cli/packages/contentstack-auth/test/unit/mfa-handler.test.ts at 1e67f6a537a326860b1dadbdfa8d67a0a03b4c3c · contentstack/cli · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
import { expect } from 'chai';
import { authenticator } from 'otplib';
import { configHandler, NodeCrypto } from '@contentstack/cli-utilities';
import * as sinon from 'sinon';
import mfaHandler from '../../src/utils/mfa-handler';

describe('MFAHandler', () => {
  const validSecret = 'JBSWY3DPEHPK3PXP'; // Example valid base32 secret
  const invalidSecret = 'invalid-secret';

  let configStub: sinon.SinonStub;
  let encrypterStub: sinon.SinonStubbedInstance<NodeCrypto>;

  beforeEach(() => {
    // Clear environment variables before each test
    delete process.env.CONTENTSTACK_MFA_SECRET;

    // Setup stubs
    configStub = sinon.stub(configHandler, 'get');
    encrypterStub = sinon.stub(NodeCrypto.prototype);
  });

  afterEach(() => {
    sinon.restore();
  });

  describe('generateMFACode', () => {
    it('should generate valid MFA code from valid secret', () => {
      const code = mfaHandler.generateMFACode(validSecret);
      expect(code).to.match(/^\d{6}$/);
      expect(authenticator.verify({ token: code, secret: validSecret })).to.be.true;
    });

    it.skip('should throw error for invalid secret', () => {
      // otplib does not throw for invalid secret; it logs and may return a value
      expect(() => mfaHandler.generateMFACode(invalidSecret)).to.throw();
    });
  });

  describe('getMFACode', () => {
    it('should use MFA secret from environment variable when available', async () => {
      process.env.CONTENTSTACK_MFA_SECRET = validSecret;
      const code = await mfaHandler.getMFACode();
      expect(code).to.match(/^\d{6}$/);
      expect(authenticator.verify({ token: code, secret: validSecret })).to.be.true;
    });

    it.skip('should fallback to stored configuration when environment variable is not set', async () => {
<<<<<<< HEAD
=======
      // Stubbing NodeCrypto.prototype does not affect already-created mfaHandler instance
>>>>>>> main
      const encryptedSecret = 'encrypted-secret';
      configStub.returns({ secret: encryptedSecret });
      encrypterStub.decrypt.returns(validSecret);

      const code = await mfaHandler.getMFACode();
      expect(code).to.match(/^\d{6}$/);
      expect(configStub.calledOnce).to.be.true;
      expect(encrypterStub.decrypt.calledWith(encryptedSecret)).to.be.true;
    });

    it('should prioritize environment variable over stored configuration', async () => {
      const envSecret = 'JBSWY3DPEHPK3PXQ'; // Different from stored secret
      process.env.CONTENTSTACK_MFA_SECRET = envSecret;

      const code = await mfaHandler.getMFACode();
      expect(code).to.match(/^\d{6}$/);
      expect(authenticator.verify({ token: code, secret: envSecret })).to.be.true;
    });
  });
<<<<<<< HEAD
=======

>>>>>>> main
});