Merge branch 'sh-fix-otp-backup-invalidation-10-5' into 'security-10-5'

Ensure that OTP backup codes are always invalidated - 10.5 port See merge request gitlab/gitlabhq!2324

Merge branch 'sh-fix-otp-backup-invalidation-10-5' into 'security-10-5'
Ensure that OTP backup codes are always invalidated - 10.5 port See merge request gitlab/gitlabhq!2324
6deed66e · Douwe Maan · James Lopez · 5d129709 · 6deed66e · 6deed66e
Commit 6deed66e authored Feb 09, 2018 by Douwe Maan Committed by James Lopez Mar 07, 2018
3 changed files
--- a/app/controllers/concerns/authenticates_with_two_factor.rb
+++ b/app/controllers/concerns/authenticates_with_two_factor.rb
@@ -56,6 +56,7 @@ module AuthenticatesWithTwoFactor
      session.delete(:otp_user_id)

      remember_me(user) if user_params[:remember_me] == '1'
+      user.save!
      sign_in(user)
    else
      user.increment_failed_attempts!

--- a/changelogs/unreleased/sh-fix-otp-backup-code-invalidation.yml
+++ b/changelogs/unreleased/sh-fix-otp-backup-code-invalidation.yml
+---
+title: Ensure that OTP backup codes are always invalidated
+merge_request:
+author:
+type: security
--- a/spec/features/users/login_spec.rb
+++ b/spec/features/users/login_spec.rb
@@ -145,6 +145,18 @@ feature 'Login' do
            expect { enter_code(codes.sample) }
              .to change { user.reload.otp_backup_codes.size }.by(-1)
          end
+
+          it 'invalidates backup codes twice in a row' do
+            random_code = codes.delete(codes.sample)
+            expect { enter_code(random_code) }
+              .to change { user.reload.otp_backup_codes.size }.by(-1)
+
+            gitlab_sign_out
+            gitlab_sign_in(user)
+
+            expect { enter_code(codes.sample) }
+              .to change { user.reload.otp_backup_codes.size }.by(-1)
+          end
        end

        context 'with invalid code' do