super-productivity/packages/super-sync-server/tests
Johannes Millan 70414145a3
fix(sync): prevent magic link prefetch failures and improve auth resilience (#7175)
* fix(sync): prevent magic link prefetch failures and improve auth resilience

- Make /magic-login prefetch-immune: GET now renders a confirmation page
  instead of consuming the single-use token. A "Log In" button triggers
  POST /api/login/magic-link/verify which does the actual verification.
  This prevents email client link prefetchers (Outlook SafeLinks, Gmail)
  from consuming magic link tokens before users click them.

- Increase rate limits on auth endpoints for shared-IP scenarios (e.g.
  university NAT). Global: 100→500, register: 10→50, login: 5→30,
  verify: 10→50, magic-login page: 10→50.

- Add trustProxy to Fastify so req.ip uses X-Forwarded-For behind
  reverse proxies instead of collapsing all clients to one rate bucket.

- Clear stale SuperSync auth tokens after 3 consecutive AuthFailSPErrors
  instead of never clearing them. Prevents persistent failure loops where
  an invalid token keeps retrying indefinitely until app reinstall.

- Improve registration-to-login UX messaging to emphasize email
  verification is required before login links will work.

https://claude.ai/code/session_01WkbLzvhguQwRDtk7ht38aY

* chore: update package-lock.json from npm install

https://claude.ai/code/session_01WkbLzvhguQwRDtk7ht38aY

* fix(sync): address review feedback for auth resilience

- Remove conflicting style.css link from magic-login page
- Change trustProxy from true to 1 (trust single hop only)
- Increase /login/magic-link rate limit from 30 to 50 per 15min
- Delete dead magic-login-redirect.js (replaced by magic-login-confirm.js)
- Reset auth failure counter on non-auth errors (truly consecutive)
- Add test for counter reset on non-auth error between auth errors

https://claude.ai/code/session_01WkbLzvhguQwRDtk7ht38aY

* fix(sync): increase passkey rate limits and fix CSP inline script violations

- Increase passkey endpoint rate limits to match magic-link equivalents (50/15min)
- Extract inline scripts from /reset-password and /recover-passkey pages
  into external JS files to comply with CSP scriptSrc: ["'self'"]
- Remove dead safeJsonForScript helper (no longer needed)
- Increase /recover-passkey page rate limit to 50/15min for consistency

https://claude.ai/code/session_01WkbLzvhguQwRDtk7ht38aY

* fix(sync): update security tests for escapeHtml and fix recover/passkey rate limit

- Update server-security.spec.ts: tests now check for escapeHtml output
  (<, ") instead of safeJsonForScript output (\u003c), matching
  the new data-token attribute approach
- Increase /recover/passkey rate limit from 30 to 50 per 15min to match
  /login/magic-link (both send email with a secret link)

https://claude.ai/code/session_01WkbLzvhguQwRDtk7ht38aY

* fix(sync): reset auth failure counter after successful download

Move the counter reset from the final InSync return to right after
downloadRemoteOps() succeeds. This ensures early returns (cancelled,
LWW pending, payload rejected) also break the consecutive-failure
chain, since a successful download confirms auth is working.

https://claude.ai/code/session_01WkbLzvhguQwRDtk7ht38aY

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-04-10 14:46:57 +02:00
..
integration fix(sync): preserve own vector clock counter across full-state op resets 2026-04-01 15:41:13 +02:00
api.routes.spec.ts Pr 6741 (#6743) 2026-03-05 21:17:59 +01:00
auth-flows.spec.ts Pr 6741 (#6743) 2026-03-05 21:17:59 +01:00
cleanup.spec.ts test(sync): add comprehensive tests for retention configuration 2025-12-28 12:13:45 +01:00
config.spec.ts feat(cors): normalize domain to lowercase and validate non-empty origins 2026-01-24 21:14:57 +01:00
conflict-detection.spec.ts fix(sync): preserve own vector clock counter across full-state op resets 2026-04-01 15:41:13 +02:00
decompress-body.spec.ts fix(sync): handle base64-encoded gzip from Android clients 2025-12-28 10:37:45 +01:00
device.service.spec.ts refactor(sync): extract DeviceService and OperationDownloadService 2025-12-27 20:43:25 +01:00
duplicate-operation-precheck.spec.ts fix(sync): prevent duplicate operation from aborting batch upload 2025-12-31 16:39:55 +01:00
email.spec.ts Fix super-sync server auth and snapshot safety 2025-12-12 20:48:13 +01:00
gap-detection.spec.ts fix(sync): preserve own vector clock counter across full-state op resets 2026-04-01 15:41:13 +02:00
magic-link-registration.spec.ts fix(sync): preserve own vector clock counter across full-state op resets 2026-04-01 15:41:13 +02:00
middleware.spec.ts Pr 6741 (#6743) 2026-03-05 21:17:59 +01:00
operation-download.service.spec.ts refactor(sync): improve vector clock implementation quality 2026-03-17 13:59:40 +01:00
passkey.spec.ts test(sync): fix failing unit tests for recent server changes 2026-01-24 21:14:58 +01:00
password-reset-api.spec.ts Revert "feat(sync): add rolling JWT token refresh on sync requests" 2026-02-02 17:15:13 +01:00
password-reset.spec.ts fix(security): address critical and high severity vulnerabilities 2025-12-31 12:15:56 +01:00
rate-limit.service.spec.ts refactor(sync): extract services from SyncService and migrate tests to Prisma 2025-12-27 20:38:26 +01:00
registration-api.spec.ts chore(sync-server): update npm scripts and expand legal docs 2025-12-15 13:47:42 +01:00
replace-token-expiry.spec.ts fix(sync): fix supersync server unit test failures 2026-03-22 10:10:19 +01:00
request-deduplication.service.spec.ts refactor(sync): extract services from SyncService and migrate tests to Prisma 2025-12-27 20:38:26 +01:00
retention-config.spec.ts fix(security): address critical and high severity vulnerabilities 2025-12-31 12:15:56 +01:00
security-fixes.spec.ts test(sync): fix failing unit tests for recent server changes 2026-01-24 21:14:58 +01:00
server-security.spec.ts fix(sync): prevent magic link prefetch failures and improve auth resilience (#7175) 2026-04-10 14:46:57 +02:00
setup.ts fix(sync): fix supersync server unit test failures 2026-03-22 10:10:19 +01:00
snapshot-skip-optimization.spec.ts test(sync-server): add comprehensive edge case tests for snapshot skip 2025-12-17 11:42:32 +01:00
snapshot.service.spec.ts fix(sync): preserve own vector clock counter across full-state op resets 2026-04-01 15:41:13 +02:00
storage-quota-cleanup.spec.ts fix(sync): fix supersync server unit test failures 2026-03-22 10:10:19 +01:00
storage-quota.service.spec.ts refactor(sync): extract StorageQuotaService from SyncService 2025-12-27 20:48:08 +01:00
sync-fixes.spec.ts fix(sync): fix supersync server unit test failures 2026-03-22 10:10:19 +01:00
sync-operations.spec.ts fix(sync): preserve own vector clock counter across full-state op resets 2026-04-01 15:41:13 +02:00
sync-types.spec.ts test(sync): add vector clock pruning edge case tests (#6506) 2026-02-13 12:42:36 +01:00
sync.routes.spec.ts refactor(sync): unify JWT expiry to 365 days for all auth methods 2026-02-16 18:44:27 +01:00
sync.service.spec.ts fix(sync): preserve own vector clock counter across full-state op resets 2026-04-01 15:41:13 +02:00
sync.service.test-state.ts refactor(sync): remove tombstone system 2025-12-28 12:08:28 +01:00
time-tracking-operations.spec.ts fix(sync): preserve own vector clock counter across full-state op resets 2026-04-01 15:41:13 +02:00
validation.service.spec.ts fix(sync-server): reject empty/whitespace-only entityId in validation 2026-01-02 13:58:07 +01:00
websocket-connection.service.spec.ts feat(sync): add Helm chart and WebSocket push for SuperSync (#6971) 2026-03-30 21:34:30 +02:00
websocket.routes.spec.ts feat(sync): add Helm chart and WebSocket push for SuperSync (#6971) 2026-03-30 21:34:30 +02:00