Test that demonstrates issue that both types of magic token are interchangable

Lan2u · Lan2u · commit b68b2ac00473 · 2026-03-20T21:16:49.000Z
diff --git a/src/authentication/login/magic-link.ts b/src/authentication/login/magic-link.ts
@@ -20,7 +20,7 @@ const MagicLinkQuery = t.strict({
   token: t.string,
 });
 
-const decodeMagicLinkFromQuery =
+export const decodeMagicLinkFromQuery =
   (logger: Logger, conf: Config) => (input: unknown) =>
     pipe(
       input,
diff --git a/tests/authentication/magic-links.test.ts b/tests/authentication/magic-links.test.ts
@@ -0,0 +1,57 @@
+import { faker } from "@faker-js/faker";
+import { magicLink } from "../../src/authentication";
+import { Config } from "../../src/configuration";
+import { User } from "../../src/types/user";
+import { EmailAddress } from "../../src/types";
+import { createEmailVerificationLink, decodeEmailVerificationLink } from "../../src/authentication/verify-email/email-verification-link";
+import * as E from 'fp-ts/Either';
+import pino from "pino";
+import { Request } from 'express';
+import { decodeMagicLinkFromQuery } from "../../src/authentication/login/magic-link";
+import { getRightOrFail } from "../helpers";
+
+const reqWithQuery = (link: string): Request => ({
+    query: Object.fromEntries(new URL(link).searchParams.entries())
+} as unknown as Request);
+
+describe('magic links', () => {
+    const conf = {
+        TOKEN_SECRET: 'secret',
+        PUBLIC_URL: 'https://members.makespace.example',
+    } as Config;
+    const logger = pino({level: 'silent'});
+
+    describe('generates a login and a verification link', () => {
+        const user: User = {
+            emailAddress: faker.internet.email() as EmailAddress,
+            memberNumber: faker.number.int(),
+        };
+        let loginLink: string;
+        let verificationLink: string;
+        beforeEach(() => {
+            loginLink = magicLink.create(conf)(user);
+            verificationLink = createEmailVerificationLink(conf)(user);
+        });
+
+        it('login link does not decode as an email verification link', () => {
+            const req = reqWithQuery(loginLink);
+            expect(E.isLeft(decodeEmailVerificationLink(logger, conf)(req))).toBeTruthy();
+        });
+
+        it('email verification link does not decode as a login link', () => {
+            const req = reqWithQuery(verificationLink);
+            expect(E.isLeft(decodeMagicLinkFromQuery(logger, conf)(req.query))).toBeTruthy();
+        });
+
+        it('login link does decode as an login link', () => {
+            const req = reqWithQuery(loginLink);
+            expect(getRightOrFail(decodeMagicLinkFromQuery(logger, conf)(req.query))).toStrictEqual(user);
+        });
+
+        it('email verification link does decode as an email verification link', () => {
+            const req = reqWithQuery(verificationLink);
+            expect(getRightOrFail(decodeEmailVerificationLink(logger, conf)(req))).toStrictEqual(user);
+        });
+    });
+
+});
