Archive/screentinker
1
0
Fork 0
mirror of https://github.com/screentinker/screentinker.git synced 2026-06-17 11:42:40 -06:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
screentinker/server/test/totp-keyrotation.test.js
ScreenTinker 728f03beba test(server): TOTP - bite, lockout, replay, recovery, st_ bypass, key-rotation (#100) 
Unit: the mfa_pending BITE (db-injected so removing the rejection goes red), lockout, replay,
recovery-hash, decrypt-null graceful. Integration: enrollment, login->mfa_required, route-level
bite, recovery single-use, API-token bypass, verify lockout. Key-rotation: enroll under key A,
reboot under key B -> recovery still works, TOTP fails cleanly (no 500).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-13 20:48:55 -05:00

78 lines
4 KiB
JavaScript
Raw Blame History

'use strict';
// #100 key-rotation robustness: secretbox derives its key from JWT_SECRET, so an enrolled
// user's totp_secret_enc is bound to it. If the key changes (redeploy with a different
// JWT_SECRET, or a non-persisted .jwt_secret regenerated on a fresh Docker boot), the
// stored TOTP secret becomes undecryptable. Requirement: the user must NOT be hard-locked
// out - recovery codes (hashed, key-independent) must still work, and a TOTP attempt must
// fail CLEANLY (401), never 500. Boots under key A (enroll), reboots under key B (verify).
const { test } = require('node:test');
const assert = require('node:assert/strict');
const { spawn } = require('node:child_process');
const path = require('node:path');
const os = require('node:os');
const fs = require('node:fs');
const crypto = require('node:crypto');
const { authenticator } = require('otplib');
const PORT = 3980;
const BASE = `http://127.0.0.1:${PORT}`;
const DATA_DIR = path.join(os.tmpdir(), 'st-totp-rot-' + crypto.randomBytes(4).toString('hex'));
function bootServer(jwtSecret) {
const logFd = fs.openSync(path.join(os.tmpdir(), 'st-rot-' + crypto.randomBytes(3).toString('hex') + '.log'), 'w');
return spawn('node', ['server.js'], {
cwd: path.join(__dirname, '..'),
env: { ...process.env, DATA_DIR, SELF_HOSTED: 'true', PORT: String(PORT), NODE_ENV: 'test', JWT_SECRET: jwtSecret },
stdio: ['ignore', logFd, logFd],
});
}
async function waitUp() {
for (let i = 0; i < 80; i++) {
try { const r = await fetch(BASE + '/api/status'); if (r.ok) return; } catch { /* not yet */ }
await new Promise(r => setTimeout(r, 250));
}
throw new Error('server did not boot');
}
async function jfetch(p, opts = {}) {
const res = await fetch(BASE + p, opts);
let body = null; try { body = await res.json(); } catch { /* non-JSON */ }
return { status: res.status, body };
}
const post = (o) => ({ method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(o || {}) });
const postAuth = (tok, o) => ({ method: 'POST', headers: { Authorization: 'Bearer ' + tok, 'Content-Type': 'application/json' }, body: JSON.stringify(o || {}) });
test('#100 key rotation does NOT brick TOTP: recovery survives; TOTP fails cleanly (no 500)', async () => {
let proc = bootServer('keyA-' + crypto.randomBytes(8).toString('hex'));
try {
await waitUp();
const email = 'rot' + crypto.randomBytes(4).toString('hex') + '@x.local';
const tok = (await jfetch('/api/auth/register', post({ email, password: 'Passw0rd123' }))).body.token;
const secret = (await jfetch('/api/auth/totp/setup', postAuth(tok, {}))).body.secret;
const recovery = (await jfetch('/api/auth/totp/enable', postAuth(tok, { code: authenticator.generate(secret) }))).body.recovery_codes;
assert.equal(recovery.length, 10, 'enrolled under key A');
proc.kill('SIGKILL'); await new Promise(r => setTimeout(r, 600));
// Reboot with a DIFFERENT key (same DATA_DIR) -> totp_secret_enc is now undecryptable.
proc = bootServer('keyB-' + crypto.randomBytes(8).toString('hex'));
await waitUp();
// password login still issues an MFA challenge
const l1 = await jfetch('/api/auth/login', post({ email, password: 'Passw0rd123' }));
assert.equal(l1.body.mfa_required, true, 'still challenged after the key change');
// a TOTP code can't be verified (secret undecryptable) -> CLEAN 401, NEVER 500
const totpTry = await jfetch('/api/auth/totp/verify', post({ mfa_token: l1.body.mfa_token, code: authenticator.generate(secret) }));
assert.equal(totpTry.status, 401, 'TOTP fails cleanly when the secret cannot be decrypted (not 500)');
// a RECOVERY code STILL works (hashed, key-independent) -> the user is not bricked
const l2 = await jfetch('/api/auth/login', post({ email, password: 'Passw0rd123' }));
const rec = await jfetch('/api/auth/totp/verify', post({ mfa_token: l2.body.mfa_token, code: recovery[0] }));
assert.ok(rec.body.token, 'recovery code survives the key change -> NOT hard-locked-out');
} finally {
try { proc.kill('SIGKILL'); } catch { /* ignore */ }
}
});
Reference in a new issue View git blame Copy permalink