gitlab-org--gitlab-foss/spec/controllers/sessions_controller_spec.rb

require 'spec_helper'

describe SessionsController do
  describe '#create' do
    before do
      @request.env['devise.mapping'] = Devise.mappings[:user]
    end

    context 'when using standard authentications' do
      context 'invalid password' do
        it 'does not authenticate user' do
          post(:create, user: { login: 'invalid', password: 'invalid' })

          expect(response)
            .to set_flash.now[:alert].to /Invalid login or password/
        end
      end

      context 'when using valid password' do
        let(:user) { create(:user) }

        it 'authenticates user correctly' do
          post(:create, user: { login: user.username, password: user.password })

          expect(response).to set_flash.to /Signed in successfully/
          expect(subject.current_user). to eq user
        end
      end
    end

    context 'when using two-factor authentication' do
      let(:user) { create(:user, :two_factor) }

      def authenticate_2fa(user_params)
        post(:create, { user: user_params }, { otp_user_id: user.id })
      end

      ##
      # See #14900 issue
      #
      context 'when authenticating with login and OTP of another user' do
        context 'when another user has 2FA enabled' do
          let(:another_user) { create(:user, :two_factor) }

          context 'when OTP is valid for another user' do
            it 'does not authenticate' do
              authenticate_2fa(login: another_user.username,
                               otp_attempt: another_user.current_otp)

              expect(subject.current_user).not_to eq another_user
            end
          end

          context 'when OTP is invalid for another user' do
            it 'does not authenticate' do
              authenticate_2fa(login: another_user.username,
                               otp_attempt: 'invalid')

              expect(subject.current_user).not_to eq another_user
            end
          end

          context 'when authenticating with OTP' do
            context 'when OTP is valid' do
              it 'authenticates correctly' do
                authenticate_2fa(otp_attempt: user.current_otp)

                expect(subject.current_user).to eq user
              end
            end

            context 'when OTP is invalid' do
              before { authenticate_2fa(otp_attempt: 'invalid') }

              it 'does not authenticate' do
                expect(subject.current_user).not_to eq user
              end

              it 'warns about invalid OTP code' do
                expect(response).to set_flash.now[:alert]
                  .to /Invalid two-factor code/
              end
            end
          end

          context 'when another user does not have 2FA enabled' do
            let(:another_user) { create(:user) }

            it 'does not leak that 2FA is disabled for another user' do
              authenticate_2fa(login: another_user.username,
                               otp_attempt: 'invalid')

              expect(response).to set_flash.now[:alert]
                .to /Invalid two-factor code/
            end
          end
        end
      end
    end
  end
end
Add specs for sessions controller including 2FA This also contains specs for a bug described in #14900 2016-04-06 10:26:10 +00:00			`require 'spec_helper'`

			`describe SessionsController do`
			`describe '#create' do`
			`before do`
			`@request.env['devise.mapping'] = Devise.mappings[:user]`
			`end`

Fix 2FA authentication spoofing vulnerability This commit attempts to change default user search scope if otp_user_id session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with otp_user_id first, before picking it up by login. 2016-04-07 09:19:29 +00:00			`context 'when using standard authentications' do`
Add specs for sessions controller including 2FA This also contains specs for a bug described in #14900 2016-04-06 10:26:10 +00:00			`context 'invalid password' do`
			`it 'does not authenticate user' do`
			`post(:create, user: { login: 'invalid', password: 'invalid' })`

			`expect(response)`
			`.to set_flash.now[:alert].to /Invalid login or password/`
			`end`
			`end`

Fix 2FA authentication spoofing vulnerability This commit attempts to change default user search scope if otp_user_id session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with otp_user_id first, before picking it up by login. 2016-04-07 09:19:29 +00:00			`context 'when using valid password' do`
Add specs for sessions controller including 2FA This also contains specs for a bug described in #14900 2016-04-06 10:26:10 +00:00			`let(:user) { create(:user) }`

			`it 'authenticates user correctly' do`
			`post(:create, user: { login: user.username, password: user.password })`

			`expect(response).to set_flash.to /Signed in successfully/`
			`expect(subject.current_user). to eq user`
			`end`
			`end`
			`end`

Fix 2FA authentication spoofing vulnerability This commit attempts to change default user search scope if otp_user_id session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with otp_user_id first, before picking it up by login. 2016-04-07 09:19:29 +00:00			`context 'when using two-factor authentication' do`
Add specs for sessions controller including 2FA This also contains specs for a bug described in #14900 2016-04-06 10:26:10 +00:00			`let(:user) { create(:user, :two_factor) }`

			`def authenticate_2fa(user_params)`
			`post(:create, { user: user_params }, { otp_user_id: user.id })`
			`end`

			`##`
			`# See #14900 issue`
			`#`
Fix 2FA authentication spoofing vulnerability This commit attempts to change default user search scope if otp_user_id session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with otp_user_id first, before picking it up by login. 2016-04-07 09:19:29 +00:00			`context 'when authenticating with login and OTP of another user' do`
			`context 'when another user has 2FA enabled' do`
			`let(:another_user) { create(:user, :two_factor) }`
Add specs for sessions controller including 2FA This also contains specs for a bug described in #14900 2016-04-06 10:26:10 +00:00
Fix 2FA authentication spoofing vulnerability This commit attempts to change default user search scope if otp_user_id session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with otp_user_id first, before picking it up by login. 2016-04-07 09:19:29 +00:00			`context 'when OTP is valid for another user' do`
			`it 'does not authenticate' do`
			`authenticate_2fa(login: another_user.username,`
			`otp_attempt: another_user.current_otp)`
Add specs for sessions controller including 2FA This also contains specs for a bug described in #14900 2016-04-06 10:26:10 +00:00
Enable RSpec/NotToNot cop and auto-correct offenses Also removes the note from the development/testing.md guide 2016-05-23 23:37:59 +00:00			`expect(subject.current_user).not_to eq another_user`
Fix 2FA authentication spoofing vulnerability This commit attempts to change default user search scope if otp_user_id session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with otp_user_id first, before picking it up by login. 2016-04-07 09:19:29 +00:00			`end`
Add specs for sessions controller including 2FA This also contains specs for a bug described in #14900 2016-04-06 10:26:10 +00:00			`end`

Fix 2FA authentication spoofing vulnerability This commit attempts to change default user search scope if otp_user_id session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with otp_user_id first, before picking it up by login. 2016-04-07 09:19:29 +00:00			`context 'when OTP is invalid for another user' do`
			`it 'does not authenticate' do`
			`authenticate_2fa(login: another_user.username,`
			`otp_attempt: 'invalid')`
Add specs for sessions controller including 2FA This also contains specs for a bug described in #14900 2016-04-06 10:26:10 +00:00
Enable RSpec/NotToNot cop and auto-correct offenses Also removes the note from the development/testing.md guide 2016-05-23 23:37:59 +00:00			`expect(subject.current_user).not_to eq another_user`
Fix 2FA authentication spoofing vulnerability This commit attempts to change default user search scope if otp_user_id session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with otp_user_id first, before picking it up by login. 2016-04-07 09:19:29 +00:00			`end`
Add specs for sessions controller including 2FA This also contains specs for a bug described in #14900 2016-04-06 10:26:10 +00:00			`end`

Fix 2FA authentication spoofing vulnerability This commit attempts to change default user search scope if otp_user_id session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with otp_user_id first, before picking it up by login. 2016-04-07 09:19:29 +00:00			`context 'when authenticating with OTP' do`
			`context 'when OTP is valid' do`
			`it 'authenticates correctly' do`
			`authenticate_2fa(otp_attempt: user.current_otp)`

			`expect(subject.current_user).to eq user`
			`end`
			`end`
Add specs for sessions controller including 2FA This also contains specs for a bug described in #14900 2016-04-06 10:26:10 +00:00
Make sessions controller specs more explicit 2016-04-07 09:45:04 +00:00			`context 'when OTP is invalid' do`
Fix 2FA authentication spoofing vulnerability This commit attempts to change default user search scope if otp_user_id session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with otp_user_id first, before picking it up by login. 2016-04-07 09:19:29 +00:00			`before { authenticate_2fa(otp_attempt: 'invalid') }`
Add specs for sessions controller including 2FA This also contains specs for a bug described in #14900 2016-04-06 10:26:10 +00:00
Fix 2FA authentication spoofing vulnerability This commit attempts to change default user search scope if otp_user_id session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with otp_user_id first, before picking it up by login. 2016-04-07 09:19:29 +00:00			`it 'does not authenticate' do`
Enable RSpec/NotToNot cop and auto-correct offenses Also removes the note from the development/testing.md guide 2016-05-23 23:37:59 +00:00			`expect(subject.current_user).not_to eq user`
Fix 2FA authentication spoofing vulnerability This commit attempts to change default user search scope if otp_user_id session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with otp_user_id first, before picking it up by login. 2016-04-07 09:19:29 +00:00			`end`

			`it 'warns about invalid OTP code' do`
Make sessions controller specs more explicit 2016-04-07 09:45:04 +00:00			`expect(response).to set_flash.now[:alert]`
			`.to /Invalid two-factor code/`
Fix 2FA authentication spoofing vulnerability This commit attempts to change default user search scope if otp_user_id session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with otp_user_id first, before picking it up by login. 2016-04-07 09:19:29 +00:00			`end`
Add specs for sessions controller including 2FA This also contains specs for a bug described in #14900 2016-04-06 10:26:10 +00:00			`end`
			`end`

Fix 2FA authentication spoofing vulnerability This commit attempts to change default user search scope if otp_user_id session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with otp_user_id first, before picking it up by login. 2016-04-07 09:19:29 +00:00			`context 'when another user does not have 2FA enabled' do`
			`let(:another_user) { create(:user) }`
Add specs for sessions controller including 2FA This also contains specs for a bug described in #14900 2016-04-06 10:26:10 +00:00
Fix 2FA authentication spoofing vulnerability This commit attempts to change default user search scope if otp_user_id session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with otp_user_id first, before picking it up by login. 2016-04-07 09:19:29 +00:00			`it 'does not leak that 2FA is disabled for another user' do`
			`authenticate_2fa(login: another_user.username,`
			`otp_attempt: 'invalid')`
Add specs for sessions controller including 2FA This also contains specs for a bug described in #14900 2016-04-06 10:26:10 +00:00
Make sessions controller specs more explicit 2016-04-07 09:45:04 +00:00			`expect(response).to set_flash.now[:alert]`
			`.to /Invalid two-factor code/`
Add specs for sessions controller including 2FA This also contains specs for a bug described in #14900 2016-04-06 10:26:10 +00:00			`end`
			`end`
			`end`
			`end`
			`end`
			`end`
			`end`