diff options
author | Matt Jankowski <mjankowski@thoughtbot.com> | 2017-04-27 09:18:21 -0400 |
---|---|---|
committer | Eugen Rochko <eugen@zeonfederated.com> | 2017-04-27 15:18:21 +0200 |
commit | b48f2cbc8b6b260a8d9b51a26e484a7da1694851 (patch) | |
tree | 1d76a8e5dd8ec92237516963628ac734a02d13da | |
parent | 1736badf28eae2ba42e42f9fef2e151e35d5397a (diff) |
Catch error when server decryption fails on 2FA (#2512)
-rw-r--r-- | app/controllers/auth/sessions_controller.rb | 2 | ||||
-rw-r--r-- | spec/controllers/auth/sessions_controller_spec.rb | 17 |
2 files changed, 19 insertions, 0 deletions
diff --git a/app/controllers/auth/sessions_controller.rb b/app/controllers/auth/sessions_controller.rb index a187ae6da..09e67ec59 100644 --- a/app/controllers/auth/sessions_controller.rb +++ b/app/controllers/auth/sessions_controller.rb @@ -51,6 +51,8 @@ class Auth::SessionsController < Devise::SessionsController def valid_otp_attempt?(user) user.validate_and_consume_otp!(user_params[:otp_attempt]) || user.invalidate_otp_backup_code!(user_params[:otp_attempt]) + rescue OpenSSL::Cipher::CipherError => error + false end def authenticate_with_two_factor diff --git a/spec/controllers/auth/sessions_controller_spec.rb b/spec/controllers/auth/sessions_controller_spec.rb index 2b68b4c5a..393908d97 100644 --- a/spec/controllers/auth/sessions_controller_spec.rb +++ b/spec/controllers/auth/sessions_controller_spec.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'rails_helper' RSpec.describe Auth::SessionsController, type: :controller do @@ -90,6 +92,21 @@ RSpec.describe Auth::SessionsController, type: :controller do end end + context 'when the server has an decryption error' do + before do + allow_any_instance_of(User).to receive(:validate_and_consume_otp!).and_raise(OpenSSL::Cipher::CipherError) + post :create, params: { user: { otp_attempt: user.current_otp } }, session: { otp_user_id: user.id } + end + + it 'shows a login error' do + expect(flash[:alert]).to match I18n.t('users.invalid_otp_token') + end + + it "doesn't log the user in" do + expect(controller.current_user).to be_nil + end + end + context 'using a valid recovery code' do before do post :create, params: { user: { otp_attempt: recovery_codes.first } }, session: { otp_user_id: user.id } |