
CLDC-1016: Fix 2FA bypass (#367)

* Failing test

* Simplest thing to make spec pass

* Extract to method

* Set condition based on class having the 2fa module rather than hardcoding class name
baarkerlounger 3 years ago committed by GitHub
739d1d761a
  1. 8
      app/controllers/auth/passwords_controller.rb
  2. 4
      spec/requests/auth/passwords_controller_spec.rb

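--- a/app/controllers/auth/passwords_controller.rb
+++ b/app/controllers/auth/passwords_controller.rb
@@ -37,6 +37,7 @@ class Auth::PasswordsController < Devise::PasswordsController
 set_flash_message!(:notice, password_update_flash_message)
 resource.after_database_authentication
 sign_in(resource_name, resource)
+set_2fa_required
 else
 set_flash_message!(:notice, :updated_not_active)
 end
@@ -49,6 +50,13 @@ class Auth::PasswordsController < Devise::PasswordsController
 protected
+def set_2fa_required
+return unless resource.respond_to?(:need_two_factor_authentication?) &&
+resource.need_two_factor_authentication?(request)
+warden.session(resource_class.name.underscore)[TwoFactorAuthentication::NEED_AUTHENTICATION] = true
+end
 def password_update_flash_message
 resource_class == AdminUser ? :updated_2FA : :updated
 end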
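Review bot: `password_update_flash_message` at the end of the second hunk still decides on `resource_class == AdminUser`, while the new `set_2fa_required` decides on `resource.respond_to?(:need_two_factor_authentication?)`; driving both from the same condition keeps the flash text and the 2FA gate from disagreeing if another model later gains the 2FA module, e.g. `resource.respond_to?(:need_two_factor_authentication?) ? :updated_2FA : :updated`. The session write in `set_2fa_required` reads as arbitrary without context, so a why-comment above it would help: `# sign_in above establishes the session straight from the reset password, skipping the 2FA step; re-arm the gate so the next request is sent to the OTP page.` The scope key is derived via `resource_class.name.underscore`, whereas the `sign_in` call in the first hunk already passes Devise's `resource_name`; those are presumably the same string here, and reusing `resource_name` avoids a second derivation that could drift from the scope Devise actually signed in. The method enclosing the first hunk starts outside it.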

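--- a/spec/requests/auth/passwords_controller_spec.rb
+++ b/spec/requests/auth/passwords_controller_spec.rb
@@ -130,9 +130,11 @@ RSpec.describe Auth::PasswordsController, type: :request do
 }.to change(admin_user, :encrypted_password)
 end
-it "sends you to the 2FA page" do
+it "sends you to the 2FA page and does not allow bypassing 2FA code" do
 put "/admin/password", headers: headers, params: params
 expect(response).to redirect_to("/admin/two-factor-authentication")
+get "/admin/case_logs", headers: headers
+expect(response).to redirect_to("/admin/two-factor-authentication")
 end
 it "triggers an SMS" do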
