From 6221b36b278c02cdbf5b6d1c0753654b506b44fd Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Wed, 6 Apr 2022 20:58:12 +0200 Subject: Remove sign-in token authentication, instead send e-mail about new sign-in (#17970) --- spec/controllers/auth/sessions_controller_spec.rb | 151 ---------------------- 1 file changed, 151 deletions(-) (limited to 'spec/controllers/auth/sessions_controller_spec.rb') diff --git a/spec/controllers/auth/sessions_controller_spec.rb b/spec/controllers/auth/sessions_controller_spec.rb index 64ec7b794..1b8fd0b7b 100644 --- a/spec/controllers/auth/sessions_controller_spec.rb +++ b/spec/controllers/auth/sessions_controller_spec.rb @@ -225,22 +225,6 @@ RSpec.describe Auth::SessionsController, type: :controller do end end - context 'using email and password after an unfinished log-in attempt with a sign-in token challenge' do - let!(:other_user) do - Fabricate(:user, email: 'z@y.com', password: 'abcdefgh', otp_required_for_login: false, current_sign_in_at: 1.month.ago) - end - - before do - post :create, params: { user: { email: other_user.email, password: other_user.password } } - post :create, params: { user: { email: user.email, password: user.password } } - end - - it 'renders two factor authentication page' do - expect(controller).to render_template("two_factor") - expect(controller).to render_template(partial: "_otp_authentication_form") - end - end - context 'using upcase email and password' do before do post :create, params: { user: { email: user.email.upcase, password: user.password } } @@ -266,21 +250,6 @@ RSpec.describe Auth::SessionsController, type: :controller do end end - context 'using a valid OTP, attempting to leverage previous half-login to bypass password auth' do - let!(:other_user) do - Fabricate(:user, email: 'z@y.com', password: 'abcdefgh', otp_required_for_login: false, current_sign_in_at: 1.month.ago) - end - - before do - post :create, params: { user: { email: other_user.email, password: other_user.password } } - post :create, params: { user: { email: user.email, otp_attempt: user.current_otp } }, session: { attempt_user_updated_at: user.updated_at.to_s } - end - - it "doesn't log the user in" do - expect(controller.current_user).to be_nil - end - end - context 'when the server has an decryption error' do before do allow_any_instance_of(User).to receive(:validate_and_consume_otp!).and_raise(OpenSSL::Cipher::CipherError) @@ -401,126 +370,6 @@ RSpec.describe Auth::SessionsController, type: :controller do end end end - - context 'when 2FA is disabled and IP is unfamiliar' do - let!(:user) { Fabricate(:user, email: 'x@y.com', password: 'abcdefgh', current_sign_in_at: 3.weeks.ago) } - - before do - request.remote_ip = '10.10.10.10' - request.user_agent = 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0' - - allow(UserMailer).to receive(:sign_in_token).and_return(double('email', deliver_later!: nil)) - end - - context 'using email and password' do - before do - post :create, params: { user: { email: user.email, password: user.password } } - end - - it 'renders sign in token authentication page' do - expect(controller).to render_template("sign_in_token") - end - - it 'generates sign in token' do - expect(user.reload.sign_in_token).to_not be_nil - end - - it 'sends sign in token e-mail' do - expect(UserMailer).to have_received(:sign_in_token) - end - end - - context 'using email and password after an unfinished log-in attempt to a 2FA-protected account' do - let!(:other_user) do - Fabricate(:user, email: 'z@y.com', password: 'abcdefgh', otp_required_for_login: true, otp_secret: User.generate_otp_secret(32)) - end - - before do - post :create, params: { user: { email: other_user.email, password: other_user.password } } - post :create, params: { user: { email: user.email, password: user.password } } - end - - it 'renders sign in token authentication page' do - expect(controller).to render_template("sign_in_token") - end - - it 'generates sign in token' do - expect(user.reload.sign_in_token).to_not be_nil - end - - it 'sends sign in token e-mail' do - expect(UserMailer).to have_received(:sign_in_token) - end - end - - context 'using email and password after an unfinished log-in attempt with a sign-in token challenge' do - let!(:other_user) do - Fabricate(:user, email: 'z@y.com', password: 'abcdefgh', otp_required_for_login: false, current_sign_in_at: 1.month.ago) - end - - before do - post :create, params: { user: { email: other_user.email, password: other_user.password } } - post :create, params: { user: { email: user.email, password: user.password } } - end - - it 'renders sign in token authentication page' do - expect(controller).to render_template("sign_in_token") - end - - it 'generates sign in token' do - expect(user.reload.sign_in_token).to_not be_nil - end - - it 'sends sign in token e-mail' do - expect(UserMailer).to have_received(:sign_in_token).with(user, any_args) - end - end - - context 'using a valid sign in token' do - before do - user.generate_sign_in_token && user.save - post :create, params: { user: { sign_in_token_attempt: user.sign_in_token } }, session: { attempt_user_id: user.id, attempt_user_updated_at: user.updated_at.to_s } - end - - it 'redirects to home' do - expect(response).to redirect_to(root_path) - end - - it 'logs the user in' do - expect(controller.current_user).to eq user - end - end - - context 'using a valid sign in token, attempting to leverage previous half-login to bypass password auth' do - let!(:other_user) do - Fabricate(:user, email: 'z@y.com', password: 'abcdefgh', otp_required_for_login: false, current_sign_in_at: 1.month.ago) - end - - before do - user.generate_sign_in_token && user.save - post :create, params: { user: { email: other_user.email, password: other_user.password } } - post :create, params: { user: { email: user.email, sign_in_token_attempt: user.sign_in_token } }, session: { attempt_user_updated_at: user.updated_at.to_s } - end - - it "doesn't log the user in" do - expect(controller.current_user).to be_nil - end - end - - context 'using an invalid sign in token' do - before do - post :create, params: { user: { sign_in_token_attempt: 'wrongotp' } }, session: { attempt_user_id: user.id, attempt_user_updated_at: user.updated_at.to_s } - end - - it 'shows a login error' do - expect(flash[:alert]).to match I18n.t('users.invalid_sign_in_token') - end - - it "doesn't log the user in" do - expect(controller.current_user).to be_nil - end - end - end end describe 'GET #webauthn_options' do -- cgit