require 'test_helper'
require 'model_tests_helper'

class OtpAuthenticatableTest < ActiveSupport::TestCase

  def setup
    new_user
  end

  test 'new users have a non-nil secret set' do
    assert_not_nil User.first.otp_auth_secret
  end

  test 'new users have OTP disabled by default' do
    assert !User.first.otp_enabled
  end

  test 'users should have an instance of TOTP/ROTP objects' do
    u = User.first
    assert u.time_based_otp.is_a? ROTP::TOTP
    assert u.recovery_otp.is_a? ROTP::HOTP
  end

  test 'users should have their otp_auth_secret/persistence_seed set on creation' do
    assert User.first.otp_auth_secret
    assert User.first.otp_persistence_seed
  end

  test 'reset_otp_credentials should generate new secrets and disable OTP' do
    u = User.first
    u.update_attribute(:otp_enabled, true)
    assert u.otp_enabled
    otp_auth_secret = u.otp_auth_secret
    otp_persistence_seed = u.otp_persistence_seed

    u.reset_otp_credentials!
    assert !(otp_auth_secret == u.otp_auth_secret)
    assert !(otp_persistence_seed == u.otp_persistence_seed)
    assert !u.otp_enabled
  end

  test 'reset_otp_persistence should generate new persistence_seed but NOT change the otp_auth_secret' do
    u = User.first
    u.update_attribute(:otp_enabled, true)
    assert u.otp_enabled
    otp_auth_secret = u.otp_auth_secret
    otp_persistence_seed = u.otp_persistence_seed

    u.reset_otp_persistence!
    assert (otp_auth_secret == u.otp_auth_secret)
    assert !(otp_persistence_seed == u.otp_persistence_seed)
    assert u.otp_enabled
  end

  test 'generating a challenge, should retrieve the user later' do
    u = User.first
    u.update_attribute(:otp_enabled, true)
    challenge = u.generate_otp_challenge!

    w = User.find_valid_otp_challenge(challenge)
    assert w.is_a? User
    assert_equal w,u
  end

  test 'expiring the challenge, should retrieve nothing' do
    u = User.first
    u.update_attribute(:otp_enabled, true)
    challenge = u.generate_otp_challenge!(1.second)
    sleep(2)

    w = User.find_valid_otp_challenge(challenge)
    assert_nil w
  end

  test 'expired challenges should not be valid' do
    u = User.first
    u.update_attribute(:otp_enabled, true)
    challenge = u.generate_otp_challenge!(1.second)
    sleep(2)
    assert_equal false, u.otp_challenge_valid?
  end

  test 'null otp challenge' do
    u = User.first
    u.update_attribute(:otp_enabled, true)
    assert_equal false, u.validate_otp_token('')
    assert_equal false, u.validate_otp_token(nil)
  end

  test 'generated otp token should be valid for the user' do
    u = User.first
    u.update_attribute(:otp_enabled, true)

    secret = u.otp_auth_secret
    token = ROTP::TOTP.new(secret).now

    assert_equal true, u.validate_otp_token(token)
  end

  test 'generated otp token, out of drift window, should be NOT valid for the user' do
    u = User.first
    u.update_attribute(:otp_enabled, true)

    secret = u.otp_auth_secret

    [3.minutes.from_now, 3.minutes.ago].each do |time|
      token = ROTP::TOTP.new(secret).at(time)
      assert_equal false, u.valid_otp_token?(token)
    end
  end

  test 'recovery secrets should be valid, and valid only once' do
    u = User.first
    u.update_attribute(:otp_enabled, true)
    recovery = u.next_otp_recovery_tokens

    assert u.valid_otp_recovery_token? recovery.fetch(0)
    assert_nil u.valid_otp_recovery_token?(recovery.fetch(0))
    assert u.valid_otp_recovery_token? recovery.fetch(2)
  end
end