FIX: No error displayed when 2FA token is invalid on admin login page.

2018-02-22 09:45:57 +08:00 · 2018-02-22 09:45:57 +08:00 · 964624f3ab
parent 412b298f55
commit 964624f3ab
3 changed files with 44 additions and 15 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -593,8 +593,27 @@ class UsersController < ApplicationController

        email_token_user = EmailToken.confirmable(token)&.user
        totp_enabled = email_token_user.totp_enabled?
+        second_factor_token = params[:second_factor_token]
+        confirm_email = false

-        if !totp_enabled || email_token_user.authenticate_totp(params[:second_factor_token])
+        confirm_email =
+          if totp_enabled
+            @second_factor_required = true
+            @message = I18n.t("login.second_factor_title")
+
+            if second_factor_token.present?
+              if email_token_user.authenticate_totp(second_factor_token)
+                true
+              else
+                @error = I18n.t("login.invalid_second_factor_code")
+                false
+              end
+            end
+          else
+            true
+          end
+
+        if confirm_email
          @user = EmailToken.confirm(token)

          if @user && @user.admin?
@ -603,9 +622,6 @@ class UsersController < ApplicationController
          else
            @message = I18n.t("admin_login.errors.unknown_email_address")
          end
-        else
-          @second_factor_required = true
-          @message = I18n.t("login.second_factor_title")
        end
      else
        @message = I18n.t("admin_login.errors.invalid_token")
--- a/app/views/users/admin_login.html.erb
+++ b/app/views/users/admin_login.html.erb
@ -5,13 +5,13 @@
  <body>
    <% if @message %>
      <%= @message %>
-      <% if @second_factor_required %>
+      <% if @error %><p><%= @error %></p><% end %>
+
      <%=form_tag({}, method: :put) do %>
        <%= label_tag(:second_factor_token, t('login.second_factor_description')) %>
        <%= text_field_tag(:second_factor_token, nil, autofocus: true) %><br><br>
        <%= submit_tag t('submit')%>
      <% end %>
-      <% end %>
    <% else %>
      <%=form_tag({}, method: :put) do %>
        <%= label_tag(:email, t('admin_login.email_input')) %>
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@ -554,22 +554,35 @@ describe UsersController do

      describe 'when 2 factor authentication is enabled' do
        let(:second_factor) { Fabricate(:user_second_factor, user: admin) }
+        let(:email_token) { Fabricate(:email_token, user: admin) }
        render_views

        it 'does not log in when token required' do
          second_factor
-          token = admin.email_tokens.create(email: admin.email).token
-          get :admin_login, params: { token: token }
+          get :admin_login, params: { token: email_token.token }
          expect(response).not_to redirect_to('/')
          expect(session[:current_user_id]).not_to eq(admin.id)
          expect(response.body).to include(I18n.t('login.second_factor_description'));
        end

-        it 'logs in when a valid 2-factor token is given' do
-          token = admin.email_tokens.create(email: admin.email).token
+        describe 'invalid 2 factor token' do
+          it 'should display the right error' do
+            second_factor

            put :admin_login, params: {
-            token: token,
+              token: email_token.token,
+              second_factor_token: '13213'
+            }
+
+            expect(response.status).to eq(200)
+            expect(response.body).to include(I18n.t('login.second_factor_description'));
+            expect(response.body).to include(I18n.t('login.invalid_second_factor_code'));
+          end
+        end
+
+        it 'logs in when a valid 2-factor token is given' do
+          put :admin_login, params: {
+            token: email_token.token,
            second_factor_token: ROTP::TOTP.new(second_factor.data).now
          }