test(core): add the mfa binding integration tests (#6330)

* refactor(core): refactor backup code generate flow

refactor backup code generate flow

* fix(core): fix api payload

fix api payload

* test(core): implement the mfa binding integration tests

implement the mfa binding integration tests

* test(core): rebase backup code refactor

rebase backup code refactor

packages/core/src/routes/experience/classes/mfa.ts

@@ -165,7 +165,7 @@ export class Mfa {
  * @throws {RequestError} with status 400 if the verification record is not verified
  * @throws {RequestError} with status 400 if the verification record has no secret
  * @throws {RequestError} with status 404 if the verification record is not found
- * @throws {RequestError} with status 422 if TOTP is not enabled in the sign-in experience
+ * @throws {RequestError} with status 400 if TOTP is not enabled in the sign-in experience
  * @throws {RequestError} with status 422 if the user already has a TOTP factor
  *
  * - Any existing TOTP factor will be replaced with the new one.
@@ -196,7 +196,7 @@ export class Mfa {
  * @throws {RequestError} with status 400 if the verification record is not verified
  * @throws {RequestError} with status 400 if the verification record has no registration data
  * @throws {RequestError} with status 404 if the verification record is not found
- * @throws {RequestError} with status 422 if WebAuthn is not enabled in the sign-in experience
+ * @throws {RequestError} with status 400 if WebAuthn is not enabled in the sign-in experience
  */
  async addWebAuthnByVerificationId(verificationId: string) {
  const verificationRecord = this.interactionContext.getVerificationRecordByTypeAndId(
@@ -215,7 +215,7 @@ export class Mfa {
  * - Any existing backup code factor will be replaced with the new one.
  *
  * @throws {RequestError} with status 404 if no pending backup codes are found
- * @throws {RequestError} with status 422 if Backup Code is not enabled in the sign-in experience
+ * @throws {RequestError} with status 400 if Backup Code is not enabled in the sign-in experience
  * @throws {RequestError} with status 422 if the backup code is the only MFA factor
  */
  async addBackupCodeByVerificationId(verificationId: string) {
@@ -241,7 +241,7 @@ export class Mfa {
  }
 
  /**
- * @throws {RequestError} with status 422 if the mfa factors are not enabled in the sign-in experience
+ * @throws {RequestError} with status 400 if the mfa factors are not enabled in the sign-in experience
  */
  async checkAvailability() {
  const newBindMfaFactors = deduplicate(this.bindMfaFactorsArray.map(({ type }) => type));

packages/core/src/routes/experience/verification-routes/backup-code-verification.ts

@@ -52,6 +52,41 @@ export default function backupCodeVerificationRoutes<T extends WithLogContext>(
  }
  );
 
+ router.post(
+ `${experienceRoutes.verification}/backup-code/generate`,
+ koaGuard({
+ status: [200, 400],
+ response: z.object({
+ verificationId: z.string(),
+ codes: z.array(z.string()),
+ }),
+ }),
+ async (ctx, next) => {
+ const { experienceInteraction } = ctx;
+
+ assertThat(experienceInteraction.identifiedUserId, 'session.identifier_not_found');
+
+ const backupCodeVerificationRecord = BackupCodeVerification.create(
+ libraries,
+ queries,
+ experienceInteraction.identifiedUserId
+ );
+
+ const codes = backupCodeVerificationRecord.generate();
+
+ ctx.experienceInteraction.setVerificationRecord(backupCodeVerificationRecord);
+
+ await ctx.experienceInteraction.save();
+
+ ctx.body = {
+ verificationId: backupCodeVerificationRecord.id,
+ codes,
+ };
+
+ return next();
+ }
+ );
+
  router.post(
  `${experienceRoutes.verification}/backup-code/verify`,
  koaGuard({

packages/integration-tests/src/client/experience/const.ts

@@ -4,5 +4,6 @@ export const experienceRoutes = {
  verification: `${prefix}/verification`,
  identification: `${prefix}/identification`,
  profile: `${prefix}/profile`,
+ mfa: `${prefix}/profile/mfa`,
  prefix,
 };

packages/integration-tests/src/client/experience/index.ts

@@ -2,6 +2,7 @@ import {
  type CreateExperienceApiPayload,
  type IdentificationApiPayload,
  type InteractionEvent,
+ type MfaFactor,
  type NewPasswordIdentityVerificationPayload,
  type PasswordVerificationPayload,
  type UpdateProfileApiPayload,
@@ -178,6 +179,14 @@ export class ExperienceClient extends MockClient {
  .json<{ verificationId: string }>();
  }
 
+ public async generateMfaBackupCodes() {
+ return api
+ .post(`${experienceRoutes.verification}/backup-code/generate`, {
+ headers: { cookie: this.interactionCookie },
+ })
+ .json<{ verificationId: string; codes: string[] }>();
+ }
+
  public async verifyBackupCode(payload: { code: string }) {
  return api
  .post(`${experienceRoutes.verification}/backup-code/verify`, {
@@ -211,4 +220,17 @@ export class ExperienceClient extends MockClient {
  json: payload,
  });
  }
+
+ public async skipMfaBinding() {
+ return api.post(`${experienceRoutes.mfa}/mfa-skipped`, {
+ headers: { cookie: this.interactionCookie },
+ });
+ }
+
+ public async bindMfa(type: MfaFactor, verificationId: string) {
+ return api.post(`${experienceRoutes.mfa}`, {
+ headers: { cookie: this.interactionCookie },
+ json: { type, verificationId },
+ });
+ }
 }

packages/integration-tests/src/helpers/experience/totp-verification.ts

@@ -1,3 +1,5 @@
+import { authenticator } from 'otplib';
+
 import { type ExperienceClient } from '#src/client/experience/index.js';
 
 export const successFullyCreateNewTotpSecret = async (client: ExperienceClient) => {
@@ -23,3 +25,15 @@ export const successfullyVerifyTotp = async (
 
  return verificationId;
 };
+
+export const successfullyCreateAndVerifyTotp = async (client: ExperienceClient) => {
+ const { secret, verificationId } = await successFullyCreateNewTotpSecret(client);
+ const code = authenticator.generate(secret);
+
+ await successfullyVerifyTotp(client, {
+ code,
+ verificationId,
+ });
+
+ return verificationId;
+};