From 2d8080098d1fdf421754bdb5094f465b9d33accd Mon Sep 17 00:00:00 2001 From: Sattvik Chakravarthy Date: Wed, 20 Mar 2024 18:59:19 +0530 Subject: [PATCH] fix: changelog and test --- CHANGELOG.md | 5 ++++ .../supertokens/test/totp/TOTPRecipeTest.java | 26 ++++++++++++++++--- 2 files changed, 27 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index aaf903f10..6474eb568 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [9.0.1] - 2024-03-20 + +- Fixes verify TOTP and verify device APIs to treat any code as invalid +- Fixes the computation of the number of failed attempts when return `INVALID_TOTP_ERROR` + ## [9.0.0] - 2024-03-13 ### Added diff --git a/src/test/java/io/supertokens/test/totp/TOTPRecipeTest.java b/src/test/java/io/supertokens/test/totp/TOTPRecipeTest.java index d5147e2d2..8177878ef 100644 --- a/src/test/java/io/supertokens/test/totp/TOTPRecipeTest.java +++ b/src/test/java/io/supertokens/test/totp/TOTPRecipeTest.java 
@@ -348,15 +348,33 @@ public void rateLimitCooldownTest() throws Exception { // Wait for 1 second (Should cool down rate limiting): Thread.sleep(1000); // But again try with invalid code: - assertThrows(InvalidTotpException.class, () -> Totp.verifyCode(main, "user", "invalid0")); - assertThrows(InvalidTotpException.class, () -> Totp.verifyCode(main, "user", "invalid0")); - assertThrows(InvalidTotpException.class, () -> Totp.verifyCode(main, "user", "invalid0")); + InvalidTotpException invalidTotpException = assertThrows(InvalidTotpException.class, + () -> Totp.verifyCode(main, "user", "invalid0")); + assertEquals(1, invalidTotpException.currentAttempts); + invalidTotpException = assertThrows(InvalidTotpException.class, () -> Totp.verifyCode(main, "user", "invalid0")); + assertEquals(2, invalidTotpException.currentAttempts); + invalidTotpException = assertThrows(InvalidTotpException.class, () -> Totp.verifyCode(main, "user", "invalid0")); + assertEquals(3, invalidTotpException.currentAttempts); + // This triggered rate limiting again. 
So even valid codes will fail for // another cooldown period: - assertThrows(LimitReachedException.class, + LimitReachedException limitReachedException = assertThrows(LimitReachedException.class, () -> Totp.verifyCode(main, "user", generateTotpCode(main, device))); + assertEquals(3, limitReachedException.currentAttempts); // Wait for 1 second (Should cool down rate limiting): Thread.sleep(1000); + + // test that after cool down, we can retry invalid codes N times again + invalidTotpException = assertThrows(InvalidTotpException.class, + () -> Totp.verifyCode(main, "user", "invalid0")); + assertEquals(1, invalidTotpException.currentAttempts); + invalidTotpException = assertThrows(InvalidTotpException.class, () -> Totp.verifyCode(main, "user", "invalid0")); + assertEquals(2, invalidTotpException.currentAttempts); + invalidTotpException = assertThrows(InvalidTotpException.class, () -> Totp.verifyCode(main, "user", "invalid0")); + assertEquals(3, invalidTotpException.currentAttempts); + + Thread.sleep(1100); + // Now try with valid code: Totp.verifyCode(main, "user", generateTotpCode(main, device)); // Now invalid code shouldn't trigger rate limiting. Unless you do it N times:
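Review bot: The third invalid-code cycle added after the second `Thread.sleep(1000)` asserts `currentAttempts` reaching 3 but never asserts that the limiter re-arms, so the "we can retry invalid codes N times again" section does not actually prove the rate limit triggers a second time before the `Thread.sleep(1100)`; add `assertThrows(LimitReachedException.class, () -> Totp.verifyCode(main, "user", generateTotpCode(main, device)));` before that sleep, mirroring the check done in the first cycle. The 1100 ms sleep also differs from the two 1000 ms sleeps above it with no explanation; if the extra margin is there because the cool-down is measured from the last failed attempt, a comment such as `// 1 s cool-down plus margin, since the window starts at the last failed attempt` should say so, and the earlier sleeps are presumably exposed to the same race. Every failed attempt in this hunk uses the non-numeric string `"invalid0"`; given the changelog entry about treating any code as invalid, it would be worth one extra pass with a well-formed but wrong code, e.g. `"000000"`, to pin that both malformed and plausible guesses feed the same counter, since the latter is the brute-force case the limiter is meant to defend. `rateLimitCooldownTest` continues past the end of this hunk.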