107 lines
3.1 KiB
Ruby
107 lines
3.1 KiB
Ruby
require 'rails_helper'
|
|
|
|
describe Mfa::AuthenticationService do
|
|
before do
|
|
skip('Skipping since MFA is not configured in this environment') unless Chatwoot.encryption_configured?
|
|
user.enable_two_factor!
|
|
user.update!(otp_required_for_login: true)
|
|
end
|
|
|
|
let(:user) { create(:user) }
|
|
|
|
describe '#authenticate' do
|
|
context 'with OTP code' do
|
|
context 'when OTP is valid' do
|
|
it 'returns true' do
|
|
valid_otp = user.current_otp
|
|
service = described_class.new(user: user, otp_code: valid_otp)
|
|
expect(service.authenticate).to be_truthy
|
|
end
|
|
end
|
|
|
|
context 'when OTP is invalid' do
|
|
it 'returns false' do
|
|
service = described_class.new(user: user, otp_code: '000000')
|
|
expect(service.authenticate).to be_falsey
|
|
end
|
|
end
|
|
|
|
context 'when OTP is nil' do
|
|
it 'returns false' do
|
|
service = described_class.new(user: user, otp_code: nil)
|
|
expect(service.authenticate).to be_falsey
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'with backup code' do
|
|
let(:backup_codes) { user.generate_backup_codes! }
|
|
|
|
context 'when backup code is valid' do
|
|
it 'returns true and invalidates the code' do
|
|
valid_code = backup_codes.first
|
|
service = described_class.new(user: user, backup_code: valid_code)
|
|
|
|
expect(service.authenticate).to be_truthy
|
|
|
|
# Code should be invalidated after use
|
|
user.reload
|
|
expect(user.otp_backup_codes).to include('XXXXXXXX')
|
|
end
|
|
end
|
|
|
|
context 'when backup code is invalid' do
|
|
it 'returns false' do
|
|
service = described_class.new(user: user, backup_code: 'invalid')
|
|
expect(service.authenticate).to be_falsey
|
|
end
|
|
end
|
|
|
|
context 'when backup code has already been used' do
|
|
it 'returns false' do
|
|
valid_code = backup_codes.first
|
|
# Use the code once
|
|
service = described_class.new(user: user, backup_code: valid_code)
|
|
service.authenticate
|
|
|
|
# Try to use it again
|
|
service2 = described_class.new(user: user.reload, backup_code: valid_code)
|
|
expect(service2.authenticate).to be_falsey
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'with neither OTP nor backup code' do
|
|
it 'returns false' do
|
|
service = described_class.new(user: user)
|
|
expect(service.authenticate).to be_falsey
|
|
end
|
|
end
|
|
|
|
context 'when user is nil' do
|
|
it 'returns false' do
|
|
service = described_class.new(user: nil, otp_code: '123456')
|
|
expect(service.authenticate).to be_falsey
|
|
end
|
|
end
|
|
|
|
context 'when both OTP and backup code are provided' do
|
|
it 'uses OTP authentication first' do
|
|
valid_otp = user.current_otp
|
|
backup_codes = user.generate_backup_codes!
|
|
|
|
service = described_class.new(
|
|
user: user,
|
|
otp_code: valid_otp,
|
|
backup_code: backup_codes.first
|
|
)
|
|
|
|
expect(service.authenticate).to be_truthy
|
|
# Backup code should not be consumed
|
|
user.reload
|
|
expect(user.otp_backup_codes).not_to include('XXXXXXXX')
|
|
end
|
|
end
|
|
end
|
|
end
|