Stéphane Meny
3 years ago
committed by
GitHub
7 changed files with 113 additions and 10 deletions
@ -0,0 +1,10 @@ |
|||||||
|
class AddLockableFields < ActiveRecord::Migration[7.0] |
||||||
|
def change |
||||||
|
change_table :users, bulk: true do |t| |
||||||
|
t.column :failed_attempts, :integer, default: 0 |
||||||
|
t.column :unlock_token, :string |
||||||
|
t.column :locked_at, :datetime |
||||||
|
end |
||||||
|
add_index :users, :unlock_token, unique: true |
||||||
|
end |
||||||
|
end |
@ -0,0 +1,10 @@ |
|||||||
|
class AddLockableFields2 < ActiveRecord::Migration[7.0] |
||||||
|
def change |
||||||
|
change_table :admin_users, bulk: true do |t| |
||||||
|
t.column :failed_attempts, :integer, default: 0 |
||||||
|
t.column :unlock_token, :string |
||||||
|
t.column :locked_at, :datetime |
||||||
|
end |
||||||
|
add_index :admin_users, :unlock_token, unique: true |
||||||
|
end |
||||||
|
end |
@ -0,0 +1,75 @@ |
|||||||
|
require "rails_helper" |
||||||
|
|
||||||
|
RSpec.describe "User Lockout" do |
||||||
|
let(:user) { FactoryBot.create(:user) } |
||||||
|
let(:admin) { FactoryBot.create(:admin_user) } |
||||||
|
let(:max_login_attempts) { Devise.maximum_attempts } |
||||||
|
let(:max_2fa_attempts) { Devise.max_login_attempts } |
||||||
|
let(:notify_client) { instance_double(Notifications::Client) } |
||||||
|
|
||||||
|
context "when login-in with the wrong user password up to a maximum number of attempts" do |
||||||
|
before do |
||||||
|
visit("/users/sign-in") |
||||||
|
max_login_attempts.times do |
||||||
|
fill_in("user[email]", with: user.email) |
||||||
|
fill_in("user[password]", with: "wrong_password") |
||||||
|
click_button("Sign in") |
||||||
|
end |
||||||
|
end |
||||||
|
|
||||||
|
it "locks the user account" do |
||||||
|
visit("/users/sign-in") |
||||||
|
fill_in("user[email]", with: user.email) |
||||||
|
fill_in("user[password]", with: user.password) |
||||||
|
click_button("Sign in") |
||||||
|
expect(page).to have_http_status(:unprocessable_entity) |
||||||
|
expect(page).to have_content("Your account is locked.") |
||||||
|
end |
||||||
|
end |
||||||
|
|
||||||
|
context "when login-in with the wrong admin password up to a maximum number of attempts" do |
||||||
|
before do |
||||||
|
visit("/admin/sign-in") |
||||||
|
max_login_attempts.times do |
||||||
|
fill_in("admin_user[email]", with: admin.email) |
||||||
|
fill_in("admin_user[password]", with: "wrong_password") |
||||||
|
click_button("Sign in") |
||||||
|
end |
||||||
|
end |
||||||
|
|
||||||
|
it "locks the admin account" do |
||||||
|
visit("/admin/sign-in") |
||||||
|
fill_in("admin_user[email]", with: admin.email) |
||||||
|
fill_in("admin_user[password]", with: admin.password) |
||||||
|
click_button("Sign in") |
||||||
|
expect(page).to have_http_status(:unprocessable_entity) |
||||||
|
expect(page).to have_content("Your account is locked.") |
||||||
|
end |
||||||
|
end |
||||||
|
|
||||||
|
context "when login-in with the right admin password and incorrect 2FA token up to a maximum number of attempts" do |
||||||
|
before do |
||||||
|
allow(Sms).to receive(:notify_client).and_return(notify_client) |
||||||
|
allow(notify_client).to receive(:send_sms).and_return(true) |
||||||
|
|
||||||
|
visit("/admin/sign-in") |
||||||
|
fill_in("admin_user[email]", with: admin.email) |
||||||
|
fill_in("admin_user[password]", with: admin.password) |
||||||
|
click_button("Sign in") |
||||||
|
|
||||||
|
max_2fa_attempts.times do |
||||||
|
fill_in("code", with: "random") |
||||||
|
click_button("Submit") |
||||||
|
end |
||||||
|
end |
||||||
|
|
||||||
|
it "locks the admin account" do |
||||||
|
visit("/admin/sign-in") |
||||||
|
fill_in("admin_user[email]", with: admin.email) |
||||||
|
fill_in("admin_user[password]", with: admin.password) |
||||||
|
click_button("Sign in") |
||||||
|
expect(page).to have_http_status(:unprocessable_entity) |
||||||
|
expect(page).to have_content(I18n.t("devise.two_factor_authentication.account_locked")) |
||||||
|
end |
||||||
|
end |
||||||
|
end |
Loading…
Reference in new issue