Commit b61a5bc2 authored by Gabriel Mazetto's avatar Gabriel Mazetto

specs for forced two-factor authentication and grace period

simplified code and fixed stuffs
parent 31fb2b77
...@@ -226,12 +226,7 @@ class ApplicationController < ActionController::Base ...@@ -226,12 +226,7 @@ class ApplicationController < ActionController::Base
def check_tfa_requirement def check_tfa_requirement
if two_factor_authentication_required? && current_user && !current_user.two_factor_enabled && !skip_two_factor? if two_factor_authentication_required? && current_user && !current_user.two_factor_enabled && !skip_two_factor?
grace_period_started = current_user.otp_grace_period_started_at redirect_to new_profile_two_factor_auth_path
grace_period_deadline = grace_period_started + two_factor_grace_period.hours
deadline_text = "until #{l(grace_period_deadline)}" unless two_factor_grace_period_expired?(grace_period_started)
redirect_to new_profile_two_factor_auth_path,
alert: "You must configure Two-Factor Authentication in your account #{deadline_text}"
end end
end end
...@@ -377,7 +372,8 @@ class ApplicationController < ActionController::Base ...@@ -377,7 +372,8 @@ class ApplicationController < ActionController::Base
current_application_settings.two_factor_grace_period current_application_settings.two_factor_grace_period
end end
def two_factor_grace_period_expired?(date) def two_factor_grace_period_expired?
date = current_user.otp_grace_period_started_at
date && (date + two_factor_grace_period.hours) < Time.current date && (date + two_factor_grace_period.hours) < Time.current
end end
......
...@@ -10,6 +10,13 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController ...@@ -10,6 +10,13 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
end end
current_user.save! if current_user.changed? current_user.save! if current_user.changed?
if two_factor_grace_period_expired?
flash.now[:alert] = 'You must configure Two-Factor Authentication in your account.'
else
grace_period_deadline = current_user.otp_grace_period_started_at + two_factor_grace_period.hours
flash.now[:alert] = "You must configure Two-Factor Authentication in your account until #{l(grace_period_deadline)}."
end
@qr_code = build_qr_code @qr_code = build_qr_code
end end
...@@ -40,7 +47,7 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController ...@@ -40,7 +47,7 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
end end
def skip def skip
if two_factor_grace_period_expired?(current_user.otp_grace_period_started_at) if two_factor_grace_period_expired?
redirect_to new_profile_two_factor_auth_path, alert: 'Cannot skip two factor authentication setup' redirect_to new_profile_two_factor_auth_path, alert: 'Cannot skip two factor authentication setup'
else else
session[:skip_tfa] = current_user.otp_grace_period_started_at + two_factor_grace_period.hours session[:skip_tfa] = current_user.otp_grace_period_started_at + two_factor_grace_period.hours
......
...@@ -98,4 +98,56 @@ feature 'Login', feature: true do ...@@ -98,4 +98,56 @@ feature 'Login', feature: true do
expect(page).to have_content('Invalid login or password.') expect(page).to have_content('Invalid login or password.')
end end
end end
describe 'with required two-factor authentication enabled' do
let(:user) { create(:user) }
before(:each) { stub_application_setting(require_two_factor_authentication: true) }
context 'with grace period defined' do
before(:each) do
stub_application_setting(two_factor_grace_period: 48)
login_with(user)
end
context 'within the grace period' do
it 'redirects to two-factor configuration page' do
expect(current_path).to eq new_profile_two_factor_auth_path
expect(page).to have_content('You must configure Two-Factor Authentication in your account until')
end
it 'two-factor configuration is skippable' do
expect(current_path).to eq new_profile_two_factor_auth_path
click_link 'Configure it later'
expect(current_path).to eq root_path
end
end
context 'after the grace period' do
let(:user) { create(:user, otp_grace_period_started_at: 9999.hours.ago) }
it 'redirects to two-factor configuration page' do
expect(current_path).to eq new_profile_two_factor_auth_path
expect(page).to have_content('You must configure Two-Factor Authentication in your account.')
end
it 'two-factor configuration is not skippable' do
expect(current_path).to eq new_profile_two_factor_auth_path
expect(page).not_to have_link('Configure it later')
end
end
end
context 'without grace pariod defined' do
before(:each) do
stub_application_setting(two_factor_grace_period: 0)
login_with(user)
end
it 'redirects to two-factor configuration page' do
expect(current_path).to eq new_profile_two_factor_auth_path
expect(page).to have_content('You must configure Two-Factor Authentication in your account.')
end
end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment