webapp/bookstack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-07-30 04:23:11 +03:00
Code Activity

Worked on MFA setup required flow

Browse Source 
- Restructured some of the route naming to be a little more consistent.
- Moved the routes about to be more logically in one place.
- Created a new middleware to handle the auth of people that should be
  allowed access to mfa setup routes, since these could be used by
  existing logged in users or by people needing to setup MFA on access.
- Added testing to cover MFA setup required flow.
- Added TTL and method tracking to session last-login tracking system.
This commit is contained in:
Dan Brown
2021-08-02 22:02:25 +01:00
parent 4597069083
commit 9b271e559f
15 changed files with 218 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
tests/Auth/MfaConfigurationTest.php
View File

@ -18,21 +18,21 @@ class MfaConfigurationTest extends TestCase
// Setup page state
$resp = $this->actingAs($editor)->get('/mfa/setup');
$resp->assertElementContains('a[href$="/mfa/totp-generate"]', 'Setup');
$resp->assertElementContains('a[href$="/mfa/totp/generate"]', 'Setup');
// Generate page access
$resp = $this->get('/mfa/totp-generate');
$resp = $this->get('/mfa/totp/generate');
$resp->assertSee('Mobile App Setup');
$resp->assertSee('Verify Setup');
$resp->assertElementExists('form[action$="/mfa/totp-confirm"] button');
$resp->assertElementExists('form[action$="/mfa/totp/confirm"] button');
$this->assertSessionHas('mfa-setup-totp-secret');
$svg = $resp->getElementHtml('#main-content .card svg');
// Validation error, code should remain the same
$resp = $this->post('/mfa/totp-confirm', [
$resp = $this->post('/mfa/totp/confirm', [
'code' => 'abc123',
]);
$resp->assertRedirect('/mfa/totp-generate');
$resp->assertRedirect('/mfa/totp/generate');
$resp = $this->followRedirects($resp);
$resp->assertSee('The provided code is not valid or has expired.');
$revisitSvg = $resp->getElementHtml('#main-content .card svg');
@ -42,7 +42,7 @@ class MfaConfigurationTest extends TestCase
$google2fa = new Google2FA();
$secret = decrypt(session()->get('mfa-setup-totp-secret'));
$otp = $google2fa->getCurrentOtp($secret);
$resp = $this->post('/mfa/totp-confirm', [
$resp = $this->post('/mfa/totp/confirm', [
'code' => $otp,
]);
$resp->assertRedirect('/mfa/setup');
@ -50,7 +50,7 @@ class MfaConfigurationTest extends TestCase
// Confirmation of setup
$resp = $this->followRedirects($resp);
$resp->assertSee('Multi-factor method successfully configured');
$resp->assertElementContains('a[href$="/mfa/totp-generate"]', 'Reconfigure');
$resp->assertElementContains('a[href$="/mfa/totp/generate"]', 'Reconfigure');
$this->assertDatabaseHas('mfa_values', [
'user_id' => $editor->id,
@ -69,12 +69,12 @@ class MfaConfigurationTest extends TestCase
// Setup page state
$resp = $this->actingAs($editor)->get('/mfa/setup');
$resp->assertElementContains('a[href$="/mfa/backup-codes-generate"]', 'Setup');
$resp->assertElementContains('a[href$="/mfa/backup_codes/generate"]', 'Setup');
// Generate page access
$resp = $this->get('/mfa/backup-codes-generate');
$resp = $this->get('/mfa/backup_codes/generate');
$resp->assertSee('Backup Codes');
$resp->assertElementContains('form[action$="/mfa/backup-codes-confirm"]', 'Confirm and Enable');
$resp->assertElementContains('form[action$="/mfa/backup_codes/confirm"]', 'Confirm and Enable');
$this->assertSessionHas('mfa-setup-backup-codes');
$codes = decrypt(session()->get('mfa-setup-backup-codes'));
// Check code format
@ -84,13 +84,13 @@ class MfaConfigurationTest extends TestCase
$resp->assertSee(base64_encode(implode("\n\n", $codes)));
// Confirm submit
$resp = $this->post('/mfa/backup-codes-confirm');
$resp = $this->post('/mfa/backup_codes/confirm');
$resp->assertRedirect('/mfa/setup');
// Confirmation of setup
$resp = $this->followRedirects($resp);
$resp->assertSee('Multi-factor method successfully configured');
$resp->assertElementContains('a[href$="/mfa/backup-codes-generate"]', 'Reconfigure');
$resp->assertElementContains('a[href$="/mfa/backup_codes/generate"]', 'Reconfigure');
$this->assertDatabaseHas('mfa_values', [
'user_id' => $editor->id,
@ -104,7 +104,7 @@ class MfaConfigurationTest extends TestCase
public function test_backup_codes_cannot_be_confirmed_if_not_previously_generated()
{
$resp = $this->asEditor()->post('/mfa/backup-codes-confirm');
$resp = $this->asEditor()->post('/mfa/backup_codes/confirm');
$resp->assertStatus(500);
}

103
tests/Auth/MfaVerificationTest.php
View File

@ -2,9 +2,12 @@
namespace Tests\Auth;
use BookStack\Auth\Access\LoginService;
use BookStack\Auth\Access\Mfa\MfaValue;
use BookStack\Auth\Access\Mfa\TotpService;
use BookStack\Auth\Role;
use BookStack\Auth\User;
use BookStack\Exceptions\StoppedAuthenticationException;
use Illuminate\Support\Facades\Hash;
use PragmaRX\Google2FA\Google2FA;
use Tests\TestCase;
@ -20,10 +23,10 @@ class MfaVerificationTest extends TestCase
$resp = $this->get('/mfa/verify');
$resp->assertSee('Verify Access');
$resp->assertSee('Enter the code, generated using your mobile app, below:');
$resp->assertElementExists('form[action$="/mfa/verify/totp"] input[name="code"]');
$resp->assertElementExists('form[action$="/mfa/totp/verify"] input[name="code"]');
$google2fa = new Google2FA();
$resp = $this->post('/mfa/verify/totp', [
$resp = $this->post('/mfa/totp/verify', [
'code' => $google2fa->getCurrentOtp($secret),
]);
$resp->assertRedirect('/');
@ -35,7 +38,7 @@ class MfaVerificationTest extends TestCase
[$user, $secret, $loginResp] = $this->startTotpLogin();
$resp = $this->get('/mfa/verify');
$resp = $this->post('/mfa/verify/totp', [
$resp = $this->post('/mfa/totp/verify', [
'code' => '',
]);
$resp->assertRedirect('/mfa/verify');
@ -44,7 +47,7 @@ class MfaVerificationTest extends TestCase
$resp->assertSeeText('The code field is required.');
$this->assertNull(auth()->user());
$resp = $this->post('/mfa/verify/totp', [
$resp = $this->post('/mfa/totp/verify', [
'code' => '123321',
]);
$resp->assertRedirect('/mfa/verify');
@ -63,9 +66,9 @@ class MfaVerificationTest extends TestCase
$resp->assertSee('Verify Access');
$resp->assertSee('Backup Code');
$resp->assertSee('Enter one of your remaining backup codes below:');
$resp->assertElementExists('form[action$="/mfa/verify/backup_codes"] input[name="code"]');
$resp->assertElementExists('form[action$="/mfa/backup_codes/verify"] input[name="code"]');
$resp = $this->post('/mfa/verify/backup_codes', [
$resp = $this->post('/mfa/backup_codes/verify', [
'code' => $codes[1],
]);
@ -82,7 +85,7 @@ class MfaVerificationTest extends TestCase
[$user, $codes, $loginResp] = $this->startBackupCodeLogin();
$resp = $this->get('/mfa/verify');
$resp = $this->post('/mfa/verify/backup_codes', [
$resp = $this->post('/mfa/backup_codes/verify', [
'code' => '',
]);
$resp->assertRedirect('/mfa/verify');
@ -91,7 +94,7 @@ class MfaVerificationTest extends TestCase
$resp->assertSeeText('The code field is required.');
$this->assertNull(auth()->user());
$resp = $this->post('/mfa/verify/backup_codes', [
$resp = $this->post('/mfa/backup_codes/verify', [
'code' => 'ab123-ab456',
]);
$resp->assertRedirect('/mfa/verify');
@ -105,7 +108,7 @@ class MfaVerificationTest extends TestCase
{
[$user, $codes, $loginResp] = $this->startBackupCodeLogin();
$this->post('/mfa/verify/backup_codes', [
$this->post('/mfa/backup_codes/verify', [
'code' => $codes[0],
]);
$this->assertNotNull(auth()->user());
@ -114,7 +117,7 @@ class MfaVerificationTest extends TestCase
$this->post('/login', ['email' => $user->email, 'password' => 'password']);
$this->get('/mfa/verify');
$resp = $this->post('/mfa/verify/backup_codes', [
$resp = $this->post('/mfa/backup_codes/verify', [
'code' => $codes[0],
]);
$resp->assertRedirect('/mfa/verify');
@ -128,7 +131,7 @@ class MfaVerificationTest extends TestCase
{
[$user, $codes, $loginResp] = $this->startBackupCodeLogin(['abc12-def45', 'abc12-def46']);
$resp = $this->post('/mfa/verify/backup_codes', [
$resp = $this->post('/mfa/backup_codes/verify', [
'code' => $codes[0],
]);
$resp = $this->followRedirects($resp);
@ -151,16 +154,88 @@ class MfaVerificationTest extends TestCase
]);
// Totp shown by default
$mfaView->assertElementExists('form[action$="/mfa/verify/totp"] input[name="code"]');
$mfaView->assertElementExists('form[action$="/mfa/totp/verify"] input[name="code"]');
$mfaView->assertElementContains('a[href$="/mfa/verify?method=backup_codes"]', 'Verify using a backup code');
// Ensure can view backup_codes view
$resp = $this->get('/mfa/verify?method=backup_codes');
$resp->assertElementExists('form[action$="/mfa/verify/backup_codes"] input[name="code"]');
$resp->assertElementExists('form[action$="/mfa/backup_codes/verify"] input[name="code"]');
$resp->assertElementContains('a[href$="/mfa/verify?method=totp"]', 'Verify using a mobile app');
}
// TODO !! - Test no-existing MFA
public function test_mfa_required_with_no_methods_leads_to_setup()
{
$user = $this->getEditor();
$user->password = Hash::make('password');
$user->save();
/** @var Role $role */
$role = $user->roles->first();
$role->mfa_enforced = true;
$role->save();
$this->assertDatabaseMissing('mfa_values', [
'user_id' => $user->id,
]);
/** @var TestResponse $resp */
$resp = $this->followingRedirects()->post('/login', [
'email' => $user->email,
'password' => 'password',
]);
$resp->assertSeeText('No Methods Configured');
$resp->assertElementContains('a[href$="/mfa/setup"]', 'Configure');
$this->get('/mfa/backup_codes/generate');
$this->followingRedirects()->post('/mfa/backup_codes/confirm');
$this->assertDatabaseHas('mfa_values', [
'user_id' => $user->id,
]);
$resp = $this->followingRedirects()->post('/login', [
'email' => $user->email,
'password' => 'password',
]);
$resp->assertSeeText('Enter one of your remaining backup codes below:');
}
public function test_mfa_setup_route_access()
{
$routes = [
['get', '/mfa/setup'],
['get', '/mfa/totp/generate'],
['post', '/mfa/totp/confirm'],
['get', '/mfa/backup_codes/generate'],
['post', '/mfa/backup_codes/confirm'],
];
// Non-auth access
foreach ($routes as [$method, $path]) {
$resp = $this->call($method, $path);
$resp->assertRedirect('/login');
}
// Attempted login user, who has configured mfa, access
// Sets up user that has MFA required after attempted login.
$loginService = $this->app->make(LoginService::class);
$user = $this->getEditor();
/** @var Role $role */
$role = $user->roles->first();
$role->mfa_enforced = true;
$role->save();
try {
$loginService->login($user, 'testing');
} catch (StoppedAuthenticationException $e) {
}
$this->assertNotNull($loginService->getLastLoginAttemptUser());
MfaValue::upsertWithValue($user, MfaValue::METHOD_BACKUP_CODES, '[]');
foreach ($routes as [$method, $path]) {
$resp = $this->call($method, $path);
$resp->assertRedirect('/login');
}
}
/**
* @return Array<User, string, TestResponse>