Add password challenge to 2FA settings, e-mail notifications (#11878)

Fix #3961
2019-09-18 16:37:27 +02:00
parent d0c2c52783
commit e1066cd431
32 changed files with 567 additions and 50 deletions
--- a/spec/controllers/settings/two_factor_authentication/confirmations_controller_spec.rb
+++ b/spec/controllers/settings/two_factor_authentication/confirmations_controller_spec.rb
@ -24,7 +24,7 @@ describe Settings::TwoFactorAuthentication::ConfirmationsController do
    context 'when signed in' do
      subject do
        sign_in user, scope: :user
-        get :new
+        get :new, session: { challenge_passed_at: Time.now.utc }
      end

      include_examples 'renders :new'
@ -37,7 +37,7 @@ describe Settings::TwoFactorAuthentication::ConfirmationsController do

    it 'redirects if user do not have otp_secret' do
      sign_in user_without_otp_secret, scope: :user
-      get :new
+      get :new, session: { challenge_passed_at: Time.now.utc }
      expect(response).to redirect_to('/settings/two_factor_authentication')
    end
  end
@ -50,7 +50,7 @@ describe Settings::TwoFactorAuthentication::ConfirmationsController do

      describe 'when form_two_factor_confirmation parameter is not provided' do
        it 'raises ActionController::ParameterMissing' do
-          post :create, params: {}
+          post :create, params: {}, session: { challenge_passed_at: Time.now.utc }
          expect(response).to have_http_status(400)
        end
      end
@ -68,7 +68,7 @@ describe Settings::TwoFactorAuthentication::ConfirmationsController do
            true
          end

-          post :create, params: { form_two_factor_confirmation: { otp_attempt: '123456' } }
+          post :create, params: { form_two_factor_confirmation: { otp_attempt: '123456' } }, session: { challenge_passed_at: Time.now.utc }

          expect(assigns(:recovery_codes)).to eq otp_backup_codes
          expect(flash[:notice]).to eq 'Two-factor authentication successfully enabled'
@ -85,7 +85,7 @@ describe Settings::TwoFactorAuthentication::ConfirmationsController do
            false
          end

-          post :create, params: { form_two_factor_confirmation: { otp_attempt: '123456' } }
+          post :create, params: { form_two_factor_confirmation: { otp_attempt: '123456' } }, session: { challenge_passed_at: Time.now.utc }
        end

        it 'renders the new view' do
--- a/spec/controllers/settings/two_factor_authentication/recovery_codes_controller_spec.rb
+++ b/spec/controllers/settings/two_factor_authentication/recovery_codes_controller_spec.rb
@ -15,7 +15,7 @@ describe Settings::TwoFactorAuthentication::RecoveryCodesController do
      end

      sign_in user, scope: :user
-      post :create
+      post :create, session: { challenge_passed_at: Time.now.utc }

      expect(assigns(:recovery_codes)).to eq otp_backup_codes
      expect(flash[:notice]).to eq 'Recovery codes successfully regenerated'