authelia/server/test/routes/secondfactor/u2f/register/post.test.ts


import sinon = require("sinon");
import BluebirdPromise = require("bluebird");
import assert = require("assert");
import U2FRegisterPost = require("../../../../../src/lib/routes/secondfactor/u2f/register/post");
import { AuthenticationSessionHandler } from "../../../../../src/lib/AuthenticationSessionHandler";
import { AuthenticationSession } from "../../../../../types/AuthenticationSession";
import ExpressMock = require("../../../../mocks/express");
import { UserDataStoreStub } from "../../../../mocks/storage/UserDataStoreStub";
import { ServerVariablesMockBuilder, ServerVariablesMock } from "../../../../mocks/ServerVariablesMockBuilder";
import { ServerVariables } from "../../../../../src/lib/ServerVariables";


describe("test u2f routes: register", function () {
  let req: ExpressMock.RequestMock;
  let res: ExpressMock.ResponseMock;
  let mocks: ServerVariablesMock;
  let vars: ServerVariables;
  let authSession: AuthenticationSession;

  beforeEach(function () {
    req = ExpressMock.RequestMock();
    req.originalUrl = "/api/xxxx";
    req.app = {};
    req.session = {
      auth: {
        userid: "user",
        first_factor: true,
        second_factor: false,
        identity_check: {
          challenge: "u2f-register",
          userid: "user"
        }
      }
    };
    req.headers = {};
    req.headers.host = "localhost";

    const s = ServerVariablesMockBuilder.build();
    mocks = s.mocks;
    vars = s.variables;

    const options = {
      inMemoryOnly: true
    };

    mocks.userDataStore.saveU2FRegistrationStub.returns(BluebirdPromise.resolve({}));
    mocks.userDataStore.retrieveU2FRegistrationStub.returns(BluebirdPromise.resolve({}));

    res = ExpressMock.ResponseMock();
    res.send = sinon.spy();
    res.json = sinon.spy();
    res.status = sinon.spy();

    authSession = AuthenticationSessionHandler.get(req as any, vars.logger);
  });

  describe("test registration", test_registration);


  function test_registration() {
    it("should save u2f meta and return status code 200", function () {
      const expectedStatus = {
        keyHandle: "keyHandle",
        publicKey: "pbk",
        certificate: "cert"
      };
      mocks.u2f.checkRegistrationStub.returns(BluebirdPromise.resolve(expectedStatus));

      authSession.register_request = {
        appId: "app",
        challenge: "challenge",
        keyHandle: "key",
        version: "U2F_V2"
      };
      return U2FRegisterPost.default(vars)(req as any, res as any)
        .then(function () {
          assert.equal("user", mocks.userDataStore.saveU2FRegistrationStub.getCall(0).args[0]);
          assert.equal(authSession.identity_check, undefined);
        });
    });

    it("should return error message on finishRegistration error", function () {
      mocks.u2f.checkRegistrationStub.returns({ errorCode: 500 });

      authSession.register_request = {
        appId: "app",
        challenge: "challenge",
        keyHandle: "key",
        version: "U2F_V2"
      };

      return U2FRegisterPost.default(vars)(req as any, res as any)
        .then(function () { return BluebirdPromise.reject(new Error("It should fail")); })
        .catch(function () {
          assert.equal(200, res.status.getCall(0).args[0]);
          assert.deepEqual(res.send.getCall(0).args[0], {
            error: "Operation failed."
          });
          return BluebirdPromise.resolve();
        });
    });

    it("should return error message when register_request is not provided", function () {
      mocks.u2f.checkRegistrationStub.returns(BluebirdPromise.resolve());
      authSession.register_request = undefined;
      return U2FRegisterPost.default(vars)(req as any, res as any)
        .then(function () { return BluebirdPromise.reject(new Error("It should fail")); })
        .catch(function () {
          assert.equal(200, res.status.getCall(0).args[0]);
          assert.deepEqual(res.send.getCall(0).args[0], {
            error: "Operation failed."
          });
          return BluebirdPromise.resolve();
        });
    });

    it("should return error message when no auth request has been initiated", function () {
      mocks.u2f.checkRegistrationStub.returns(BluebirdPromise.resolve());
      authSession.register_request = undefined;
      return U2FRegisterPost.default(vars)(req as any, res as any)
        .then(function () { return BluebirdPromise.reject(new Error("It should fail")); })
        .catch(function () {
          assert.equal(200, res.status.getCall(0).args[0]);
          assert.deepEqual(res.send.getCall(0).args[0], {
            error: "Operation failed."
          });
          return BluebirdPromise.resolve();
        });
    });

    it("should return error message when identity has not been verified", function () {
      authSession.identity_check = undefined;
      return U2FRegisterPost.default(vars)(req as any, res as any)
        .then(function () { return BluebirdPromise.reject(new Error("It should fail")); })
        .catch(function () {
          assert.equal(200, res.status.getCall(0).args[0]);
          assert.deepEqual(res.send.getCall(0).args[0], {
            error: "Operation failed."
          });
          return BluebirdPromise.resolve();
        });
    });
  }
});
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00
			`import sinon = require("sinon");`
			`import BluebirdPromise = require("bluebird");`
			`import assert = require("assert");`
Split client and server Client and server now have their own tsconfig so that the transpilation is only done on the part that is being modified. It also allows faster transpilation since tests are now excluded from tsconfig. They are compiled by ts-node during unit tests execution. 2017-10-07 05:09:42 +07:00			`import U2FRegisterPost = require("../../../../../src/lib/routes/secondfactor/u2f/register/post");`
Disable notifiers when server uses single factor method only Notifier is not mandatory when authentication method is single_factor for all sub-domains since there is no registration required. 2017-10-22 22:42:05 +07:00			`import { AuthenticationSessionHandler } from "../../../../../src/lib/AuthenticationSessionHandler";`
			`import { AuthenticationSession } from "../../../../../types/AuthenticationSession";`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00			`import ExpressMock = require("../../../../mocks/express");`
Add Mongo as scalable and resilient storage backend 2017-07-20 02:06:12 +07:00			`import { UserDataStoreStub } from "../../../../mocks/storage/UserDataStoreStub";`
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated. 2017-10-18 04:24:02 +07:00			`import { ServerVariablesMockBuilder, ServerVariablesMock } from "../../../../mocks/ServerVariablesMockBuilder";`
			`import { ServerVariables } from "../../../../../src/lib/ServerVariables";`

Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00
			`describe("test u2f routes: register", function () {`
			`let req: ExpressMock.RequestMock;`
			`let res: ExpressMock.ResponseMock;`
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated. 2017-10-18 04:24:02 +07:00			`let mocks: ServerVariablesMock;`
			`let vars: ServerVariables;`
Disable notifiers when server uses single factor method only Notifier is not mandatory when authentication method is single_factor for all sub-domains since there is no registration required. 2017-10-22 22:42:05 +07:00			`let authSession: AuthenticationSession;`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00
			`beforeEach(function () {`
			`req = ExpressMock.RequestMock();`
Fix endpoints redirection on errors From this commit on, api endpoints reply with a 401 error code and non api endpoints redirect to /error/40X. This commit also fixes missing restrictions on /loggedin (the "already logged in page). This was not a security issue, though. The change also makes error pages automatically redirect the user after few seconds based on the referrer or the default_redirection_url if provided in the configuration. Warning: The old /verify endpoint of the REST API has moved to /api/verify. You will need to update your nginx configuration to take this change into account. 2017-11-01 20:24:18 +07:00			`req.originalUrl = "/api/xxxx";`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00			`req.app = {};`
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated. 2017-10-18 04:24:02 +07:00			`req.session = {`
			`auth: {`
			`userid: "user",`
			`first_factor: true,`
			`second_factor: false,`
			`identity_check: {`
			`challenge: "u2f-register",`
			`userid: "user"`
			`}`
			`}`
			`};`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00			`req.headers = {};`
			`req.headers.host = "localhost";`

Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated. 2017-10-18 04:24:02 +07:00			`const s = ServerVariablesMockBuilder.build();`
			`mocks = s.mocks;`
			`vars = s.variables;`

Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00			`const options = {`
			`inMemoryOnly: true`
			`};`

Add Mongo as scalable and resilient storage backend 2017-07-20 02:06:12 +07:00			`mocks.userDataStore.saveU2FRegistrationStub.returns(BluebirdPromise.resolve({}));`
			`mocks.userDataStore.retrieveU2FRegistrationStub.returns(BluebirdPromise.resolve({}));`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00
			`res = ExpressMock.ResponseMock();`
			`res.send = sinon.spy();`
			`res.json = sinon.spy();`
			`res.status = sinon.spy();`
Disable notifiers when server uses single factor method only Notifier is not mandatory when authentication method is single_factor for all sub-domains since there is no registration required. 2017-10-22 22:42:05 +07:00
			`authSession = AuthenticationSessionHandler.get(req as any, vars.logger);`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00			`});`

			`describe("test registration", test_registration);`


			`function test_registration() {`
			`it("should save u2f meta and return status code 200", function () {`
			`const expectedStatus = {`
			`keyHandle: "keyHandle",`
			`publicKey: "pbk",`
			`certificate: "cert"`
			`};`
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated. 2017-10-18 04:24:02 +07:00			`mocks.u2f.checkRegistrationStub.returns(BluebirdPromise.resolve(expectedStatus));`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-22 03:07:34 +07:00
Disable notifiers when server uses single factor method only Notifier is not mandatory when authentication method is single_factor for all sub-domains since there is no registration required. 2017-10-22 22:42:05 +07:00			`authSession.register_request = {`
			`appId: "app",`
			`challenge: "challenge",`
			`keyHandle: "key",`
			`version: "U2F_V2"`
			`};`
			`return U2FRegisterPost.default(vars)(req as any, res as any)`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00			`.then(function () {`
Add Mongo as scalable and resilient storage backend 2017-07-20 02:06:12 +07:00			`assert.equal("user", mocks.userDataStore.saveU2FRegistrationStub.getCall(0).args[0]);`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00			`assert.equal(authSession.identity_check, undefined);`
			`});`
			`});`

Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats. 2017-10-11 04:03:30 +07:00			`it("should return error message on finishRegistration error", function () {`
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated. 2017-10-18 04:24:02 +07:00			`mocks.u2f.checkRegistrationStub.returns({ errorCode: 500 });`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-22 03:07:34 +07:00
Disable notifiers when server uses single factor method only Notifier is not mandatory when authentication method is single_factor for all sub-domains since there is no registration required. 2017-10-22 22:42:05 +07:00			`authSession.register_request = {`
			`appId: "app",`
			`challenge: "challenge",`
			`keyHandle: "key",`
			`version: "U2F_V2"`
			`};`

			`return U2FRegisterPost.default(vars)(req as any, res as any)`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00			`.then(function () { return BluebirdPromise.reject(new Error("It should fail")); })`
			`.catch(function () {`
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats. 2017-10-11 04:03:30 +07:00			`assert.equal(200, res.status.getCall(0).args[0]);`
			`assert.deepEqual(res.send.getCall(0).args[0], {`
			`error: "Operation failed."`
			`});`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00			`return BluebirdPromise.resolve();`
			`});`
			`});`

Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats. 2017-10-11 04:03:30 +07:00			`it("should return error message when register_request is not provided", function () {`
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated. 2017-10-18 04:24:02 +07:00			`mocks.u2f.checkRegistrationStub.returns(BluebirdPromise.resolve());`
Disable notifiers when server uses single factor method only Notifier is not mandatory when authentication method is single_factor for all sub-domains since there is no registration required. 2017-10-22 22:42:05 +07:00			`authSession.register_request = undefined;`
			`return U2FRegisterPost.default(vars)(req as any, res as any)`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00			`.then(function () { return BluebirdPromise.reject(new Error("It should fail")); })`
			`.catch(function () {`
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats. 2017-10-11 04:03:30 +07:00			`assert.equal(200, res.status.getCall(0).args[0]);`
			`assert.deepEqual(res.send.getCall(0).args[0], {`
			`error: "Operation failed."`
			`});`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00			`return BluebirdPromise.resolve();`
			`});`
			`});`

Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats. 2017-10-11 04:03:30 +07:00			`it("should return error message when no auth request has been initiated", function () {`
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated. 2017-10-18 04:24:02 +07:00			`mocks.u2f.checkRegistrationStub.returns(BluebirdPromise.resolve());`
Disable notifiers when server uses single factor method only Notifier is not mandatory when authentication method is single_factor for all sub-domains since there is no registration required. 2017-10-22 22:42:05 +07:00			`authSession.register_request = undefined;`
			`return U2FRegisterPost.default(vars)(req as any, res as any)`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00			`.then(function () { return BluebirdPromise.reject(new Error("It should fail")); })`
			`.catch(function () {`
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats. 2017-10-11 04:03:30 +07:00			`assert.equal(200, res.status.getCall(0).args[0]);`
			`assert.deepEqual(res.send.getCall(0).args[0], {`
			`error: "Operation failed."`
			`});`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00			`return BluebirdPromise.resolve();`
			`});`
			`});`

Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats. 2017-10-11 04:03:30 +07:00			`it("should return error message when identity has not been verified", function () {`
Disable notifiers when server uses single factor method only Notifier is not mandatory when authentication method is single_factor for all sub-domains since there is no registration required. 2017-10-22 22:42:05 +07:00			`authSession.identity_check = undefined;`
			`return U2FRegisterPost.default(vars)(req as any, res as any)`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00			`.then(function () { return BluebirdPromise.reject(new Error("It should fail")); })`
			`.catch(function () {`
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats. 2017-10-11 04:03:30 +07:00			`assert.equal(200, res.status.getCall(0).args[0]);`
			`assert.deepEqual(res.send.getCall(0).args[0], {`
			`error: "Operation failed."`
			`});`
Refactor client to make it responsive and testable 2017-05-25 20:09:29 +07:00			`return BluebirdPromise.resolve();`
			`});`
			`});`
			`}`
			`});`