diff options
Diffstat (limited to 'spec/controllers/settings/two_factor_authentication/confirmations_controller_spec.rb')
| -rw-r--r-- | spec/controllers/settings/two_factor_authentication/confirmations_controller_spec.rb | 140 |
1 files changed, 76 insertions, 64 deletions
diff --git a/spec/controllers/settings/two_factor_authentication/confirmations_controller_spec.rb b/spec/controllers/settings/two_factor_authentication/confirmations_controller_spec.rb index 336f13127..cdfeef8d6 100644 --- a/spec/controllers/settings/two_factor_authentication/confirmations_controller_spec.rb +++ b/spec/controllers/settings/two_factor_authentication/confirmations_controller_spec.rb @@ -5,8 +5,6 @@ require 'rails_helper' describe Settings::TwoFactorAuthentication::ConfirmationsController do render_views - let(:user) { Fabricate(:user, email: 'local-part@domain', otp_secret: 'thisisasecretforthespecofnewview') } - let(:user_without_otp_secret) { Fabricate(:user, email: 'local-part@domain') } shared_examples 'renders :new' do it 'renders the new view' do @@ -20,87 +18,101 @@ describe Settings::TwoFactorAuthentication::ConfirmationsController do end end - describe 'GET #new' do - context 'when signed in' do - subject do - sign_in user, scope: :user - get :new, session: { challenge_passed_at: Time.now.utc } - end + [true, false].each do |with_otp_secret| + let(:user) { Fabricate(:user, email: 'local-part@domain', otp_secret: with_otp_secret ? 'oldotpsecret' : nil) } - include_examples 'renders :new' - end + describe 'GET #new' do + context 'when signed in and a new otp secret has been setted in the session' do + subject do + sign_in user, scope: :user + get :new, session: { challenge_passed_at: Time.now.utc, new_otp_secret: 'thisisasecretforthespecofnewview' } + end - it 'redirects if not signed in' do - get :new - expect(response).to redirect_to('/auth/sign_in') - end + include_examples 'renders :new' + end - it 'redirects if user do not have otp_secret' do - sign_in user_without_otp_secret, scope: :user - get :new, session: { challenge_passed_at: Time.now.utc } - expect(response).to redirect_to('/settings/two_factor_authentication') - end - end + it 'redirects if not signed in' do + get :new + expect(response).to redirect_to('/auth/sign_in') + end - describe 'POST #create' do - context 'when signed in' do - before do + it 'redirects if a new otp_secret has not been setted in the session' do sign_in user, scope: :user + get :new, session: { challenge_passed_at: Time.now.utc } + expect(response).to redirect_to('/settings/otp_authentication') end + end - describe 'when form_two_factor_confirmation parameter is not provided' do - it 'raises ActionController::ParameterMissing' do - post :create, params: {}, session: { challenge_passed_at: Time.now.utc } - expect(response).to have_http_status(400) + describe 'POST #create' do + context 'when signed in' do + before do + sign_in user, scope: :user end - end - describe 'when creation succeeds' do - it 'renders page with success' do - otp_backup_codes = user.generate_otp_backup_codes! - expect_any_instance_of(User).to receive(:generate_otp_backup_codes!) do |value| - expect(value).to eq user - otp_backup_codes - end - expect_any_instance_of(User).to receive(:validate_and_consume_otp!) do |value, arg| - expect(value).to eq user - expect(arg).to eq '123456' - true + describe 'when form_two_factor_confirmation parameter is not provided' do + it 'raises ActionController::ParameterMissing' do + post :create, params: {}, session: { challenge_passed_at: Time.now.utc, new_otp_secret: 'thisisasecretforthespecofnewview' } + expect(response).to have_http_status(400) end + end - post :create, params: { form_two_factor_confirmation: { otp_attempt: '123456' } }, session: { challenge_passed_at: Time.now.utc } - - expect(assigns(:recovery_codes)).to eq otp_backup_codes - expect(flash[:notice]).to eq 'Two-factor authentication successfully enabled' - expect(response).to have_http_status(200) - expect(response).to render_template('settings/two_factor_authentication/recovery_codes/index') + describe 'when creation succeeds' do + it 'renders page with success' do + otp_backup_codes = user.generate_otp_backup_codes! + expect_any_instance_of(User).to receive(:generate_otp_backup_codes!) do |value| + expect(value).to eq user + otp_backup_codes + end + expect_any_instance_of(User).to receive(:validate_and_consume_otp!) do |value, code, options| + expect(value).to eq user + expect(code).to eq '123456' + expect(options).to eq({ otp_secret: 'thisisasecretforthespecofnewview' }) + true + end + + expect do + post :create, + params: { form_two_factor_confirmation: { otp_attempt: '123456' } }, + session: { challenge_passed_at: Time.now.utc, new_otp_secret: 'thisisasecretforthespecofnewview' } + end.to change { user.reload.otp_secret }.to 'thisisasecretforthespecofnewview' + + expect(assigns(:recovery_codes)).to eq otp_backup_codes + expect(flash[:notice]).to eq 'Two-factor authentication successfully enabled' + expect(response).to have_http_status(200) + expect(response).to render_template('settings/two_factor_authentication/recovery_codes/index') + end end - end - describe 'when creation fails' do - subject do - expect_any_instance_of(User).to receive(:validate_and_consume_otp!) do |value, arg| - expect(value).to eq user - expect(arg).to eq '123456' - false + describe 'when creation fails' do + subject do + expect_any_instance_of(User).to receive(:validate_and_consume_otp!) do |value, code, options| + expect(value).to eq user + expect(code).to eq '123456' + expect(options).to eq({ otp_secret: 'thisisasecretforthespecofnewview' }) + false + end + + expect do + post :create, + params: { form_two_factor_confirmation: { otp_attempt: '123456' } }, + session: { challenge_passed_at: Time.now.utc, new_otp_secret: 'thisisasecretforthespecofnewview' } + end.to not_change { user.reload.otp_secret } end - post :create, params: { form_two_factor_confirmation: { otp_attempt: '123456' } }, session: { challenge_passed_at: Time.now.utc } - end + it 'renders the new view' do + subject + expect(response.body).to include 'The entered code was invalid! Are server time and device time correct?' + end - it 'renders the new view' do - subject - expect(response.body).to include 'The entered code was invalid! Are server time and device time correct?' + include_examples 'renders :new' end - - include_examples 'renders :new' end - end - context 'when not signed in' do - it 'redirects if not signed in' do - post :create, params: { form_two_factor_confirmation: { otp_attempt: '123456' } } - expect(response).to redirect_to('/auth/sign_in') + context 'when not signed in' do + it 'redirects if not signed in' do + post :create, params: { form_two_factor_confirmation: { otp_attempt: '123456' } } + expect(response).to redirect_to('/auth/sign_in') + end end end end |