Commit 6deed66e authored by Douwe Maan's avatar Douwe Maan Committed by James Lopez

Merge branch 'sh-fix-otp-backup-invalidation-10-5' into 'security-10-5'

Ensure that OTP backup codes are always invalidated - 10.5 port

See merge request gitlab/gitlabhq!2324
parent 5d129709
...@@ -56,6 +56,7 @@ module AuthenticatesWithTwoFactor ...@@ -56,6 +56,7 @@ module AuthenticatesWithTwoFactor
session.delete(:otp_user_id) session.delete(:otp_user_id)
remember_me(user) if user_params[:remember_me] == '1' remember_me(user) if user_params[:remember_me] == '1'
user.save!
sign_in(user) sign_in(user)
else else
user.increment_failed_attempts! user.increment_failed_attempts!
......
---
title: Ensure that OTP backup codes are always invalidated
merge_request:
author:
type: security
...@@ -145,6 +145,18 @@ feature 'Login' do ...@@ -145,6 +145,18 @@ feature 'Login' do
expect { enter_code(codes.sample) } expect { enter_code(codes.sample) }
.to change { user.reload.otp_backup_codes.size }.by(-1) .to change { user.reload.otp_backup_codes.size }.by(-1)
end end
it 'invalidates backup codes twice in a row' do
random_code = codes.delete(codes.sample)
expect { enter_code(random_code) }
.to change { user.reload.otp_backup_codes.size }.by(-1)
gitlab_sign_out
gitlab_sign_in(user)
expect { enter_code(codes.sample) }
.to change { user.reload.otp_backup_codes.size }.by(-1)
end
end end
context 'with invalid code' do context 'with invalid code' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment