|
|
|
require "rails_helper"
|
|
|
|
|
|
|
|
RSpec.describe "User Lockout" do
|
|
|
|
let(:user) { FactoryBot.create(:user) }
|
|
|
|
let(:admin) { FactoryBot.create(:admin_user) }
|
|
|
|
let(:max_login_attempts) { Devise.maximum_attempts }
|
|
|
|
let(:max_2fa_attempts) { Devise.max_login_attempts }
|
|
|
|
let(:notify_client) { instance_double(Notifications::Client) }
|
|
|
|
|
|
|
|
context "when login-in with the wrong user password up to a maximum number of attempts" do
|
|
|
|
before do
|
|
|
|
visit("/account/sign-in")
|
|
|
|
max_login_attempts.times do
|
|
|
|
fill_in("user[email]", with: user.email)
|
|
|
|
fill_in("user[password]", with: "wrong_password")
|
|
|
|
click_button("Sign in")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
it "locks the user account" do
|
|
|
|
visit("/account/sign-in")
|
|
|
|
fill_in("user[email]", with: user.email)
|
|
|
|
fill_in("user[password]", with: user.password)
|
|
|
|
click_button("Sign in")
|
|
|
|
expect(page).to have_http_status(:unprocessable_entity)
|
|
|
|
expect(page).to have_content(I18n.t("devise.failure.locked"))
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context "when login-in with the wrong admin password up to a maximum number of attempts" do
|
|
|
|
before do
|
|
|
|
visit("/admin/sign-in")
|
|
|
|
max_login_attempts.times do
|
|
|
|
fill_in("admin_user[email]", with: admin.email)
|
|
|
|
fill_in("admin_user[password]", with: "wrong_password")
|
|
|
|
click_button("Sign in")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
it "locks the admin account" do
|
|
|
|
visit("/admin/sign-in")
|
|
|
|
fill_in("admin_user[email]", with: admin.email)
|
|
|
|
fill_in("admin_user[password]", with: admin.password)
|
|
|
|
click_button("Sign in")
|
|
|
|
expect(page).to have_http_status(:unprocessable_entity)
|
|
|
|
expect(page).to have_content(I18n.t("devise.failure.locked"))
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context "when login-in with the right admin password and incorrect 2FA token up to a maximum number of attempts" do
|
|
|
|
let(:devise_notify_mailer) { DeviseNotifyMailer.new }
|
|
|
|
|
|
|
|
before do
|
|
|
|
allow(DeviseNotifyMailer).to receive(:new).and_return(devise_notify_mailer)
|
|
|
|
allow(devise_notify_mailer).to receive(:notify_client).and_return(notify_client)
|
|
|
|
allow(notify_client).to receive(:send_email).and_return(true)
|
|
|
|
|
|
|
|
visit("/admin/sign-in")
|
|
|
|
fill_in("admin_user[email]", with: admin.email)
|
|
|
|
fill_in("admin_user[password]", with: admin.password)
|
|
|
|
click_button("Sign in")
|
|
|
|
|
|
|
|
max_2fa_attempts.times do
|
|
|
|
fill_in("code", with: "random")
|
|
|
|
click_button("Submit")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
it "locks the admin account" do
|
|
|
|
visit("/admin/sign-in")
|
|
|
|
fill_in("admin_user[email]", with: admin.email)
|
|
|
|
fill_in("admin_user[password]", with: admin.password)
|
|
|
|
click_button("Sign in")
|
|
|
|
expect(page).to have_http_status(:unprocessable_entity)
|
|
|
|
expect(page).to have_content(I18n.t("devise.two_factor_authentication.account_locked"))
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|