feat: cookie auth test

Author: Bccorb

src/controllers/sessions.ts

@@ -38,7 +38,7 @@ export const listSessions = async (req: Request, res: Response) => {
     current: session.id === currentSessionId,
   }));
 
-  return res.json({ sessions: response });
+  return res.json({ sessions: response, total: response.length });
 };
 
 export const revokeSession = async (req: Request, res: Response) => {

tests/integration/auth/cookieAuth.spec.ts

@@ -0,0 +1,157 @@
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+import { verifyCookieAuth } from '../../../src/middleware/verifyCookieAuth.js';
+
+import {
+  validateAccessToken,
+  validateSessionRecord,
+  getUserFromSession,
+  verifyJwtWithKid,
+} from '../../../src/services/sessionService.js';
+
+vi.mock('../../../src/models/authEvents.js', () => ({
+  AuthEvent: {
+    create: vi.fn(),
+  },
+}));
+
+vi.mock('bcrypt-ts', () => ({
+  compareSync: vi.fn(),
+}));
+
+import { User } from '../../../src/models/users.js';
+import { Session } from '../../../src/models/sessions.js';
+import { generateRefreshToken, hashRefreshToken, signAccessToken } from '../../../src/lib/token.js';
+import { compareSync } from 'bcrypt-ts';
+
+function mockReqRes(cookies: any = {}) {
+  const req: any = {
+    cookies,
+    ip: '127.0.0.1',
+    headers: {},
+  };
+
+  const res: any = {
+    status: vi.fn().mockReturnThis(),
+    json: vi.fn(),
+  };
+
+  const next = vi.fn();
+
+  return { req, res, next };
+}
+
+beforeEach(() => {
+  vi.clearAllMocks();
+});
+
+describe('verifyCookieAuth - ephemeral', () => {
+  it('rejects missing cookie', async () => {
+    const middleware = verifyCookieAuth('ephemeral');
+    const { req, res, next } = mockReqRes();
+
+    await middleware(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(401);
+  });
+
+  it('accepts valid ephemeral token', async () => {
+    (verifyJwtWithKid as any).mockResolvedValue({ sub: 'user-1' });
+
+    (User.findOne as any).mockResolvedValue({
+      id: 'user-1',
+      revoked: false,
+    });
+
+    const middleware = verifyCookieAuth('ephemeral');
+
+    const { req, res, next } = mockReqRes({
+      seamless_ephemeral: 'token',
+    });
+
+    await middleware(req, res, next);
+
+    expect(req.user).toBeDefined();
+    expect(next).toHaveBeenCalled();
+  });
+});
+
+describe('verifyCookieAuth - access token', () => {
+  it('uses valid access token', async () => {
+    (validateAccessToken as any).mockResolvedValue({
+      sessionId: 'session-1',
+    });
+
+    (validateSessionRecord as any).mockResolvedValue({
+      id: 'session-1',
+    });
+
+    (getUserFromSession as any).mockResolvedValue({
+      id: 'user-1',
+    });
+
+    const middleware = verifyCookieAuth('access');
+
+    const { req, res, next } = mockReqRes({
+      seamless_access: 'access-token',
+    });
+
+    await middleware(req, res, next);
+
+    expect(req.user).toBeDefined();
+    expect(next).toHaveBeenCalled();
+  });
+
+  it('returns 401 when no cookies', async () => {
+    const middleware = verifyCookieAuth('access');
+
+    const { req, res, next } = mockReqRes();
+
+    await middleware(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(401);
+  });
+});
+
+describe('verifyCookieAuth - silent refresh', () => {
+  it('refreshes session when access token invalid', async () => {
+    (validateAccessToken as any).mockResolvedValue(null);
+
+    (compareSync as any).mockReturnValue(true);
+
+    (Session.findAll as any).mockResolvedValue([
+      {
+        id: 'session-1',
+        refreshTokenHash: 'hash',
+        userId: 'user-1',
+        infraId: 'app',
+        mode: 'web',
+        userAgent: 'agent',
+        replacedBySessionId: null,
+        revokedAt: null,
+        save: vi.fn(),
+      },
+    ]);
+
+    (User.findByPk as any).mockResolvedValue({
+      id: 'user-1',
+    });
+
+    (generateRefreshToken as any).mockReturnValue('refresh-token');
+    (hashRefreshToken as any).mockResolvedValue('hashed-refresh');
+    (signAccessToken as any).mockResolvedValue('access-token');
+
+    (Session.create as any).mockResolvedValue({
+      id: 'new-session',
+    });
+
+    const middleware = verifyCookieAuth('access');
+
+    const { req, res, next } = mockReqRes({
+      seamless_refresh: 'refresh-token',
+    });
+
+    await middleware(req, res, next);
+
+    expect(next).toHaveBeenCalled();
+  });
+});

tests/integration/session/session.spec.ts

@@ -0,0 +1,99 @@
+import request from 'supertest';
+import { describe, it, expect, beforeAll, beforeEach, vi } from 'vitest';
+import { createApp } from '../../../src/app';
+import { Application } from 'express';
+
+import { Session } from '../../../src/models/sessions.js';
+import { hardRevokeSession } from '../../../src/services/sessionService.js';
+
+let app: Application;
+
+beforeAll(async () => {
+  app = await createApp();
+});
+
+beforeEach(() => {
+  vi.clearAllMocks();
+});
+
+function buildSession(overrides: any = {}) {
+  return {
+    id: 'session-1',
+    deviceName: 'MacBook',
+    ipAddress: '127.0.0.1',
+    userAgent: 'test-agent',
+    lastUsedAt: new Date(),
+    expiresAt: new Date(Date.now() + 100000),
+    revokedAt: null,
+    ...overrides,
+  };
+}
+
+describe('GET /sessions', () => {
+  it('returns active sessions', async () => {
+    (Session.findAll as any).mockResolvedValue([
+      buildSession({ id: 'session-1' }),
+      buildSession({ id: 'session-2' }),
+    ]);
+
+    const res = await request(app).get('/sessions');
+
+    expect(res.status).toBe(200);
+    expect(res.body.sessions).toHaveLength(2);
+
+    const current = res.body.sessions.find((s: any) => s.id === 'session-1');
+    expect(current.current).toBe(true);
+  });
+
+  it('returns empty list', async () => {
+    (Session.findAll as any).mockResolvedValue([]);
+
+    const res = await request(app).get('/sessions');
+
+    expect(res.status).toBe(200);
+    expect(res.body.sessions).toEqual([]);
+  });
+});
+
+describe('DELETE /sessions/:id', () => {
+  it('revokes a session', async () => {
+    const session = buildSession();
+
+    (Session.findOne as any).mockResolvedValue(session);
+
+    const res = await request(app).delete('/sessions/session-1');
+
+    expect(res.status).toBe(200);
+    expect(hardRevokeSession).toHaveBeenCalledWith(session, 'user_revoked');
+  });
+
+  it('returns 404 if session not found', async () => {
+    (Session.findOne as any).mockResolvedValue(null);
+
+    const res = await request(app).delete('/sessions/bad-id');
+
+    expect(res.status).toBe(404);
+  });
+});
+
+describe('DELETE /sessions', () => {
+  it('revokes all sessions', async () => {
+    const sessions = [buildSession({ id: '1' }), buildSession({ id: '2' })];
+
+    (Session.findAll as any).mockResolvedValue(sessions);
+
+    const res = await request(app).delete('/sessions');
+
+    expect(res.status).toBe(200);
+    expect(hardRevokeSession).toHaveBeenCalledTimes(2);
+  });
+
+  it('handles no sessions gracefully', async () => {
+    (Session.findAll as any).mockResolvedValue([]);
+
+    const res = await request(app).delete('/sessions');
+
+    expect(res.status).toBe(200);
+    expect(hardRevokeSession).not.toHaveBeenCalled();
+  });
+});

tests/setup/mocks.ts

@@ -14,6 +14,22 @@ vi.mock('../../src/models/sessions.js', () => ({
   },
 }));
 
+vi.mock('../../src/models/users.js', () => ({
+  User: {
+    findOne: vi.fn(),
+    findByPk: vi.fn(),
+  },
+}));
+
+vi.mock('../../src/services/sessionService.js', () => ({
+  validateAccessToken: vi.fn(),
+  validateSessionRecord: vi.fn(),
+  getUserFromSession: vi.fn(),
+  verifyJwtWithKid: vi.fn(),
+  revokeSessionChain: vi.fn(),
+  hardRevokeSession: vi.fn(),
+}));
+
 vi.mock('../../src/middleware/attachAuthMiddleware.js', () => ({
   attachAuthMiddleware: () => (req: any, _res: any, next: any) => {
     // inject fake authenticated user
@@ -36,6 +52,8 @@ vi.mock('../../src/middleware/attachAuthMiddleware.js', () => ({
 
       update: vi.fn(),
     };
+
+    req.sessionId = 'session-1';
     next();
   },
 }));
@@ -53,3 +71,8 @@ vi.mock('../../src/lib/token.js', () => ({
   generateRefreshToken: vi.fn(),
   hashRefreshToken: vi.fn(),
 }));
+
+vi.mock('../../src/lib/cookie.js', () => ({
+  setAuthCookies: vi.fn(),
+  clearAuthCookies: vi.fn(),
+}));