colin
/
bookstack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
bookstack/tests/Auth/MfaVerificationTest.php

289 lines
10 KiB
PHP
Raw Normal View History

Added TOTP verification upon access
2021-08-02 22:04:43 +08:00
<?php
namespace Tests\Auth;
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system.
2021-08-03 05:02:25 +08:00
use BookStack\Auth\Access\LoginService;
Added TOTP verification upon access
2021-08-02 22:04:43 +08:00
use BookStack\Auth\Access\Mfa\MfaValue;
use BookStack\Auth\Access\Mfa\TotpService;
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system.
2021-08-03 05:02:25 +08:00
use BookStack\Auth\Role;
Added TOTP verification upon access
2021-08-02 22:04:43 +08:00
use BookStack\Auth\User;
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system.
2021-08-03 05:02:25 +08:00
use BookStack\Exceptions\StoppedAuthenticationException;
Added TOTP verification upon access
2021-08-02 22:04:43 +08:00
use Illuminate\Support\Facades\Hash;
use PragmaRX\Google2FA\Google2FA;
use Tests\TestCase;
use Tests\TestResponse;
class MfaVerificationTest extends TestCase
{
public function test_totp_verification()
{
[$user, $secret, $loginResp] = $this->startTotpLogin();
$loginResp->assertRedirect('/mfa/verify');
$resp = $this->get('/mfa/verify');
$resp->assertSee('Verify Access');
$resp->assertSee('Enter the code, generated using your mobile app, below:');
Updated tests to use ssddanbrown/asserthtml package Closes #3519
2022-07-23 22:10:18 +08:00
$this->withHtml($resp)->assertElementExists('form[action$="/mfa/totp/verify"] input[name="code"][autofocus]');
Added TOTP verification upon access
2021-08-02 22:04:43 +08:00
$google2fa = new Google2FA();
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system.
2021-08-03 05:02:25 +08:00
$resp = $this->post('/mfa/totp/verify', [
Added TOTP verification upon access
2021-08-02 22:04:43 +08:00
'code' => $google2fa->getCurrentOtp($secret),
]);
$resp->assertRedirect('/');
$this->assertEquals($user->id, auth()->user()->id);
}
public function test_totp_verification_fails_on_missing_invalid_code()
{
[$user, $secret, $loginResp] = $this->startTotpLogin();
$resp = $this->get('/mfa/verify');
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system.
2021-08-03 05:02:25 +08:00
$resp = $this->post('/mfa/totp/verify', [
Added TOTP verification upon access
2021-08-02 22:04:43 +08:00
'code' => '',
]);
$resp->assertRedirect('/mfa/verify');
$resp = $this->get('/mfa/verify');
$resp->assertSeeText('The code field is required.');
$this->assertNull(auth()->user());
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system.
2021-08-03 05:02:25 +08:00
$resp = $this->post('/mfa/totp/verify', [
Added TOTP verification upon access
2021-08-02 22:04:43 +08:00
'code' => '123321',
]);
$resp->assertRedirect('/mfa/verify');
$resp = $this->get('/mfa/verify');
$resp->assertSeeText('The provided code is not valid or has expired.');
$this->assertNull(auth()->user());
}
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching.
2021-08-02 23:35:37 +08:00
public function test_backup_code_verification()
{
[$user, $codes, $loginResp] = $this->startBackupCodeLogin();
$loginResp->assertRedirect('/mfa/verify');
$resp = $this->get('/mfa/verify');
$resp->assertSee('Verify Access');
$resp->assertSee('Backup Code');
$resp->assertSee('Enter one of your remaining backup codes below:');
Updated tests to use ssddanbrown/asserthtml package Closes #3519
2022-07-23 22:10:18 +08:00
$this->withHtml($resp)->assertElementExists('form[action$="/mfa/backup_codes/verify"] input[name="code"]');
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching.
2021-08-02 23:35:37 +08:00
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system.
2021-08-03 05:02:25 +08:00
$resp = $this->post('/mfa/backup_codes/verify', [
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching.
2021-08-02 23:35:37 +08:00
'code' => $codes[1],
]);
$resp->assertRedirect('/');
$this->assertEquals($user->id, auth()->user()->id);
// Ensure code no longer exists in available set
$userCodes = MfaValue::getValueForUser($user, MfaValue::METHOD_BACKUP_CODES);
$this->assertStringNotContainsString($codes[1], $userCodes);
$this->assertStringContainsString($codes[0], $userCodes);
}
public function test_backup_code_verification_fails_on_missing_or_invalid_code()
{
[$user, $codes, $loginResp] = $this->startBackupCodeLogin();
$resp = $this->get('/mfa/verify');
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system.
2021-08-03 05:02:25 +08:00
$resp = $this->post('/mfa/backup_codes/verify', [
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching.
2021-08-02 23:35:37 +08:00
'code' => '',
]);
$resp->assertRedirect('/mfa/verify');
$resp = $this->get('/mfa/verify');
$resp->assertSeeText('The code field is required.');
$this->assertNull(auth()->user());
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system.
2021-08-03 05:02:25 +08:00
$resp = $this->post('/mfa/backup_codes/verify', [
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching.
2021-08-02 23:35:37 +08:00
'code' => 'ab123-ab456',
]);
$resp->assertRedirect('/mfa/verify');
$resp = $this->get('/mfa/verify');
$resp->assertSeeText('The provided code is not valid or has already been used.');
$this->assertNull(auth()->user());
}
public function test_backup_code_verification_fails_on_attempted_code_reuse()
{
[$user, $codes, $loginResp] = $this->startBackupCodeLogin();
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system.
2021-08-03 05:02:25 +08:00
$this->post('/mfa/backup_codes/verify', [
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching.
2021-08-02 23:35:37 +08:00
'code' => $codes[0],
]);
$this->assertNotNull(auth()->user());
auth()->logout();
session()->flush();
$this->post('/login', ['email' => $user->email, 'password' => 'password']);
$this->get('/mfa/verify');
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system.
2021-08-03 05:02:25 +08:00
$resp = $this->post('/mfa/backup_codes/verify', [
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching.
2021-08-02 23:35:37 +08:00
'code' => $codes[0],
]);
$resp->assertRedirect('/mfa/verify');
$this->assertNull(auth()->user());
$resp = $this->get('/mfa/verify');
$resp->assertSeeText('The provided code is not valid or has already been used.');
}
public function test_backup_code_verification_shows_warning_when_limited_codes_remain()
{
[$user, $codes, $loginResp] = $this->startBackupCodeLogin(['abc12-def45', 'abc12-def46']);
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system.
2021-08-03 05:02:25 +08:00
$resp = $this->post('/mfa/backup_codes/verify', [
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching.
2021-08-02 23:35:37 +08:00
'code' => $codes[0],
]);
$resp = $this->followRedirects($resp);
$resp->assertSeeText('You have less than 5 backup codes remaining, Please generate and store a new set before you run out of codes to prevent being locked out of your account.');
}
public function test_both_mfa_options_available_if_set_on_profile()
{
$user = $this->getEditor();
$user->password = Hash::make('password');
$user->save();
MfaValue::upsertWithValue($user, MfaValue::METHOD_TOTP, 'abc123');
MfaValue::upsertWithValue($user, MfaValue::METHOD_BACKUP_CODES, '["abc12-def456"]');
/** @var TestResponse $mfaView */
$mfaView = $this->followingRedirects()->post('/login', [
Apply fixes from StyleCI
2021-08-21 22:49:40 +08:00
'email' => $user->email,
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching.
2021-08-02 23:35:37 +08:00
'password' => 'password',
]);
// Totp shown by default
Updated tests to use ssddanbrown/asserthtml package Closes #3519
2022-07-23 22:10:18 +08:00
$this->withHtml($mfaView)->assertElementExists('form[action$="/mfa/totp/verify"] input[name="code"]');
$this->withHtml($mfaView)->assertElementContains('a[href$="/mfa/verify?method=backup_codes"]', 'Verify using a backup code');
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching.
2021-08-02 23:35:37 +08:00
// Ensure can view backup_codes view
$resp = $this->get('/mfa/verify?method=backup_codes');
Updated tests to use ssddanbrown/asserthtml package Closes #3519
2022-07-23 22:10:18 +08:00
$this->withHtml($resp)->assertElementExists('form[action$="/mfa/backup_codes/verify"] input[name="code"]');
$this->withHtml($resp)->assertElementContains('a[href$="/mfa/verify?method=totp"]', 'Verify using a mobile app');
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching.
2021-08-02 23:35:37 +08:00
}
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system.
2021-08-03 05:02:25 +08:00
public function test_mfa_required_with_no_methods_leads_to_setup()
{
$user = $this->getEditor();
$user->password = Hash::make('password');
$user->save();
/** @var Role $role */
$role = $user->roles->first();
$role->mfa_enforced = true;
$role->save();
$this->assertDatabaseMissing('mfa_values', [
'user_id' => $user->id,
]);
/** @var TestResponse $resp */
$resp = $this->followingRedirects()->post('/login', [
Apply fixes from StyleCI
2021-08-21 22:49:40 +08:00
'email' => $user->email,
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system.
2021-08-03 05:02:25 +08:00
'password' => 'password',
]);
$resp->assertSeeText('No Methods Configured');
Updated tests to use ssddanbrown/asserthtml package Closes #3519
2022-07-23 22:10:18 +08:00
$this->withHtml($resp)->assertElementContains('a[href$="/mfa/setup"]', 'Configure');
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system.
2021-08-03 05:02:25 +08:00
$this->get('/mfa/backup_codes/generate');
Improved login redirect and setup experience - Updated auth system for mfa to not update intended URL so that the user is not redirected to mfa setup after eventual login. - Added notification for users setting up MFA, after setup when redirected back to login screen to advise that MFA setup was complete but they need to login again. - Updated some bits of wording to display better.
2021-08-21 22:14:24 +08:00
$resp = $this->post('/mfa/backup_codes/confirm');
$resp->assertRedirect('/login');
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system.
2021-08-03 05:02:25 +08:00
$this->assertDatabaseHas('mfa_values', [
'user_id' => $user->id,
]);
Improved login redirect and setup experience - Updated auth system for mfa to not update intended URL so that the user is not redirected to mfa setup after eventual login. - Added notification for users setting up MFA, after setup when redirected back to login screen to advise that MFA setup was complete but they need to login again. - Updated some bits of wording to display better.
2021-08-21 22:14:24 +08:00
$resp = $this->get('/login');
$resp->assertSeeText('Multi-factor method configured, Please now login again using the configured method.');
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system.
2021-08-03 05:02:25 +08:00
$resp = $this->followingRedirects()->post('/login', [
Apply fixes from StyleCI
2021-08-21 22:49:40 +08:00
'email' => $user->email,
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system.
2021-08-03 05:02:25 +08:00
'password' => 'password',
]);
$resp->assertSeeText('Enter one of your remaining backup codes below:');
}
public function test_mfa_setup_route_access()
{
$routes = [
['get', '/mfa/setup'],
['get', '/mfa/totp/generate'],
['post', '/mfa/totp/confirm'],
['get', '/mfa/backup_codes/generate'],
['post', '/mfa/backup_codes/confirm'],
];
// Non-auth access
foreach ($routes as [$method, $path]) {
$resp = $this->call($method, $path);
$resp->assertRedirect('/login');
}
// Attempted login user, who has configured mfa, access
// Sets up user that has MFA required after attempted login.
$loginService = $this->app->make(LoginService::class);
$user = $this->getEditor();
/** @var Role $role */
$role = $user->roles->first();
$role->mfa_enforced = true;
$role->save();
Apply fixes from StyleCI
2021-08-21 22:49:40 +08:00
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system.
2021-08-03 05:02:25 +08:00
try {
$loginService->login($user, 'testing');
} catch (StoppedAuthenticationException $e) {
}
$this->assertNotNull($loginService->getLastLoginAttemptUser());
MfaValue::upsertWithValue($user, MfaValue::METHOD_BACKUP_CODES, '[]');
foreach ($routes as [$method, $path]) {
$resp = $this->call($method, $path);
$resp->assertRedirect('/login');
}
}
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching.
2021-08-02 23:35:37 +08:00
Prevented inadvertant logging during MFA flow - Added StoppedAuthenticationException to dontReport list. - Added test to cover. Closes #3468
2022-05-31 01:31:08 +08:00
public function test_login_mfa_interception_does_not_log_error()
{
$logHandler = $this->withTestLogger();
[$user, $secret, $loginResp] = $this->startTotpLogin();
$loginResp->assertRedirect('/mfa/verify');
$this->assertFalse($logHandler->hasErrorRecords());
}
Added TOTP verification upon access
2021-08-02 22:04:43 +08:00
/**
Applied latest styleci changes
2021-11-01 21:26:02 +08:00
* @return array<User, string, TestResponse>
Added TOTP verification upon access
2021-08-02 22:04:43 +08:00
*/
protected function startTotpLogin(): array
{
$secret = $this->app->make(TotpService::class)->generateSecret();
$user = $this->getEditor();
$user->password = Hash::make('password');
$user->save();
MfaValue::upsertWithValue($user, MfaValue::METHOD_TOTP, $secret);
$loginResp = $this->post('/login', [
Apply fixes from StyleCI
2021-08-21 22:49:40 +08:00
'email' => $user->email,
Added TOTP verification upon access
2021-08-02 22:04:43 +08:00
'password' => 'password',
]);
return [$user, $secret, $loginResp];
}
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching.
2021-08-02 23:35:37 +08:00
/**
Applied latest styleci changes
2021-11-01 21:26:02 +08:00
* @return array<User, string, TestResponse>
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching.
2021-08-02 23:35:37 +08:00
*/
Apply fixes from StyleCI
2021-08-21 22:49:40 +08:00
protected function startBackupCodeLogin($codes = ['kzzu6-1pgll', 'bzxnf-plygd', 'bwdsp-ysl51', '1vo93-ioy7n', 'lf7nw-wdyka', 'xmtrd-oplac']): array
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching.
2021-08-02 23:35:37 +08:00
{
$user = $this->getEditor();
$user->password = Hash::make('password');
$user->save();
MfaValue::upsertWithValue($user, MfaValue::METHOD_BACKUP_CODES, json_encode($codes));
$loginResp = $this->post('/login', [
Apply fixes from StyleCI
2021-08-21 22:49:40 +08:00
'email' => $user->email,
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching.
2021-08-02 23:35:37 +08:00
'password' => 'password',
]);
return [$user, $codes, $loginResp];
}
Apply fixes from StyleCI
2021-08-21 22:49:40 +08:00
}