chore: add totp acceptance tests

2025-12-12 06:02:23 +00:00 · 2024-11-28 09:57:20 +01:00
parent f38b8b753c
commit f0d9d3b429
7 changed files with 330 additions and 214 deletions
--- a/acceptance/tests/login.ts
+++ b/acceptance/tests/login.ts
@@ -1,7 +1,8 @@
 import { expect, Page } from "@playwright/test";
-import { otpFromSink } from "./code";
+import { code, otpFromSink } from "./code";
 import { loginname } from "./loginname";
 import { password } from "./password";
+import { totp } from "./zitadel";

 export async function startLogin(page: Page) {
  await page.goto("/loginname");
@@ -33,3 +34,8 @@ export async function loginWithPasswordAndPhoneOTP(page: Page, username: string,
  await loginWithPassword(page, username, password);
  await otpFromSink(page, phone);
 }
+
+export async function loginWithPasswordAndTOTP(page: Page, username: string, password: string, secret: string) {
+  await loginWithPassword(page, username, password);
+  await code(page, totp(secret));
+}
--- a/acceptance/tests/user.ts
+++ b/acceptance/tests/user.ts
@@ -1,7 +1,6 @@
 import { Page } from "@playwright/test";
-import axios from "axios";
 import { registerWithPasskey } from "./register";
-import { getUserByUsername, removeUser } from "./zitadel";
+import { activateOTP, addTOTP, addUser, getUserByUsername, removeUser } from "./zitadel";

 export interface userProps {
  email: string;
@@ -21,47 +20,9 @@ class User {
  }

  async ensure(page: Page) {
-    const body = {
-      username: this.props.email,
-      organization: {
-        orgId: this.props.organization,
-      },
-      profile: {
-        givenName: this.props.firstName,
-        familyName: this.props.lastName,
-      },
-      email: {
-        email: this.props.email,
-        isVerified: true,
-      },
-      phone: {
-        phone: this.props.phone!,
-        isVerified: true,
-      },
-      password: {
-        password: this.props.password!,
-      },
-    };
-
-    try {
-      const response = await axios.post(`${process.env.ZITADEL_API_URL}/v2/users/human`, body, {
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
-        },
-      });
-
-      if (response.status >= 400) {
-        const error = `HTTP Error: ${response.status} - ${response.statusText}`;
-        console.error(error);
-        throw new Error(error);
-      }
-      this.setUserId(response.data.userId);
-    } catch (error) {
-      console.error("Error making request:", error);
-      throw error;
-    }
+    const response = await addUser(this.props);

+    this.setUserId(response.userId);
    // wait for projection of user
    await page.waitForTimeout(2000);
  }
@@ -142,43 +103,30 @@ export class PasswordUserWithOTP extends User {
  async ensure(page: Page) {
    await super.ensure(page);

-    let url = "otp_";
-    switch (this.type) {
-      case OtpType.sms:
-        url = url + "sms";
-        break;
-      case OtpType.email:
-        url = url + "email";
-        break;
-    }
-
-    try {
-      const response = await axios.post(
-        `${process.env.ZITADEL_API_URL}/v2/users/${this.getUserId()}/${url}`,
-        {},
-        {
-          headers: {
-            "Content-Type": "application/json",
-            Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
-          },
-        },
-      );
-
-      if (response.status >= 400) {
-        const error = `HTTP Error: ${response.status} - ${response.statusText}`;
-        console.error(error);
-        throw new Error(error);
-      }
-    } catch (error) {
-      console.error("Error making request:", error);
-      throw error;
-    }
+    await activateOTP(this.getUserId(), this.type);

    // wait for projection of user
    await page.waitForTimeout(2000);
  }
 }

+export class PasswordUserWithTOTP extends User {
+  private secret: string;
+
+  async ensure(page: Page) {
+    await super.ensure(page);
+
+    this.secret = await addTOTP(this.getUserId());
+
+    // wait for projection of user
+    await page.waitForTimeout(2000);
+  }
+
+  public getSecret(): string {
+    return this.secret;
+  }
+}
+
 export interface passkeyUserProps {
  email: string;
  firstName: string;
--- a/acceptance/tests/username-password-otp_sms.spec.ts
+++ b/acceptance/tests/username-password-otp_sms.spec.ts
@@ -48,7 +48,6 @@ test("username, password and sms otp login, resend code", async ({ user, page })
  // User clicks resend code
  // User receives a new sms with a verification code
  // User is redirected to the app (default redirect url)
-  await loginWithPassword(page, user.getUsername(), user.getPassword());
  await loginWithPasswordAndPhoneOTP(page, user.getUsername(), user.getPassword(), user.getPhone());
  await loginScreenExpect(page, user.getFullName());
 });
--- a/acceptance/tests/username-password-totp.spec.ts
+++ b/acceptance/tests/username-password-totp.spec.ts
@@ -1,6 +1,32 @@
-import { test } from "@playwright/test";
+import { faker } from "@faker-js/faker";
+import { test as base } from "@playwright/test";
+import dotenv from "dotenv";
+import path from "path";
+import { code } from "./code";
+import { codeScreenExpect } from "./code-screen";
+import { loginScreenExpect, loginWithPassword, loginWithPasswordAndTOTP } from "./login";
+import { PasswordUserWithTOTP } from "./user";

-test("username, password and totp login", async ({ page }) => {
+// Read from ".env" file.
+dotenv.config({ path: path.resolve(__dirname, ".env.local") });
+
+const test = base.extend<{ user: PasswordUserWithTOTP; sink: any }>({
+  user: async ({ page }, use) => {
+    const user = new PasswordUserWithTOTP({
+      email: faker.internet.email(),
+      firstName: faker.person.firstName(),
+      lastName: faker.person.lastName(),
+      organization: "",
+      phone: faker.phone.number({ style: "international" }),
+      password: "Password1!",
+    });
+
+    await user.ensure(page);
+    await use(user);
+  },
+});
+
+test("username, password and totp login", async ({ user, page }) => {
  // Given totp is enabled on the organization of the user
  // Given the user has only totp configured as second factor
  // User enters username
@@ -8,9 +34,11 @@ test("username, password and totp login", async ({ page }) => {
  // Screen for entering the code is shown directly
  // User enters the code into the ui
  // User is redirected to the app (default redirect url)
+  await loginWithPasswordAndTOTP(page, user.getUsername(), user.getPassword(), user.getSecret());
+  await loginScreenExpect(page, user.getFullName());
 });

-test("username, password and totp otp login, wrong code", async ({ page }) => {
+test("username, password and totp otp login, wrong code", async ({ user, page }) => {
  // Given totp is enabled on the organization of the user
  // Given the user has only totp configured as second factor
  // User enters username
@@ -18,6 +46,10 @@ test("username, password and totp otp login, wrong code", async ({ page }) => {
  // Screen for entering the code is shown directly
  // User enters a wrond code
  // Error message - "Invalid code" is shown
+  const c = "wrongcode";
+  await loginWithPassword(page, user.getUsername(), user.getPassword());
+  await code(page, c);
+  await codeScreenExpect(page, c);
 });

 test("username, password and totp login, multiple mfa options", async ({ page }) => {
--- a/acceptance/tests/zitadel.ts
+++ b/acceptance/tests/zitadel.ts
@@ -1,4 +1,34 @@
+import { Authenticator } from "@otplib/core";
+import { createDigest, createRandomBytes } from "@otplib/plugin-crypto";
+import { keyDecoder, keyEncoder } from "@otplib/plugin-thirty-two"; // use your chosen base32 plugin
 import axios from "axios";
+import { OtpType, userProps } from "./user";
+
+export async function addUser(props: userProps) {
+  const body = {
+    username: props.email,
+    organization: {
+      orgId: props.organization,
+    },
+    profile: {
+      givenName: props.firstName,
+      familyName: props.lastName,
+    },
+    email: {
+      email: props.email,
+      isVerified: true,
+    },
+    phone: {
+      phone: props.phone!,
+      isVerified: true,
+    },
+    password: {
+      password: props.password!,
+    },
+  };
+
+  return await listCall(`${process.env.ZITADEL_API_URL}/v2/users/human`, body);
+}

 export async function removeUserByUsername(username: string) {
  const resp = await getUserByUsername(username);
@@ -9,8 +39,12 @@ export async function removeUserByUsername(username: string) {
 }

 export async function removeUser(id: string) {
+  await deleteCall(`${process.env.ZITADEL_API_URL}/v2/users/${id}`);
+}
+
+async function deleteCall(url: string) {
  try {
-    const response = await axios.delete(`${process.env.ZITADEL_API_URL}/v2/users/${id}`, {
+    const response = await axios.delete(url, {
      headers: {
        Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
      },
@@ -27,7 +61,7 @@ export async function removeUser(id: string) {
  }
 }

-export async function getUserByUsername(username: string) {
+export async function getUserByUsername(username: string): Promise<any> {
  const listUsersBody = {
    queries: [
      {
@@ -38,8 +72,12 @@ export async function getUserByUsername(username: string) {
    ],
  };

+  return await listCall(`${process.env.ZITADEL_API_URL}/v2/users`, listUsersBody);
+}
+
+async function listCall(url: string, data: any): Promise<any> {
  try {
-    const response = await axios.post(`${process.env.ZITADEL_API_URL}/v2/users`, listUsersBody, {
+    const response = await axios.post(url, data, {
      headers: {
        "Content-Type": "application/json",
        Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
@@ -58,3 +96,64 @@ export async function getUserByUsername(username: string) {
    throw error;
  }
 }
+
+export async function activateOTP(userId: string, type: OtpType) {
+  let url = "otp_";
+  switch (type) {
+    case OtpType.sms:
+      url = url + "sms";
+      break;
+    case OtpType.email:
+      url = url + "email";
+      break;
+  }
+
+  await pushCall(`${process.env.ZITADEL_API_URL}/v2/users/${userId}/${url}`, {});
+}
+
+async function pushCall(url: string, data: any) {
+  try {
+    const response = await axios.post(url, data, {
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
+      },
+    });
+
+    if (response.status >= 400) {
+      const error = `HTTP Error: ${response.status} - ${response.statusText}`;
+      console.error(error);
+      throw new Error(error);
+    }
+  } catch (error) {
+    console.error("Error making request:", error);
+    throw error;
+  }
+}
+
+export async function addTOTP(userId: string): Promise<string> {
+  const response = await listCall(`${process.env.ZITADEL_API_URL}/v2/users/${userId}/totp`, {});
+  const code = totp(response.secret);
+  await pushCall(`${process.env.ZITADEL_API_URL}/v2/users/${userId}/totp/verify`, { code: code });
+  return response.secret;
+}
+
+export function totp(secret: string) {
+  const authenticator = new Authenticator({
+    createDigest,
+    createRandomBytes,
+    keyDecoder,
+    keyEncoder,
+  });
+  // google authenticator usage
+  const token = authenticator.generate(secret);
+
+  // check if token can be used
+  if (!authenticator.verify({ token: token, secret: secret })) {
+    const error = `Generated token could not be verified`;
+    console.error(error);
+    throw new Error(error);
+  }
+
+  return token;
+}