Merge pull request #19996 from mozilla/fxa-12559-v2

Add auth server jest setup and initial unit tests

Author: vbudhram

packages/fxa-auth-server/.eslintrc.json

@@ -25,5 +25,16 @@
     "dist",
     "fxa-*",
     "vendor"
+  ],
+  "overrides": [
+    {
+      "files": ["**/*.spec.ts"],
+      "env": {
+        "jest": true
+      },
+      "rules": {
+        "fxa/async-crypto-random": "off"
+      }
+    }
   ]
 }

packages/fxa-auth-server/config/index.spec.ts

@@ -0,0 +1,48 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+describe('Config', () => {
+  describe('NODE_ENV=prod', () => {
+    let originalEnv: Record<string, string | undefined>;
+
+    function mockEnv(key: string, value: string) {
+      originalEnv[key] = process.env[key];
+      process.env[key] = value;
+    }
+
+    beforeEach(() => {
+      originalEnv = {};
+      jest.resetModules();
+      mockEnv('NODE_ENV', 'prod');
+    });
+
+    afterEach(() => {
+      for (const key in originalEnv) {
+        if (originalEnv[key] === undefined) {
+          delete process.env[key];
+        } else {
+          process.env[key] = originalEnv[key];
+        }
+      }
+    });
+
+    it('errors when secret settings have their default values', () => {
+      expect(() => {
+        require('./index');
+      }).toThrow(/Config '[a-zA-Z._]+' must be set in production/);
+    });
+
+    it('succeeds when secret settings have all been configured', () => {
+      mockEnv('FLOW_ID_KEY', 'production secret here');
+      mockEnv('OAUTH_SERVER_SECRET_KEY', 'production secret here');
+      mockEnv(
+        'PROFILE_SERVER_AUTH_SECRET_BEARER_TOKEN',
+        'production secret here'
+      );
+      expect(() => {
+        require('./index');
+      }).not.toThrow();
+    });
+  });
+});

packages/fxa-auth-server/jest.config.js

@@ -0,0 +1,41 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+module.exports = {
+  preset: 'ts-jest',
+  testEnvironment: 'node',
+  rootDir: '.',
+  testMatch: [
+    '<rootDir>/lib/**/*.spec.ts',
+    '<rootDir>/config/**/*.spec.ts',
+  ],
+  moduleFileExtensions: ['ts', 'js', 'json'],
+  transform: {
+    '^.+\\.[tj]sx?$': ['ts-jest', { tsconfig: { isolatedModules: true } }],
+  },
+  transformIgnorePatterns: [
+    '/node_modules/(?!(@fxa|fxa-shared)/)',
+  ],
+  moduleNameMapper: {
+    '^@fxa/shared/(.*)$': '<rootDir>/../../libs/shared/$1/src',
+    '^@fxa/accounts/(.*)$': '<rootDir>/../../libs/accounts/$1/src',
+    '^@fxa/payments/(.*)$': '<rootDir>/../../libs/payments/$1/src',
+    '^@fxa/profile/(.*)$': '<rootDir>/../../libs/profile/$1/src',
+    '^fxa-shared/(.*)$': '<rootDir>/../fxa-shared/$1',
+  },
+  testTimeout: 10000,
+  clearMocks: true,
+  setupFiles: ['<rootDir>/jest.setup.js'],
+  testPathIgnorePatterns: ['/node_modules/'],
+  // Coverage configuration (enabled via --coverage flag)
+  collectCoverageFrom: [
+    'lib/**/*.{ts,js}',
+    'config/**/*.{ts,js}',
+    '!lib/**/*.spec.{ts,js}',
+    '!config/**/*.spec.{ts,js}',
+    '!**/node_modules/**',
+  ],
+  coverageDirectory: '../../artifacts/coverage/fxa-auth-server-jest',
+  coverageReporters: ['text', 'lcov', 'html'],
+};

packages/fxa-auth-server/jest.setup.js

@@ -0,0 +1,14 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/**
+ * Jest global setup - runs before each test file.
+ *
+ * The OAuth keys exist in config/key.json but the config module's path
+ * resolution can behave differently under Jest's module transformation.
+ * This sets the env var to allow tests to run without requiring the
+ * OAuth key validation (which is a runtime concern, not a unit test concern).
+ */
+
+process.env.FXA_OPENID_UNSAFELY_ALLOW_MISSING_ACTIVE_KEY = 'true';

packages/fxa-auth-server/lib/authMethods.spec.ts

@@ -0,0 +1,133 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import sinon from 'sinon';
+import { AppError as error } from '@fxa/accounts/errors';
+import * as authMethods from './authMethods';
+
+const MOCK_ACCOUNT = {
+  uid: 'abcdef123456',
+};
+
+function mockDB() {
+  return {
+    totpToken: sinon.stub(),
+    // Add other DB methods as needed
+  };
+}
+
+describe('availableAuthenticationMethods', () => {
+  let mockDbInstance: ReturnType<typeof mockDB>;
+
+  beforeEach(() => {
+    mockDbInstance = mockDB();
+  });
+
+  it('returns [`pwd`,`email`] for non-TOTP-enabled accounts', async () => {
+    mockDbInstance.totpToken = sinon.stub().rejects(error.totpTokenNotFound());
+    const amr = await authMethods.availableAuthenticationMethods(
+      mockDbInstance as any,
+      MOCK_ACCOUNT as any
+    );
+    expect(mockDbInstance.totpToken.calledWithExactly(MOCK_ACCOUNT.uid)).toBe(true);
+    expect(Array.from(amr).sort()).toEqual(['email', 'pwd']);
+  });
+
+  it('returns [`pwd`,`email`,`otp`] for TOTP-enabled accounts', async () => {
+    mockDbInstance.totpToken = sinon.stub().resolves({
+      verified: true,
+      enabled: true,
+      sharedSecret: 'secret!',
+    });
+    const amr = await authMethods.availableAuthenticationMethods(
+      mockDbInstance as any,
+      MOCK_ACCOUNT as any
+    );
+    expect(mockDbInstance.totpToken.calledWithExactly(MOCK_ACCOUNT.uid)).toBe(true);
+    expect(Array.from(amr).sort()).toEqual(['email', 'otp', 'pwd']);
+  });
+
+  it('returns [`pwd`,`email`] when TOTP token is not yet enabled', async () => {
+    mockDbInstance.totpToken = sinon.stub().resolves({
+      verified: true,
+      enabled: false,
+      sharedSecret: 'secret!',
+    });
+    const amr = await authMethods.availableAuthenticationMethods(
+      mockDbInstance as any,
+      MOCK_ACCOUNT as any
+    );
+    expect(mockDbInstance.totpToken.calledWithExactly(MOCK_ACCOUNT.uid)).toBe(true);
+    expect(Array.from(amr).sort()).toEqual(['email', 'pwd']);
+  });
+
+  it('rethrows unexpected DB errors', async () => {
+    mockDbInstance.totpToken = sinon.stub().rejects(error.serviceUnavailable());
+    try {
+      await authMethods.availableAuthenticationMethods(
+        mockDbInstance as any,
+        MOCK_ACCOUNT as any
+      );
+      throw new Error('error should have been re-thrown');
+    } catch (err: any) {
+      expect(mockDbInstance.totpToken.calledWithExactly(MOCK_ACCOUNT.uid)).toBe(true);
+      expect(err.errno).toBe(error.ERRNO.SERVER_BUSY);
+    }
+  });
+});
+
+describe('verificationMethodToAMR', () => {
+  it('maps `email` to `email`', () => {
+    expect(authMethods.verificationMethodToAMR('email')).toBe('email');
+  });
+
+  it('maps `email-captcha` to `email`', () => {
+    expect(authMethods.verificationMethodToAMR('email-captcha')).toBe('email');
+  });
+
+  it('maps `email-2fa` to `email`', () => {
+    expect(authMethods.verificationMethodToAMR('email-2fa')).toBe('email');
+  });
+
+  it('maps `totp-2fa` to `otp`', () => {
+    expect(authMethods.verificationMethodToAMR('totp-2fa')).toBe('otp');
+  });
+
+  it('maps `recovery-code` to `otp`', () => {
+    expect(authMethods.verificationMethodToAMR('recovery-code')).toBe('otp');
+  });
+
+  it('throws when given an unknown verification method', () => {
+    expect(() => {
+      authMethods.verificationMethodToAMR('email-gotcha' as any);
+    }).toThrow(/unknown verificationMethod/);
+  });
+});
+
+describe('maximumAssuranceLevel', () => {
+  it('returns 0 when no authentication methods are used', () => {
+    expect(authMethods.maximumAssuranceLevel([])).toBe(0);
+    expect(authMethods.maximumAssuranceLevel(new Set())).toBe(0);
+  });
+
+  it('returns 1 when only `pwd` auth is used', () => {
+    expect(authMethods.maximumAssuranceLevel(['pwd'])).toBe(1);
+  });
+
+  it('returns 1 when only `email` auth is used', () => {
+    expect(authMethods.maximumAssuranceLevel(['email'])).toBe(1);
+  });
+
+  it('returns 1 when only `otp` auth is used', () => {
+    expect(authMethods.maximumAssuranceLevel(['otp'])).toBe(1);
+  });
+
+  it('returns 1 when only things-you-know auth mechanisms are used', () => {
+    expect(authMethods.maximumAssuranceLevel(['email', 'pwd'])).toBe(1);
+  });
+
+  it('returns 2 when both `pwd` and `otp` methods are used', () => {
+    expect(authMethods.maximumAssuranceLevel(['pwd', 'otp'])).toBe(2);
+  });
+});

packages/fxa-auth-server/lib/crypto/butil.spec.ts

@@ -0,0 +1,35 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import * as butil from './butil';
+
+describe('butil', () => {
+  describe('.buffersAreEqual', () => {
+    it('returns false if lengths are different', () => {
+      expect(butil.buffersAreEqual(Buffer.alloc(2), Buffer.alloc(4))).toBe(
+        false
+      );
+    });
+
+    it('returns true if buffers have same bytes', () => {
+      const b1 = Buffer.from('abcd', 'hex');
+      const b2 = Buffer.from('abcd', 'hex');
+      expect(butil.buffersAreEqual(b1, b2)).toBe(true);
+    });
+  });
+
+  describe('.xorBuffers', () => {
+    it('throws an Error if lengths are different', () => {
+      expect(() => {
+        butil.xorBuffers(Buffer.alloc(2), Buffer.alloc(4));
+      }).toThrow();
+    });
+
+    it('should return a Buffer with bits ORed', () => {
+      const b1 = Buffer.from('e5', 'hex');
+      const b2 = Buffer.from('5e', 'hex');
+      expect(butil.xorBuffers(b1, b2)).toEqual(Buffer.from('bb', 'hex'));
+    });
+  });
+});

packages/fxa-auth-server/lib/crypto/hkdf.spec.ts

@@ -0,0 +1,32 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import hkdf from './hkdf';
+
+describe('hkdf', () => {
+  it('should extract', async () => {
+    const stretchedPw =
+      'c16d46c31bee242cb31f916e9e38d60b76431d3f5304549cc75ae4bc20c7108c';
+    const stretchedPwBuffer = Buffer.from(stretchedPw, 'hex');
+    const info = 'mainKDF';
+    const salt = Buffer.from(
+      '00f000000000000000000000000000000000000000000000000000000000034d',
+      'hex'
+    );
+    const lengthHkdf = 2 * 32;
+
+    const hkdfResult = await hkdf(stretchedPwBuffer, info, salt, lengthHkdf);
+    const hkdfStr = hkdfResult.toString('hex');
+
+    expect(hkdfStr.substring(0, 64)).toBe(
+      '00f9b71800ab5337d51177d8fbc682a3653fa6dae5b87628eeec43a18af59a9d'
+    );
+    expect(hkdfStr.substring(64, 128)).toBe(
+      '6ea660be9c89ec355397f89afb282ea0bf21095760c8c5009bbcc894155bbe2a'
+    );
+    expect(salt.toString('hex')).toBe(
+      '00f000000000000000000000000000000000000000000000000000000000034d'
+    );
+  });
+});

packages/fxa-auth-server/lib/crypto/password.spec.ts

@@ -0,0 +1,52 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+export {};
+
+const mockLog = {};
+const mockConfig = {};
+const Password = require('./password')(mockLog, mockConfig);
+
+describe('Password', () => {
+  it('password version zero', async () => {
+    const pwd = Buffer.from('aaaaaaaaaaaaaaaa');
+    const salt = Buffer.from('bbbbbbbbbbbbbbbb');
+    const p1 = new Password(pwd, salt, 0);
+    expect(p1.version).toBe(0);
+    const p2 = new Password(pwd, salt, 0);
+    expect(p2.version).toBe(0);
+    const hash = await p1.verifyHash();
+    const matched = await p2.matches(hash);
+    expect(matched).toBe(true);
+  });
+
+  it('password version one', async () => {
+    const pwd = Buffer.from('aaaaaaaaaaaaaaaa');
+    const salt = Buffer.from('bbbbbbbbbbbbbbbb');
+    const p1 = new Password(pwd, salt, 1);
+    expect(p1.version).toBe(1);
+    const p2 = new Password(pwd, salt, 1);
+    expect(p2.version).toBe(1);
+    const hash = await p1.verifyHash();
+    const matched = await p2.matches(hash);
+    expect(matched).toBe(true);
+  });
+
+  it('passwords of different versions should not match', async () => {
+    const pwd = Buffer.from('aaaaaaaaaaaaaaaa');
+    const salt = Buffer.from('bbbbbbbbbbbbbbbb');
+    const p1 = new Password(pwd, salt, 0);
+    const p2 = new Password(pwd, salt, 1);
+    const hash = await p1.verifyHash();
+    const matched = await p2.matches(hash);
+    expect(matched).toBe(false);
+  });
+
+  it('scrypt queue stats can be reported', () => {
+    const stat = Password.stat();
+    expect(stat.stat).toBe('scrypt');
+    expect(stat).toHaveProperty('numPending');
+    expect(stat).toHaveProperty('numPendingHWM');
+  });
+});