test: Improve TOTP tests

src/test/java/io/supertokens/test/totp/TOTPRecipeTest.java

@@ -234,7 +234,21 @@ public void createDeviceAndVerifyCodeTest() throws Exception {
         TOTPUsedCode[] usedCodes = getAllUsedCodesUtil(result.storage, "user");
         TOTPUsedCode latestCode = usedCodes[0];
         assert latestCode.isValid == false;
-        assert latestCode.expiryTime - latestCode.createdTime == 3000; // it should be 3s because of device1
+        assert latestCode.expiryTime - latestCode.createdTime == 3000; // it should be 3s because of device1 (i.e. max(device1Exp, device2Exp))
+
+        // Now verify device2:
+        Totp.verifyDevice(main, "user", device2.deviceName, generateTotpCode(main, device2));
+
+        // device1: unverified, device2: verified
+        // Valid code & allowUnverifiedDevice = false:
+        assertThrows(
+                InvalidTotpException.class,
+                () -> Totp.verifyCode(main, "user", generateTotpCode(main, device), false));
+        Totp.verifyCode(main, "user", generateTotpCode(main, device2), false);
+
+        // Valid code & allowUnverifiedDevice = true:
+        Totp.verifyCode(main, "user", generateTotpCode(main, device), true);
+        Totp.verifyCode(main, "user", generateTotpCode(main, device2), true);
     }
 
     /*
@@ -248,7 +262,7 @@ public int triggerAndCheckRateLimit(Main main, TOTPDevice device) throws Excepti
         // First N attempts should fail with invalid code:
         // This is to trigger rate limiting
         for (int i = 0; i < N; i++) {
-            String code = "ic-" + i;
+            String code = "ic-" + i; // ic = invalid code
             assertThrows(
                     InvalidTotpException.class,
                     () -> Totp.verifyCode(main, "user", code, true));
@@ -487,6 +501,8 @@ public void updateDeviceNameTest() throws Exception {
         // Try update device name to an already existing device name:
         assertThrows(DeviceAlreadyExistsException.class,
                 () -> Totp.updateDeviceName(main, "user", "device2", "new-device-name"));
+        // Try to rename to the same name: (Should work)
+        Totp.updateDeviceName(main, "user", "device2", "device2");
     }
 
     @Test

src/test/java/io/supertokens/test/totp/api/VerifyTotpAPITest.java

@@ -193,7 +193,7 @@ public void testApi() throws Exception {
             assert res.get("status").getAsString().equals("OK");
 
             // try to reuse the same code (replay attack)
-            body.addProperty("totp", "mycode");
+            body.addProperty("totp", validTotp);
             JsonObject res2 = HttpRequestForTesting.sendJsonPOSTRequest(
                     process.getProcess(),
                     "",
@@ -206,6 +206,20 @@ public void testApi() throws Exception {
                     "totp");
             assert res2.get("status").getAsString().equals("INVALID_TOTP_ERROR");
 
+            // Try with a new valid code during rate limiting:
+            body.addProperty("totp", TOTPRecipeTest.generateTotpCode(process.getProcess(), device));
+            res = HttpRequestForTesting.sendJsonPOSTRequest(
+                    process.getProcess(),
+                    "",
+                    "http://localhost:3567/recipe/totp/verify",
+                    body,
+                    1000,
+                    1000,
+                    null,
+                    Utils.getCdiVersionLatestForTests(),
+                    "totp");
+            assert res.get("status").getAsString().equals("LIMIT_REACHED_ERROR");
+
             // try verifying device for a non-existent user
             body.addProperty("userId", "non-existent-user");
             JsonObject res5 = HttpRequestForTesting.sendJsonPOSTRequest(