feat: magic link tests

Bccorb · Bccorb · commit dade94fd17fb · 2026-03-25T23:30:01.000-04:00
diff --git a/src/controllers/magicLinks.ts b/src/controllers/magicLinks.ts
@@ -86,7 +86,7 @@ export async function verifyMagicLink(req: Request, res: Response) {
   const { token } = req.params;
 
   if (!token) {
-    return res.status(400).json({ message: 'Missing verification token' });
+    return res.status(400).json({ error: 'Missing verification token' });
   }
   const tokenHash = hashSha256(token);
 
@@ -96,17 +96,17 @@ export async function verifyMagicLink(req: Request, res: Response) {
 
   if (!record) {
     logger.warn(`No magic link found for token: ${token}`);
-    return res.status(400).json({ message: 'Invalid verification token' });
+    return res.status(400).json({ error: 'Invalid verification token' });
   }
 
   if (record.used_at) {
     logger.warn(`Magic link token is already used ${token}`);
-    return res.status(400).json({ message: 'Invalid verification token' });
+    return res.status(400).json({ error: 'Invalid verification token' });
   }
 
   if (record.expires_at < new Date()) {
     logger.warn(`Magic link token expired: ${token}`);
-    return res.status(400).json({ message: 'Invalid verification token' });
+    return res.status(400).json({ error: 'Invalid verification token' });
   }
 
   // Atomic consume
@@ -124,7 +124,7 @@ export async function verifyMagicLink(req: Request, res: Response) {
 
   if (!updated) {
     logger.error(`Magic link token was not consumted: ${token}`);
-    return res.status(500).json({ message: 'Failed to use token' });
+    return res.status(500).json({ error: 'Failed to use token' });
   }
 
   await AuthEventService.log({
@@ -156,7 +156,7 @@ export async function pollMagicLinkConfirmation(req: Request, res: Response) {
 
   if (!user) {
     return res.status(400).json({
-      message: 'Failed',
+      error: 'Failed',
     });
   }
 
@@ -165,19 +165,19 @@ export async function pollMagicLinkConfirmation(req: Request, res: Response) {
   });
 
   if (!record) {
-    console.log('No magic link token');
-    return res.status(500).json({ message: 'Invalid request' });
+    logger.warn('No magic link token');
+    return res.status(500).json({ error: 'Invalid request' });
   }
 
   // Device binding check
   const { ip_hash, user_agent_hash } = hashDeviceFingerprint(req.ip, req.headers['user-agent']);
 
   if (record.ip_hash && record.ip_hash !== ip_hash) {
-    return res.status(500).json({ message: 'Invalid request' });
+    return res.status(500).json({ error: 'Invalid request' });
   }
 
   if (record.user_agent_hash && record.user_agent_hash !== user_agent_hash) {
-    return res.status(500).json({ message: 'Invalid request' });
+    return res.status(500).json({ error: 'Invalid request' });
   }
 
   if (record.used_at && record.expires_at > new Date()) {
diff --git a/tests/integration/magicLink/magicLink.spec.ts b/tests/integration/magicLink/magicLink.spec.ts
@@ -0,0 +1,174 @@
+import request from 'supertest';
+import { beforeAll, beforeEach, describe, expect, it, vi } from 'vitest';
+import { Application } from 'express';
+
+import { User } from '../../../src/models/users.js';
+import { MagicLinkToken } from '../../../src/models/magicLinks.js';
+import { Session } from '../../../src/models/sessions.js';
+
+import { createApp } from '../../../src/app.js';
+import { getSystemConfig } from '../../../src/config/getSystemConfig.js';
+import { generateRefreshToken, hashRefreshToken, signAccessToken } from '../../../src/lib/token.js';
+
+let app: Application;
+
+function buildMagicLink(overrides: any = {}) {
+  return {
+    id: 'link-1',
+    user_id: 'user-1',
+    token_hash: 'hash',
+    used_at: null,
+    expires_at: new Date(Date.now() + 100000),
+    ip_hash: 'ip',
+    user_agent_hash: 'ua',
+    ...overrides,
+  };
+}
+
+beforeAll(async () => {
+  app = await createApp();
+});
+
+beforeEach(() => {
+  (User.findOne as any).mockResolvedValue({
+    id: 'user-1',
+    email: 'test@example.com',
+  });
+
+  (getSystemConfig as any).mockResolvedValue({
+    available_roles: ['user', 'admin'],
+    default_roles: ['user'],
+    access_token_ttl: '15m',
+    refresh_token_ttl: '1h',
+    origins: ['http://localhost:5174'],
+  });
+});
+
+describe('GET /magic-link', () => {
+  it('returns success message even if user not found', async () => {
+    (User.findOne as any).mockResolvedValue(null);
+
+    const res = await request(app).get('/magic-link');
+
+    expect(res.status).toBe(200);
+    expect(res.body.message).toContain('If an account exists');
+  });
+
+  it('creates magic link when user exists', async () => {
+    (User.findOne as any).mockResolvedValue({
+      id: 'user-1',
+      email: 'test@example.com',
+    });
+
+    (MagicLinkToken.update as any).mockResolvedValue([1]);
+    (MagicLinkToken.create as any).mockResolvedValue({});
+
+    const res = await request(app).get('/magic-link');
+
+    expect(res.status).toBe(200);
+    expect(MagicLinkToken.create).toHaveBeenCalled();
+  });
+});
+
+describe('GET /magic-link/verify/:token', () => {
+  it('rejects missing token', async () => {
+    const res = await request(app).get('/magic-link/verify/');
+
+    expect(res.status).toBe(404); // route mismatch
+  });
+
+  it('rejects invalid token', async () => {
+    (MagicLinkToken.findOne as any).mockResolvedValue(null);
+
+    const res = await request(app).get('/magic-link/verify/bad');
+
+    expect(res.status).toBe(400);
+  });
+
+  it('rejects used token', async () => {
+    (MagicLinkToken.findOne as any).mockResolvedValue(buildMagicLink({ used_at: new Date() }));
+
+    const res = await request(app).get('/magic-link/verify/token');
+
+    expect(res.status).toBe(400);
+  });
+
+  it('rejects expired token', async () => {
+    (MagicLinkToken.findOne as any).mockResolvedValue(
+      buildMagicLink({ expires_at: new Date(Date.now() - 1000) }),
+    );
+
+    const res = await request(app).get('/magic-link/verify/token');
+
+    expect(res.status).toBe(400);
+  });
+
+  it('accepts valid token', async () => {
+    (MagicLinkToken.findOne as any).mockResolvedValue(buildMagicLink());
+
+    (MagicLinkToken.update as any).mockResolvedValue([1]);
+
+    const res = await request(app).get('/magic-link/verify/token');
+
+    expect(res.status).toBe(200);
+  });
+});
+
+describe('GET /magic-link/check', () => {
+  it('returns 400 when user not found', async () => {
+    (User.findOne as any).mockResolvedValue(null);
+
+    const res = await request(app).get('/magic-link/check');
+
+    expect(res.status).toBe(400);
+  });
+
+  it('returns 500 when no token found', async () => {
+    (User.findOne as any).mockResolvedValue({ id: 'user-1', email: 'test@example.com' });
+    (MagicLinkToken.findOne as any).mockResolvedValue(null);
+
+    const res = await request(app).get('/magic-link/check');
+
+    expect(res.status).toBe(500);
+  });
+
+  it('returns 204 when not yet verified', async () => {
+    (User.findOne as any).mockResolvedValue({ id: 'user-1', email: 'test@example.com' });
+
+    (MagicLinkToken.findOne as any).mockResolvedValue(buildMagicLink({ used_at: null }));
+
+    const res = await request(app).get('/magic-link/check');
+
+    expect(res.status).toBe(204);
+  });
+});
+
+it('creates session when magic link completed', async () => {
+  const user = {
+    id: 'user-1',
+    email: 'test@example.com',
+    roles: ['user'],
+    save: vi.fn(),
+  };
+
+  (User.findOne as any).mockResolvedValue(user);
+
+  (MagicLinkToken.findOne as any).mockResolvedValue(
+    buildMagicLink({
+      used_at: new Date(),
+      expires_at: new Date(Date.now() + 100000),
+      ip_hash: 'ip',
+      user_agent_hash: 'ua',
+    }),
+  );
+
+  (Session.create as any).mockResolvedValue({ id: 'session-1' });
+
+  (generateRefreshToken as any).mockReturnValue('refresh-token');
+  (hashRefreshToken as any).mockResolvedValue('hashed-refresh');
+  (signAccessToken as any).mockResolvedValue('access-token');
+
+  const res = await request(app).get('/magic-link/check');
+
+  expect(res.status).toBe(200);
+});
diff --git a/tests/setup/mocks.ts b/tests/setup/mocks.ts
@@ -95,6 +95,13 @@ vi.mock('../../src/middleware/requireAdmin.js', () => ({
   },
 }));
 
+vi.mock('../../src/middleware/rateLimit.js', () => ({
+  magicLinkIpLimiter: (_req: any, _res: any, next: any) => next(),
+  magicLinkEmailLimiter: (_req: any, _res: any, next: any) => next(),
+  dynamicRateLimit: (_req: any, _res: any, next: any) => next(),
+  dynamicSlowDown: (_req: any, _res: any, next: any) => next(),
+}));
+
 vi.mock('../../src/utils/otp.js', () => ({
   generatePhoneOTP: vi.fn(),
   generateEmailOTP: vi.fn(),
@@ -125,3 +132,39 @@ vi.mock('../../src/services/authEventService.js', () => ({
     serviceTokenInvalid: vi.fn(),
   },
 }));
+
+vi.mock('../../src/models/magicLinks.js', () => ({
+  MagicLinkToken: {
+    create: vi.fn(),
+    findOne: vi.fn(),
+    update: vi.fn(),
+  },
+}));
+
+vi.mock('../../src/services/messagingService.js', () => ({
+  sendMagicLinkEmail: vi.fn(),
+}));
+
+vi.mock('crypto', async () => {
+  const actual = await vi.importActual<typeof import('crypto')>('crypto');
+  return {
+    ...actual,
+    randomBytes: vi.fn(() => ({
+      toString: () => 'mock-token',
+    })),
+  };
+});
+
+vi.mock('../../src/utils/utils.js', async () => {
+  const actual = await vi.importActual<typeof import('../../src/utils/utils.js')>(
+    '../../src/utils/utils.js',
+  );
+
+  return {
+    ...actual,
+    hashDeviceFingerprint: vi.fn(() => ({
+      ip_hash: 'ip',
+      user_agent_hash: 'ua',
+    })),
+  };
+});
