dragonflight/services/mam-api/test/auth/mfa-tickets.test.js

// MFA ticket binding tests — the second login step's tickets are bound to the
// issuing request's IP + User-Agent (hashed) so a stolen ticket replayed from
// a different origin can't complete the second factor.
import { test } from 'node:test';
import assert from 'node:assert/strict';
import { issueTicket, redeemTicket } from '../../src/auth/mfa-tickets.js';

test('ticket round-trips when ip + userAgent match', () => {
  const id = issueTicket('user-1', { ip: '1.2.3.4', userAgent: 'curl/8' });
  assert.equal(redeemTicket(id, { ip: '1.2.3.4', userAgent: 'curl/8' }), 'user-1');
});

test('ticket rejects redemption from a different IP', () => {
  const id = issueTicket('user-1', { ip: '1.2.3.4', userAgent: 'curl/8' });
  assert.equal(redeemTicket(id, { ip: '9.9.9.9', userAgent: 'curl/8' }), null);
});

test('ticket rejects redemption with a different User-Agent', () => {
  const id = issueTicket('user-1', { ip: '1.2.3.4', userAgent: 'curl/8' });
  assert.equal(redeemTicket(id, { ip: '1.2.3.4', userAgent: 'Mozilla/5.0' }), null);
});

test('ticket is single-use even on binding mismatch', () => {
  // A wrong-binding probe must still burn the ticket — otherwise an attacker
  // could try multiple IPs/UAs against the same ticket.
  const id = issueTicket('user-1', { ip: '1.2.3.4', userAgent: 'curl/8' });
  assert.equal(redeemTicket(id, { ip: '9.9.9.9', userAgent: 'curl/8' }), null);
  // Same ticket with correct bindings now also fails — it was consumed.
  assert.equal(redeemTicket(id, { ip: '1.2.3.4', userAgent: 'curl/8' }), null);
});

test('redeemTicket returns null for missing or unknown id', () => {
  assert.equal(redeemTicket(null), null);
  assert.equal(redeemTicket(undefined), null);
  assert.equal(redeemTicket(''), null);
  assert.equal(redeemTicket('not-a-real-id', { ip: 'x', userAgent: 'y' }), null);
});

test('ticket is single-use on success', () => {
  const id = issueTicket('user-1', { ip: '1.2.3.4', userAgent: 'curl/8' });
  assert.equal(redeemTicket(id, { ip: '1.2.3.4', userAgent: 'curl/8' }), 'user-1');
  assert.equal(redeemTicket(id, { ip: '1.2.3.4', userAgent: 'curl/8' }), null);
});

test('issueTicket without bindings still works (back-compat / tests)', () => {
  const id = issueTicket('user-1');
  // No bindings on redeem either — both sides skip the check.
  assert.equal(redeemTicket(id), 'user-1');
});
fix(mam-api): harden TOTP login flow + tighten Google domain check Review of the v2 auth landing turned up four weak spots in the MFA path. All four are now fixed; behaviour is unchanged for the password-correct + correct-TOTP happy path. 1. TOTP brute-force gate (the big one). /login was calling ipBackoff.recordSuccess(ip) the instant the password hashed correctly, before the second factor was proven. That cleared the per-IP failure counter, so each /login retry let an attacker with a known password hammer the 6-digit /login/totp space (10^6) at full speed. Now recordSuccess fires only inside establishSession() — i.e. after every required factor has actually passed (password [+TOTP] or OAuth [+TOTP]). 2. MFA ticket binding. Tickets issued by /login (and the Google callback) were unbound — a stolen ticket replayed from a different origin still worked. Tickets now carry SHA-256 hashes of the issuing request's IP and User-Agent; redeemTicket rejects on mismatch. The ticket is burned even on mismatch so a wrong-binding probe can't be retried. 3. TOTP replay within the same 30s step (RFC 6238 §5.2). The verifier accepted the same code as many times as you submitted it. Now verifyToken returns the matched counter, and /login/totp does a CAS UPDATE on users.totp_last_counter — codes at counters <= the last accepted value are rejected. New migration 030 adds totp_last_counter, seeded on /totp/enable so the enrollment code itself can't be reused at first login, and zeroed on /totp/disable. 4. Google OAuth domain check no longer falls back to the email suffix when the hd (hosted-domain) claim is missing. Email-suffix matching let consumer (non-Workspace) Google accounts whose email happens to end in the allowed domain through; if GOOGLE_ALLOWED_DOMAIN is set, the operator means "only this Workspace", so accounts without a verified hd must be rejected. Tests: new mfa-tickets.test.js covers ip/UA binding, single-use on mismatch, and bindings-absent back-compat. totp.test.js updated for the new verifyToken return shape (counter on success, null on failure; truthiness still works at call sites) and adds an explicit matched-counter check. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-30 08:52:53 -04:00			`// MFA ticket binding tests — the second login step's tickets are bound to the`
			`// issuing request's IP + User-Agent (hashed) so a stolen ticket replayed from`
			`// a different origin can't complete the second factor.`
			`import { test } from 'node:test';`
			`import assert from 'node:assert/strict';`
			`import { issueTicket, redeemTicket } from '../../src/auth/mfa-tickets.js';`

			`test('ticket round-trips when ip + userAgent match', () => {`
			`const id = issueTicket('user-1', { ip: '1.2.3.4', userAgent: 'curl/8' });`
			`assert.equal(redeemTicket(id, { ip: '1.2.3.4', userAgent: 'curl/8' }), 'user-1');`
			`});`

			`test('ticket rejects redemption from a different IP', () => {`
			`const id = issueTicket('user-1', { ip: '1.2.3.4', userAgent: 'curl/8' });`
			`assert.equal(redeemTicket(id, { ip: '9.9.9.9', userAgent: 'curl/8' }), null);`
			`});`

			`test('ticket rejects redemption with a different User-Agent', () => {`
			`const id = issueTicket('user-1', { ip: '1.2.3.4', userAgent: 'curl/8' });`
			`assert.equal(redeemTicket(id, { ip: '1.2.3.4', userAgent: 'Mozilla/5.0' }), null);`
			`});`

			`test('ticket is single-use even on binding mismatch', () => {`
			`// A wrong-binding probe must still burn the ticket — otherwise an attacker`
			`// could try multiple IPs/UAs against the same ticket.`
			`const id = issueTicket('user-1', { ip: '1.2.3.4', userAgent: 'curl/8' });`
			`assert.equal(redeemTicket(id, { ip: '9.9.9.9', userAgent: 'curl/8' }), null);`
			`// Same ticket with correct bindings now also fails — it was consumed.`
			`assert.equal(redeemTicket(id, { ip: '1.2.3.4', userAgent: 'curl/8' }), null);`
			`});`

			`test('redeemTicket returns null for missing or unknown id', () => {`
			`assert.equal(redeemTicket(null), null);`
			`assert.equal(redeemTicket(undefined), null);`
			`assert.equal(redeemTicket(''), null);`
			`assert.equal(redeemTicket('not-a-real-id', { ip: 'x', userAgent: 'y' }), null);`
			`});`

			`test('ticket is single-use on success', () => {`
			`const id = issueTicket('user-1', { ip: '1.2.3.4', userAgent: 'curl/8' });`
			`assert.equal(redeemTicket(id, { ip: '1.2.3.4', userAgent: 'curl/8' }), 'user-1');`
			`assert.equal(redeemTicket(id, { ip: '1.2.3.4', userAgent: 'curl/8' }), null);`
			`});`

			`test('issueTicket without bindings still works (back-compat / tests)', () => {`
			`const id = issueTicket('user-1');`
			`// No bindings on redeem either — both sides skip the check.`
			`assert.equal(redeemTicket(id), 'user-1');`
			`});`