Add behat integration tests for two-factor backup codes

systemli · Oct 26, 2022 · 8738416 · 8738416
1 parent 2530b20
commit 8738416
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 3 deletions.
diff --git a/features/bootstrap/FeatureContext.php b/features/bootstrap/FeatureContext.php
@@ -10,6 +10,7 @@
 use Behat\MinkExtension\Context\MinkContext;
 use Behat\Symfony2Extension\Context\KernelDictionary;
 use Doctrine\ORM\Tools\SchemaTool;
+use OTPHP\TOTP;
 use Symfony\Component\BrowserKit\Cookie;
 use Symfony\Component\PropertyAccess\PropertyAccess;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
@@ -136,6 +137,10 @@ public function theFollowingUserExists(TableNode $table)
                     case 'totpSecret':
                         $user->setTotpSecret($value);
                         break;
+                    case 'totp_backup_codes':
+                        $user->generateBackupCodes();
+                        $this->setPlaceholder('totp_backup_codes', $user->getBackupCodes());
+                        break;
                 }
             }
 
@@ -422,6 +427,18 @@ public function iShouldSeeEmptyConsoleOutput()
         }
     }
 
+    /**
+     * @Then I enter TOTP backup code
+     */
+    public function iEnterTotpBackupCode()
+    {
+        $totpBackupCodes = $this->getPlaceholder('totp_backup_codes');
+        if (!$totpBackupCodes) {
+            throw new \Exception('No TOTP backup codes cached');
+        }
+        $this->fillField('_auth_code', $totpBackupCodes[0]);
+    }
+
     /**
      * @Then /^File "([^"]*)" should exist$/
      */

diff --git a/features/login.feature b/features/login.feature
@@ -121,7 +121,7 @@ Feature: Login
     And I should see text matching "E-mail access has been turned off"
 
   @login-2fa
-  Scenario: Login asks for secret if two-factor auth is enabled
+  Scenario: Login fails with invalid TOTP code if two-factor auth is enabled
     When the following User exists:
       | email                 | password | roles     | totpConfirmed | totpSecret |
       | twofactor@example.org | asdasd   | ROLE_USER | 1             | secret     |
@@ -134,8 +134,7 @@ Feature: Login
     Then I should be on "/en/2fa"
     And I should see text matching "Authentication code"
 
-    And I fill in the following:
-      | _auth_code | invalid-token |
+    And I fill in "_auth_code" with "invalid-token"
     And I press "Verify"
 
     Then I should be on "/en/2fa"
@@ -144,3 +143,23 @@ Feature: Login
     And I follow "Cancel login"
     Then I should be on "/en/"
     And the response status code should be 200
+
+  @login-2fa
+  Scenario: Login works with two-factor backup code if two-factor auth is enabled
+    When the following User exists:
+      | email                 | password | roles     | totpConfirmed | totpSecret | totp_backup_codes |
+      | twofactor@example.org | asdasd   | ROLE_USER | 1             | secret     | true              |
+    And I am on "/login"
+    And I fill in the following:
+      | username | twofactor@example.org |
+      | password | asdasd                |
+    And I press "Sign in"
+
+    Then I should be on "/en/2fa"
+    And I should see text matching "Authentication code"
+
+    And I enter TOTP backup code
+    And I press "Verify"
+
+    Then I should be on "/en/"
+    And the response status code should be 200