From c222c9362802fcbbb533d83eae02b931bbd078c3 Mon Sep 17 00:00:00 2001
From: benya <benya@daemonlord.ru>
Date: Sun, 8 Mar 2026 21:01:26 +0300
Subject: [PATCH] test(auth): cover normalized 2fa recovery codes and status
 decrement

---
 docs/core-checklist-status.md |  2 +-
 tests/test_auth_flow.py       | 54 +++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+), 1 deletion(-)

diff --git a/docs/core-checklist-status.md b/docs/core-checklist-status.md
index 4c5732e..e366f04 100644
--- a/docs/core-checklist-status.md
+++ b/docs/core-checklist-status.md
@@ -38,7 +38,7 @@ Legend:
 29. Archive - `DONE`
 30. Blacklist - `DONE`
 31. Privacy - `PARTIAL` (avatar/last-seen/group-invites + PM policy `everyone|contacts|nobody`; group-invite `nobody` is available in API and web settings; integration tests cover PM policy matrix (`everyone/contacts/nobody`), group-invite policy matrix (`everyone/contacts/nobody`), and private chat counterpart visibility for `nobody/contacts`, remaining UX/matrix hardening)
-32. Security - `PARTIAL` (sessions + revoke + 2FA base + access-session visibility; integration tests cover single-session revoke and revoke-all invalidation/force-disconnect; 2FA setup now blocked after enable to prevent secret re-issuance; one-time recovery codes added; web settings now has safer revoke UX with confirmation/loading/error feedback)
+32. Security - `PARTIAL` (sessions + revoke + 2FA base + access-session visibility; integration tests cover single-session revoke and revoke-all invalidation/force-disconnect; 2FA setup now blocked after enable to prevent secret re-issuance; one-time recovery codes added and covered for normalization/lifecycle (`remaining_codes` decrement + one-time usage); web settings now has safer revoke UX with confirmation/loading/error feedback; web auth panel supports recovery-code login)
 33. Realtime Events - `DONE` (connect/disconnect/send/receive/typing/read/delivered/online/offline + chat/message updates + chat_deleted)
 34. Sync - `PARTIAL` (cross-device via backend state + realtime; reconciliation improved for loaded chats/messages, chat-info panel hot-refreshes on `chat_updated`, delete/leave updates realtime subscriptions, full-chat delete emits `chat_deleted`)
 35. Additional - `PARTIAL` (drafts/link preview partial/autoload media basic)
diff --git a/tests/test_auth_flow.py b/tests/test_auth_flow.py
index 18b7b9c..3fd88c4 100644
--- a/tests/test_auth_flow.py
+++ b/tests/test_auth_flow.py
@@ -243,3 +243,57 @@ async def test_twofa_recovery_codes_can_login_once(client, db_session):
         json={"email": payload["email"], "password": payload["password"], "recovery_code": first_code},
     )
     assert reuse_recovery_code.status_code == 401
+
+
+async def test_twofa_recovery_codes_are_normalized_and_decrement_status(client, db_session):
+    payload = {
+        "email": "erin2@example.com",
+        "name": "Erin Two",
+        "username": "erin_two",
+        "password": "strongpass123",
+    }
+    await client.post("/api/v1/auth/register", json=payload)
+    token_row = await db_session.execute(select(EmailVerificationToken).order_by(EmailVerificationToken.id.desc()))
+    verify_token = token_row.scalar_one().token
+    await client.post("/api/v1/auth/verify-email", json={"token": verify_token})
+
+    login_response = await client.post(
+        "/api/v1/auth/login",
+        json={"email": payload["email"], "password": payload["password"]},
+    )
+    assert login_response.status_code == 200
+    access_token = login_response.json()["access_token"]
+    headers = {"Authorization": f"Bearer {access_token}"}
+
+    setup_response = await client.post("/api/v1/auth/2fa/setup", headers=headers)
+    assert setup_response.status_code == 200
+    secret = setup_response.json()["secret"]
+
+    enable_response = await client.post("/api/v1/auth/2fa/enable", headers=headers, json={"code": _totp_code(secret)})
+    assert enable_response.status_code == 200
+
+    regen_response = await client.post(
+        "/api/v1/auth/2fa/recovery-codes/regenerate",
+        headers=headers,
+        json={"code": _totp_code(secret)},
+    )
+    assert regen_response.status_code == 200
+    codes = regen_response.json()["codes"]
+    assert len(codes) >= 2
+    initial_count = len(codes)
+    first_code = codes[0]
+
+    status_before = await client.get("/api/v1/auth/2fa/recovery-codes/status", headers=headers)
+    assert status_before.status_code == 200
+    assert status_before.json()["remaining_codes"] == initial_count
+
+    normalized_variant = first_code.lower().replace("-", "")
+    login_with_normalized_recovery = await client.post(
+        "/api/v1/auth/login",
+        json={"email": payload["email"], "password": payload["password"], "recovery_code": normalized_variant},
+    )
+    assert login_with_normalized_recovery.status_code == 200
+
+    status_after = await client.get("/api/v1/auth/2fa/recovery-codes/status", headers=headers)
+    assert status_after.status_code == 200
+    assert status_after.json()["remaining_codes"] == initial_count - 1