diff options
author | Sean McGivern <sean@gitlab.com> | 2016-09-02 14:30:19 +0100 |
---|---|---|
committer | Sean McGivern <sean@gitlab.com> | 2016-10-04 15:01:38 +0100 |
commit | 194fbc3c3d4b068f191fca75488b986df88c5333 (patch) | |
tree | cbb59f0130f665b2abe84d88435a88a011bad762 /spec/controllers | |
parent | 66613f1ac9e277da9b68ff6ddbd0fb7eca3507bf (diff) | |
download | gitlab-ce-194fbc3c3d4b068f191fca75488b986df88c5333.tar.gz |
Restrict failed login attempts for users with 2FA
Copy logic from `Devise::Models::Lockable#valid_for_authentication?`, as
our custom login flow with two pages doesn't call this method. This will
increment the failed login counter, and lock the user's account once
they exceed the number of failed attempts.
Also ensure that users who are locked can't continue to submit 2FA
codes.
Diffstat (limited to 'spec/controllers')
-rw-r--r-- | spec/controllers/sessions_controller_spec.rb | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb index 8f27e616c3e..48d69377461 100644 --- a/spec/controllers/sessions_controller_spec.rb +++ b/spec/controllers/sessions_controller_spec.rb @@ -109,6 +109,44 @@ describe SessionsController do end end + context 'when the user is on their last attempt' do + before do + user.update(failed_attempts: User.maximum_attempts.pred) + end + + context 'when OTP is valid' do + it 'authenticates correctly' do + authenticate_2fa(otp_attempt: user.current_otp) + + expect(subject.current_user).to eq user + end + end + + context 'when OTP is invalid' do + before { authenticate_2fa(otp_attempt: 'invalid') } + + it 'does not authenticate' do + expect(subject.current_user).not_to eq user + end + + it 'warns about invalid login' do + expect(response).to set_flash.now[:alert] + .to /Invalid Login or password/ + end + + it 'locks the user' do + expect(user.reload).to be_access_locked + end + + it 'keeps the user locked on future login attempts' do + post(:create, user: { login: user.username, password: user.password }) + + expect(response) + .to set_flash.now[:alert].to /Invalid Login or password/ + end + end + end + context 'when another user does not have 2FA enabled' do let(:another_user) { create(:user) } |