FEATURE: Implement 2factor login TOTP

implemented review items. Blocking previous codes - valid 2-factor auth tokens can only be authenticated once/30 seconds. I played with updating the “last used” any time the token was attempted but that seemed to be overkill, and frustrating as to why a token would fail. Translatable texts. Move second factor logic to a helper class. Move second factor specific controller endpoints to its own controller. Move serialization logic for 2-factor details in admin user views. Add a login ember component for de-duplication Fix up code formatting Change verbiage of google authenticator add controller tests: second factor controller tests change email tests change password tests admin login tests add qunit tests - password reset, preferences fix: check for 2factor on change email controller fix: email controller - only show second factor errors on attempt fix: check against 'true' to enable second factor. Add modal for explaining what 2fa with links to Google Authenticator/FreeOTP add two factor to email signin link rate limit if second factor token present add rate limiter test for second factor attempts
2025-06-20 16:21:33 +08:00 · 2017-12-21 17:18:12 -08:00
parent b6e82815bd
commit f4f8a293e7
52 changed files with 1005 additions and 45 deletions
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@ -343,7 +343,7 @@ describe UsersController do
        )

        expect(response).to be_success
-        expect(response.body).to include('{"is_developer":false,"admin":false}')
+        expect(response.body).to include('{"is_developer":false,"admin":false,"second_factor_required":false}')

        user.reload

@ -406,6 +406,46 @@ describe UsersController do
        expect(email_token.confirmed).to eq(false)
        expect(UserAuthToken.where(id: user_token.id).count).to eq(1)
      end
+
+      context '2-factor required' do
+
+        second_factor_data = "rcyryaqage3jexfj"
+        let(:user) { Fabricate(:user) }
+
+        before do
+          user.user_second_factor = UserSecondFactor.create(user_id: user.id, method: "totp", data: second_factor_data, enabled: true)
+        end
+
+        it 'does not change with an invalid token' do
+          token = user.email_tokens.create(email: user.email).token
+
+          get :password_reset, params: { token: token }
+
+          expect(response.body).to include('{"is_developer":false,"admin":false,"second_factor_required":true}')
+
+          put :password_reset,
+              params: { token: token, password: 'hg9ow8yHG32O', second_factor_token: '000000' }
+
+          expect(response.body).to include(I18n.t("login.invalid_second_factor_code"))
+
+          user.reload
+          expect(user.confirm_password?('hg9ow8yHG32O')).not_to eq(true)
+          expect(user.user_auth_tokens.count).not_to eq(1)
+        end
+
+        it 'changes password with valid 2-factor tokens' do
+          token = user.email_tokens.create(email: user.email).token
+
+          get :password_reset, params: { token: token }
+
+          put :password_reset,
+              params: { token: token, password: 'hg9ow8yHG32O', second_factor_token: ROTP::TOTP.new(second_factor_data).now }
+
+          user.reload
+          expect(user.confirm_password?('hg9ow8yHG32O')).to eq(true)
+          expect(user.user_auth_tokens.count).to eq(1)
+        end
+      end
    end

    context 'submit change' do
@ -514,6 +554,29 @@ describe UsersController do
          expect(session[:current_user_id]).to eq(admin.id)
        end
      end
+
+      context 'needs 2-factor' do
+        render_views
+        second_factor_data = "rcyryaqage3jexfj"
+        before do
+          admin.user_second_factor = UserSecondFactor.create(user_id: admin.id, method: "totp", data: second_factor_data, enabled: true)
+        end
+
+        it 'does not log in when token required' do
+          token = admin.email_tokens.create(email: admin.email).token
+          get :admin_login, params: { token: token }
+          expect(response).not_to redirect_to('/')
+          expect(session[:current_user_id]).not_to eq(admin.id)
+          expect(response.body).to include(I18n.t('login.second_factor_description'));
+        end
+
+        it 'logs in when a valid 2-factor token is given' do
+          token = admin.email_tokens.create(email: admin.email).token
+          put :admin_login, params: { token: token, second_factor_token: ROTP::TOTP.new(second_factor_data).now }
+          expect(response).to redirect_to('/')
+          expect(session[:current_user_id]).to eq(admin.id)
+        end
+      end
    end
  end