cartodb-4.42/spec/requests/carto/api/multifactor_auths_controller_spec.rb

189 lines
5.9 KiB
Ruby
Raw Normal View History

2024-04-06 13:25:13 +08:00
require 'spec_helper_min'
require 'support/helpers'
describe Carto::Api::MultifactorAuthsController do
include HelperMethods
before :all do
@user = FactoryGirl.create(:carto_user)
end
after :all do
@user.destroy
end
before :each do
@user.user_multifactor_auths.each(&:destroy)
@multifactor_auth = FactoryGirl.create(:totp, :active, user: @user)
@totp = ROTP::TOTP.new(@multifactor_auth.shared_secret)
@user.reload
end
after :each do
@user.user_multifactor_auths.each(&:destroy)
@multifactor_auth.destroy
end
def auth_headers
http_json_headers
end
def auth_params
{ user_domain: @user.username, api_key: @user.api_key }
end
let(:create_payload) do
{
type: 'totp',
user_id: @user.id
}
end
describe '#create' do
before(:each) do
@user.user_multifactor_auths.each(&:destroy)
@user.reload
end
it 'creates a totp multifactor auth' do
post_json multifactor_auths_url, auth_params.merge(create_payload), auth_headers do |response|
response.status.should eq 201
response = response.body
response[:id].should be
response[:type].should eq 'totp'
response[:enabled].should eq false
response[:qrcode].should be
response[:user].should eq(@user.username)
end
end
it 'requires the type' do
params = auth_params.merge(create_payload.except(:type))
post_json multifactor_auths_url, params, auth_headers do |response|
response.status.should eq 422
response = response.body
response[:errors].should include("param is missing or the value is empty: type")
end
end
it 'creates a totp multifactor auth and ignores additional params' do
params = auth_params.merge(create_payload).merge(enabled: true)
post_json multifactor_auths_url, params, auth_headers do |response|
response.status.should eq 201
response = response.body
response[:id].should be
response[:type].should eq 'totp'
response[:enabled].should eq false
response[:qrcode].should be
response[:user].should eq(@user.username)
@user.user_multifactor_auths.find(response[:id]).enabled.should be false
end
end
end
describe '#validate_code' do
it 'validates a totp multifactor auth code' do
params = auth_params.merge(code: @totp.now)
post_json verify_code_multifactor_auth_url(id: @multifactor_auth.id), params, auth_headers do |response|
response.status.should eq 200
response = response.body
response[:id].should be
response[:type].should eq 'totp'
response[:enabled].should eq true
response[:qrcode].should_not be
response[:user].should eq(@user.username)
@multifactor_auth.reload
@multifactor_auth.needs_setup?.should be_false
@multifactor_auth.last_login.should be
end
end
it 'raises error if not valid code' do
params = auth_params.merge(code: '123456')
post_json verify_code_multifactor_auth_url(id: @multifactor_auth.id), params, auth_headers do |response|
response.status.should eq 403
response = response.body
response[:errors].should include("The code is not valid")
end
end
it 'validates and ignores additional params' do
params = auth_params.merge(code: @totp.now, last_login: Time.now - 1.year)
post_json verify_code_multifactor_auth_url(id: @multifactor_auth.id), params, auth_headers do |response|
response.status.should eq 200
response = response.body
response[:id].should be
response[:type].should eq 'totp'
response[:enabled].should eq true
response[:qrcode].should_not be
response[:user].should eq(@user.username)
@multifactor_auth.reload
@multifactor_auth.needs_setup?.should be_false
@multifactor_auth.last_login.year.should eq Time.now.year
end
end
it 'updates last_login' do
@multifactor_auth.verify!(@totp.now)
last_login = @multifactor_auth.last_login
Delorean.jump(2.hours)
params = auth_params.merge(code: @totp.now)
post_json verify_code_multifactor_auth_url(id: @multifactor_auth.id), params, auth_headers do |response|
response.status.should eq 200
response = response.body
response[:id].should be
response[:type].should eq 'totp'
response[:enabled].should eq true
response[:qrcode].should_not be
response[:user].should eq(@user.username)
@multifactor_auth.reload
@multifactor_auth.needs_setup?.should be_false
@multifactor_auth.last_login.should_not eq last_login
end
Delorean.back_to_the_present
end
end
describe '#show' do
it 'shows multifactor auth instance' do
get_json multifactor_auth_url(id: @multifactor_auth.id), auth_params, auth_headers do |response|
response.status.should eq 200
response = response.body
response[:id].should be
response[:type].should eq 'totp'
response[:qrcode].should_not be
response[:user].should eq(@user.username)
end
end
end
describe '#index' do
it 'list instances' do
get_json multifactor_auths_url, auth_params, auth_headers do |response|
response.status.should eq 200
list = response.body
list.length.should eq 1
response = list.first
response['id'].should be
response['type'].should eq 'totp'
response['qrcode'].should_not be
response['user'].should eq(@user.username)
end
end
end
describe '#destroy' do
it 'destroys a multifactor auth instance' do
delete_json multifactor_auth_url(id: @multifactor_auth.id), auth_params, auth_headers do |response|
response.status.should eq 204
@user.user_multifactor_auths.where(id: response[:id]).should be_empty
end
end
end
end