|
| 1 | +import { describe, expect, test, vi } from "vitest"; |
| 2 | + |
| 3 | +vi.mock("server-only", () => ({ default: vi.fn() })); |
| 4 | +vi.mock("@/prisma", async () => { |
| 5 | + const actual = await vi.importActual<typeof import("@/__mocks__/prisma")>("@/__mocks__/prisma"); |
| 6 | + return { ...actual }; |
| 7 | +}); |
| 8 | + |
| 9 | +import { computeOAuthLinkConflictAudit } from "./authUtils"; |
| 10 | +import { SINGLE_TENANT_ORG_ID } from "@/lib/constants"; |
| 11 | + |
| 12 | +describe("computeOAuthLinkConflictAudit", () => { |
| 13 | + const oauthAccount = { |
| 14 | + provider: "github", |
| 15 | + providerAccountId: "upstream-123", |
| 16 | + type: "oauth" as const, |
| 17 | + }; |
| 18 | + |
| 19 | + test("returns audit event when upstream identity is linked to a different user than the one currently signed in", () => { |
| 20 | + const result = computeOAuthLinkConflictAudit({ |
| 21 | + account: oauthAccount, |
| 22 | + existingLinkedUserId: "user-victim", |
| 23 | + currentUserId: "user-attacker", |
| 24 | + }); |
| 25 | + |
| 26 | + expect(result).toEqual({ |
| 27 | + action: "account.link_failed_already_linked", |
| 28 | + actor: { id: "user-attacker", type: "user" }, |
| 29 | + target: { id: "user-victim", type: "user" }, |
| 30 | + orgId: SINGLE_TENANT_ORG_ID, |
| 31 | + metadata: { |
| 32 | + provider: "github", |
| 33 | + providerAccountId: "upstream-123", |
| 34 | + }, |
| 35 | + }); |
| 36 | + }); |
| 37 | + |
| 38 | + test("returns audit event for OIDC providers too", () => { |
| 39 | + const result = computeOAuthLinkConflictAudit({ |
| 40 | + account: { ...oauthAccount, type: "oidc" }, |
| 41 | + existingLinkedUserId: "user-victim", |
| 42 | + currentUserId: "user-attacker", |
| 43 | + }); |
| 44 | + |
| 45 | + expect(result).not.toBeNull(); |
| 46 | + expect(result?.action).toBe("account.link_failed_already_linked"); |
| 47 | + }); |
| 48 | + |
| 49 | + test("returns null when the upstream identity is linked to the same user that is signed in (re-authentication)", () => { |
| 50 | + const result = computeOAuthLinkConflictAudit({ |
| 51 | + account: oauthAccount, |
| 52 | + existingLinkedUserId: "user-same", |
| 53 | + currentUserId: "user-same", |
| 54 | + }); |
| 55 | + |
| 56 | + expect(result).toBeNull(); |
| 57 | + }); |
| 58 | + |
| 59 | + test("returns null when there is no signed-in user (fresh OAuth login that NextAuth will resolve to the existing user)", () => { |
| 60 | + const result = computeOAuthLinkConflictAudit({ |
| 61 | + account: oauthAccount, |
| 62 | + existingLinkedUserId: "user-victim", |
| 63 | + currentUserId: undefined, |
| 64 | + }); |
| 65 | + |
| 66 | + expect(result).toBeNull(); |
| 67 | + }); |
| 68 | + |
| 69 | + test("returns null when the upstream identity is not yet linked to any user", () => { |
| 70 | + const result = computeOAuthLinkConflictAudit({ |
| 71 | + account: oauthAccount, |
| 72 | + existingLinkedUserId: null, |
| 73 | + currentUserId: "user-attacker", |
| 74 | + }); |
| 75 | + |
| 76 | + expect(result).toBeNull(); |
| 77 | + }); |
| 78 | + |
| 79 | + test("returns null for non-OAuth providers (credentials, email, webauthn)", () => { |
| 80 | + for (const type of ["credentials", "email", "webauthn"] as const) { |
| 81 | + const result = computeOAuthLinkConflictAudit({ |
| 82 | + account: { ...oauthAccount, type }, |
| 83 | + existingLinkedUserId: "user-victim", |
| 84 | + currentUserId: "user-attacker", |
| 85 | + }); |
| 86 | + expect(result, `type=${type}`).toBeNull(); |
| 87 | + } |
| 88 | + }); |
| 89 | + |
| 90 | + test("returns null when account is missing required fields", () => { |
| 91 | + expect( |
| 92 | + computeOAuthLinkConflictAudit({ |
| 93 | + account: null, |
| 94 | + existingLinkedUserId: "user-victim", |
| 95 | + currentUserId: "user-attacker", |
| 96 | + }) |
| 97 | + ).toBeNull(); |
| 98 | + |
| 99 | + expect( |
| 100 | + computeOAuthLinkConflictAudit({ |
| 101 | + account: { provider: "", providerAccountId: "id", type: "oauth" }, |
| 102 | + existingLinkedUserId: "user-victim", |
| 103 | + currentUserId: "user-attacker", |
| 104 | + }) |
| 105 | + ).toBeNull(); |
| 106 | + |
| 107 | + expect( |
| 108 | + computeOAuthLinkConflictAudit({ |
| 109 | + account: { provider: "github", providerAccountId: "", type: "oauth" }, |
| 110 | + existingLinkedUserId: "user-victim", |
| 111 | + currentUserId: "user-attacker", |
| 112 | + }) |
| 113 | + ).toBeNull(); |
| 114 | + }); |
| 115 | +}); |
0 commit comments