Commit 5cd526f7 authored by Robert Speicher's avatar Robert Speicher

Prevent "You are already signed in." error message upon 2FA login

parent 76873ce4
class SessionsController < Devise::SessionsController class SessionsController < Devise::SessionsController
prepend_before_action :authenticate_with_two_factor, only: :create prepend_before_action :authenticate_with_two_factor, only: [:create]
# This action comes from DeviseController, but because we call `sign_in`
# manually inside `authenticate_with_two_factor`, not skipping this action
# would cause a "You are already signed in." error message to be shown upon
# successful login.
skip_before_action :require_no_authentication, only: [:create]
def new def new
redirect_path = redirect_path =
...@@ -61,7 +67,7 @@ class SessionsController < Devise::SessionsController ...@@ -61,7 +67,7 @@ class SessionsController < Devise::SessionsController
# Remove any lingering user data from login # Remove any lingering user data from login
session.delete(:otp_user_id) session.delete(:otp_user_id)
sign_in(user) sign_in(user) and return
else else
flash.now[:alert] = 'Invalid two-factor code.' flash.now[:alert] = 'Invalid two-factor code.'
render :two_factor and return render :two_factor and return
......
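Review bot: The new `skip_before_action :require_no_authentication, only: [:create]` removes Devise's already-signed-in guard for every `create` request, not only for the second step of the 2FA flow that the comment above it describes. It is worth confirming how Devise's `create` behaves for a session that is already authenticated once that guard is gone, and whether the skip can be narrowed with `skip_before_action`'s `if:` option to requests that carry the one-time-code submission `authenticate_with_two_factor` reads (the condition would be evaluated after that prepended filter has already run `session.delete(:otp_user_id)`, so that session key cannot serve as the condition). Separately, `sign_in(user) and return` inside a before_action does not halt the filter chain — only a render or redirect does — so the `create` action still runs after a valid code; a short comment on that line, `# return does not halt the chain; Devise's create still runs after sign_in`, would keep a reader from assuming the request ends here. The method containing the `sign_in(user) and return` hunk (presumably `authenticate_with_two_factor`) starts outside the hunk.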
...@@ -15,6 +15,11 @@ feature 'Login' do ...@@ -15,6 +15,11 @@ feature 'Login' do
click_button 'Verify code' click_button 'Verify code'
end end
it 'does not show a "You are already signed in." error message' do
enter_code(user.current_otp)
expect(page).not_to have_content('You are already signed in.')
end
context 'using one-time code' do context 'using one-time code' do
it 'allows login with valid code' do it 'allows login with valid code' do
enter_code(user.current_otp) enter_code(user.current_otp)
...@@ -66,7 +71,7 @@ feature 'Login' do ...@@ -66,7 +71,7 @@ feature 'Login' do
expect(user.reload.otp_backup_codes.size).to eq 9 expect(user.reload.otp_backup_codes.size).to eq 9
enter_code(code) enter_code(code)
expect(page).to have_content('Invalid two-factor code') expect(page).to have_content('Invalid two-factor code.')
end end
end end
end end
...@@ -80,5 +85,17 @@ feature 'Login' do ...@@ -80,5 +85,17 @@ feature 'Login' do
login_with(user) login_with(user)
expect(current_path).to eq root_path expect(current_path).to eq root_path
end end
it 'does not show a "You are already signed in." error message' do
login_with(user)
expect(page).not_to have_content('You are already signed in.')
end
it 'blocks invalid login' do
user = create(:user, password: 'not-the-default')
login_with(user)
expect(page).to have_content('Invalid email or password.')
end
end end
end end
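Review bot: The two new examples `does not show a "You are already signed in." error message` assert only the absence of text, so they also pass when the login fails outright, when the form re-renders with a different error, or when the page has not loaded — they would not catch a regression that breaks sign-in entirely. Pair each negative assertion with the positive check this spec already uses for a successful login, e.g. add `expect(current_path).to eq root_path` after `expect(page).not_to have_content('You are already signed in.')` in both the one-time-code example and the password-login example. The `feature 'Login'` block these hunks belong to starts outside the visible hunks.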