webapp/bookstack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2026-01-03 23:42:28 +03:00
Code Activity

Added backup code setup flow

Browse Source 
- Includes testing to cover flow.
- Moved TOTP logic to its own controller.
- Added some extra totp tests.
This commit is contained in:
Dan Brown
2021-07-02 20:53:33 +01:00
parent 83c8f73142
commit 529971c534
10 changed files with 242 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
tests/Auth/MfaConfigurationTest.php
View File

@@ -2,6 +2,7 @@
namespace Tests\Auth;
use BookStack\Auth\Access\Mfa\MfaValue;
use PragmaRX\Google2FA\Google2FA;
use Tests\TestCase;
@@ -37,7 +38,8 @@ class MfaConfigurationTest extends TestCase
// Successful confirmation
$google2fa = new Google2FA();
$otp = $google2fa->getCurrentOtp(decrypt(session()->get('mfa-setup-totp-secret')));
$secret = decrypt(session()->get('mfa-setup-totp-secret'));
$otp = $google2fa->getCurrentOtp($secret);
$resp = $this->post('/mfa/totp-confirm', [
'code' => $otp,
]);
@@ -47,6 +49,61 @@ class MfaConfigurationTest extends TestCase
$resp = $this->followRedirects($resp);
$resp->assertSee('Multi-factor method successfully configured');
$resp->assertElementContains('a[href$="/mfa/totp-generate"]', 'Reconfigure');
$this->assertDatabaseHas('mfa_values', [
'user_id' => $editor->id,
'method' => 'totp',
]);
$this->assertFalse(session()->has('mfa-setup-totp-secret'));
$value = MfaValue::query()->where('user_id', '=', $editor->id)
->where('method', '=', 'totp')->first();
$this->assertEquals($secret, decrypt($value->value));
}
public function test_backup_codes_setup()
{
$editor = $this->getEditor();
$this->assertDatabaseMissing('mfa_values', ['user_id' => $editor->id]);
// Setup page state
$resp = $this->actingAs($editor)->get('/mfa/setup');
$resp->assertElementContains('a[href$="/mfa/backup-codes-generate"]', 'Setup');
// Generate page access
$resp = $this->get('/mfa/backup-codes-generate');
$resp->assertSee('Backup Codes');
$resp->assertElementContains('form[action$="/mfa/backup-codes-confirm"]', 'Confirm and Enable');
$this->assertSessionHas('mfa-setup-backup-codes');
$codes = decrypt(session()->get('mfa-setup-backup-codes'));
// Check code format
$this->assertCount(16, $codes);
$this->assertEquals(16*11, strlen(implode('', $codes)));
// Check download link
$resp->assertSee(base64_encode(implode("\n\n", $codes)));
// Confirm submit
$resp = $this->post('/mfa/backup-codes-confirm');
$resp->assertRedirect('/mfa/setup');
// Confirmation of setup
$resp = $this->followRedirects($resp);
$resp->assertSee('Multi-factor method successfully configured');
$resp->assertElementContains('a[href$="/mfa/backup-codes-generate"]', 'Reconfigure');
$this->assertDatabaseHas('mfa_values', [
'user_id' => $editor->id,
'method' => 'backup_codes',
]);
$this->assertFalse(session()->has('mfa-setup-backup-codes'));
$value = MfaValue::query()->where('user_id', '=', $editor->id)
->where('method', '=', 'backup_codes')->first();
$this->assertEquals($codes, json_decode(decrypt($value->value)));
}
public function test_backup_codes_cannot_be_confirmed_if_not_previously_generated()
{
$resp = $this->asEditor()->post('/mfa/backup-codes-confirm');
$resp->assertStatus(500);
}
}