-
Notifications
You must be signed in to change notification settings - Fork 315
Expand file tree
/
Copy pathauthUtils.test.ts
More file actions
115 lines (98 loc) · 4 KB
/
Copy pathauthUtils.test.ts
File metadata and controls
115 lines (98 loc) · 4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
import { describe, expect, test, vi } from "vitest";
vi.mock("server-only", () => ({ default: vi.fn() }));
vi.mock("@/prisma", async () => {
const actual = await vi.importActual<typeof import("@/__mocks__/prisma")>("@/__mocks__/prisma");
return { ...actual };
});
import { computeOAuthLinkConflictAudit } from "./authUtils";
import { SINGLE_TENANT_ORG_ID } from "@/lib/constants";
describe("computeOAuthLinkConflictAudit", () => {
const oauthAccount = {
provider: "github",
providerAccountId: "upstream-123",
type: "oauth" as const,
};
test("returns audit event when upstream identity is linked to a different user than the one currently signed in", () => {
const result = computeOAuthLinkConflictAudit({
account: oauthAccount,
existingLinkedUserId: "user-victim",
currentUserId: "user-attacker",
});
expect(result).toEqual({
action: "account.link_failed_already_linked",
actor: { id: "user-attacker", type: "user" },
target: { id: "user-victim", type: "user" },
orgId: SINGLE_TENANT_ORG_ID,
metadata: {
provider: "github",
providerAccountId: "upstream-123",
},
});
});
test("returns audit event for OIDC providers too", () => {
const result = computeOAuthLinkConflictAudit({
account: { ...oauthAccount, type: "oidc" },
existingLinkedUserId: "user-victim",
currentUserId: "user-attacker",
});
expect(result).not.toBeNull();
expect(result?.action).toBe("account.link_failed_already_linked");
});
test("returns null when the upstream identity is linked to the same user that is signed in (re-authentication)", () => {
const result = computeOAuthLinkConflictAudit({
account: oauthAccount,
existingLinkedUserId: "user-same",
currentUserId: "user-same",
});
expect(result).toBeNull();
});
test("returns null when there is no signed-in user (fresh OAuth login that NextAuth will resolve to the existing user)", () => {
const result = computeOAuthLinkConflictAudit({
account: oauthAccount,
existingLinkedUserId: "user-victim",
currentUserId: undefined,
});
expect(result).toBeNull();
});
test("returns null when the upstream identity is not yet linked to any user", () => {
const result = computeOAuthLinkConflictAudit({
account: oauthAccount,
existingLinkedUserId: null,
currentUserId: "user-attacker",
});
expect(result).toBeNull();
});
test("returns null for non-OAuth providers (credentials, email, webauthn)", () => {
for (const type of ["credentials", "email", "webauthn"] as const) {
const result = computeOAuthLinkConflictAudit({
account: { ...oauthAccount, type },
existingLinkedUserId: "user-victim",
currentUserId: "user-attacker",
});
expect(result, `type=${type}`).toBeNull();
}
});
test("returns null when account is missing required fields", () => {
expect(
computeOAuthLinkConflictAudit({
account: null,
existingLinkedUserId: "user-victim",
currentUserId: "user-attacker",
})
).toBeNull();
expect(
computeOAuthLinkConflictAudit({
account: { provider: "", providerAccountId: "id", type: "oauth" },
existingLinkedUserId: "user-victim",
currentUserId: "user-attacker",
})
).toBeNull();
expect(
computeOAuthLinkConflictAudit({
account: { provider: "github", providerAccountId: "", type: "oauth" },
existingLinkedUserId: "user-victim",
currentUserId: "user-attacker",
})
).toBeNull();
});
});