bookstack/tests/Auth/MfaConfigurationTest.php

<?php

namespace Tests\Auth;

use BookStack\Actions\ActivityType;
use BookStack\Auth\Access\Mfa\MfaValue;
use BookStack\Auth\User;
use PragmaRX\Google2FA\Google2FA;
use Tests\TestCase;

class MfaConfigurationTest extends TestCase
{
    public function test_totp_setup()
    {
        $editor = $this->getEditor();
        $this->assertDatabaseMissing('mfa_values', ['user_id' => $editor->id]);

        // Setup page state
        $resp = $this->actingAs($editor)->get('/mfa/setup');
        $resp->assertElementContains('a[href$="/mfa/totp/generate"]', 'Setup');

        // Generate page access
        $resp = $this->get('/mfa/totp/generate');
        $resp->assertSee('Mobile App Setup');
        $resp->assertSee('Verify Setup');
        $resp->assertElementExists('form[action$="/mfa/totp/confirm"] button');
        $this->assertSessionHas('mfa-setup-totp-secret');
        $svg = $resp->getElementHtml('#main-content .card svg');

        // Validation error, code should remain the same
        $resp = $this->post('/mfa/totp/confirm', [
            'code' => 'abc123',
        ]);
        $resp->assertRedirect('/mfa/totp/generate');
        $resp = $this->followRedirects($resp);
        $resp->assertSee('The provided code is not valid or has expired.');
        $revisitSvg = $resp->getElementHtml('#main-content .card svg');
        $this->assertTrue($svg === $revisitSvg);
        $secret = decrypt(session()->get('mfa-setup-totp-secret'));

        $resp->assertSee(htmlentities("?secret={$secret}&issuer=BookStack&algorithm=SHA1&digits=6&period=30"));

        // Successful confirmation
        $google2fa = new Google2FA();
        $otp = $google2fa->getCurrentOtp($secret);
        $resp = $this->post('/mfa/totp/confirm', [
            'code' => $otp,
        ]);
        $resp->assertRedirect('/mfa/setup');

        // Confirmation of setup
        $resp = $this->followRedirects($resp);
        $resp->assertSee('Multi-factor method successfully configured');
        $resp->assertElementContains('a[href$="/mfa/totp/generate"]', 'Reconfigure');

        $this->assertDatabaseHas('mfa_values', [
            'user_id' => $editor->id,
            'method'  => 'totp',
        ]);
        $this->assertFalse(session()->has('mfa-setup-totp-secret'));
        $value = MfaValue::query()->where('user_id', '=', $editor->id)
            ->where('method', '=', 'totp')->first();
        $this->assertEquals($secret, decrypt($value->value));
    }

    public function test_backup_codes_setup()
    {
        $editor = $this->getEditor();
        $this->assertDatabaseMissing('mfa_values', ['user_id' => $editor->id]);

        // Setup page state
        $resp = $this->actingAs($editor)->get('/mfa/setup');
        $resp->assertElementContains('a[href$="/mfa/backup_codes/generate"]', 'Setup');

        // Generate page access
        $resp = $this->get('/mfa/backup_codes/generate');
        $resp->assertSee('Backup Codes');
        $resp->assertElementContains('form[action$="/mfa/backup_codes/confirm"]', 'Confirm and Enable');
        $this->assertSessionHas('mfa-setup-backup-codes');
        $codes = decrypt(session()->get('mfa-setup-backup-codes'));
        // Check code format
        $this->assertCount(16, $codes);
        $this->assertEquals(16 * 11, strlen(implode('', $codes)));
        // Check download link
        $resp->assertSee(base64_encode(implode("\n\n", $codes)));

        // Confirm submit
        $resp = $this->post('/mfa/backup_codes/confirm');
        $resp->assertRedirect('/mfa/setup');

        // Confirmation of setup
        $resp = $this->followRedirects($resp);
        $resp->assertSee('Multi-factor method successfully configured');
        $resp->assertElementContains('a[href$="/mfa/backup_codes/generate"]', 'Reconfigure');

        $this->assertDatabaseHas('mfa_values', [
            'user_id' => $editor->id,
            'method'  => 'backup_codes',
        ]);
        $this->assertFalse(session()->has('mfa-setup-backup-codes'));
        $value = MfaValue::query()->where('user_id', '=', $editor->id)
            ->where('method', '=', 'backup_codes')->first();
        $this->assertEquals($codes, json_decode(decrypt($value->value)));
    }

    public function test_backup_codes_cannot_be_confirmed_if_not_previously_generated()
    {
        $resp = $this->asEditor()->post('/mfa/backup_codes/confirm');
        $resp->assertStatus(500);
    }

    public function test_mfa_method_count_is_visible_on_user_edit_page()
    {
        $user = $this->getEditor();
        $resp = $this->actingAs($this->getAdmin())->get($user->getEditUrl());
        $resp->assertSee('0 methods configured');

        MfaValue::upsertWithValue($user, MfaValue::METHOD_TOTP, 'test');
        $resp = $this->get($user->getEditUrl());
        $resp->assertSee('1 method configured');

        MfaValue::upsertWithValue($user, MfaValue::METHOD_BACKUP_CODES, 'test');
        $resp = $this->get($user->getEditUrl());
        $resp->assertSee('2 methods configured');
    }

    public function test_mfa_setup_link_only_shown_when_viewing_own_user_edit_page()
    {
        $admin = $this->getAdmin();
        $resp = $this->actingAs($admin)->get($admin->getEditUrl());
        $resp->assertElementExists('a[href$="/mfa/setup"]');

        $resp = $this->actingAs($admin)->get($this->getEditor()->getEditUrl());
        $resp->assertElementNotExists('a[href$="/mfa/setup"]');
    }

    public function test_mfa_indicator_shows_in_user_list()
    {
        $admin = $this->getAdmin();
        User::query()->where('id', '!=', $admin->id)->delete();

        $resp = $this->actingAs($admin)->get('/settings/users');
        $resp->assertElementNotExists('[title="MFA Configured"] svg');

        MfaValue::upsertWithValue($admin, MfaValue::METHOD_TOTP, 'test');
        $resp = $this->actingAs($admin)->get('/settings/users');
        $resp->assertElementExists('[title="MFA Configured"] svg');
    }

    public function test_remove_mfa_method()
    {
        $admin = $this->getAdmin();

        MfaValue::upsertWithValue($admin, MfaValue::METHOD_TOTP, 'test');
        $this->assertEquals(1, $admin->mfaValues()->count());
        $resp = $this->actingAs($admin)->get('/mfa/setup');
        $resp->assertElementExists('form[action$="/mfa/totp/remove"]');

        $resp = $this->delete('/mfa/totp/remove');
        $resp->assertRedirect('/mfa/setup');
        $resp = $this->followRedirects($resp);
        $resp->assertSee('Multi-factor method successfully removed');

        $this->assertActivityExists(ActivityType::MFA_REMOVE_METHOD);
        $this->assertEquals(0, $admin->mfaValues()->count());
    }
}
Covered TOTP setup with testing 2021-07-03 02:51:30 +08:00			`<?php`

			`namespace Tests\Auth;`

Added the ability to remove an MFA method Includes testing to cover 2021-07-15 04:27:21 +08:00			`use BookStack\Actions\ActivityType;`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`use BookStack\Auth\Access\Mfa\MfaValue;`
Added MFA indicator to user list Also fixed issue with showing incorrect MFA method count on user edit page changes done in last commit 2021-07-15 03:18:48 +08:00			`use BookStack\Auth\User;`
Covered TOTP setup with testing 2021-07-03 02:51:30 +08:00			`use PragmaRX\Google2FA\Google2FA;`
			`use Tests\TestCase;`

			`class MfaConfigurationTest extends TestCase`
			`{`
			`public function test_totp_setup()`
			`{`
			`$editor = $this->getEditor();`
			`$this->assertDatabaseMissing('mfa_values', ['user_id' => $editor->id]);`

			`// Setup page state`
			`$resp = $this->actingAs($editor)->get('/mfa/setup');`
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system. 2021-08-03 05:02:25 +08:00			`$resp->assertElementContains('a[href$="/mfa/totp/generate"]', 'Setup');`
Covered TOTP setup with testing 2021-07-03 02:51:30 +08:00
			`// Generate page access`
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system. 2021-08-03 05:02:25 +08:00			`$resp = $this->get('/mfa/totp/generate');`
Covered TOTP setup with testing 2021-07-03 02:51:30 +08:00			`$resp->assertSee('Mobile App Setup');`
			`$resp->assertSee('Verify Setup');`
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system. 2021-08-03 05:02:25 +08:00			`$resp->assertElementExists('form[action$="/mfa/totp/confirm"] button');`
Covered TOTP setup with testing 2021-07-03 02:51:30 +08:00			`$this->assertSessionHas('mfa-setup-totp-secret');`
			`$svg = $resp->getElementHtml('#main-content .card svg');`

			`// Validation error, code should remain the same`
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system. 2021-08-03 05:02:25 +08:00			`$resp = $this->post('/mfa/totp/confirm', [`
Covered TOTP setup with testing 2021-07-03 02:51:30 +08:00			`'code' => 'abc123',`
			`]);`
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system. 2021-08-03 05:02:25 +08:00			`$resp->assertRedirect('/mfa/totp/generate');`
Covered TOTP setup with testing 2021-07-03 02:51:30 +08:00			`$resp = $this->followRedirects($resp);`
			`$resp->assertSee('The provided code is not valid or has expired.');`
			`$revisitSvg = $resp->getElementHtml('#main-content .card svg');`
			`$this->assertTrue($svg === $revisitSvg);`
Made the TOTP URL visible during setup Useful for some non-scanner type apps. Closes #2908 2021-09-02 03:58:19 +08:00			`$secret = decrypt(session()->get('mfa-setup-totp-secret'));`

			`$resp->assertSee(htmlentities("?secret={$secret}&issuer=BookStack&algorithm=SHA1&digits=6&period=30"));`
Covered TOTP setup with testing 2021-07-03 02:51:30 +08:00
			`// Successful confirmation`
			`$google2fa = new Google2FA();`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`$otp = $google2fa->getCurrentOtp($secret);`
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system. 2021-08-03 05:02:25 +08:00			`$resp = $this->post('/mfa/totp/confirm', [`
Covered TOTP setup with testing 2021-07-03 02:51:30 +08:00			`'code' => $otp,`
			`]);`
			`$resp->assertRedirect('/mfa/setup');`

			`// Confirmation of setup`
			`$resp = $this->followRedirects($resp);`
			`$resp->assertSee('Multi-factor method successfully configured');`
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system. 2021-08-03 05:02:25 +08:00			`$resp->assertElementContains('a[href$="/mfa/totp/generate"]', 'Reconfigure');`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00
			`$this->assertDatabaseHas('mfa_values', [`
			`'user_id' => $editor->id,`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`'method' => 'totp',`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`]);`
			`$this->assertFalse(session()->has('mfa-setup-totp-secret'));`
			`$value = MfaValue::query()->where('user_id', '=', $editor->id)`
			`->where('method', '=', 'totp')->first();`
			`$this->assertEquals($secret, decrypt($value->value));`
			`}`

			`public function test_backup_codes_setup()`
			`{`
			`$editor = $this->getEditor();`
			`$this->assertDatabaseMissing('mfa_values', ['user_id' => $editor->id]);`

			`// Setup page state`
			`$resp = $this->actingAs($editor)->get('/mfa/setup');`
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system. 2021-08-03 05:02:25 +08:00			`$resp->assertElementContains('a[href$="/mfa/backup_codes/generate"]', 'Setup');`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00
			`// Generate page access`
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system. 2021-08-03 05:02:25 +08:00			`$resp = $this->get('/mfa/backup_codes/generate');`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`$resp->assertSee('Backup Codes');`
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system. 2021-08-03 05:02:25 +08:00			`$resp->assertElementContains('form[action$="/mfa/backup_codes/confirm"]', 'Confirm and Enable');`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`$this->assertSessionHas('mfa-setup-backup-codes');`
			`$codes = decrypt(session()->get('mfa-setup-backup-codes'));`
			`// Check code format`
			`$this->assertCount(16, $codes);`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`$this->assertEquals(16 * 11, strlen(implode('', $codes)));`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`// Check download link`
			`$resp->assertSee(base64_encode(implode("\n\n", $codes)));`

			`// Confirm submit`
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system. 2021-08-03 05:02:25 +08:00			`$resp = $this->post('/mfa/backup_codes/confirm');`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`$resp->assertRedirect('/mfa/setup');`

			`// Confirmation of setup`
			`$resp = $this->followRedirects($resp);`
			`$resp->assertSee('Multi-factor method successfully configured');`
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system. 2021-08-03 05:02:25 +08:00			`$resp->assertElementContains('a[href$="/mfa/backup_codes/generate"]', 'Reconfigure');`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00
			`$this->assertDatabaseHas('mfa_values', [`
			`'user_id' => $editor->id,`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`'method' => 'backup_codes',`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`]);`
			`$this->assertFalse(session()->has('mfa-setup-backup-codes'));`
			`$value = MfaValue::query()->where('user_id', '=', $editor->id)`
			`->where('method', '=', 'backup_codes')->first();`
			`$this->assertEquals($codes, json_decode(decrypt($value->value)));`
			`}`

			`public function test_backup_codes_cannot_be_confirmed_if_not_previously_generated()`
			`{`
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system. 2021-08-03 05:02:25 +08:00			`$resp = $this->asEditor()->post('/mfa/backup_codes/confirm');`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`$resp->assertStatus(500);`
Covered TOTP setup with testing 2021-07-03 02:51:30 +08:00			`}`

Added MFA setup link on user edit view 2021-07-15 03:06:41 +08:00			`public function test_mfa_method_count_is_visible_on_user_edit_page()`
			`{`
Added MFA indicator to user list Also fixed issue with showing incorrect MFA method count on user edit page changes done in last commit 2021-07-15 03:18:48 +08:00			`$user = $this->getEditor();`
			`$resp = $this->actingAs($this->getAdmin())->get($user->getEditUrl());`
Added MFA setup link on user edit view 2021-07-15 03:06:41 +08:00			`$resp->assertSee('0 methods configured');`

Added MFA indicator to user list Also fixed issue with showing incorrect MFA method count on user edit page changes done in last commit 2021-07-15 03:18:48 +08:00			`MfaValue::upsertWithValue($user, MfaValue::METHOD_TOTP, 'test');`
			`$resp = $this->get($user->getEditUrl());`
Added MFA setup link on user edit view 2021-07-15 03:06:41 +08:00			`$resp->assertSee('1 method configured');`

Added MFA indicator to user list Also fixed issue with showing incorrect MFA method count on user edit page changes done in last commit 2021-07-15 03:18:48 +08:00			`MfaValue::upsertWithValue($user, MfaValue::METHOD_BACKUP_CODES, 'test');`
			`$resp = $this->get($user->getEditUrl());`
Added MFA setup link on user edit view 2021-07-15 03:06:41 +08:00			`$resp->assertSee('2 methods configured');`
			`}`

			`public function test_mfa_setup_link_only_shown_when_viewing_own_user_edit_page()`
			`{`
			`$admin = $this->getAdmin();`
			`$resp = $this->actingAs($admin)->get($admin->getEditUrl());`
			`$resp->assertElementExists('a[href$="/mfa/setup"]');`

			`$resp = $this->actingAs($admin)->get($this->getEditor()->getEditUrl());`
			`$resp->assertElementNotExists('a[href$="/mfa/setup"]');`
			`}`

Added MFA indicator to user list Also fixed issue with showing incorrect MFA method count on user edit page changes done in last commit 2021-07-15 03:18:48 +08:00			`public function test_mfa_indicator_shows_in_user_list()`
			`{`
			`$admin = $this->getAdmin();`
			`User::query()->where('id', '!=', $admin->id)->delete();`

			`$resp = $this->actingAs($admin)->get('/settings/users');`
			`$resp->assertElementNotExists('[title="MFA Configured"] svg');`

			`MfaValue::upsertWithValue($admin, MfaValue::METHOD_TOTP, 'test');`
			`$resp = $this->actingAs($admin)->get('/settings/users');`
			`$resp->assertElementExists('[title="MFA Configured"] svg');`
			`}`

Added the ability to remove an MFA method Includes testing to cover 2021-07-15 04:27:21 +08:00			`public function test_remove_mfa_method()`
			`{`
			`$admin = $this->getAdmin();`

			`MfaValue::upsertWithValue($admin, MfaValue::METHOD_TOTP, 'test');`
			`$this->assertEquals(1, $admin->mfaValues()->count());`
			`$resp = $this->actingAs($admin)->get('/mfa/setup');`
Extracted text to translation files Also aligned mfa method delete route to align with others. 2021-08-08 21:24:44 +08:00			`$resp->assertElementExists('form[action$="/mfa/totp/remove"]');`
Added the ability to remove an MFA method Includes testing to cover 2021-07-15 04:27:21 +08:00
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`$resp = $this->delete('/mfa/totp/remove');`
			`$resp->assertRedirect('/mfa/setup');`
Added the ability to remove an MFA method Includes testing to cover 2021-07-15 04:27:21 +08:00			`$resp = $this->followRedirects($resp);`
			`$resp->assertSee('Multi-factor method successfully removed');`

			`$this->assertActivityExists(ActivityType::MFA_REMOVE_METHOD);`
			`$this->assertEquals(0, $admin->mfaValues()->count());`
			`}`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`}`