CapaKraken/packages/api/src/__tests__/assistant-tools-user-self-service-mfa-errors.test.ts

import { beforeEach, describe, expect, it, vi } from "vitest";
import { SystemRole } from "@capakraken/shared";
import {
  createToolContext,
  executeTool,
  totpValidateMock,
} from "./assistant-tools-user-self-service-mfa-test-helpers.js";

describe("assistant user self-service MFA tools - errors", () => {
  beforeEach(() => {
    vi.clearAllMocks();
    totpValidateMock.mockReset();
  });

  it("returns a stable error when enabling TOTP without a generated secret", async () => {
    const ctx = createToolContext(
      {
        user: {
          findUnique: vi.fn().mockResolvedValue({
            id: "user_1",
            name: "Assistant User",
            email: "assistant@example.com",
            totpSecret: null,
            totpEnabled: false,
          }),
        },
      },
      SystemRole.ADMIN,
    );

    const result = await executeTool(
      "verify_and_enable_totp",
      JSON.stringify({ token: "123456" }),
      ctx,
    );

    expect(JSON.parse(result.content)).toEqual({
      error: "No TOTP secret generated. Call generate_totp_secret first.",
    });
  });

  it("returns a stable error when enabling TOTP for a missing user", async () => {
    const ctx = createToolContext(
      {
        user: {
          findUnique: vi.fn().mockResolvedValue(null),
        },
      },
      SystemRole.ADMIN,
    );

    const result = await executeTool(
      "verify_and_enable_totp",
      JSON.stringify({ token: "123456" }),
      ctx,
    );

    expect(JSON.parse(result.content)).toEqual({
      error: "User not found with the given criteria.",
    });
  });

  it("returns a stable error when enabling TOTP that is already enabled", async () => {
    const ctx = createToolContext(
      {
        user: {
          findUnique: vi.fn().mockResolvedValue({
            id: "user_1",
            name: "Assistant User",
            email: "assistant@example.com",
            totpSecret: "MOCKSECRET",
            totpEnabled: true,
          }),
        },
      },
      SystemRole.ADMIN,
    );

    const result = await executeTool(
      "verify_and_enable_totp",
      JSON.stringify({ token: "123456" }),
      ctx,
    );

    expect(JSON.parse(result.content)).toEqual({
      error: "TOTP is already enabled.",
    });
  });

  it("returns a stable error when a provided TOTP token is invalid", async () => {
    totpValidateMock.mockReturnValue(null);

    const update = vi.fn();
    const ctx = createToolContext(
      {
        user: {
          findUnique: vi.fn().mockResolvedValue({
            id: "user_1",
            name: "Assistant User",
            email: "assistant@example.com",
            totpSecret: "MOCKSECRET",
            totpEnabled: false,
          }),
          update,
        },
      },
      SystemRole.ADMIN,
    );

    const result = await executeTool(
      "verify_and_enable_totp",
      JSON.stringify({ token: "123456" }),
      ctx,
    );

    expect(update).not.toHaveBeenCalled();
    expect(JSON.parse(result.content)).toEqual({
      error: "Invalid TOTP token.",
    });
  });
});