Now, /verify can return 401 or 403 depending on the user's authentication. Every public API endpoint and page returns 200 with an error message in the JSON body, or 401 if the user is not authorized. This policy makes it harder for an attacker to determine the source of a failure and hides server-side bugs (no 500 is returned), such bugs being potential threats.
import TOTPValidator = require("../../src/lib/secondfactor/TOTPValidator");
import JQueryMock = require("../mocks/jquery");
import BluebirdPromise = require("bluebird");
import Assert = require("assert");
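describe("test TOTPValidator", function () {
  it("should initiate an identity check successfully", () => {
    // Deferred mock whose done() callback fires immediately (sinon-style
    // yields/returns), so the validator observes a successful POST.
    const postPromise = JQueryMock.JQueryDeferredMock();
    postPromise.done.yields();
    postPromise.done.returns(postPromise);

    // Route the validator's ajax call to the deferred mock above.
    const jqueryMock = JQueryMock.JQueryMock();
    jqueryMock.jquery.ajax.returns(postPromise);

    // The mock does not implement the full JQueryStatic surface, hence the cast.
    // Returning the promise lets the test runner fail the case on rejection.
    return TOTPValidator.validate("totp_token", jqueryMock.jquery as any);
  });

  it("should fail validating TOTP token", () => {
    const errorMessage = "Error while validating TOTP token";

    // Deferred mock whose fail() callback fires with the server's error
    // text as its second argument, simulating a rejected validation.
    const postPromise = JQueryMock.JQueryDeferredMock();
    postPromise.fail.yields(undefined, errorMessage);
    postPromise.done.returns(postPromise);

    const jqueryMock = JQueryMock.JQueryMock();
    jqueryMock.jquery.ajax.returns(postPromise);

    return TOTPValidator.validate("totp_token", jqueryMock.jquery as any)
      .then(function () {
        // Resolving here means the validator ignored the failed request;
        // the message names this test rather than the registration flow.
        return BluebirdPromise.reject(new Error("TOTP validation succeeded while it should have failed."));
      }, function (err: Error) {
        // The rejection must carry exactly the message handed to fail(),
        // i.e. the server-provided error text, not a generic reason.
        Assert.strictEqual(err.message, errorMessage);
        return BluebirdPromise.resolve();
      });
  });
});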