chore: audit logging (#468)

* chore: audit logs

add audit logs for specific events

* chore: test ci

run ci pipeline

* chore: ci

set working dir for playwright

* chore: ci

set working dir for playwright

* chore: ci

set working dir for playwright

* chore: ci

set working dir for playwright

* chore: ci server

run server using playwright in ci

* chore: ci server

run server using playwright in ci

* chore: db name

update to use test db name

* chore: db name

update to use test db name

* chore: cache playwright

add caching for playwright browser install

* chore: cache playwright

add caching for playwright browser install

* chore: cache playwright

add caching for playwright browser install

* chore: cache playwright

run cached playwright tests

* chore: debug ci

run ci pipeline for debugging

* chore: debug ci

run ci pipeline for debugging

* chore: debug ci

run ci pipeline for debugging

* chore: debug ci

run ci pipeline for debugging

* chore: debug ci

run ci pipeline for debugging

* chore: debug ci

run ci pipeline for debugging

* chore: debug ci

run ci pipeline for debugging

* chore: debug ci

run ci pipeline for debugging

* chore: debug ci

run ci pipeline for debugging

* chore: debug ci

run ci pipeline for debugging

* chore: debug ci

run ci pipeline for debugging

* chore: debug ci

run ci pipeline for debugging

* chore: debug ci

run ci pipeline for debugging

* chore: test ci

test ci pipeline

* chore: test ci

test ci pipeline

* chore: migrator

migrate in ci pipeline

* chore: migrator

migrate in ci pipeline

* chore: migrator

migrate in ci pipeline

* chore: migrator

migrate in ci pipeline

* chore: migrator

migrate in ci pipeline

* chore: migrator

migrate in ci pipeline

* chore: migrator

migrate in ci pipeline

* chore: migrator

migrate in ci pipeline

* chore: event logging

add event logging

* chore: test-env time

add shared var for test env delay

* chore: event tests

add client id to events and test cases

* chore: ci reset

ensure fresh test db in CI

* chore: test utils

use util function in all cases to fill otp

* chore: documentation

add docs for running the e2e suite

Author: jlangy

.github/workflows/otp-provider-tests.yml

@@ -31,15 +31,13 @@ jobs:
 
       - name: Install asdf
         uses: asdf-vm/actions/setup@v3
+
       - name: Cache asdf tools
         uses: actions/cache@v4
         with:
           path: |
             /home/runner/.asdf
-          key: ${{ runner.os }}-${{ hashFiles('**/.tool-versions') }}
-
-      - name: Install asdf
-        uses: asdf-vm/actions/install@v3
+          key: ${{ runner.os }}-${{ hashFiles('docker/otp-provider/.tool-versions') }}
 
       - name: Install app specific asdf plugins
         run: |
@@ -60,10 +58,45 @@ jobs:
           pg_ctl start
           createdb runner || true
           chmod +x ./db-setup.sh
+          psql -U postgres -c 'drop database if exists otp_test';
           ./db-setup.sh otp_test
         working-directory: ./docker/otp-provider/.bin
 
       - name: Run unit tests
         run: |
           yarn test
         working-directory: ./docker/otp-provider
+
+      - name: Cache Playwright browsers
+        uses: actions/cache@v3
+        with:
+          path: ~/.cache/ms-playwright
+          key: ${{ runner.os }}-playwright-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-playwright-
+
+      - name: Install Playwright Browsers
+        run: yarn playwright install --with-deps
+        working-directory: ./docker/otp-provider
+
+      - name: Migrate DB
+        run: |
+          yarn tailwind:build
+          yarn build
+          DB_NAME=otp_test node ./build/migrate.js
+        working-directory: ./docker/otp-provider
+
+      - name: Seed DB
+        run: psql -U postgres -d otp_test -f ./seed.sql
+        working-directory: ./docker/otp-provider/e2e
+
+      - name: Run Playwright tests
+        run: DB_NAME=otp_test yarn playwright test
+        working-directory: ./docker/otp-provider
+
+      - uses: actions/upload-artifact@v4
+        if: ${{ !cancelled() }}
+        with:
+          name: playwright-report
+          path: ./docker/otp-provider/playwright-report/
+          retention-days: 30

docker/otp-provider/.dockerignore

@@ -0,0 +1,8 @@
+build
+node_modules
+e2e
+terraform
+/test-results/
+/playwright-report/
+/blob-report/
+/playwright/.cache/

docker/otp-provider/.gitignore

@@ -1 +1,8 @@
 output.css
+
+# Playwright
+node_modules/
+/test-results/
+/playwright-report/
+/blob-report/
+/playwright/.cache/

docker/otp-provider/README.md

@@ -83,6 +83,20 @@ The app runs locally using tsup to compile the server and client files into the
     'none');
   ```
 
+## End to End Tests
+
+End to end testing is done with playwright. As prerequisite the end-to-end tests need a seeded db. Run the folowing from this directory:
+- `psql -c 'create database otp_test'`;
+- `yarn build && DB_NAME=otp_test node build/migrate.js`
+- `psql -d otp_test -f e2e/seed.sql`
+
+This is only needed the first time to initialize the db. To run the tests run `yarn test:e2e`
+
+For debugging, you can run `yarn playwright test --debug`. This is useful alongside adding `test.only` on the test to debug.
+For auto-generating tests, you can run `yarn playwright codegen` to click through the app and generate a test.
+
+The test-version of the server has a few settings, using the env vars `NODE_ENV=test OTP_RESEND_INTERVAL_MINUTES=[2,3,3,4]`. When NODE_ENV is set to test, code resend intervals will be in seconds instead of minutes, useful for testing lockout functionality. You can adjust the `OTP_RESEND_INTERVAL_MINUTES` array to desired intervals in seconds then. It will also skip the CHES email callouts while in test mode.
+
 ## References
 
 - https://github.com/panva/node-oidc-provider

docker/otp-provider/e2e/email.spec.ts

@@ -0,0 +1,70 @@
+import { test, expect } from '@playwright/test';
+import models from '../src/modules/sequelize/models';
+import { initURL } from './util';
+
+const otpModel = models.get('Otp');
+
+test.beforeEach(async () => {
+  // Reset all OTPs between tests
+  await otpModel.destroy({where: {}});
+});
+
+test('Email Validations', async ({ page }, testInfo) => {
+  await page.goto(initURL);
+  await expect(page.locator('#signin-form')).toMatchAriaSnapshot(`- textbox "Email"`);
+
+  // Empty field validation
+  await expect(page.getByRole('button', { name: 'Continue' })).toBeEnabled();
+  await page.getByRole('button', { name: 'Continue' }).click();
+  await expect(page.locator('#signin-form')).toMatchAriaSnapshot(`
+    - textbox "Email"
+    - text: Email is required.
+    - button "Continue Caution" [disabled]:
+      - img "Caution"
+    `);
+
+  // Re-enables on input change
+  await page.getByRole('textbox', { name: 'Email' }).fill('a@');
+  await expect(page.getByRole('button', { name: 'Continue' })).toBeEnabled();
+
+  // Invalid email message
+  await page.getByRole('button', { name: 'Continue' }).click();
+  await expect(page.locator('#signin-form')).toMatchAriaSnapshot(`
+    - textbox "Email": a@
+    - text: Invalid email.
+    - button "Continue Caution" [disabled]:
+      - img "Caution"
+    `);
+
+  await page.getByRole('textbox', { name: 'Email' }).fill('a@');
+  await expect(page.getByRole('button', { name: 'Continue' })).toBeEnabled();
+  await page.getByRole('button', { name: 'Continue' }).click();
+  await expect(page.locator('#signin-form')).toMatchAriaSnapshot(`
+    - textbox "Email": a@
+    - text: Invalid email.
+    - button "Continue Caution" [disabled]:
+      - img "Caution"
+    `);
+
+  // Proceeds with valid email. To prevent hitting cooldown for the parallel browsers, passing in the browser alias as part of email address.
+  await page.getByRole('textbox', { name: 'Email' }).fill(`${testInfo.project.name}@b.com`);
+  await page.getByRole('button', { name: 'Continue' }).click();
+
+  await page.waitForURL('**/otp')
+
+  await expect(page.getByRole('heading')).toMatchAriaSnapshot(`- heading "Enter your verification code" [level=2]`);
+});
+
+test('Email Cooldown', async ({ page }, testInfo) => {
+  // Fire a login to put the email into cooldown
+  await page.goto(initURL);
+  await page.getByRole('textbox', { name: 'Email' }).fill(`${testInfo.project.name}@b.com`);
+  await page.getByRole('button', { name: 'Continue' }).click();
+
+  // Attempt another login with the same email and expect the cooldown error
+  await page.goto(initURL);
+  await page.getByRole('textbox', { name: 'Email' }).fill(`${testInfo.project.name}@b.com`);
+  await page.getByRole('button', { name: 'Continue' }).click();
+
+  await expect(page.locator('#email-error')).toMatchAriaSnapshot(`- text: /Please wait \\d+ seconds before requesting a new code for this email address\\./`);
+});

docker/otp-provider/e2e/events.spec.ts

@@ -0,0 +1,123 @@
+import { test, expect } from '@playwright/test';
+import models from '../src/modules/sequelize/models';
+import { changeOTP, fillOTP, initURL, clientId } from './util';
+import { config } from '../src/config';
+
+const otpModel = models.get('Otp');
+const eventModel = models.get('Event');
+
+test.beforeEach(async () => {
+  // Reset all OTPs between tests
+  await otpModel.destroy({ where: {} });
+  await eventModel.destroy({ where: {} });
+});
+
+
+test('Send Code Event', async ({ page }, testInfo) => {
+  await page.goto(initURL);
+  const email = `${testInfo.project.name}@b.com`;
+
+  // Enter email and go to OTP page
+  await page.getByRole('textbox', { name: 'Email' }).fill(email);
+  await page.getByRole('button', { name: 'Continue' }).click();
+  await page.waitForURL('**/otp');
+  await expect(page.getByRole('heading')).toMatchAriaSnapshot(`- heading "Enter your verification code" [level=2]`);
+
+  let requestCodeEvents = await eventModel.findAll({ where: { eventType: 'REQUEST_OTP', email, clientId } });
+  let resendCodeEvents = await eventModel.findAll({ where: { eventType: 'RESEND_OTP', email, clientId } });
+
+  expect(requestCodeEvents.length).toBe(1);
+  expect(resendCodeEvents.length).toBe(0);
+
+  // The variable OTP_RESENDS_ALLOWED_PER_DAY is actually sends per day, including the initial. Hence the minus 1 here
+  // Check each new resend creates an event
+  for (let i = 0; i < Number(config.OTP_RESENDS_ALLOWED_PER_DAY) - 1; i++) {
+    await expect(page.locator('#new-code-text')).toMatchAriaSnapshot(
+      `
+        - text: Can't find the code?
+        - button "Resend code"
+        `,
+    );
+    await page.getByRole('button', { name: 'Resend code' }).click();
+    await page.waitForURL('**/otp');
+    resendCodeEvents = await eventModel.findAll({ where: { eventType: 'RESEND_OTP', email, clientId } });
+    expect(resendCodeEvents.length).toBe(i + 1);
+  }
+
+  // Check max_resend event is not trigerred yet. Attempt a new login and expect event to be logged.
+  let maxResendEvents = await eventModel.findAll({ where: { eventType: 'MAX_RESENDS', email, clientId } });
+  expect(maxResendEvents.length).toBe(0);
+  await page.goto(initURL);
+  await page.getByRole('textbox', { name: 'Email' }).fill(email);
+  await page.getByRole('button', { name: 'Continue' }).click();
+
+  await expect(page.locator('#signin-form')).toMatchAriaSnapshot(`
+    - textbox "Email"
+    - text: You have reached the maximum number of OTP requests for today. Please try again tomorrow.
+    - button "Continue"
+    `);
+
+    maxResendEvents = await eventModel.findAll({ where: { eventType: 'MAX_RESENDS', email, clientId } });
+    expect(maxResendEvents.length).toBe(1);
+});
+
+test('Retry code event', async ({page}, testInfo) => {
+  await page.goto(initURL);
+  const email = `${testInfo.project.name}@b.com`;
+
+  // Enter email and go to OTP page
+  await page.getByRole('textbox', { name: 'Email' }).fill(email);
+  await page.getByRole('button', { name: 'Continue' }).click();
+  await page.waitForURL('**/otp');
+
+  const currentOtp = await otpModel
+    .findOne({ where: { email: `${testInfo.project.name}@b.com`, active: true } })
+    .then((res) => res.otp);
+  const wrongOTP = changeOTP(String(currentOtp));
+
+  // Verify at zero to start
+  let invalidOtpEvents = await eventModel.findAll({ where: { eventType: 'INVALID_OTP', email, clientId } });
+  let maxAttemptsEvents = await eventModel.findAll({ where: { eventType: 'MAX_ATTEMPTS', email, clientId } });
+
+  expect(invalidOtpEvents.length).toBe(0);
+  expect(maxAttemptsEvents.length).toBe(0);
+
+  for (let i = 0; i <= Number(config.OTP_ATTEMPTS_ALLOWED); i++) {
+    await fillOTP(wrongOTP, false, page);
+    await page.waitForSelector('#otp-error')
+    invalidOtpEvents = await eventModel.findAll({ where: { eventType: 'INVALID_OTP', email, clientId } });
+    expect(invalidOtpEvents.length).toBe(i + 1);
+
+    if (i === Number(config.OTP_ATTEMPTS_ALLOWED)) {
+      maxAttemptsEvents = await eventModel.findAll({ where: { eventType: 'MAX_ATTEMPTS', email, clientId } });
+      expect(maxAttemptsEvents.length).toBe(1);
+    }
+  }
+});
+
+
+test('Expired OTP Event', async ({page}, testInfo) => {
+  await page.goto(initURL);
+  const email = `${testInfo.project.name}@b.com`;
+
+  // Enter email and go to OTP page
+  await page.getByRole('textbox', { name: 'Email' }).fill(email);
+  await page.getByRole('button', { name: 'Continue' }).click();
+  await page.waitForURL('**/otp');
+
+  const currentOtp = await otpModel
+    .findOne({ where: { email: `${testInfo.project.name}@b.com`, active: true } });
+
+  // Set OTP timestamp to make it expired
+  const fiveMinutesAgo = new Date(Date.now() - 5 * 60 * 1000);
+  await otpModel.update({createdAt: fiveMinutesAgo}, {where: {id: currentOtp.id}} );
+
+  // Verify at zero to start
+  let expiredOtpEvents = await eventModel.findAll({ where: { eventType: 'EXPIRED_OTP', email, clientId } });
+  expect(expiredOtpEvents.length).toBe(0);
+
+  // assert filling in otp creates event
+  await fillOTP(currentOtp.otp, false, page);
+  expiredOtpEvents = await eventModel.findAll({ where: { eventType: 'EXPIRED_OTP', email, clientId } });
+  expect(expiredOtpEvents.length).toBe(1);
+});