state the reason to the user for the required 2fa
This commit is contained in:
parent
a49c5d1836
commit
b7ca7330ec
3 changed files with 130 additions and 33 deletions
|
@ -24,6 +24,17 @@ module EnforcesTwoFactorAuthentication
|
|||
current_user.try(:require_two_factor_authentication?)
|
||||
end
|
||||
|
||||
def two_factor_authentication_reason(global: -> {}, group: -> {})
|
||||
if two_factor_authentication_required?
|
||||
if current_application_settings.require_two_factor_authentication?
|
||||
global.call
|
||||
else
|
||||
groups = current_user.groups.where(require_two_factor_authentication: true).reorder(name: :asc)
|
||||
group.call(groups)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def two_factor_grace_period
|
||||
periods = [current_application_settings.two_factor_grace_period]
|
||||
periods << current_user.two_factor_grace_period if current_user.try(:require_two_factor_authentication?)
|
||||
|
|
|
@ -13,11 +13,24 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
|
|||
current_user.save! if current_user.changed?
|
||||
|
||||
if two_factor_authentication_required? && !current_user.two_factor_enabled?
|
||||
if two_factor_grace_period_expired?
|
||||
flash.now[:alert] = 'You must enable Two-Factor Authentication for your account.'
|
||||
else
|
||||
two_factor_authentication_reason(
|
||||
global: lambda do
|
||||
flash.now[:alert] =
|
||||
'The global settings require you to enable Two-Factor Authentication for your account.'
|
||||
end,
|
||||
group: lambda do |groups|
|
||||
group_links = groups.map { |group| view_context.link_to group.full_name, group_path(group) }.to_sentence
|
||||
|
||||
flash.now[:alert] = %{
|
||||
The group settings for #{group_links} require you to enable
|
||||
Two-Factor Authentication for your account.
|
||||
}.html_safe
|
||||
end
|
||||
)
|
||||
|
||||
unless two_factor_grace_period_expired?
|
||||
grace_period_deadline = current_user.otp_grace_period_started_at + two_factor_grace_period.hours
|
||||
flash.now[:alert] = "You must enable Two-Factor Authentication for your account before #{l(grace_period_deadline)}."
|
||||
flash.now[:alert] << " You need to do this before #{l(grace_period_deadline)}."
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -199,6 +199,9 @@ feature 'Login', feature: true do
|
|||
|
||||
describe 'with required two-factor authentication enabled' do
|
||||
let(:user) { create(:user) }
|
||||
# TODO: otp_grace_period_started_at
|
||||
|
||||
context 'global setting' do
|
||||
before(:each) { stub_application_setting(require_two_factor_authentication: true) }
|
||||
|
||||
context 'with grace period defined' do
|
||||
|
@ -210,7 +213,7 @@ feature 'Login', feature: true do
|
|||
context 'within the grace period' do
|
||||
it 'redirects to two-factor configuration page' do
|
||||
expect(current_path).to eq profile_two_factor_auth_path
|
||||
expect(page).to have_content('You must enable Two-Factor Authentication for your account before')
|
||||
expect(page).to have_content('The global settings require you to enable Two-Factor Authentication for your account. You need to do this before ')
|
||||
end
|
||||
|
||||
it 'allows skipping two-factor configuration', js: true do
|
||||
|
@ -226,7 +229,9 @@ feature 'Login', feature: true do
|
|||
|
||||
it 'redirects to two-factor configuration page' do
|
||||
expect(current_path).to eq profile_two_factor_auth_path
|
||||
expect(page).to have_content('You must enable Two-Factor Authentication for your account.')
|
||||
expect(page).to have_content(
|
||||
'The global settings require you to enable Two-Factor Authentication for your account.'
|
||||
)
|
||||
end
|
||||
|
||||
it 'disallows skipping two-factor configuration', js: true do
|
||||
|
@ -244,7 +249,75 @@ feature 'Login', feature: true do
|
|||
|
||||
it 'redirects to two-factor configuration page' do
|
||||
expect(current_path).to eq profile_two_factor_auth_path
|
||||
expect(page).to have_content('You must enable Two-Factor Authentication for your account.')
|
||||
expect(page).to have_content(
|
||||
'The global settings require you to enable Two-Factor Authentication for your account.'
|
||||
)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'group setting' do
|
||||
before do
|
||||
group1 = create :group, name: 'Group 1', require_two_factor_authentication: true
|
||||
group1.add_user(user, GroupMember::DEVELOPER)
|
||||
group2 = create :group, name: 'Group 2', require_two_factor_authentication: true
|
||||
group2.add_user(user, GroupMember::DEVELOPER)
|
||||
end
|
||||
|
||||
context 'with grace period defined' do
|
||||
before(:each) do
|
||||
stub_application_setting(two_factor_grace_period: 48)
|
||||
login_with(user)
|
||||
end
|
||||
|
||||
context 'within the grace period' do
|
||||
it 'redirects to two-factor configuration page' do
|
||||
expect(current_path).to eq profile_two_factor_auth_path
|
||||
expect(page).to have_content(
|
||||
'The group settings for Group 1 and Group 2 require you to enable ' \
|
||||
'Two-Factor Authentication for your account. You need to do this ' \
|
||||
'before ')
|
||||
end
|
||||
|
||||
it 'allows skipping two-factor configuration', js: true do
|
||||
expect(current_path).to eq profile_two_factor_auth_path
|
||||
|
||||
click_link 'Configure it later'
|
||||
expect(current_path).to eq root_path
|
||||
end
|
||||
end
|
||||
|
||||
context 'after the grace period' do
|
||||
let(:user) { create(:user, otp_grace_period_started_at: 9999.hours.ago) }
|
||||
|
||||
it 'redirects to two-factor configuration page' do
|
||||
expect(current_path).to eq profile_two_factor_auth_path
|
||||
expect(page).to have_content(
|
||||
'The group settings for Group 1 and Group 2 require you to enable ' \
|
||||
'Two-Factor Authentication for your account.'
|
||||
)
|
||||
end
|
||||
|
||||
it 'disallows skipping two-factor configuration', js: true do
|
||||
expect(current_path).to eq profile_two_factor_auth_path
|
||||
expect(page).not_to have_link('Configure it later')
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'without grace period defined' do
|
||||
before(:each) do
|
||||
stub_application_setting(two_factor_grace_period: 0)
|
||||
login_with(user)
|
||||
end
|
||||
|
||||
it 'redirects to two-factor configuration page' do
|
||||
expect(current_path).to eq profile_two_factor_auth_path
|
||||
expect(page).to have_content(
|
||||
'The group settings for Group 1 and Group 2 require you to enable ' \
|
||||
'Two-Factor Authentication for your account.'
|
||||
)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue