fix(api): harden user self-service and resource linking

2026-03-31 21:02:36 +02:00
parent e8c0d3c3eb
commit 99db52929f
24 changed files with 2882 additions and 38 deletions
@@ -0,0 +1,121 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { SystemRole } from "@capakraken/shared";
+import {
+  createToolContext,
+  executeTool,
+  totpValidateMock,
+} from "./assistant-tools-user-self-service-mfa-test-helpers.js";
+
+describe("assistant user self-service MFA tools - errors", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    totpValidateMock.mockReset();
+  });
+
+  it("returns a stable error when enabling TOTP without a generated secret", async () => {
+    const ctx = createToolContext(
+      {
+        user: {
+          findUnique: vi.fn().mockResolvedValue({
+            id: "user_1",
+            name: "Assistant User",
+            email: "assistant@example.com",
+            totpSecret: null,
+            totpEnabled: false,
+          }),
+        },
+      },
+      SystemRole.ADMIN,
+    );
+
+    const result = await executeTool(
+      "verify_and_enable_totp",
+      JSON.stringify({ token: "123456" }),
+      ctx,
+    );
+
+    expect(JSON.parse(result.content)).toEqual({
+      error: "No TOTP secret generated. Call generate_totp_secret first.",
+    });
+  });
+
+  it("returns a stable error when enabling TOTP for a missing user", async () => {
+    const ctx = createToolContext(
+      {
+        user: {
+          findUnique: vi.fn().mockResolvedValue(null),
+        },
+      },
+      SystemRole.ADMIN,
+    );
+
+    const result = await executeTool(
+      "verify_and_enable_totp",
+      JSON.stringify({ token: "123456" }),
+      ctx,
+    );
+
+    expect(JSON.parse(result.content)).toEqual({
+      error: "User not found with the given criteria.",
+    });
+  });
+
+  it("returns a stable error when enabling TOTP that is already enabled", async () => {
+    const ctx = createToolContext(
+      {
+        user: {
+          findUnique: vi.fn().mockResolvedValue({
+            id: "user_1",
+            name: "Assistant User",
+            email: "assistant@example.com",
+            totpSecret: "MOCKSECRET",
+            totpEnabled: true,
+          }),
+        },
+      },
+      SystemRole.ADMIN,
+    );
+
+    const result = await executeTool(
+      "verify_and_enable_totp",
+      JSON.stringify({ token: "123456" }),
+      ctx,
+    );
+
+    expect(JSON.parse(result.content)).toEqual({
+      error: "TOTP is already enabled.",
+    });
+  });
+
+  it("returns a stable error when a provided TOTP token is invalid", async () => {
+    totpValidateMock.mockReturnValue(null);
+
+    const update = vi.fn();
+    const ctx = createToolContext(
+      {
+        user: {
+          findUnique: vi.fn().mockResolvedValue({
+            id: "user_1",
+            name: "Assistant User",
+            email: "assistant@example.com",
+            totpSecret: "MOCKSECRET",
+            totpEnabled: false,
+          }),
+          update,
+        },
+      },
+      SystemRole.ADMIN,
+    );
+
+    const result = await executeTool(
+      "verify_and_enable_totp",
+      JSON.stringify({ token: "123456" }),
+      ctx,
+    );
+
+    expect(update).not.toHaveBeenCalled();
+    expect(JSON.parse(result.content)).toEqual({
+      error: "Invalid TOTP token.",
+    });
+  });
+});