FEATURE: Implement 2factor login TOTP

implemented review items. Blocking previous codes - valid 2-factor auth tokens can only be authenticated once/30 seconds. I played with updating the “last used” any time the token was attempted but that seemed to be overkill, and frustrating as to why a token would fail. Translatable texts. Move second factor logic to a helper class. Move second factor specific controller endpoints to its own controller. Move serialization logic for 2-factor details in admin user views. Add a login ember component for de-duplication Fix up code formatting Change verbiage of google authenticator add controller tests: second factor controller tests change email tests change password tests admin login tests add qunit tests - password reset, preferences fix: check for 2factor on change email controller fix: email controller - only show second factor errors on attempt fix: check against 'true' to enable second factor. Add modal for explaining what 2fa with links to Google Authenticator/FreeOTP add two factor to email signin link rate limit if second factor token present add rate limiter test for second factor attempts
2025-05-30 07:11:34 +08:00 · 2017-12-21 17:18:12 -08:00
parent b6e82815bd
commit f4f8a293e7
52 changed files with 1005 additions and 45 deletions
--- a/spec/requests/users_email_controller_spec.rb
+++ b/spec/requests/users_email_controller_spec.rb
@ -60,6 +60,35 @@ describe UsersEmailController do
        expect(user.user_stat.bounce_score).to eq(0)
        expect(user.user_stat.reset_bounce_score_after).to eq(nil)
      end
+
+      context 'second factor required' do
+        second_factor_data = "rcyryaqage3jexfj"
+        before do
+          user.user_second_factor = UserSecondFactor.create(user_id: user.id, method: "totp", data: second_factor_data, enabled: true)
+        end
+
+        it 'requires a second factor token' do
+          get "/u/authorize-email/#{user.email_tokens.last.token}"
+          expect(response.body).to include(I18n.t("login.second_factor_title"))
+          expect(response.body).not_to include(I18n.t("login.invalid_second_factor_code"))
+        end
+
+        it 'adds an error on a second factor attempt' do
+          get "/u/authorize-email/#{user.email_tokens.last.token}", params: {
+                second_factor_token: "000000"
+              }
+          expect(response.body).to include(I18n.t("login.invalid_second_factor_code"))
+        end
+
+        it 'confirms with a correct second token' do
+          get "/u/authorize-email/#{user.email_tokens.last.token}", params: {
+                second_factor_token: ROTP::TOTP.new(second_factor_data).now
+              }
+          expect(response).to be_success
+          expect(response.body).not_to include(I18n.t("login.second_factor_title"))
+          expect(response.body).not_to include(I18n.t("login.invalid_second_factor_code"))
+        end
+      end
    end
  end