FEATURE: Implement 2factor login TOTP

implemented review items.

Blocking previous codes - valid 2-factor auth tokens can only be authenticated once/30 seconds.
I played with updating the “last used” any time the token was attempted but that seemed to be overkill, and frustrating as to why a token would fail.
Translatable texts.
Move second factor logic to a helper class.
Move second factor specific controller endpoints to its own controller.
Move serialization logic for 2-factor details in admin user views.
Add a login ember component for de-duplication
Fix up code formatting
Change verbiage of google authenticator

add controller tests:
second factor controller tests
change email tests
change password tests
admin login tests

add qunit tests - password reset, preferences

fix: check for 2factor on change email controller
fix: email controller - only show second factor errors on attempt
fix: check against 'true' to enable second factor.

Add modal for explaining what 2fa with links to Google Authenticator/FreeOTP

add two factor to email signin link

rate limit if second factor token present

add rate limiter test for second factor attempts

spec/controllers/admin/users_controller_spec.rb

@@ -265,6 +265,19 @@ describe Admin::UsersController do
       end
     end
 
+    context '#disable_second_factor' do
+      before do
+        @another_user = Fabricate(:user)
+        SecondFactorHelper.create_totp(@another_user)
+      end
+
+      it 'disables the second factor' do
+        expect(User.find(@another_user.id).user_second_factor).not_to eq(nil)
+        put :disable_second_factor, params: { user_id: @another_user.id }, format: :json
+        expect(User.find(@another_user.id).user_second_factor).to eq(nil)
+      end
+    end
+
     context '#add_group' do
       let(:user) { Fabricate(:user) }
       let(:group) { Fabricate(:group) }

spec/controllers/second_factor_controller_spec.rb

@@ -0,0 +1,69 @@
+require 'rails_helper'
+
+RSpec.describe SecondFactorController, type: :controller do
+  # featheredtoast-todo also write qunit tests.
+  describe '.create' do
+
+    let(:user) { Fabricate(:user) }
+
+    describe 'create 2fa request' do
+      it 'fails on incorrect password' do
+        post :create, params: {
+               login: user.username, password: 'wrongpassword'
+             }, format: :json
+        expect(JSON.parse(response.body)['error']).to eq(I18n.t("login.incorrect_username_email_or_password"))
+      end
+
+      it 'succeeds on correct password' do
+        post :create, params: {
+               login: user.username, password: 'myawesomepassword'
+             }, format: :json
+        expect(JSON.parse(response.body).keys).to contain_exactly('key', 'qr')
+      end
+    end
+  end
+
+  describe '.update' do
+    let(:user) { Fabricate(:user) }
+
+    context 'when user has totp setup' do
+      second_factor_data = "rcyryaqage3jexfj"
+      before do
+        user.user_second_factor = UserSecondFactor.create(user_id: user.id, method: "totp", data: second_factor_data)
+      end
+
+      it 'errors on incorrect code' do
+        post :update, params: {
+               username: user.username,
+               token: '000000',
+               enable: 'true'
+             }, format: :json
+        expect(JSON.parse(response.body)['error']).to eq(I18n.t("login.invalid_second_factor_code"))
+        user.reload
+      end
+
+      it 'can be enabled' do
+        post :update, params: {
+               username: user.username,
+               token: ROTP::TOTP.new(second_factor_data).now,
+               enable: 'true'
+             }, format: :json
+        expect(JSON.parse(response.body)['result']).to eq('ok')
+        user.reload
+        expect(user.user_second_factor.enabled).to be true
+      end
+
+      it 'can be disabled' do
+        post :update, params: {
+               username: user.username,
+               enable: 'false',
+               token: ROTP::TOTP.new(second_factor_data).now
+             }, format: :json
+        expect(JSON.parse(response.body)['result']).to eq('ok')
+        user.reload
+        expect(user.user_second_factor).to be_nil
+      end
+    end
+  end
+
+end

spec/controllers/session_controller_spec.rb

@@ -584,6 +584,39 @@ describe SessionController do
         end
       end
 
+      context 'when user has 2-factor logins' do
+        second_factor_data = "rcyryaqage3jexfj"
+        before do
+          user.user_second_factor = UserSecondFactor.create(user_id: user.id, method: "totp", data: second_factor_data, enabled: true)
+        end
+
+        describe 'failure no 2-factor' do
+          it 'should return an error' do
+            post :create, params: {
+                   login: user.username, password: 'myawesomepassword'
+                 }, format: :json
+            expect(JSON.parse(response.body)['error']).to eq(I18n.t('login.invalid_second_factor_code'))
+          end
+        end
+        describe 'successful 2-factor' do
+          it 'logs in correctly' do
+            events = DiscourseEvent.track_events do
+              post :create, params: {
+                     login: user.username, password: 'myawesomepassword', second_factor_token: ROTP::TOTP.new(second_factor_data).now
+                   }, format: :json
+            end
+
+            expect(events.map { |event| event[:event_name] }).to include(:user_logged_in, :user_first_logged_in)
+
+            user.reload
+
+            expect(session[:current_user_id]).to eq(user.id)
+            expect(user.user_auth_tokens.count).to eq(1)
+            expect(UserAuthToken.hash_token(cookies[:_t])).to eq(user.user_auth_tokens.first.auth_token)
+          end
+        end
+      end
+
       describe 'with a blocked IP' do
         before do
           screened_ip = Fabricate(:screened_ip_address)
@@ -777,6 +810,26 @@ describe SessionController do
           login: user.username, password: 'myawesomepassword'
         }, format: :json
 
+        expect(response).not_to be_success
+        json = JSON.parse(response.body)
+        expect(json["error_type"]).to eq("rate_limit")
+      end
+      it 'rate limits second factor attempts' do
+        RateLimiter.enable
+        RateLimiter.clear_all!
+
+        3.times do
+          post :create, params: {
+                 login: user.username, password: 'myawesomepassword', second_factor_token: '000000'
+               }, format: :json
+
+          expect(response).to be_success
+        end
+
+        post :create, params: {
+               login: user.username, password: 'myawesomepassword', second_factor_token: '000000'
+             }, format: :json
+
         expect(response).not_to be_success
         json = JSON.parse(response.body)
         expect(json["error_type"]).to eq("rate_limit")

spec/controllers/users_controller_spec.rb

@@ -343,7 +343,7 @@ describe UsersController do
         )
 
         expect(response).to be_success
-        expect(response.body).to include('{"is_developer":false,"admin":false}')
+        expect(response.body).to include('{"is_developer":false,"admin":false,"second_factor_required":false}')
 
         user.reload
 
@@ -406,6 +406,46 @@ describe UsersController do
         expect(email_token.confirmed).to eq(false)
         expect(UserAuthToken.where(id: user_token.id).count).to eq(1)
       end
+
+      context '2-factor required' do
+
+        second_factor_data = "rcyryaqage3jexfj"
+        let(:user) { Fabricate(:user) }
+
+        before do
+          user.user_second_factor = UserSecondFactor.create(user_id: user.id, method: "totp", data: second_factor_data, enabled: true)
+        end
+
+        it 'does not change with an invalid token' do
+          token = user.email_tokens.create(email: user.email).token
+
+          get :password_reset, params: { token: token }
+
+          expect(response.body).to include('{"is_developer":false,"admin":false,"second_factor_required":true}')
+
+          put :password_reset,
+              params: { token: token, password: 'hg9ow8yHG32O', second_factor_token: '000000' }
+
+          expect(response.body).to include(I18n.t("login.invalid_second_factor_code"))
+
+          user.reload
+          expect(user.confirm_password?('hg9ow8yHG32O')).not_to eq(true)
+          expect(user.user_auth_tokens.count).not_to eq(1)
+        end
+
+        it 'changes password with valid 2-factor tokens' do
+          token = user.email_tokens.create(email: user.email).token
+
+          get :password_reset, params: { token: token }
+
+          put :password_reset,
+              params: { token: token, password: 'hg9ow8yHG32O', second_factor_token: ROTP::TOTP.new(second_factor_data).now }
+
+          user.reload
+          expect(user.confirm_password?('hg9ow8yHG32O')).to eq(true)
+          expect(user.user_auth_tokens.count).to eq(1)
+        end
+      end
     end
 
     context 'submit change' do
@@ -514,6 +554,29 @@ describe UsersController do
           expect(session[:current_user_id]).to eq(admin.id)
         end
       end
+
+      context 'needs 2-factor' do
+        render_views
+        second_factor_data = "rcyryaqage3jexfj"
+        before do
+          admin.user_second_factor = UserSecondFactor.create(user_id: admin.id, method: "totp", data: second_factor_data, enabled: true)
+        end
+
+        it 'does not log in when token required' do
+          token = admin.email_tokens.create(email: admin.email).token
+          get :admin_login, params: { token: token }
+          expect(response).not_to redirect_to('/')
+          expect(session[:current_user_id]).not_to eq(admin.id)
+          expect(response.body).to include(I18n.t('login.second_factor_description'));
+        end
+
+        it 'logs in when a valid 2-factor token is given' do
+          token = admin.email_tokens.create(email: admin.email).token
+          put :admin_login, params: { token: token, second_factor_token: ROTP::TOTP.new(second_factor_data).now }
+          expect(response).to redirect_to('/')
+          expect(session[:current_user_id]).to eq(admin.id)
+        end
+      end
     end
   end