test(auth): cover normalized 2fa recovery codes and status decrement
Some checks are pending
CI / test (push) Has started running
Some checks are pending
CI / test (push) Has started running
This commit is contained in:
@@ -38,7 +38,7 @@ Legend:
|
||||
29. Archive - `DONE`
|
||||
30. Blacklist - `DONE`
|
||||
31. Privacy - `PARTIAL` (avatar/last-seen/group-invites + PM policy `everyone|contacts|nobody`; group-invite `nobody` is available in API and web settings; integration tests cover PM policy matrix (`everyone/contacts/nobody`), group-invite policy matrix (`everyone/contacts/nobody`), and private chat counterpart visibility for `nobody/contacts`, remaining UX/matrix hardening)
|
||||
32. Security - `PARTIAL` (sessions + revoke + 2FA base + access-session visibility; integration tests cover single-session revoke and revoke-all invalidation/force-disconnect; 2FA setup now blocked after enable to prevent secret re-issuance; one-time recovery codes added; web settings now has safer revoke UX with confirmation/loading/error feedback)
|
||||
32. Security - `PARTIAL` (sessions + revoke + 2FA base + access-session visibility; integration tests cover single-session revoke and revoke-all invalidation/force-disconnect; 2FA setup now blocked after enable to prevent secret re-issuance; one-time recovery codes added and covered for normalization/lifecycle (`remaining_codes` decrement + one-time usage); web settings now has safer revoke UX with confirmation/loading/error feedback; web auth panel supports recovery-code login)
|
||||
33. Realtime Events - `DONE` (connect/disconnect/send/receive/typing/read/delivered/online/offline + chat/message updates + chat_deleted)
|
||||
34. Sync - `PARTIAL` (cross-device via backend state + realtime; reconciliation improved for loaded chats/messages, chat-info panel hot-refreshes on `chat_updated`, delete/leave updates realtime subscriptions, full-chat delete emits `chat_deleted`)
|
||||
35. Additional - `PARTIAL` (drafts/link preview partial/autoload media basic)
|
||||
|
||||
@@ -243,3 +243,57 @@ async def test_twofa_recovery_codes_can_login_once(client, db_session):
|
||||
json={"email": payload["email"], "password": payload["password"], "recovery_code": first_code},
|
||||
)
|
||||
assert reuse_recovery_code.status_code == 401
|
||||
|
||||
|
||||
async def test_twofa_recovery_codes_are_normalized_and_decrement_status(client, db_session):
|
||||
payload = {
|
||||
"email": "erin2@example.com",
|
||||
"name": "Erin Two",
|
||||
"username": "erin_two",
|
||||
"password": "strongpass123",
|
||||
}
|
||||
await client.post("/api/v1/auth/register", json=payload)
|
||||
token_row = await db_session.execute(select(EmailVerificationToken).order_by(EmailVerificationToken.id.desc()))
|
||||
verify_token = token_row.scalar_one().token
|
||||
await client.post("/api/v1/auth/verify-email", json={"token": verify_token})
|
||||
|
||||
login_response = await client.post(
|
||||
"/api/v1/auth/login",
|
||||
json={"email": payload["email"], "password": payload["password"]},
|
||||
)
|
||||
assert login_response.status_code == 200
|
||||
access_token = login_response.json()["access_token"]
|
||||
headers = {"Authorization": f"Bearer {access_token}"}
|
||||
|
||||
setup_response = await client.post("/api/v1/auth/2fa/setup", headers=headers)
|
||||
assert setup_response.status_code == 200
|
||||
secret = setup_response.json()["secret"]
|
||||
|
||||
enable_response = await client.post("/api/v1/auth/2fa/enable", headers=headers, json={"code": _totp_code(secret)})
|
||||
assert enable_response.status_code == 200
|
||||
|
||||
regen_response = await client.post(
|
||||
"/api/v1/auth/2fa/recovery-codes/regenerate",
|
||||
headers=headers,
|
||||
json={"code": _totp_code(secret)},
|
||||
)
|
||||
assert regen_response.status_code == 200
|
||||
codes = regen_response.json()["codes"]
|
||||
assert len(codes) >= 2
|
||||
initial_count = len(codes)
|
||||
first_code = codes[0]
|
||||
|
||||
status_before = await client.get("/api/v1/auth/2fa/recovery-codes/status", headers=headers)
|
||||
assert status_before.status_code == 200
|
||||
assert status_before.json()["remaining_codes"] == initial_count
|
||||
|
||||
normalized_variant = first_code.lower().replace("-", "")
|
||||
login_with_normalized_recovery = await client.post(
|
||||
"/api/v1/auth/login",
|
||||
json={"email": payload["email"], "password": payload["password"], "recovery_code": normalized_variant},
|
||||
)
|
||||
assert login_with_normalized_recovery.status_code == 200
|
||||
|
||||
status_after = await client.get("/api/v1/auth/2fa/recovery-codes/status", headers=headers)
|
||||
assert status_after.status_code == 200
|
||||
assert status_after.json()["remaining_codes"] == initial_count - 1
|
||||
|
||||
Reference in New Issue
Block a user