test/test.auth.node.ts

import { tap, expect } from '@git.zone/tstest/tapbundle';

import { LoginSession } from '../ts/reception/classes.loginsession.js';
import { User } from '../ts/reception/classes.user.js';
import * as plugins from '../ts/plugins.js';

const createTestLoginSession = () => {
  const loginSession = new LoginSession();
  loginSession.id = 'test-session';
  loginSession.data.userId = 'test-user';
  (loginSession as LoginSession & { save: () => Promise<void> }).save = async () => undefined;
  return loginSession;
};

tap.test('hashes passwords with argon2 and verifies them', async () => {
  const passwordHash = await User.hashPassword('correct horse battery staple');

  expect(passwordHash.startsWith('$argon2')).toBeTrue();
  expect(await User.verifyPassword('correct horse battery staple', passwordHash)).toBeTrue();
  expect(await User.verifyPassword('wrong password', passwordHash)).toBeFalse();
  expect(User.shouldUpgradePasswordHash(passwordHash)).toBeFalse();
});

tap.test('accepts legacy sha256 hashes and marks them for upgrade', async () => {
  const legacyHash = await plugins.smarthash.sha256FromString('legacy-password');

  expect(User.isLegacyPasswordHash(legacyHash)).toBeTrue();
  expect(await User.verifyPassword('legacy-password', legacyHash)).toBeTrue();
  expect(await User.verifyPassword('different-password', legacyHash)).toBeFalse();
  expect(User.shouldUpgradePasswordHash(legacyHash)).toBeTrue();
});

tap.test('rotates refresh tokens and detects reuse', async () => {
  const loginSession = createTestLoginSession();

  const firstRefreshToken = await loginSession.getRefreshToken();
  const secondRefreshToken = await loginSession.getRefreshToken();

  expect(firstRefreshToken.startsWith('refresh_')).toBeTrue();
  expect(secondRefreshToken.startsWith('refresh_')).toBeTrue();
  expect(firstRefreshToken).not.toEqual(secondRefreshToken);
  expect(loginSession.data.refreshToken).toBeNullOrUndefined();
  expect(loginSession.data.refreshTokenHash).toBeTruthy();
  expect(await loginSession.validateRefreshToken(secondRefreshToken)).toEqual('current');
  expect(await loginSession.validateRefreshToken(firstRefreshToken)).toEqual('reused');

  await loginSession.invalidate();
  expect(await loginSession.validateRefreshToken(secondRefreshToken)).toEqual('invalidated');
});

tap.test('persists transfer tokens as one-time hashes', async () => {
  const loginSession = createTestLoginSession();
  const transferToken = await loginSession.getTransferToken();

  expect(transferToken.startsWith('transfer_')).toBeTrue();
  expect(loginSession.data.transferTokenHash).toBeTruthy();
  expect(await loginSession.validateTransferToken(transferToken)).toBeTrue();
  expect(await loginSession.validateTransferToken(transferToken)).toBeFalse();
});

export default tap.start();
feat(auth): harden authentication with argon2 passwords and rotating hashed refresh tokens 2026-04-20 08:12:07 +00:00			`import { tap, expect } from '@git.zone/tstest/tapbundle';`

			`import { LoginSession } from '../ts/reception/classes.loginsession.js';`
			`import { User } from '../ts/reception/classes.user.js';`
			`import * as plugins from '../ts/plugins.js';`

			`const createTestLoginSession = () => {`
			`const loginSession = new LoginSession();`
			`loginSession.id = 'test-session';`
			`loginSession.data.userId = 'test-user';`
			`(loginSession as LoginSession & { save: () => Promise<void> }).save = async () => undefined;`
			`return loginSession;`
			`};`

			`tap.test('hashes passwords with argon2 and verifies them', async () => {`
			`const passwordHash = await User.hashPassword('correct horse battery staple');`

			`expect(passwordHash.startsWith('$argon2')).toBeTrue();`
			`expect(await User.verifyPassword('correct horse battery staple', passwordHash)).toBeTrue();`
			`expect(await User.verifyPassword('wrong password', passwordHash)).toBeFalse();`
			`expect(User.shouldUpgradePasswordHash(passwordHash)).toBeFalse();`
			`});`

			`tap.test('accepts legacy sha256 hashes and marks them for upgrade', async () => {`
			`const legacyHash = await plugins.smarthash.sha256FromString('legacy-password');`

			`expect(User.isLegacyPasswordHash(legacyHash)).toBeTrue();`
			`expect(await User.verifyPassword('legacy-password', legacyHash)).toBeTrue();`
			`expect(await User.verifyPassword('different-password', legacyHash)).toBeFalse();`
			`expect(User.shouldUpgradePasswordHash(legacyHash)).toBeTrue();`
			`});`

			`tap.test('rotates refresh tokens and detects reuse', async () => {`
			`const loginSession = createTestLoginSession();`

			`const firstRefreshToken = await loginSession.getRefreshToken();`
			`const secondRefreshToken = await loginSession.getRefreshToken();`

			`expect(firstRefreshToken.startsWith('refresh_')).toBeTrue();`
			`expect(secondRefreshToken.startsWith('refresh_')).toBeTrue();`
			`expect(firstRefreshToken).not.toEqual(secondRefreshToken);`
			`expect(loginSession.data.refreshToken).toBeNullOrUndefined();`
			`expect(loginSession.data.refreshTokenHash).toBeTruthy();`
			`expect(await loginSession.validateRefreshToken(secondRefreshToken)).toEqual('current');`
			`expect(await loginSession.validateRefreshToken(firstRefreshToken)).toEqual('reused');`

			`await loginSession.invalidate();`
			`expect(await loginSession.validateRefreshToken(secondRefreshToken)).toEqual('invalidated');`
			`});`

			`tap.test('persists transfer tokens as one-time hashes', async () => {`
			`const loginSession = createTestLoginSession();`
			`const transferToken = await loginSession.getTransferToken();`

			`expect(transferToken.startsWith('transfer_')).toBeTrue();`
			`expect(loginSession.data.transferTokenHash).toBeTruthy();`
			`expect(await loginSession.validateTransferToken(transferToken)).toBeTrue();`
			`expect(await loginSession.validateTransferToken(transferToken)).toBeFalse();`
			`});`

			`export default tap.start();`