect(200);
|
2023-08-23 19:59:16 -07:00
|
|
|
|
|
|
|
|
expect(firstCall.body.data.secret).not.toBe(thirdCall.body.data.secret);
|
|
|
|
|
expect(firstCall.body.data.recoveryCodes.join('')).not.toBe(
|
|
|
|
|
thirdCall.body.data.recoveryCodes.join(''),
|
|
|
|
|
);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test('GET /qr should return qr, secret and recovery codes', async () => {
|
2024-05-31 00:40:19 -07:00
|
|
|
const response = await testServer.authAgentFor(owner).get('/mfa/qr').expect(200);
|
2023-08-23 19:59:16 -07:00
|
|
|
|
|
|
|
|
const { data } = response.body;
|
|
|
|
|
|
|
|
|
|
expect(data.secret).toBeDefined();
|
|
|
|
|
expect(data.qrCode).toBeDefined();
|
|
|
|
|
expect(data.recoveryCodes).toBeDefined();
|
|
|
|
|
expect(data.recoveryCodes).not.toBeEmptyArray();
|
|
|
|
|
expect(data.recoveryCodes.length).toBe(10);
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
describe('Step two', () => {
|
|
|
|
|
test('POST /verify should fail due to unauthenticated user', async () => {
|
2024-05-31 00:40:19 -07:00
|
|
|
await testServer.authlessAgent.post('/mfa/verify').expect(401);
|
2023-08-23 19:59:16 -07:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test('POST /verify should fail due to invalid MFA token', async () => {
|
2024-05-31 00:40:19 -07:00
|
|
|
await testServer.authAgentFor(owner).post('/mfa/verify').send({ token: '123' }).expect(400);
|
2023-08-23 19:59:16 -07:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test('POST /verify should fail due to missing token parameter', async () => {
|
2024-05-31 00:40:19 -07:00
|
|
|
await testServer.authAgentFor(owner).get('/mfa/qr').expect(200);
|
|
|
|
|
await testServer.authAgentFor(owner).post('/mfa/verify').send({ token: '' }).expect(400);
|
2023-08-23 19:59:16 -07:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test('POST /verify should validate MFA token', async () => {
|
2024-05-31 00:40:19 -07:00
|
|
|
const response = await testServer.authAgentFor(owner).get('/mfa/qr').expect(200);
|
2023-08-23 19:59:16 -07:00
|
|
|
|
|
|
|
|
const { secret } = response.body.data;
|
|
|
|
|
const token = new TOTPService().generateTOTP(secret);
|
|
|
|
|
|
2024-05-31 00:40:19 -07:00
|
|
|
await testServer.authAgentFor(owner).post('/mfa/verify').send({ token }).expect(200);
|
2023-08-23 19:59:16 -07:00
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
describe('Step three', () => {
|
|
|
|
|
test('POST /enable should fail due to unauthenticated user', async () => {
|
2024-05-31 00:40:19 -07:00
|
|
|
await testServer.authlessAgent.post('/mfa/enable').expect(401);
|
2023-08-23 19:59:16 -07:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test('POST /verify should fail due to missing token parameter', async () => {
|
2024-05-31 00:40:19 -07:00
|
|
|
await testServer.authAgentFor(owner).post('/mfa/verify').send({ token: '' }).expect(400);
|
2023-08-23 19:59:16 -07:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test('POST /enable should fail due to invalid MFA token', async () => {
|
2024-05-31 00:40:19 -07:00
|
|
|
await testServer.authAgentFor(owner).get('/mfa/qr').expect(200);
|
|
|
|
|
await testServer.authAgentFor(owner).post('/mfa/enable').send({ token: '123' }).expect(400);
|
2023-08-23 19:59:16 -07:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test('POST /enable should fail due to empty secret and recovery codes', async () => {
|
2024-05-31 00:40:19 -07:00
|
|
|
await testServer.authAgentFor(owner).post('/mfa/enable').expect(400);
|
2023-08-23 19:59:16 -07:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test('POST /enable should enable MFA in account', async () => {
|
2024-05-31 00:40:19 -07:00
|
|
|
const response = await testServer.authAgentFor(owner).get('/mfa/qr').expect(200);
|
2023-08-23 19:59:16 -07:00
|
|
|
|
|
|
|
|
const { secret } = response.body.data;
|
|
|
|
|
const token = new TOTPService().generateTOTP(secret);
|
|
|
|
|
|
2024-05-31 00:40:19 -07:00
|
|
|
await testServer.authAgentFor(owner).post('/mfa/verify').send({ token }).expect(200);
|
|
|
|
|
await testServer.authAgentFor(owner).post('/mfa/enable').send({ token }).expect(200);
|
2023-08-23 19:59:16 -07:00
|
|
|
|
2024-05-31 00:40:19 -07:00
|
|
|
const user = await Container.get(AuthUserRepository).findOneOrFail({
|
2023-08-23 19:59:16 -07:00
|
|
|
where: {},
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
expect(user.mfaEnabled).toBe(true);
|
|
|
|
|
expect(user.mfaRecoveryCodes).toBeDefined();
|
|
|
|
|
expect(user.mfaSecret).toBeDefined();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
describe('Disable MFA setup', () => {
|
|
|
|
|
test('POST /disable should disable login with MFA', async () => {
|
2024-08-13 05:56:54 -07:00
|
|
|
const { user, rawSecret } = await createUserWithMfaEnabled();
|
|
|
|
|
const token = new TOTPService().generateTOTP(rawSecret);
|
2023-08-23 19:59:16 -07:00
|
|
|
|
2024-08-13 05:56:54 -07:00
|
|
|
await testServer
|
|
|
|
|
.authAgentFor(user)
|
|
|
|
|
.post('/mfa/disable')
|
|
|
|
|
.send({
|
|
|
|
|
token,
|
|
|
|
|
})
|
|
|
|
|
.expect(200);
|
2023-08-23 19:59:16 -07:00
|
|
|
|
2024-05-31 00:40:19 -07:00
|
|
|
const dbUser = await Container.get(AuthUserRepository).findOneOrFail({
|
2023-08-23 19:59:16 -07:00
|
|
|
where: { id: user.id },
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
expect(dbUser.mfaEnabled).toBe(false);
|
|
|
|
|
expect(dbUser.mfaSecret).toBe(null);
|
|
|
|
|
expect(dbUser.mfaRecoveryCodes.length).toBe(0);
|
|
|
|
|
});
|
2024-08-13 05:56:54 -07:00
|
|
|
|
|
|
|
|
test('POST /disable should fail if invalid token is given', async () => {
|
|
|
|
|
const { user } = await createUserWithMfaEnabled();
|
|
|
|
|
|
|
|
|
|
await testServer
|
|
|
|
|
.authAgentFor(user)
|
|
|
|
|
.post('/mfa/disable')
|
|
|
|
|
.send({
|
|
|
|
|
token: 'invalid token',
|
|
|
|
|
})
|
|
|
|
|
.expect(403);
|
|
|
|
|
});
|
2023-08-23 19:59:16 -07:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
describe('Change password with MFA enabled', () => {
|
|
|
|
|
test('POST /change-password should fail due to missing MFA token', async () => {
|
2023-11-08 07:29:39 -08:00
|
|
|
await createUserWithMfaEnabled();
|
2023-08-23 19:59:16 -07:00
|
|
|
|
|
|
|
|
const newPassword = randomValidPassword();
|
|
|
|
|
const resetPasswordToken = uniqueId();
|
|
|
|
|
|
2024-05-31 00:40:19 -07:00
|
|
|
await testServer.authlessAgent
|
2023-08-23 19:59:16 -07:00
|
|
|
.post('/change-password')
|
2024-05-31 00:40:19 -07:00
|
|
|
.send({ password: newPassword, token: resetPasswordToken })
|
|
|
|
|
.expect(404);
|
2023-08-23 19:59:16 -07:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test('POST /change-password should fail due to invalid MFA token', async () => {
|
2023-11-08 07:29:39 -08:00
|
|
|
await createUserWithMfaEnabled();
|
2023-08-23 19:59:16 -07:00
|
|
|
|
|
|
|
|
const newPassword = randomValidPassword();
|
|
|
|
|
const resetPasswordToken = uniqueId();
|
|
|
|
|
|
2024-05-31 00:40:19 -07:00
|
|
|
await testServer.authlessAgent
|
|
|
|
|
.post('/change-password')
|
|
|
|
|
.send({
|
|
|
|
|
password: newPassword,
|
|
|
|
|
token: resetPasswordToken,
|
2024-06-19 04:33:57 -07:00
|
|
|
mfaToken: randomInt(10),
|
2024-05-31 00:40:19 -07:00
|
|
|
})
|
|
|
|
|
.expect(404);
|
2023-08-23 19:59:16 -07:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test('POST /change-password should update password', async () => {
|
2023-11-08 07:29:39 -08:00
|
|
|
const { user, rawSecret } = await createUserWithMfaEnabled();
|
2023-08-23 19:59:16 -07:00
|
|
|
|
|
|
|
|
const newPassword = randomValidPassword();
|
|
|
|
|
|
|
|
|
|
config.set('userManagement.jwtSecret', randomString(5, 10));
|
|
|
|
|
|
2024-02-28 04:12:28 -08:00
|
|
|
const resetPasswordToken = Container.get(AuthService).generatePasswordResetToken(user);
|
2023-08-23 19:59:16 -07:00
|
|
|
|
|
|
|
|
const mfaToken = new TOTPService().generateTOTP(rawSecret);
|
|
|
|
|
|
2024-05-31 00:40:19 -07:00
|
|
|
await testServer.authlessAgent
|
|
|
|
|
.post('/change-password')
|
|
|
|
|
.send({
|
|
|
|
|
password: newPassword,
|
|
|
|
|
token: resetPasswordToken,
|
|
|
|
|
mfaToken,
|
|
|
|
|
})
|
|
|
|
|
.expect(200);
|
2023-08-23 19:59:16 -07:00
|
|
|
|
|
|
|
|
const loginResponse = await testServer
|
|
|
|
|
.authAgentFor(user)
|
|
|
|
|
.post('/login')
|
|
|
|
|
.send({
|
|
|
|
|
email: user.email,
|
|
|
|
|
password: newPassword,
|
|
|
|
|
mfaToken: new TOTPService().generateTOTP(rawSecret),
|
2024-05-31 00:40:19 -07:00
|
|
|
})
|
|
|
|
|
.expect(200);
|
2023-08-23 19:59:16 -07:00
|
|
|
|
|
|
|
|
expect(loginResponse.body).toHaveProperty('data');
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
describe('Login', () => {
|
|
|
|
|
test('POST /login with email/password should succeed when mfa is disabled', async () => {
|
2024-06-19 04:33:57 -07:00
|
|
|
const password = randomString(8);
|
2023-08-23 19:59:16 -07:00
|
|
|
|
2023-11-08 07:29:39 -08:00
|
|
|
const user = await createUser({ password });
|
2023-08-23 19:59:16 -07:00
|
|
|
|
2024-05-31 00:40:19 -07:00
|
|
|
await testServer.authlessAgent.post('/login').send({ email: user.email, password }).expect(200);
|
2023-08-23 19:59:16 -07:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test('GET /login should not include mfaSecret and mfaRecoveryCodes property in response', async () => {
|
2024-05-31 00:40:19 -07:00
|
|
|
const response = await testServer.authAgentFor(owner).get('/login').expect(200);
|
2023-08-23 19:59:16 -07:00
|
|
|
|
|
|
|
|
const { data } = response.body;
|
|
|
|
|
|
|
|
|
|
expect(data.recoveryCodes).not.toBeDefined();
|
|
|
|
|
expect(data.mfaSecret).not.toBeDefined();
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test('POST /login with email/password should fail when mfa is enabled', async () => {
|
2023-11-08 07:29:39 -08:00
|
|
|
const { user, rawPassword } = await createUserWithMfaEnabled();
|
2023-08-23 19:59:16 -07:00
|
|
|
|
2024-05-31 00:40:19 -07:00
|
|
|
await testServer.authlessAgent
|
2023-08-23 19:59:16 -07:00
|
|
|
.post('/login')
|
2024-05-31 00:40:19 -07:00
|
|
|
.send({ email: user.email, password: rawPassword })
|
|
|
|
|
.expect(401);
|
2023-08-23 19:59:16 -07:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
describe('Login with MFA token', () => {
|
|
|
|
|
test('POST /login should fail due to invalid MFA token', async () => {
|
2023-11-08 07:29:39 -08:00
|
|
|
const { user, rawPassword } = await createUserWithMfaEnabled();
|
2023-08-23 19:59:16 -07:00
|
|
|
|
2024-05-31 00:40:19 -07:00
|
|
|
await testServer.authlessAgent
|
2023-08-23 19:59:16 -07:00
|
|
|
.post('/login')
|
2024-05-31 00:40:19 -07:00
|
|
|
.send({ email: user.email, password: rawPassword, mfaToken: 'wrongvalue' })
|
|
|
|
|
.expect(401);
|
2023-08-23 19:59:16 -07:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test('POST /login should fail due two MFA step needed', async () => {
|
2023-11-08 07:29:39 -08:00
|
|
|
const { user, rawPassword } = await createUserWithMfaEnabled();
|
2023-08-23 19:59:16 -07:00
|
|
|
|
|
|
|
|
const response = await testServer.authlessAgent
|
|
|
|
|
.post('/login')
|
2024-05-31 00:40:19 -07:00
|
|
|
.send({ email: user.email, password: rawPassword })
|
|
|
|
|
.expect(401);
|
2023-08-23 19:59:16 -07:00
|
|
|
|
|
|
|
|
expect(response.body.code).toBe(998);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test('POST /login should succeed with MFA token', async () => {
|
2023-11-08 07:29:39 -08:00
|
|
|
const { user, rawSecret, rawPassword } = await createUserWithMfaEnabled();
|
2023-08-23 19:59:16 -07:00
|
|
|
|
|
|
|
|
const token = new TOTPService().generateTOTP(rawSecret);
|
|
|
|
|
|
|
|
|
|
const response = await testServer.authlessAgent
|
|
|
|
|
.post('/login')
|
2024-05-31 00:40:19 -07:00
|
|
|
.send({ email: user.email, password: rawPassword, mfaToken: token })
|
|
|
|
|
.expect(200);
|
2023-08-23 19:59:16 -07:00
|
|
|
|
|
|
|
|
const data = response.body.data;
|
|
|
|
|
|
|
|
|
|
expect(data.mfaEnabled).toBe(true);
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
describe('Login with recovery code', () => {
|
|
|
|
|
test('POST /login should fail due to invalid MFA recovery code', async () => {
|
2023-11-08 07:29:39 -08:00
|
|
|
const { user, rawPassword } = await createUserWithMfaEnabled();
|
2023-08-23 19:59:16 -07:00
|
|
|
|
2024-05-31 00:40:19 -07:00
|
|
|
await testServer.authlessAgent
|
2023-08-23 19:59:16 -07:00
|
|
|
.post('/login')
|
2024-05-31 00:40:19 -07:00
|
|
|
.send({ email: user.email, password: rawPassword, mfaRecoveryCode: 'wrongvalue' })
|
|
|
|
|
.expect(401);
|
2023-08-23 19:59:16 -07:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test('POST /login should succeed with MFA recovery code', async () => {
|
2023-11-08 07:29:39 -08:00
|
|
|
const { user, rawPassword, rawRecoveryCodes } = await createUserWithMfaEnabled();
|
2023-08-23 19:59:16 -07:00
|
|
|
|
|
|
|
|
const response = await testServer.authlessAgent
|
|
|
|
|
.post('/login')
|
2024-05-31 00:40:19 -07:00
|
|
|
.send({ email: user.email, password: rawPassword, mfaRecoveryCode: rawRecoveryCodes[0] })
|
|
|
|
|
.expect(200);
|
2023-08-23 19:59:16 -07:00
|
|
|
|
|
|
|
|
const data = response.body.data;
|
|
|
|
|
expect(data.mfaEnabled).toBe(true);
|
|
|
|
|
|
2024-05-31 00:40:19 -07:00
|
|
|
const dbUser = await Container.get(AuthUserRepository).findOneOrFail({
|
2023-08-23 19:59:16 -07:00
|
|
|
where: { id: user.id },
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// Make sure the recovery code used was removed
|
|
|
|
|
expect(dbUser.mfaRecoveryCodes.length).toBe(rawRecoveryCodes.length - 1);
|
|
|
|
|
expect(dbUser.mfaRecoveryCodes.includes(rawRecoveryCodes[0])).toBe(false);
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
