FIX: Ensure disabling 2FA works as expected (#10485)

2025-06-04 11:11:13 +08:00 · 2020-08-31 09:56:57 -07:00
parent 2a3a173e8e
commit 2550c5bd03
6 changed files with 48 additions and 10 deletions
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@ -4080,6 +4080,32 @@ describe UsersController do
    end
  end

+  describe '#disable_second_factor' do
+    context 'when logged in with secure session' do
+      before do
+        sign_in(user)
+        stub_secure_session_confirmed
+      end
+      context 'when user has a registered totp and security key' do
+        before do
+          totp_second_factor = Fabricate(:user_second_factor_totp, user: user)
+          security_key_second_factor = Fabricate(:user_security_key, user: user, factor_type: UserSecurityKey.factor_types[:second_factor])
+        end
+
+        it 'should disable all totp and security keys' do
+          expect_enqueued_with(job: :critical_user_email, args: { type: :account_second_factor_disabled, user_id: user.id }) do
+            put "/u/disable_second_factor.json"
+
+            expect(response.status).to eq(200)
+
+            expect(user.reload.user_second_factors).to be_empty
+            expect(user.security_keys).to be_empty
+          end
+        end
+      end
+    end
+  end
+
  describe '#revoke_account' do
    fab!(:other_user) { Fabricate(:user) }
    it 'errors for unauthorised users' do