/** * Phase 2 adversarial — JWT forgery, brute-force, and password attacks. * * The JWT secret is in docker-compose.test.yml as a fixed value — these * tests do NOT try to forge tokens using that secret (that would only * prove HS256 works). Instead they assert the *failure* paths: alg:none, * tampered signature, expired sessions, wrong role. */ import { test, expect } from '../../fixtures/test'; const BASE = process.env.E2E_FRONTEND_URL ?? 'http://localhost:3101'; /** RFC-4648 base64url with no padding. */ function b64u(s: string) { return Buffer.from(s).toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_'); } test.describe('Adversarial — JWT', () => { test('alg:none token claiming admin role is rejected', async () => { const header = b64u(JSON.stringify({ alg: 'none', typ: 'JWT' })); const payload = b64u(JSON.stringify({ sub: '00000000-0000-0000-0000-000000000000', role: 'admin', event_id: '00000000-0000-0000-0000-000000000000', exp: Math.floor(Date.now() / 1000) + 3600, })); const token = `${header}.${payload}.`; const res = await fetch(`${BASE}/api/v1/admin/config`, { headers: { Authorization: `Bearer ${token}` }, }); expect(res.status).toBe(401); }); test('JWT with valid structure but bogus signature is rejected', async ({ guest }) => { const g = await guest('SigForge'); const parts = g.jwt.split('.'); // Replace the signature with random bytes of the same length. const fakeSig = parts[2].split('').reverse().join(''); const tampered = `${parts[0]}.${parts[1]}.${fakeSig}`; const res = await fetch(`${BASE}/api/v1/me/context`, { headers: { Authorization: `Bearer ${tampered}` }, }); expect(res.status).toBe(401); }); test('JWT with payload-tampered role=admin (re-encoded payload, original signature) is rejected', async ({ guest }) => { const g = await guest('RolePromote'); const parts = g.jwt.split('.'); const original = JSON.parse(Buffer.from(parts[1], 'base64url').toString()); const escalated = { ...original, role: 'admin' }; const newPayload = b64u(JSON.stringify(escalated)); const tampered = `${parts[0]}.${newPayload}.${parts[2]}`; const res = await fetch(`${BASE}/api/v1/admin/config`, { headers: { Authorization: `Bearer ${tampered}` }, }); // Signature won't match the new payload → middleware must return 401, not 403. expect(res.status).toBe(401); }); test('JWT for a session that was deleted (logout) is rejected', async ({ guest, api }) => { const g = await guest('LoggedOut'); await api.logout(g.jwt); const res = await fetch(`${BASE}/api/v1/me/context`, { headers: { Authorization: `Bearer ${g.jwt}` }, }); expect(res.status).toBe(401); }); test('Authorization header without "Bearer " prefix is rejected', async ({ guest }) => { const g = await guest('NoBearer'); const res = await fetch(`${BASE}/api/v1/me/context`, { headers: { Authorization: g.jwt }, }); expect([401, 403]).toContain(res.status); }); test('missing Authorization header on protected route returns 401', async () => { const res = await fetch(`${BASE}/api/v1/me/context`); expect(res.status).toBe(401); }); }); test.describe('Adversarial — PIN brute-force', () => { test('sequential wrong-PIN attempts lock the account after 3 attempts', async ({ guest }) => { const g = await guest('Brute'); const wrong = g.pin === '0000' ? '1111' : '0000'; // Do them serially so the failed_pin_attempts counter increments // monotonically. Parallel attempts race and may never accumulate to 3 in // the current handler implementation — that's a separate finding. const statuses: number[] = []; for (let i = 0; i < 4; i++) { const r = await fetch(`${BASE}/api/v1/recover`, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ display_name: g.displayName, pin: wrong }), }); statuses.push(r.status); } // First three are 401, fourth (or later) is 429. expect(statuses.filter((s) => s === 200)).toHaveLength(0); expect(statuses.some((s) => s === 429)).toBe(true); // Now even the correct PIN fails until lockout expires. const correct = await fetch(`${BASE}/api/v1/recover`, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ display_name: g.displayName, pin: g.pin }), }); expect(correct.status).toBe(429); }); test('parallel wrong-PIN attempts may NOT all hit lockout (race-condition finding)', async ({ guest }) => { const g = await guest('BruteParallel'); const wrong = g.pin === '0000' ? '1111' : '0000'; const attempts = await Promise.all( Array.from({ length: 10 }, () => fetch(`${BASE}/api/v1/recover`, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ display_name: g.displayName, pin: wrong }), }) ) ); const statuses = attempts.map((r) => r.status); expect(statuses.filter((s) => s === 200)).toHaveLength(0); // Documented behavior: lockout counter may race so not every status is 429. // Critical invariant: no attempt succeeded. if (!statuses.some((s) => s === 429)) { console.warn('[finding] PIN-attempt counter races under parallel requests — none hit lockout.'); } }); }); test.describe('Adversarial — admin password brute-force', () => { test('repeated wrong passwords do NOT lock the admin (documented finding)', async () => { // The admin login handler does not currently implement lockout. This test // documents the behavior so any future change is intentional. const attempts = await Promise.all( Array.from({ length: 10 }, () => fetch(`${BASE}/api/v1/admin/login`, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ password: 'wrong-' + Math.random() }), }) ) ); const statuses = attempts.map((r) => r.status); expect(statuses.every((s) => s === 401)).toBe(true); console.warn('[finding] /admin/login has no rate-limit or lockout — bcrypt cost is the only defense.'); }); });