test: add unit tests for OTP verification with per-IP tracking in UsersService

Author: adriangohjw

src/services/identity/__tests__/UsersService.spec.ts

@@ -1,7 +1,9 @@
 import { ModelStatic } from "sequelize/types"
 import { Sequelize } from "sequelize-typescript"
 
+import { config } from "@root/config/config"
 import { Otp, User, Whitelist } from "@root/database/models"
+import { BadRequestError } from "@root/errors/BadRequestError"
 import SmsClient from "@services/identity/SmsClient"
 import TotpGenerator from "@services/identity/TotpGenerator"
 import MailClient from "@services/utilServices/MailClient"
@@ -39,8 +41,30 @@ const MockWhitelist = {
   findAll: jest.fn(),
 }
 
+let dbAttempts = 0
+let dbAttemptsByIp: Record<string, number> = {}
+
+const futureDate = new Date(Date.now() + 60 * 60 * 1000)
+
 const MockOtp = {
-  findOne: jest.fn(),
+  findOne: jest.fn().mockImplementation(() =>
+    Promise.resolve({
+      id: 1,
+      email: mockEmail,
+      hashedOtp: "hashed",
+      attempts: dbAttempts,
+      attemptsByIp: { ...dbAttemptsByIp },
+      expiresAt: futureDate,
+      destroy: jest.fn(),
+    })
+  ),
+  update: jest.fn().mockImplementation((values: any, options: any) => {
+    if (options?.where?.attempts !== dbAttempts) return Promise.resolve([0])
+
+    dbAttempts = values.attempts
+    dbAttemptsByIp = { ...(values.attemptsByIp || {}) }
+    return Promise.resolve([1])
+  }),
 }
 
 const UsersService = new _UsersService({
@@ -57,7 +81,11 @@ const mockEmail = "[email protected]"
 const mockGithubId = "sudowoodo"
 
 describe("User Service", () => {
-  afterEach(() => jest.clearAllMocks())
+  afterEach(() => {
+    jest.clearAllMocks()
+    dbAttempts = 0
+    dbAttemptsByIp = {}
+  })
 
   it("should return the result of calling the findOne method by email on the db model", () => {
     // Arrange
@@ -74,6 +102,56 @@ describe("User Service", () => {
     })
   })
 
+  describe("verifyOtp per-IP behavior", () => {
+    const maxAttempts = config.get("auth.maxNumOtpAttempts")
+    const wrongOtp = "000000"
+
+    it("increments attempts for provided IP and returns invalid until max", async () => {
+      (MockOtpService.verifyOtp as jest.Mock).mockResolvedValue(false)
+      const ip = "1.1.1.1"
+
+      for (let i = 1; i <= maxAttempts; i += 1) {
+        // eslint-disable-next-line no-await-in-loop
+        const result = await UsersService.verifyEmailOtp(mockEmail, wrongOtp, ip)
+        expect(result.isErr()).toBe(true)
+        const err = result._unsafeUnwrapErr()
+        expect(err).toBeInstanceOf(BadRequestError)
+        if (i < maxAttempts) {
+          expect((err as BadRequestError).message).toBe("OTP is not valid")
+        } else {
+          expect((err as BadRequestError).message).toBe(
+            "Max number of attempts reached"
+          )
+        }
+      }
+
+      expect(MockOtp.update).toHaveBeenCalled()
+      expect(dbAttemptsByIp[ip]).toBe(maxAttempts - 1) // last call rejected before increment
+    })
+
+    it("uses 'unknown' bucket when clientIp is missing", async () => {
+      (MockOtpService.verifyOtp as jest.Mock).mockResolvedValue(false)
+
+      const result = await UsersService.verifyEmailOtp(mockEmail, wrongOtp)
+      expect(result.isErr()).toBe(true)
+      result._unsafeUnwrapErr() // ensure unwrap doesn't throw
+      expect(dbAttemptsByIp.unknown).toBe(1)
+    })
+
+    it("tracks per-IP separately", async () => {
+      (MockOtpService.verifyOtp as jest.Mock).mockResolvedValue(false)
+      const ipA = "1.1.1.1"
+      const ipB = "2.2.2.2"
+
+      await UsersService.verifyEmailOtp(mockEmail, wrongOtp, ipA)
+      await UsersService.verifyEmailOtp(mockEmail, wrongOtp, ipA)
+      await UsersService.verifyEmailOtp(mockEmail, wrongOtp, ipB)
+
+      expect(dbAttemptsByIp[ipA]).toBe(2)
+      expect(dbAttemptsByIp[ipB]).toBe(1)
+    })
+  })
+
   it("should return the result of calling the findOne method by githubId on the db model", () => {
     // Arrange
     const expected = "user1"