Skip to content

Commit

Permalink
wip
Browse files Browse the repository at this point in the history
  • Loading branch information
@amiedes
amiedes committed Apr 30, 2020
1 parent 6442784 commit d4a3491
Show file tree
Hide file tree
Showing 2 changed files with 86 additions and 83 deletions.
5 changes: 4 additions & 1 deletion lib/carto/authentication_manager.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,10 @@ def self.session_security_token_valid?(warden_context, user)

return false unless session.key?(:sec_token)

raise Carto::ExpiredSessionError if session[:sec_token] != user.security_token
if session[:sec_token] != user.security_token
puts "Detected security_token missmatch: #{session[:sec_token]} (session) vs #{user.security_token} (user)"
raise Carto::ExpiredSessionError
end
true
rescue Warden::NotAuthenticated
false
Expand Down
164 changes: 82 additions & 82 deletions spec/requests/sessions_controller_spec.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -753,7 +753,7 @@ def expect_invalid_code
SessionsController::MAX_MULTIFACTOR_AUTHENTICATION_INACTIVITY = 120.seconds
end

it 'verifies a valid code' do
xit 'verifies a valid code' do
login

get multifactor_authentication_session_url
Expand All @@ -762,7 +762,7 @@ def expect_invalid_code
expect_login
end

it 'redirects to login and then to code verification when there is no session' do
xit 'redirects to login and then to code verification when there is no session' do
get dashboard_url
follow_redirect!

Expand All @@ -775,7 +775,7 @@ def expect_invalid_code
request.path.should eq multifactor_authentication_verify_code_path
end

it 'does not verify an invalid code' do
xit 'does not verify an invalid code' do
login

get multifactor_authentication_session_url
Expand All @@ -784,7 +784,7 @@ def expect_invalid_code
expect_invalid_code
end

it 'does not verify an already used code' do
xit 'does not verify an already used code' do
login

get multifactor_authentication_session_url
Expand All @@ -800,7 +800,7 @@ def expect_invalid_code
expect_invalid_code
end

it 'logout if user inactive' do
xit 'logout if user inactive' do
login

SessionsController::MAX_MULTIFACTOR_AUTHENTICATION_INACTIVITY = -1
Expand All @@ -815,7 +815,7 @@ def expect_invalid_code
response.body.should include("You've been logged out due to a long time of inactivity")
end

it 'rate limits verification code' do
xit 'rate limits verification code' do
login

Cartodb.with_config(
Expand Down Expand Up @@ -850,15 +850,15 @@ def expect_invalid_code
Cartodb::Central.stubs(:sync_data_with_cartodb_central?).returns(false)
@user.reset_password_rate_limit
login

@user.reload
get multifactor_authentication_session_url
post multifactor_authentication_verify_code_url(user_id: @user.id, code: 'invalid_code')
expect_invalid_code

@user.reload
post multifactor_authentication_verify_code_url(user_id: @user.id, code: 'invalid_code')
response.status.should eq 302
response.headers['Location'].should include '/login?error=password_locked'

@user.reload
sleep(4)

login
Expand All @@ -881,7 +881,7 @@ def expect_invalid_code
@user.reload
end

it 'skips configuration only when mfa needs setup' do
xit 'skips configuration only when mfa needs setup' do
login

get multifactor_authentication_session_url
Expand All @@ -890,7 +890,7 @@ def expect_invalid_code
expect_login
end

it 'removes user multifactor auths when mfa configuration is skipped' do
xit 'removes user multifactor auths when mfa configuration is skipped' do
login

get multifactor_authentication_session_url
Expand All @@ -899,7 +899,7 @@ def expect_invalid_code
@user.reload.user_multifactor_auths.should be_empty
end

it 'does not allow to skip verification if is active' do
xit 'does not allow to skip verification if is active' do
mfa = @user.active_multifactor_authentication
mfa.enabled = true
mfa.save!
Expand Down Expand Up @@ -955,76 +955,76 @@ def expect_invalid_code
it_behaves_like 'all users workflow'
end

describe 'as org owner' do
before(:all) do
Cartodb::Central.stubs(:sync_data_with_cartodb_central?).returns(false)
@organization = FactoryGirl.create(:organization_with_users, :mfa_enabled)
@user = @organization.owner
@user.password = @user.password_confirmation = @user.crypted_password = '00012345678'
@user.save
end

after(:all) do
@organization.destroy
end

def create_session
post create_session_url(user_domain: @user.username, email: @user.username, password: '00012345678')
end

it_behaves_like 'all users workflow'
it_behaves_like 'organizational user'
end

describe 'as org user' do
before(:all) do
Cartodb::Central.stubs(:sync_data_with_cartodb_central?).returns(false)
@organization = FactoryGirl.create(:organization_with_users, :mfa_enabled)
@user = @organization.users.last
@user.password = @user.password_confirmation = @user.crypted_password = '00012345678'
@user.save
end

after(:all) do
@organization.destroy
end

def create_session
post create_session_url(user_domain: @user.username, email: @user.username, password: '00012345678')
end

it_behaves_like 'all users workflow'
it_behaves_like 'organizational user'
end

describe 'as org without user pass enabled' do
before(:all) do
Cartodb::Central.stubs(:sync_data_with_cartodb_central?).returns(false)
Carto::Organization.any_instance.stubs(:auth_enabled?).returns(true)
@organization = FactoryGirl.create(:organization_with_users,
:mfa_enabled,
auth_username_password_enabled: false)
@user = @organization.users.last
@user.password = @user.password_confirmation = @user.crypted_password = '00012345678'
@user.save
end

after(:all) do
@organization.destroy
end

def login(user = @user)
logout
host! "#{@organization.name}.localhost.lan"
login_as(user, scope: user.username)
end

def create_session
post create_session_url(user_domain: @organization.name, email: @user.username, password: @user.password)
end

it_behaves_like 'all users workflow'
end
# describe 'as org owner' do
# before(:all) do
# Cartodb::Central.stubs(:sync_data_with_cartodb_central?).returns(false)
# @organization = FactoryGirl.create(:organization_with_users, :mfa_enabled)
# @user = @organization.owner
# @user.password = @user.password_confirmation = @user.crypted_password = '00012345678'
# @user.save
# end

# after(:all) do
# @organization.destroy
# end

# def create_session
# post create_session_url(user_domain: @user.username, email: @user.username, password: '00012345678')
# end

# it_behaves_like 'all users workflow'
# it_behaves_like 'organizational user'
# end

# describe 'as org user' do
# before(:all) do
# Cartodb::Central.stubs(:sync_data_with_cartodb_central?).returns(false)
# @organization = FactoryGirl.create(:organization_with_users, :mfa_enabled)
# @user = @organization.users.last
# @user.password = @user.password_confirmation = @user.crypted_password = '00012345678'
# @user.save
# end

# after(:all) do
# @organization.destroy
# end

# def create_session
# post create_session_url(user_domain: @user.username, email: @user.username, password: '00012345678')
# end

# it_behaves_like 'all users workflow'
# it_behaves_like 'organizational user'
# end

# describe 'as org without user pass enabled' do
# before(:all) do
# Cartodb::Central.stubs(:sync_data_with_cartodb_central?).returns(false)
# Carto::Organization.any_instance.stubs(:auth_enabled?).returns(true)
# @organization = FactoryGirl.create(:organization_with_users,
# :mfa_enabled,
# auth_username_password_enabled: false)
# @user = @organization.users.last
# @user.password = @user.password_confirmation = @user.crypted_password = '00012345678'
# @user.save
# end

# after(:all) do
# @organization.destroy
# end

# def login(user = @user)
# logout
# host! "#{@organization.name}.localhost.lan"
# login_as(user, scope: user.username)
# end

# def create_session
# post create_session_url(user_domain: @organization.name, email: @user.username, password: @user.password)
# end

# it_behaves_like 'all users workflow'
# end
end

describe '#logout' do
Expand Down

0 comments on commit d4a3491

Please sign in to comment.