|
2 | 2 | // |
3 | 3 | // cy.task node-spec port of the SESSION-BOUND mfa service tests: |
4 | 4 | // - choose-mfa-method.service.test.ts (chooseMfaMethod findUser-failure audit) |
| 5 | +// - resolveMfaSetup auto-skip: when no MFA methods are offerable, the loader must |
| 6 | +// redirect instead of rendering an empty chooser. |
5 | 7 | // |
6 | 8 | // These read an already-read SessionEntry[] and emit REAL audit via logAuthEvent (→ console.log, |
7 | 9 | // captured by the harness). The browser bundle stubs observability to a no-op, so they must run |
@@ -53,3 +55,117 @@ describe('chooseMfaMethod — findUser failure audit (security: routing continue |
53 | 55 | }); |
54 | 56 | }); |
55 | 57 | }); |
| 58 | + |
| 59 | +// ── resolveMfaSetup: auto-skip when no MFA methods are offerable ──────────────────────────────── |
| 60 | +// |
| 61 | +// Root cause (fixed): when offerableSetupRoutes returns [], resolveMfaSetup used to return |
| 62 | +// { kind: 'setup', offerableKeys: [] } — rendering an empty chooser. Under force=true, the |
| 63 | +// Skip button is hidden, leaving the user stuck. |
| 64 | +// |
| 65 | +// Fix: an empty offerable set → stamp the skip (setMfaInitSkipped, same as the manual skip path) |
| 66 | +// and return { kind: 'redirect', target } so the loader auto-advances. Stamping is required to |
| 67 | +// prevent a re-prompt loop (nextStep re-routes to /setup/mfa when mfaInitSkippedAt is null). |
| 68 | +// |
| 69 | +// The fresh provider seed uses capabilities: { passkey: false, totpOtp: false, emailOtp: false, |
| 70 | +// u2f: false, smsOtp: false } so offerableSetupRoutes returns [] regardless of policy. The |
| 71 | +// live session is seeded via `liveSessions` so getSession(entry.id, entry.token) resolves |
| 72 | +// (required by the auto-skip nextStepFromSession call inside resolveMfaSetup). |
| 73 | + |
| 74 | +describe('resolveMfaSetup — auto-skip when no MFA methods are offerable', () => { |
| 75 | + // A fresh provider with all MFA capabilities disabled and one password-only user. |
| 76 | + const NO_MFA_CAPS = { |
| 77 | + passkey: false, |
| 78 | + u2f: false, |
| 79 | + totpOtp: false, |
| 80 | + emailOtp: false, |
| 81 | + smsOtp: false, |
| 82 | + externalIdp: false, |
| 83 | + ldap: false, |
| 84 | + saml: false, |
| 85 | + oidc: false, |
| 86 | + registration: false, |
| 87 | + }; |
| 88 | + |
| 89 | + const baseScenario = { |
| 90 | + fn: 'resolveMfaSetup' as const, |
| 91 | + provider: 'fresh' as const, |
| 92 | + seed: { |
| 93 | + users: [{ id: 'u-nomfa', loginName: 'nomfa@test.example' }], |
| 94 | + authMethods: { 'u-nomfa': ['password'] as string[] }, |
| 95 | + capabilities: NO_MFA_CAPS, |
| 96 | + }, |
| 97 | + liveSessions: [ |
| 98 | + { |
| 99 | + id: 'sess-nomfa', |
| 100 | + token: 'tok-nomfa', |
| 101 | + user: { id: 'u-nomfa', loginName: 'nomfa@test.example' }, |
| 102 | + }, |
| 103 | + ], |
| 104 | + request: { |
| 105 | + url: 'http://localhost/id/setup/mfa', |
| 106 | + sessions: [{ id: 'sess-nomfa', token: 'tok-nomfa', loginName: 'nomfa@test.example' }], |
| 107 | + }, |
| 108 | + mfaInput: { loginName: 'nomfa@test.example' }, |
| 109 | + }; |
| 110 | + |
| 111 | + it('returns a redirect (not setup) when no MFA methods are offerable', () => { |
| 112 | + callService(baseScenario).then((v) => { |
| 113 | + const o = v.outcome as { kind: string; offerableKeys?: unknown[] }; |
| 114 | + expect(o.kind, 'auto-skip: kind must be redirect, not setup').to.equal('redirect'); |
| 115 | + }); |
| 116 | + }); |
| 117 | + |
| 118 | + it('redirect target does not loop back to /setup/mfa', () => { |
| 119 | + callService(baseScenario).then((v) => { |
| 120 | + const o = v.outcome as { kind: string; target?: string }; |
| 121 | + expect(o.target ?? '', 'target must not loop back to /setup/mfa').to.not.include( |
| 122 | + '/setup/mfa' |
| 123 | + ); |
| 124 | + }); |
| 125 | + }); |
| 126 | + |
| 127 | + it('emits an mfa_skip success audit line on auto-skip', () => { |
| 128 | + callService(baseScenario).then((v) => { |
| 129 | + const skipAudit = v.audit.find((e) => e.event === 'mfa_skip' && e.outcome === 'success'); |
| 130 | + expect(skipAudit, 'mfa_skip success audit must be emitted').to.not.equal(undefined); |
| 131 | + }); |
| 132 | + }); |
| 133 | +}); |
| 134 | + |
| 135 | +// ── resolveMfaSetup: normal path (non-empty offerable set) still returns offerableKeys ────────── |
| 136 | +// |
| 137 | +// Regression guard: ensure the fix does not break the normal chooser path where MFA methods ARE |
| 138 | +// available. Uses the singleton provider which has totpOtp + emailOtp + passkey capabilities. |
| 139 | + |
| 140 | +describe('resolveMfaSetup — normal path returns offerableKeys when MFA methods exist', () => { |
| 141 | + const scenario = { |
| 142 | + fn: 'resolveMfaSetup' as const, |
| 143 | + provider: 'singleton' as const, |
| 144 | + liveSessions: [ |
| 145 | + { |
| 146 | + id: 's-alice-setup', |
| 147 | + token: 't-alice-setup', |
| 148 | + user: { id: 'u1', loginName: 'alice@acme.test' }, |
| 149 | + }, |
| 150 | + ], |
| 151 | + request: { |
| 152 | + url: 'http://localhost/id/setup/mfa', |
| 153 | + sessions: [{ id: 's-alice-setup', token: 't-alice-setup', loginName: 'alice@acme.test' }], |
| 154 | + }, |
| 155 | + mfaInput: { loginName: 'alice@acme.test' }, |
| 156 | + }; |
| 157 | + |
| 158 | + it('returns kind: setup (not redirect) when offerable MFA methods exist', () => { |
| 159 | + callService(scenario).then((v) => { |
| 160 | + const o = v.outcome as { kind: string; offerableKeys?: string[] }; |
| 161 | + expect(o.kind, 'chooser renders when methods available').to.equal('setup'); |
| 162 | + }); |
| 163 | + }); |
| 164 | + |
| 165 | + it('offerableKeys is non-empty when MFA capabilities are enabled', () => { |
| 166 | + callService(scenario).then((v) => { |
| 167 | + const o = v.outcome as { kind: string; offerableKeys?: string[] }; |
| 168 | + expect((o.offerableKeys ?? []).length, 'offerable keys non-empty').to.be.greaterThan(0); |
| 169 | + }); |
| 170 | + }); |
| 171 | +}); |
0 commit comments