Pass the "Remember me" value to the 2FA token formrs-remember-me-2fa

Prior, if a user had 2FA enabled and checked the "Remember me" field, the setting was ignored because the OTP input was on a new form and the value was never passed. Closes #18000
author: Robert Speicher <rspeicher@gmail.com> 2016-05-30 22:17:26 -0400
committer: Robert Speicher <rspeicher@gmail.com> 2016-05-30 22:25:35 -0400
commit: a602df303175aaaf1d5b60a2c009f5e259d187db (patch)
tree: 68eb6241dfbd4ccc8ae8474b73ead87018e92386
parent: de20bd5b31715f096db3fb0155c82b0eea992b6c (diff)
download: gitlab-ce-rs-remember-me-2fa.tar.gz
5 files changed, 35 insertions, 3 deletions
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index c29f4609e93..d68c2a708e3 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -1,5 +1,6 @@
 class SessionsController < Devise::SessionsController
   include AuthenticatesWithTwoFactor
+  include Devise::Controllers::Rememberable
   include Recaptcha::ClientHelper
 
   skip_before_action :check_2fa_requirement, only: [:destroy]
@@ -96,6 +97,7 @@ class SessionsController < Devise::SessionsController
         # Remove any lingering user data from login
         session.delete(:otp_user_id)
 
+        remember_me(user) if user_params[:remember_me] == '1'
         sign_in(user) and return
       else
         flash.now[:alert] = 'Invalid two-factor code.'
diff --git a/app/views/devise/sessions/two_factor.html.haml b/app/views/devise/sessions/two_factor.html.haml
index c9d1e454a5e..8c6a1552a53 100644
--- a/app/views/devise/sessions/two_factor.html.haml
+++ b/app/views/devise/sessions/two_factor.html.haml
@@ -4,6 +4,7 @@
       %h3 Two-factor Authentication
     .login-body
       = form_for(resource, as: resource_name, url: session_path(resource_name), method: :post) do |f|
+        = f.hidden_field :remember_me, value: params[resource_name][:remember_me]
         = f.text_field :otp_attempt, class: 'form-control', placeholder: 'Two-factor Authentication code', required: true, autofocus: true
         %p.help-block.hint Enter the code from the two-factor app on your mobile device. If you've lost your device, you may enter one of your recovery codes.
         .prepend-top-20
diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb
index ab57c52c7cd..b39d8c8cd5b 100644
--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
@@ -35,6 +35,27 @@ describe SessionsController do
         post(:create, { user: user_params }, { otp_user_id: user.id })
       end
 
+      context 'remember_me field' do
+        it 'sets a remember_user_token cookie when enabled' do
+          allow(controller).to receive(:find_user).and_return(user)
+          expect(controller).
+            to receive(:remember_me).with(user).and_call_original
+
+          authenticate_2fa(remember_me: '1', otp_attempt: user.current_otp)
+
+          expect(response.cookies['remember_user_token']).to be_present
+        end
+
+        it 'does nothing when disabled' do
+          allow(controller).to receive(:find_user).and_return(user)
+          expect(controller).not_to receive(:remember_me)
+
+          authenticate_2fa(remember_me: '0', otp_attempt: user.current_otp)
+
+          expect(response.cookies['remember_user_token']).to be_nil
+        end
+      end
+
       ##
       # See #14900 issue
       #
diff --git a/spec/features/login_spec.rb b/spec/features/login_spec.rb
index 8c38dd5b122..a7dc3b2701b 100644
--- a/spec/features/login_spec.rb
+++ b/spec/features/login_spec.rb
@@ -32,7 +32,7 @@ feature 'Login', feature: true do
       let(:user) { create(:user, :two_factor) }
 
       before do
-        login_with(user)
+        login_with(user, remember: true)
         expect(page).to have_content('Two-factor Authentication')
       end
 
@@ -52,6 +52,12 @@ feature 'Login', feature: true do
           expect(current_path).to eq root_path
         end
 
+        it 'persists remember_me value via hidden field' do
+          field = first('input#user_remember_me', visible: false)
+
+          expect(field.value).to eq '1'
+        end
+
         it 'blocks login with invalid code' do
           enter_code('foo')
           expect(page).to have_content('Invalid two-factor code')
diff --git a/spec/support/login_helpers.rb b/spec/support/login_helpers.rb
index cd9fdc6f18e..7a0f078c72b 100644
--- a/spec/support/login_helpers.rb
+++ b/spec/support/login_helpers.rb
@@ -26,11 +26,13 @@ module LoginHelpers
 
   # Internal: Login as the specified user
   #
-  # user - User instance to login with
-  def login_with(user)
+  # user     - User instance to login with
+  # remember - Whether or not to check "Remember me" (default: false)
+  def login_with(user, remember: false)
     visit new_user_session_path
     fill_in "user_login", with: user.email
     fill_in "user_password", with: "12345678"
+    check 'user_remember_me' if remember
     click_button "Sign in"
     Thread.current[:current_user] = user
   end
author	Robert Speicher <rspeicher@gmail.com>	2016-05-30 22:17:26 -0400
committer	Robert Speicher <rspeicher@gmail.com>	2016-05-30 22:25:35 -0400
commit	a602df303175aaaf1d5b60a2c009f5e259d187db (patch)
tree	68eb6241dfbd4ccc8ae8474b73ead87018e92386
parent	de20bd5b31715f096db3fb0155c82b0eea992b6c (diff)
download	gitlab-ce-rs-remember-me-2fa.tar.gz