devise-otp 1.1.0 → 2.0.0

data/test/integration/disable_token_test.rb

@@ -2,7 +2,6 @@ require "test_helper"
 require "integration_tests_helper"
 
 class DisableTokenTest < ActionDispatch::IntegrationTest
-
   def setup
     # log in 1fa
     @user = enable_otp_and_sign_in
@@ -52,5 +51,4 @@ class DisableTokenTest < ActionDispatch::IntegrationTest
     assert_not_nil @user.otp_recovery_secret
     assert_equal @user.otp_recovery_secret, recovery_secret
   end
-
 end

data/test/integration/enable_otp_form_test.rb

@@ -48,7 +48,7 @@ class EnableOtpFormTest < ActionDispatch::IntegrationTest
 
     visit "/"
     within "#alerts" do
-      assert !page.has_content?('The Confirmation Code you entered did not match the QR code shown below.')
+      assert_not page.has_content?('The Confirmation Code you entered did not match the QR code shown below.')
     end
   end
 
@@ -71,4 +71,15 @@ class EnableOtpFormTest < ActionDispatch::IntegrationTest
     assert_not user.otp_enabled?
   end
 
+  test "failed confirmation code should return a 422 'unprocessable entity' status" do
+    user = sign_user_in
+
+    visit edit_user_otp_token_path
+
+    fill_in "confirmation_code", with: "123456"
+
+    click_button "Continue..."
+
+    assert_equal 422, page.status_code
+  end
 end

data/test/integration/lockable_test.rb

@@ -0,0 +1,143 @@
+require "test_helper"
+require "integration_tests_helper"
+
+class SignInTest < ActionDispatch::IntegrationTest
+  def setup
+    @lockable_user = create_lockable_user
+    @lockable_user.populate_otp_secrets!
+    @lockable_user.update(otp_enabled: true)
+
+    sign_user_in(@lockable_user)
+    assert_equal lockable_user_otp_credential_path, current_path
+  end
+
+  def teardown
+    Capybara.reset_sessions!
+  end
+
+  test "a normal User should not get locked out for entering incorrect OTP tokens" do
+    enable_otp_and_sign_in
+
+    6.times do
+      fill_in "token", with: "123456"
+      click_button "Submit Token"
+    end
+
+    assert page.has_content? "The token you provided was invalid."
+  end
+
+  test "a Lockable User should increment failed_attempts for each incorrect OTP token" do
+    fill_in "token", with: "123456"
+    click_button "Submit Token"
+    assert page.has_content? "The token you provided was invalid."
+
+    @lockable_user.reload
+    assert_equal 1, @lockable_user.failed_attempts
+
+    fill_in "token", with: "123456"
+    click_button "Submit Token"
+    assert page.has_content? "The token you provided was invalid."
+
+    @lockable_user.reload
+    assert_equal 2, @lockable_user.failed_attempts
+  end
+
+  test "a Lockable User should reset failed_attempts after a correct OTP token" do
+    fill_in "token", with: ROTP::TOTP.new(@lockable_user.otp_auth_secret).at(Time.now)
+    click_button "Submit Token"
+    assert_equal root_path, current_path
+
+    @lockable_user.reload
+    assert_equal 0, @lockable_user.failed_attempts
+  end
+
+  test "a Lockable User should get locked out for entering incorrect OTP token too many times" do
+    # Enter incorrect token
+    5.times do
+      fill_in "token", with: "123456"
+      click_button "Submit Token"
+    end
+
+    @lockable_user.reload
+    assert @lockable_user.access_locked?
+  end
+
+  test "a locked out user should be redirected to the sign in form" do
+    # Enter incorrect token
+    5.times do
+      fill_in "token", with: "123456"
+      click_button "Submit Token"
+    end
+
+    assert_equal new_lockable_user_session_path, current_path
+  end
+
+  test "a locked out user should see the default 'Your account is locked' message" do
+    # Enter incorrect token
+    5.times do
+      fill_in "token", with: "123456"
+      click_button "Submit Token"
+    end
+
+    assert page.has_content? "Your account is locked."
+  end
+
+  test "the OTP credentials form should display the 'one more attempt' message before being locked out" do
+    # Enter incorrect token
+    4.times do
+      fill_in "token", with: "123456"
+      click_button "Submit Token"
+    end
+
+    assert page.has_content? "You have one more attempt"
+  end
+
+  test "the OTP credentials form should not work for a locked out user (in case of URL revisit)" do
+    # Save challenge path
+    uri = URI.parse(current_url)
+    challenge_path = "#{uri.path}?#{uri.query}"
+
+    # Enter incorrect token
+    5.times do
+      fill_in "token", with: "123456"
+      click_button "Submit Token"
+    end
+
+    visit challenge_path
+
+    # Enter correct token
+    fill_in "token", with: ROTP::TOTP.new(@lockable_user.otp_auth_secret).at(Time.now)
+    click_button "Submit Token"
+
+    assert page.has_content? "Your account is locked."
+  end
+
+  test "manually revisiting the sign_in form should not reset the failed attempts for the OTP form" do
+    # Enter incorrect token
+    4.times do
+      fill_in "token", with: "123456"
+      click_button "Submit Token"
+    end
+
+    @lockable_user.reload
+    assert_equal 4, @lockable_user.failed_attempts
+
+    # Attempt to reset failed attempts via sign_in form
+    reset!
+    visit posts_path
+    assert_equal new_user_session_path, current_path
+    sign_user_in(@lockable_user)
+
+    @lockable_user.reload
+    assert_equal 4, @lockable_user.failed_attempts
+
+    # Enter incorrect token again
+    fill_in "token", with: "123456"
+    click_button "Submit Token"
+
+    @lockable_user.reload
+    assert_equal 5, @lockable_user.failed_attempts
+
+    assert page.has_content? "Your account is locked."
+  end
+end

data/test/integration/non_otp_user_models_test.rb

@@ -2,7 +2,6 @@ require "test_helper"
 require "integration_tests_helper"
 
 class NonOtpUserModelsTest < ActionDispatch::IntegrationTest
-
   def teardown
     Capybara.reset_sessions!
   end
@@ -17,5 +16,4 @@ class NonOtpUserModelsTest < ActionDispatch::IntegrationTest
 
     assert_equal non_otp_posts_path, current_path
   end
-
 end

data/test/integration/otp_drift_test.rb

@@ -0,0 +1,35 @@
+require "test_helper"
+require "integration_tests_helper"
+
+class OtpDriftTest < ActionDispatch::IntegrationTest
+  def teardown
+    Capybara.reset_sessions!
+    Timecop.return
+  end
+
+  test "should allow OTP token usage up within the OTP drift window" do
+    user = enable_otp_and_sign_in
+
+    copied_token = ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+
+    Timecop.freeze(Time.now + 90)
+
+    fill_in "token", with: copied_token
+    click_button "Submit Token"
+
+    assert_equal root_path, current_path
+  end
+
+  test "should not allow OTP token usage beyond the OTP drift window" do
+    user = enable_otp_and_sign_in
+
+    copied_token = ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+
+    Timecop.freeze(Time.now + 120)
+
+    fill_in "token", with: copied_token
+    click_button "Submit Token"
+
+    assert_not_equal root_path, current_path
+  end
+end

data/test/integration/persistence_test.rb

@@ -10,6 +10,7 @@ class PersistenceTest < ActionDispatch::IntegrationTest
   def teardown
     User.otp_trust_persistence = @old_persistence
     Capybara.reset_sessions!
+    Timecop.return
   end
 
   test "a user should be requested the otp challenge every log in" do
@@ -34,7 +35,7 @@ class PersistenceTest < ActionDispatch::IntegrationTest
     visit user_otp_token_path
     assert_equal user_otp_token_path, current_path
 
-    click_link("Trust this browser")
+    click_button("Trust this browser")
     assert_text "Your browser is trusted."
     within "#alerts" do
       assert page.has_content? 'Your device is now trusted.'
@@ -46,6 +47,46 @@ class PersistenceTest < ActionDispatch::IntegrationTest
     assert_equal root_path, current_path
   end
 
+  test "a user should be able to remove their browser" do
+    # log in 1fa
+    user = enable_otp_and_sign_in
+    otp_challenge_for user
+
+    original_persistence_seed = user.otp_persistence_seed
+
+    visit user_otp_token_path
+    click_button("Trust this browser")
+    click_button("Remove this browser from the list of trusted browsers")
+
+    assert_text "Your browser is not trusted."
+    # Test that the OTP Persistence Seed is still valid
+    assert_equal user.reload.otp_persistence_seed, original_persistence_seed
+
+    sign_out
+    sign_user_in
+    assert_equal user_otp_credential_path, current_path
+  end
+
+  test "a user should be able to clear all trusted browsers" do
+    # log in 1fa
+    user = enable_otp_and_sign_in
+    otp_challenge_for user
+
+    original_persistence_seed = user.otp_persistence_seed
+
+    visit user_otp_token_path
+    click_button("Trust this browser")
+    click_button("Clear the list of trusted browsers")
+
+    assert_text "Your browser is not trusted."
+    # Test that the OTP Persistence Seed was reset
+    assert_not_equal user.reload.otp_persistence_seed, original_persistence_seed
+
+    sign_out
+    sign_user_in
+    assert_equal user_otp_credential_path, current_path
+  end
+
   test "a user should be able to download its recovery codes" do
     # log in 1fa
     user = enable_otp_and_sign_in
@@ -68,13 +109,27 @@ class PersistenceTest < ActionDispatch::IntegrationTest
     visit user_otp_token_path
     assert_equal user_otp_token_path, current_path
 
-    click_link("Trust this browser")
+    click_button("Trust this browser")
     assert_text "Your browser is trusted."
     sign_out
 
-    sleep User.otp_trust_persistence.to_i + 1
-    sign_user_in
+    Timecop.travel(Time.now + 30.days)
 
+    sign_user_in
     assert_equal user_otp_credential_path, current_path
   end
+
+  test "a user should be prompted for credentials if the credentials_refresh time is expired" do
+    # log in 1fa
+    user = enable_otp_and_sign_in
+    otp_challenge_for user
+
+    visit user_otp_token_path
+    assert_equal user_otp_token_path, current_path
+
+    Timecop.travel(Time.now + 15.minutes)
+
+    click_button("Trust this browser")
+    assert_equal refresh_user_otp_credential_path, current_path
+  end
 end

data/test/integration/refresh_test.rb

@@ -2,16 +2,9 @@ require "test_helper"
 require "integration_tests_helper"
 
 class RefreshTest < ActionDispatch::IntegrationTest
-  def setup
-    @old_refresh = User.otp_credentials_refresh
-    User.otp_credentials_refresh = 1.second
-    Admin.otp_credentials_refresh = 1.second
-  end
-
   def teardown
-    User.otp_credentials_refresh = @old_refresh
-    Admin.otp_credentials_refresh = @old_refresh
     Capybara.reset_sessions!
+    Timecop.return
   end
 
   test "a user that just signed in should be able to access their OTP settings without refreshing" do
@@ -26,7 +19,7 @@ class RefreshTest < ActionDispatch::IntegrationTest
     visit user_otp_token_path
     assert_equal user_otp_token_path, current_path
 
-    sleep(2)
+    Timecop.travel(Time.now + 15.minutes)
 
     visit user_otp_token_path
     assert_equal refresh_user_otp_credential_path, current_path
@@ -37,7 +30,7 @@ class RefreshTest < ActionDispatch::IntegrationTest
     visit user_otp_token_path
     assert_equal user_otp_token_path, current_path
 
-    sleep(2)
+    Timecop.travel(Time.now + 15.minutes)
 
     visit user_otp_token_path
     assert_equal refresh_user_otp_credential_path, current_path
@@ -52,7 +45,7 @@ class RefreshTest < ActionDispatch::IntegrationTest
     visit user_otp_token_path
     assert_equal user_otp_token_path, current_path
 
-    sleep(2)
+    Timecop.travel(Time.now + 15.minutes)
 
     visit user_otp_token_path
     assert_equal refresh_user_otp_credential_path, current_path
@@ -67,14 +60,15 @@ class RefreshTest < ActionDispatch::IntegrationTest
 
     visit "/"
     within "#alerts" do
-      assert !page.has_content?('Sorry, you provided the wrong credentials.')
+      assert_not page.has_content?('Sorry, you provided the wrong credentials.')
     end
   end
 
   test "user should be finally be able to access their settings, and just password is enough" do
     user = enable_otp_and_sign_in_with_otp
 
-    sleep(2)
+    Timecop.travel(Time.now + 15.minutes)
+
     visit user_otp_token_path
     assert_equal refresh_user_otp_credential_path, current_path
 
@@ -102,7 +96,7 @@ class RefreshTest < ActionDispatch::IntegrationTest
     click_button "Submit Token"
     assert_equal "/", current_path
 
-    sleep(2)
+    Timecop.travel(Time.now + 15.minutes)
 
     visit admin_otp_token_path
     assert_equal refresh_admin_otp_credential_path, current_path
@@ -113,4 +107,19 @@ class RefreshTest < ActionDispatch::IntegrationTest
     assert_equal admin_otp_token_path, current_path
   end
 
+  test "failed credentials should return a 422 'unprocessable entity' status" do
+    sign_user_in
+    visit user_otp_token_path
+    assert_equal user_otp_token_path, current_path
+
+    Timecop.travel(Time.now + 15.minutes)
+
+    visit user_otp_token_path
+    assert_equal refresh_user_otp_credential_path, current_path
+
+    fill_in "user_refresh_password", with: "12345670"
+    click_button "Continue..."
+
+    assert_equal 422, page.status_code
+  end
 end

data/test/integration/rememberable_test.rb

@@ -0,0 +1,143 @@
+require "test_helper"
+require "integration_tests_helper"
+
+class RememberableTest < ActionDispatch::IntegrationTest
+  def setup
+    @rememberable_user = create_rememberable_user
+    @rememberable_user.populate_otp_secrets!
+    @rememberable_user.enable_otp!
+  end
+
+  def teardown
+    Capybara.reset_sessions!
+    Timecop.return
+  end
+
+  test "checking remember_me at the sign in page persists the selection to the OTP credentials page" do
+    visit new_rememberable_user_session_path
+
+    fill_in "rememberable_user_email", with: "rememberable-user@email.invalid"
+    fill_in "rememberable_user_password", with: "12345678"
+    check "Remember me"
+    click_button("Log in")
+
+    assert_equal rememberable_user_otp_credential_path, current_path
+
+    assert_equal "true", find("#remember_me", visible: false).value
+  end
+
+  test "checking remember me during the sign in process with OTP enabled remembers the user" do
+    visit new_rememberable_user_session_path
+
+    fill_in "rememberable_user_email", with: "rememberable-user@email.invalid"
+    fill_in "rememberable_user_password", with: "12345678"
+    check "Remember me"
+    click_button("Log in")
+
+    assert_equal rememberable_user_otp_credential_path, current_path
+
+    fill_in "token", with: ROTP::TOTP.new(@rememberable_user.otp_auth_secret).at(Time.now)
+    click_button("Submit Token")
+
+    assert current_path, "/"
+
+    assert page.driver.browser.last_request.cookies['remember_rememberable_user_token']
+  end
+
+  test "not checking remember me during the sign in process does not remember the user" do
+    visit new_rememberable_user_session_path
+
+    fill_in "rememberable_user_email", with: "rememberable-user@email.invalid"
+    fill_in "rememberable_user_password", with: "12345678"
+    click_button("Log in")
+
+    assert_equal rememberable_user_otp_credential_path, current_path
+
+    fill_in "token", with: ROTP::TOTP.new(@rememberable_user.otp_auth_secret).at(Time.now)
+    click_button("Submit Token")
+
+    assert current_path, "/"
+
+    assert_nil page.driver.browser.last_request.cookies['remember_rememberable_user_token']
+  end
+
+  test "the OTP credentials page persists the remember_me value through any reloads" do
+    visit new_rememberable_user_session_path
+
+    fill_in "rememberable_user_email", with: "rememberable-user@email.invalid"
+    fill_in "rememberable_user_password", with: "12345678"
+    check "Remember me"
+    click_button("Log in")
+
+    assert_equal rememberable_user_otp_credential_path, current_path
+
+    fill_in "token", with: "123456"
+    click_button("Submit Token")
+
+    assert_equal rememberable_user_otp_credential_path, current_path
+
+    assert_equal "true", find("#remember_me", visible: false).value
+  end
+
+  test "checking remember_me at the sign in page does not remember the user until sign in is completed" do
+    visit new_rememberable_user_session_path
+
+    fill_in "rememberable_user_email", with: "rememberable-user@email.invalid"
+    fill_in "rememberable_user_password", with: "12345678"
+    check "Remember me"
+    click_button("Log in")
+
+    assert_equal rememberable_user_otp_credential_path, current_path
+
+    assert_nil page.driver.browser.last_request.cookies['remember_rememberable_user_token']
+  end
+
+  test "rememberable users without OTP enabled are remembered immediately" do
+    @rememberable_user.disable_otp!
+
+    visit new_rememberable_user_session_path
+    fill_in "rememberable_user_email", with: "rememberable-user@email.invalid"
+    fill_in "rememberable_user_password", with: "12345678"
+    check "Remember me"
+    click_button("Log in")
+
+    assert page.driver.browser.last_request.cookies['remember_rememberable_user_token']
+  end
+
+  test "rememberable users with browser persistence enabled are still remembered when signing in" do
+    visit new_rememberable_user_session_path
+
+    fill_in "rememberable_user_email", with: "rememberable-user@email.invalid"
+    fill_in "rememberable_user_password", with: "12345678"
+    check "Remember me"
+    click_button("Log in")
+
+    fill_in "token", with: ROTP::TOTP.new(@rememberable_user.otp_auth_secret).at(Time.now)
+    click_button("Submit Token")
+
+    visit rememberable_user_otp_token_path
+    click_button "Trust this browser"
+    click_button("Sign Out")
+
+    visit new_rememberable_user_session_path
+    fill_in "rememberable_user_email", with: "rememberable-user@email.invalid"
+    fill_in "rememberable_user_password", with: "12345678"
+    check "Remember me"
+    click_button("Log in")
+
+    assert page.driver.browser.last_request.cookies['remember_rememberable_user_token']
+  end
+
+  test "normal users without rememberable strategy are not affected" do
+    create_full_user
+    visit new_user_session_path
+
+    assert_not page.has_content? "Remember me"
+
+    fill_in "user_email", with: "user@email.invalid"
+    fill_in "user_password", with: "12345678"
+    click_button("Log in")
+
+    assert_nil page.driver.browser.last_request.cookies['remember_rememberable_user_token']
+  end
+end

data/test/integration/reset_token_test.rb

@@ -2,7 +2,6 @@ require "test_helper"
 require "integration_tests_helper"
 
 class ResetTokenTest < ActionDispatch::IntegrationTest
-
   def setup
     # log in 1fa
     @user = enable_otp_and_sign_in
@@ -44,5 +43,4 @@ class ResetTokenTest < ActionDispatch::IntegrationTest
     assert_not_nil @user.otp_recovery_secret
     assert_not_equal @user.otp_recovery_secret, recovery_secret
   end
-
 end

data/test/integration/sign_in_test.rb

@@ -4,6 +4,7 @@ require "integration_tests_helper"
 class SignInTest < ActionDispatch::IntegrationTest
   def teardown
     Capybara.reset_sessions!
+    Timecop.return
   end
 
   test "a new user should be able to sign in without using their token" do
@@ -57,6 +58,16 @@ class SignInTest < ActionDispatch::IntegrationTest
     assert page.has_content? "You need to type in the token you generated with your device."
   end
 
+  test "failed authentication should return a 422 'unprocessable entity' status" do
+    enable_otp_and_sign_in
+    assert_equal user_otp_credential_path, current_path
+
+    fill_in "token", with: "123456"
+    click_button "Submit Token"
+
+    assert_equal 422, page.status_code
+  end
+
   test "successful token authentication" do
     user = enable_otp_and_sign_in
 
@@ -66,18 +77,14 @@ class SignInTest < ActionDispatch::IntegrationTest
     assert_equal root_path, current_path
   end
 
-  test "should fail if the the challenge times out" do
-    old_timeout = User.otp_authentication_timeout
-    User.otp_authentication_timeout = 1.second
-
+  test "should fail and redirect if the the challenge is expired" do
     user = enable_otp_and_sign_in
 
-    sleep(2)
+    Timecop.travel(Time.now + 3.minutes)
 
     fill_in "token", with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
     click_button "Submit Token"
 
-    User.otp_authentication_timeout = old_timeout
     assert_equal new_user_session_path, current_path
   end
 
@@ -92,7 +99,7 @@ class SignInTest < ActionDispatch::IntegrationTest
     fill_in "token", with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
     click_button "Submit Token"
 
-    assert !page.has_content?("The token you provided was invalid.")
+    assert_not page.has_content?("The token you provided was invalid.")
   end
 
   test "invalid token flash message does not persist to successful authentication redirect." do
@@ -106,6 +113,6 @@ class SignInTest < ActionDispatch::IntegrationTest
     fill_in "token", with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
     click_button "Submit Token"
 
-    assert !page.has_content?("You need to type in the token you generated with your device.")
+    assert_not page.has_content?("You need to type in the token you generated with your device.")
   end
 end

data/test/integration/trackable_test.rb

@@ -2,7 +2,6 @@ require "test_helper"
 require "integration_tests_helper"
 
 class TrackableTest < ActionDispatch::IntegrationTest
-
   def setup
     @user = sign_user_in
 
@@ -46,5 +45,4 @@ class TrackableTest < ActionDispatch::IntegrationTest
     assert_not_equal @sign_in_count, @user.sign_in_count
     assert_not_equal @current_sign_in_at, @user.current_sign_in_at
   end
-
 end

data/test/integration_tests_helper.rb

@@ -27,6 +27,17 @@ class ActionDispatch::IntegrationTest
     end
   end
 
+  def create_lockable_user
+    @lockable_user ||= begin
+      lockable_user = LockableUser.create!(
+        email: "lockable-user@devise-otp.local",
+        password: "12345678",
+        password_confirmation: "12345678"
+      )
+      lockable_user
+    end
+  end
+
   def create_non_otp_user
     @non_otp_user ||= begin
       non_otp_user = NonOtpUser.create!(
@@ -38,6 +49,17 @@ class ActionDispatch::IntegrationTest
     end
   end
 
+  def create_rememberable_user
+    @rememberable_user ||= begin
+      rememberable_user = RememberableUser.create!(
+        email: "rememberable-user@email.invalid",
+        password: "12345678",
+        password_confirmation: "12345678"
+      )
+      rememberable_user
+    end
+  end
+
   def enable_otp_and_sign_in_with_otp
     enable_otp_and_sign_in.tap do |user|
       fill_in "token", with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
@@ -89,5 +111,4 @@ class ActionDispatch::IntegrationTest
     page.has_content?("Log in") ? click_button("Log in") : click_button("Sign in")
     user
   end
-
 end