1 files changed, 25 insertions, 6 deletions

diff --git a/spec/controllers/admin/sessions_controller_spec.rb b/spec/controllers/admin/sessions_controller_spec.rb
index 82366cc6952..35982e57034 100644
--- a/spec/controllers/admin/sessions_controller_spec.rb
+++ b/spec/controllers/admin/sessions_controller_spec.rb
@@ -220,10 +220,8 @@ RSpec.describe Admin::SessionsController, :do_not_mock_admin_mode do
         end
       end
 
-      context 'when using two-factor authentication via U2F' do
-        let(:user) { create(:admin, :two_factor_via_u2f) }
-
-        def authenticate_2fa_u2f(user_params)
+      shared_examples 'when using two-factor authentication via hardware device' do
+        def authenticate_2fa(user_params)
           post(:create, params: { user: user_params }, session: { otp_user_id: user.id })
         end
 
@@ -239,14 +237,18 @@ RSpec.describe Admin::SessionsController, :do_not_mock_admin_mode do
         end
 
         it 'can login with valid auth' do
+          # we can stub both without an differentiation between webauthn / u2f
+          # as these not interfere with each other und this saves us passing aroud
+          # parameters
           allow(U2fRegistration).to receive(:authenticate).and_return(true)
+          allow_any_instance_of(Webauthn::AuthenticateService).to receive(:execute).and_return(true)
 
           expect(controller.current_user_mode.admin_mode?).to be(false)
 
           controller.store_location_for(:redirect, admin_root_path)
           controller.current_user_mode.request_admin_mode!
 
-          authenticate_2fa_u2f(login: user.username, device_response: '{}')
+          authenticate_2fa(login: user.username, device_response: '{}')
 
           expect(response).to redirect_to admin_root_path
           expect(controller.current_user_mode.admin_mode?).to be(true)
@@ -254,16 +256,33 @@ RSpec.describe Admin::SessionsController, :do_not_mock_admin_mode do
 
         it 'cannot login with invalid auth' do
           allow(U2fRegistration).to receive(:authenticate).and_return(false)
+          allow_any_instance_of(Webauthn::AuthenticateService).to receive(:execute).and_return(false)
 
           expect(controller.current_user_mode.admin_mode?).to be(false)
 
           controller.current_user_mode.request_admin_mode!
-          authenticate_2fa_u2f(login: user.username, device_response: '{}')
+          authenticate_2fa(login: user.username, device_response: '{}')
 
           expect(response).to render_template('admin/sessions/two_factor')
           expect(controller.current_user_mode.admin_mode?).to be(false)
         end
       end
+
+      context 'when using two-factor authentication via U2F' do
+        it_behaves_like 'when using two-factor authentication via hardware device' do
+          let(:user) { create(:admin, :two_factor_via_u2f) }
+
+          before do
+            stub_feature_flags(webauthn: false)
+          end
+        end
+      end
+
+      context 'when using two-factor authentication via WebAuthn' do
+        it_behaves_like 'when using two-factor authentication via hardware device' do
+          let(:user) { create(:admin, :two_factor_via_webauthn) }
+        end
+      end
     end
   end