UNPKG

@joystick.js/db-canary

Version:

JoystickDB - A minimalist database server for the Joystick framework

415 lines (330 loc) 13.3 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
import test from 'ava'; import fs from 'fs'; import bcrypt from 'bcrypt'; import { create_recovery_token, is_token_valid, record_failed_recovery_attempt, change_password, get_recovery_status, initialize_recovery_manager, reset_recovery_state } from '../../../src/server/lib/recovery_manager.js'; const RECOVERY_TOKEN_FILE = './recovery_token.json'; test.beforeEach(() => { // Clean up any existing files and environment variables reset_recovery_state(); if (fs.existsSync(RECOVERY_TOKEN_FILE)) { fs.unlinkSync(RECOVERY_TOKEN_FILE); } delete process.env.JOYSTICK_DB_SETTINGS; }); test.afterEach(() => { // Clean up files and environment variables after each test reset_recovery_state(); if (fs.existsSync(RECOVERY_TOKEN_FILE)) { fs.unlinkSync(RECOVERY_TOKEN_FILE); } delete process.env.JOYSTICK_DB_SETTINGS; }); test('create_recovery_token generates valid token with expiration', (t) => { const recovery_info = create_recovery_token(); t.true(typeof recovery_info.token === 'string'); t.true(recovery_info.token.length > 0); t.true(typeof recovery_info.expires_at === 'number'); t.true(recovery_info.expires_at > Date.now()); t.true(recovery_info.url.includes(recovery_info.token)); // Verify token file was created t.true(fs.existsSync(RECOVERY_TOKEN_FILE)); const token_data = JSON.parse(fs.readFileSync(RECOVERY_TOKEN_FILE, 'utf8')); t.is(token_data.token, recovery_info.token); t.is(token_data.expires_at, recovery_info.expires_at); }); test('create_recovery_token sets 10 minute expiration', (t) => { const before_creation = Date.now(); const recovery_info = create_recovery_token(); const after_creation = Date.now(); const expected_min_expiry = before_creation + (10 * 60 * 1000); const expected_max_expiry = after_creation + (10 * 60 * 1000); t.true(recovery_info.expires_at >= expected_min_expiry); t.true(recovery_info.expires_at <= expected_max_expiry); }); test('is_token_valid returns true for valid token', (t) => { const recovery_info = create_recovery_token(); const validation = is_token_valid(recovery_info.token); t.true(validation.valid); }); test('is_token_valid returns false for invalid token', (t) => { create_recovery_token(); const validation = is_token_valid('invalid-token'); t.false(validation.valid); t.is(validation.reason, 'invalid'); }); test('is_token_valid returns false when no token exists', (t) => { const validation = is_token_valid('any-token'); t.false(validation.valid); t.is(validation.reason, 'no_token'); }); test('is_token_valid returns false for expired token', (t) => { const recovery_info = create_recovery_token(); // Manually expire the token by modifying the file const token_data = JSON.parse(fs.readFileSync(RECOVERY_TOKEN_FILE, 'utf8')); token_data.expires_at = Date.now() - 1000; // 1 second ago fs.writeFileSync(RECOVERY_TOKEN_FILE, JSON.stringify(token_data, null, 2)); // Reload state to pick up the expired token (but don't initialize, which would clean it up) // Instead, directly test the validation which will detect expiration and clean up const validation = is_token_valid(recovery_info.token); t.false(validation.valid); t.is(validation.reason, 'expired'); }); test('record_failed_recovery_attempt increments counter', (t) => { create_recovery_token(); record_failed_recovery_attempt('192.168.1.100'); const status = get_recovery_status(); t.is(status.failed_attempts, 1); }); test('record_failed_recovery_attempt locks after max attempts', (t) => { create_recovery_token(); // Make 3 failed attempts (the maximum) for (let i = 0; i < 3; i++) { record_failed_recovery_attempt('192.168.1.100'); } const status = get_recovery_status(); t.is(status.failed_attempts, 3); t.true(status.is_locked); t.true(typeof status.locked_until === 'number'); t.true(status.locked_until > Date.now()); }); test('is_token_valid returns locked when recovery is locked', (t) => { const recovery_info = create_recovery_token(); // Lock the recovery by making too many failed attempts for (let i = 0; i < 3; i++) { record_failed_recovery_attempt('192.168.1.100'); } const validation = is_token_valid(recovery_info.token); t.false(validation.valid); t.is(validation.reason, 'locked'); }); test('change_password validates password strength', async (t) => { // Create environment variable with authentication const settings_data = { authentication: { password_hash: await bcrypt.hash('old_password', 12), created_at: new Date().toISOString(), last_updated: new Date().toISOString(), failed_attempts: {}, rate_limits: {} } }; process.env.JOYSTICK_DB_SETTINGS = JSON.stringify(settings_data); // Test short password const error = await t.throwsAsync(async () => { await change_password('short', '192.168.1.100'); }); t.is(error.message, 'Password must be at least 12 characters long'); }); test('change_password requires environment variable', async (t) => { const error = await t.throwsAsync(async () => { await change_password('valid_password_123', '192.168.1.100'); }); t.is(error.message, 'JOYSTICK_DB_SETTINGS environment variable not found'); }); test('change_password requires authentication configuration', async (t) => { // Create environment variable without authentication const settings_data = { port: 1983 }; process.env.JOYSTICK_DB_SETTINGS = JSON.stringify(settings_data); const error = await t.throwsAsync(async () => { await change_password('valid_password_123', '192.168.1.100'); }); t.is(error.message, 'Authentication not configured'); }); test('change_password successfully updates password', async (t) => { // Create environment variable with authentication const old_password = 'old_password_123'; const new_password = 'new_password_456'; const settings_data = { authentication: { password_hash: await bcrypt.hash(old_password, 12), created_at: new Date().toISOString(), last_updated: new Date().toISOString(), failed_attempts: { '192.168.1.50': [Date.now()] }, rate_limits: { '192.168.1.50': { expires_at: Date.now() + 60000, attempts: 1 } } } }; process.env.JOYSTICK_DB_SETTINGS = JSON.stringify(settings_data); const result = await change_password(new_password, '192.168.1.100'); t.true(result.success); t.is(result.message, 'Password changed successfully'); t.true(typeof result.timestamp === 'string'); // Verify password was updated in environment variable const updated_settings = JSON.parse(process.env.JOYSTICK_DB_SETTINGS); t.true(await bcrypt.compare(new_password, updated_settings.authentication.password_hash)); t.false(await bcrypt.compare(old_password, updated_settings.authentication.password_hash)); // Verify failed attempts and rate limits were reset t.deepEqual(updated_settings.authentication.failed_attempts, {}); t.deepEqual(updated_settings.authentication.rate_limits, {}); }); test('change_password calls connection terminator', async (t) => { // Create environment variable with authentication const settings_data = { authentication: { password_hash: await bcrypt.hash('old_password_123', 12), created_at: new Date().toISOString(), last_updated: new Date().toISOString(), failed_attempts: {}, rate_limits: {} } }; process.env.JOYSTICK_DB_SETTINGS = JSON.stringify(settings_data); let terminator_called = false; const connection_terminator = () => { terminator_called = true; }; await change_password('new_password_456', '192.168.1.100', connection_terminator); t.true(terminator_called); }); test('change_password cleans up recovery token', async (t) => { // Create recovery token create_recovery_token(); t.true(fs.existsSync(RECOVERY_TOKEN_FILE)); // Create environment variable with authentication const settings_data = { authentication: { password_hash: await bcrypt.hash('old_password_123', 12), created_at: new Date().toISOString(), last_updated: new Date().toISOString(), failed_attempts: {}, rate_limits: {} } }; process.env.JOYSTICK_DB_SETTINGS = JSON.stringify(settings_data); await change_password('new_password_456', '192.168.1.100'); // Verify recovery token was cleaned up t.false(fs.existsSync(RECOVERY_TOKEN_FILE)); const status = get_recovery_status(); t.false(status.token_active); }); test('get_recovery_status returns correct status', (t) => { // Test with no token let status = get_recovery_status(); t.false(status.token_active); t.is(status.failed_attempts, 0); t.false(status.is_locked); // Test with active token create_recovery_token(); status = get_recovery_status(); t.true(status.token_active); t.true(typeof status.expires_at === 'number'); // Test with failed attempts record_failed_recovery_attempt('192.168.1.100'); status = get_recovery_status(); t.is(status.failed_attempts, 1); }); test('initialize_recovery_manager loads existing state', (t) => { // Create a recovery token file manually const token_data = { token: 'test-token-123', expires_at: Date.now() + 600000, // 10 minutes from now failed_attempts: 2, locked_until: null }; fs.writeFileSync(RECOVERY_TOKEN_FILE, JSON.stringify(token_data, null, 2)); initialize_recovery_manager(); const status = get_recovery_status(); t.true(status.token_active); t.is(status.failed_attempts, 2); const validation = is_token_valid('test-token-123'); t.true(validation.valid); }); test('initialize_recovery_manager cleans up expired tokens', (t) => { // Create an expired recovery token file const token_data = { token: 'expired-token-123', expires_at: Date.now() - 1000, // 1 second ago failed_attempts: 1, locked_until: null }; fs.writeFileSync(RECOVERY_TOKEN_FILE, JSON.stringify(token_data, null, 2)); initialize_recovery_manager(); const status = get_recovery_status(); t.false(status.token_active); t.is(status.failed_attempts, 0); // Token file should be cleaned up t.false(fs.existsSync(RECOVERY_TOKEN_FILE)); }); test('initialize_recovery_manager cleans up expired locks', (t) => { // Create a recovery state with expired lock const token_data = { token: 'test-token-123', expires_at: Date.now() + 600000, // 10 minutes from now failed_attempts: 3, locked_until: Date.now() - 1000 // 1 second ago (expired) }; fs.writeFileSync(RECOVERY_TOKEN_FILE, JSON.stringify(token_data, null, 2)); initialize_recovery_manager(); const status = get_recovery_status(); t.false(status.is_locked); t.is(status.failed_attempts, 0); // Should be reset when lock expires }); test('reset_recovery_state cleans up everything', (t) => { // Create recovery token and make some failed attempts create_recovery_token(); record_failed_recovery_attempt('192.168.1.100'); t.true(fs.existsSync(RECOVERY_TOKEN_FILE)); reset_recovery_state(); t.false(fs.existsSync(RECOVERY_TOKEN_FILE)); const status = get_recovery_status(); t.false(status.token_active); t.is(status.failed_attempts, 0); t.false(status.is_locked); }); test('recovery token file has secure permissions', (t) => { create_recovery_token(); const stats = fs.statSync(RECOVERY_TOKEN_FILE); const mode = stats.mode & parseInt('777', 8); // Should have 600 permissions (owner read/write only) t.is(mode, parseInt('600', 8)); }); test('multiple recovery tokens not allowed', (t) => { const first_token = create_recovery_token(); const second_token = create_recovery_token(); // Second token should replace the first t.not(first_token.token, second_token.token); // First token should no longer be valid const first_validation = is_token_valid(first_token.token); t.false(first_validation.valid); // Second token should be valid const second_validation = is_token_valid(second_token.token); t.true(second_validation.valid); }); test('password strength validation edge cases', async (t) => { // Create environment variable with authentication const settings_data = { authentication: { password_hash: await bcrypt.hash('old_password_123', 12), created_at: new Date().toISOString(), last_updated: new Date().toISOString(), failed_attempts: {}, rate_limits: {} } }; process.env.JOYSTICK_DB_SETTINGS = JSON.stringify(settings_data); // Test null password let error = await t.throwsAsync(async () => { await change_password(null, '192.168.1.100'); }); t.is(error.message, 'Password is required'); // Test undefined password error = await t.throwsAsync(async () => { await change_password(undefined, '192.168.1.100'); }); t.is(error.message, 'Password is required'); // Test non-string password error = await t.throwsAsync(async () => { await change_password(123456789012, '192.168.1.100'); }); t.is(error.message, 'Password is required'); // Test exactly 12 characters (should pass) const result = await change_password('exactly12chr', '192.168.1.100'); t.true(result.success); });