From d4ae68cdd661d1cc0d02ca35a293ff2042541cc8 Mon Sep 17 00:00:00 2001
From: Douwe Maan <douwe@gitlab.com>
Date: Wed, 1 Jun 2016 10:57:05 +0000
Subject: Merge branch 'rs-remember-me-2fa' into 'master'

Pass the "Remember me" value to the 2FA token form

Prior, if a user had 2FA enabled and checked the "Remember me" field,
the setting was ignored because the OTP input was on a new form and the
value was never passed.

Closes #18000

See merge request !4369
---
 app/controllers/sessions_controller.rb         |  2 ++
 app/views/devise/sessions/two_factor.html.haml |  1 +
 spec/controllers/sessions_controller_spec.rb   | 21 +++++++++++++++++++++
 spec/features/login_spec.rb                    |  8 +++++++-
 spec/support/login_helpers.rb                  |  6 ++++--
 5 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index c29f4609e93..d68c2a708e3 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -1,5 +1,6 @@
 class SessionsController < Devise::SessionsController
   include AuthenticatesWithTwoFactor
+  include Devise::Controllers::Rememberable
   include Recaptcha::ClientHelper
 
   skip_before_action :check_2fa_requirement, only: [:destroy]
@@ -96,6 +97,7 @@ class SessionsController < Devise::SessionsController
         # Remove any lingering user data from login
         session.delete(:otp_user_id)
 
+        remember_me(user) if user_params[:remember_me] == '1'
         sign_in(user) and return
       else
         flash.now[:alert] = 'Invalid two-factor code.'
diff --git a/app/views/devise/sessions/two_factor.html.haml b/app/views/devise/sessions/two_factor.html.haml
index c9d1e454a5e..8c6a1552a53 100644
--- a/app/views/devise/sessions/two_factor.html.haml
+++ b/app/views/devise/sessions/two_factor.html.haml
@@ -4,6 +4,7 @@
       %h3 Two-factor Authentication
     .login-body
       = form_for(resource, as: resource_name, url: session_path(resource_name), method: :post) do |f|
+        = f.hidden_field :remember_me, value: params[resource_name][:remember_me]
         = f.text_field :otp_attempt, class: 'form-control', placeholder: 'Two-factor Authentication code', required: true, autofocus: true
         %p.help-block.hint Enter the code from the two-factor app on your mobile device. If you've lost your device, you may enter one of your recovery codes.
         .prepend-top-20
diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb
index 83cc8ec6d26..50fda0ed70a 100644
--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
@@ -35,6 +35,27 @@ describe SessionsController do
         post(:create, { user: user_params }, { otp_user_id: user.id })
       end
 
+      context 'remember_me field' do
+        it 'sets a remember_user_token cookie when enabled' do
+          allow(controller).to receive(:find_user).and_return(user)
+          expect(controller).
+            to receive(:remember_me).with(user).and_call_original
+
+          authenticate_2fa(remember_me: '1', otp_attempt: user.current_otp)
+
+          expect(response.cookies['remember_user_token']).to be_present
+        end
+
+        it 'does nothing when disabled' do
+          allow(controller).to receive(:find_user).and_return(user)
+          expect(controller).not_to receive(:remember_me)
+
+          authenticate_2fa(remember_me: '0', otp_attempt: user.current_otp)
+
+          expect(response.cookies['remember_user_token']).to be_nil
+        end
+      end
+
       ##
       # See #14900 issue
       #
diff --git a/spec/features/login_spec.rb b/spec/features/login_spec.rb
index 8c38dd5b122..a7dc3b2701b 100644
--- a/spec/features/login_spec.rb
+++ b/spec/features/login_spec.rb
@@ -32,7 +32,7 @@ feature 'Login', feature: true do
       let(:user) { create(:user, :two_factor) }
 
       before do
-        login_with(user)
+        login_with(user, remember: true)
         expect(page).to have_content('Two-factor Authentication')
       end
 
@@ -52,6 +52,12 @@ feature 'Login', feature: true do
           expect(current_path).to eq root_path
         end
 
+        it 'persists remember_me value via hidden field' do
+          field = first('input#user_remember_me', visible: false)
+
+          expect(field.value).to eq '1'
+        end
+
         it 'blocks login with invalid code' do
           enter_code('foo')
           expect(page).to have_content('Invalid two-factor code')
diff --git a/spec/support/login_helpers.rb b/spec/support/login_helpers.rb
index cd9fdc6f18e..7a0f078c72b 100644
--- a/spec/support/login_helpers.rb
+++ b/spec/support/login_helpers.rb
@@ -26,11 +26,13 @@ module LoginHelpers
 
   # Internal: Login as the specified user
   #
-  # user - User instance to login with
-  def login_with(user)
+  # user     - User instance to login with
+  # remember - Whether or not to check "Remember me" (default: false)
+  def login_with(user, remember: false)
     visit new_user_session_path
     fill_in "user_login", with: user.email
     fill_in "user_password", with: "12345678"
+    check 'user_remember_me' if remember
     click_button "Sign in"
     Thread.current[:current_user] = user
   end
-- 
cgit v1.2.1