Merge pull request #98 from johnnygerard/ajv

feat: add JSON parsing and validation with ajv

Author: johnnygerard

client/e2e/log-in-user.function.ts

@@ -1,5 +1,6 @@
 import { expect, Page } from "@playwright/test";
 import { CREATED } from "_server/constants/http-status-code";
+import { Credentials } from "_server/types/credentials";
 
 /**
  * Fill out and submit the login form while verifying the response status.
@@ -9,10 +10,7 @@ import { CREATED } from "_server/constants/http-status-code";
  */
 export const logInUser = async (
   page: Page,
-  credentials: {
-    username: string;
-    password: string;
-  },
+  credentials: Credentials,
   expectedStatus = CREATED,
 ): Promise<void> => {
   await page.goto("/sign-in");

client/e2e/register-user.function.ts

@@ -1,6 +1,7 @@
 import { faker } from "@faker-js/faker";
 import { expect, Page } from "@playwright/test";
 import { CREATED } from "_server/constants/http-status-code";
+import { Credentials } from "_server/types/credentials";
 
 /**
  * Fill out and submit the registration form while verifying the response status.
@@ -10,10 +11,7 @@ import { CREATED } from "_server/constants/http-status-code";
  */
 export const registerUser = async (
   page: Page,
-  credentials?: Partial<{
-    username: string;
-    password: string;
-  }>,
+  credentials?: Partial<Credentials>,
   expectedStatus = CREATED,
 ): Promise<void> => {
   await page.goto("/register");

client/e2e/tests/session-revocation.spec.ts

@@ -1,11 +1,12 @@
 import { expect, test } from "@playwright/test";
 import { getFakeCredentials } from "_server/test-helpers/faker-extensions";
+import { Credentials } from "_server/types/credentials";
 import { UserMessage } from "../../src/app/types/user-message.enum";
 import { logInUser } from "../log-in-user.function";
 import { registerUser } from "../register-user.function";
 
 test.describe("Session revocation", () => {
-  let credentials: { username: string; password: string };
+  let credentials: Credentials;
 
   test.beforeEach(async ({ browser, page }) => {
     const context = await browser.newContext();

client/playwright.config.ts

@@ -11,7 +11,7 @@ import ms from "ms";
  * See https://playwright.dev/docs/test-configuration.
  */
 export default defineConfig({
-  timeout: ms("10 seconds"),
+  timeout: ms("20 seconds"),
   globalTimeout: ms("5 minutes"),
   testDir: "./e2e",
   /* Run tests in files in parallel */

client/src/app/components/register-form/register-form.component.ts

@@ -136,7 +136,7 @@ export class RegisterFormComponent {
   }
 
   onSubmit(): void {
-    if (!this.form.valid || this.isLoading()) return;
+    if (this.form.invalid || this.isLoading()) return;
     if (this.#passwordStrength.isWorkerBusy()) {
       this.#shouldResubmit = true;
       return;

client/src/app/directives/username-validator.directive.ts

@@ -5,10 +5,7 @@ import {
   ValidationErrors,
   Validator,
 } from "@angular/forms";
-import {
-  usernameHasValidCharacters,
-  usernameHasValidType,
-} from "_server/validation/username";
+import { hasValidUsernameCharacters } from "_server/validation/username";
 
 @Directive({
   selector: "[appUsernameValidator]",
@@ -25,8 +22,7 @@ export class UsernameValidatorDirective implements Validator {
   validate(control: AbstractControl): ValidationErrors | null {
     const username = control.value;
 
-    return usernameHasValidType(username) &&
-      !usernameHasValidCharacters(username)
+    return typeof username === "string" && !hasValidUsernameCharacters(username)
       ? { pattern: "Invalid characters" }
       : null;
   }

server/package-lock.json

@@ -1,5 +1,6 @@
 {
   "dependencies": {
+    "ajv": "^8.17.1",
     "argon2": "^0.41.1",
     "cookie-parser": "^1.4.7",
     "cors": "^2.8.5",

server/package.json

@@ -0,0 +1,19 @@
+import { faker } from "@faker-js/faker";
+import assert from "node:assert/strict";
+import { suite, test } from "node:test";
+import { getLeakedPassword } from "../test-helpers/leaked-passwords.js";
+import { isLeakedPassword } from "./is-leaked-password.js";
+
+suite("The isLeakedPassword function", () => {
+  test("returns true for a leaked password", async () => {
+    const password = getLeakedPassword();
+    const isLeaked = await isLeakedPassword(password);
+    assert(isLeaked, `Password "${password}" is not leaked`);
+  });
+
+  test("returns false for a non-leaked password", async () => {
+    const password = faker.internet.password();
+    const isLeaked = await isLeakedPassword(password);
+    assert(!isLeaked, `Password "${password}" is leaked`);
+  });
+});

server/src/auth/is-leaked-password.test.ts

@@ -8,11 +8,11 @@ import { OK } from "../constants/http-status-code.js";
  * This function queries the Pwned Passwords API using the k-Anonymity model
  * (only a partial digest of the hashed password is sent).
  * @param password - Plaintext password
- * @returns `false` if the password is not exposed or the API server did not
- * reply in time with the 200 status code, `true` if the password is exposed.
+ * @returns `false` if the password is not leaked or the API server did not
+ * reply in time with the 200 status code, `true` if the password is leaked.
  * @see https://haveibeenpwned.com/API/v3#PwnedPasswords
  */
-export const isPasswordExposed = async (password: string): Promise<boolean> => {
+export const isLeakedPassword = async (password: string): Promise<boolean> => {
   try {
     const digest = hash("sha1", password);
     const partialDigest = digest.slice(0, 5);