From 8738416f792f813d1272ea2be721079a7db63c18 Mon Sep 17 00:00:00 2001
From: doobry
Date: Sun, 11 Sep 2022 18:28:25 +0200
Subject: [PATCH] Add behat integration tests for two-factor backup codes
---
 features/bootstrap/FeatureContext.php | 17 +++++++++++++++++
 features/login.feature | 25 ++++++++++++++++++++++---
 2 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/features/bootstrap/FeatureContext.php b/features/bootstrap/FeatureContext.php
index d8d7321b..71d79611 100644
--- a/features/bootstrap/FeatureContext.php
+++ b/features/bootstrap/FeatureContext.php
@@ -10,6 +10,7 @@
 use Behat\MinkExtension\Context\MinkContext;
 use Behat\Symfony2Extension\Context\KernelDictionary;
 use Doctrine\ORM\Tools\SchemaTool;
+use OTPHP\TOTP;
 use Symfony\Component\BrowserKit\Cookie;
 use Symfony\Component\PropertyAccess\PropertyAccess;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
@@ -136,6 +137,10 @@ public function theFollowingUserExists(TableNode $table)
 case 'totpSecret':
 $user->setTotpSecret($value);
 break;
+ case 'totp_backup_codes':
+ $user->generateBackupCodes();
+ $this->setPlaceholder('totp_backup_codes', $user->getBackupCodes());
+ break;
 }
 }
@@ -422,6 +427,18 @@ public function iShouldSeeEmptyConsoleOutput()
 }
 }
+ /**
+ * @Then I enter TOTP backup code
+ */
+ public function iEnterTotpBackupCode()
+ {
+ $totpBackupCodes = $this->getPlaceholder('totp_backup_codes');
+ if (!$totpBackupCodes) {
+ throw new \Exception('No TOTP backup codes cached');
+ }
+ $this->fillField('_auth_code', $totpBackupCodes[0]);
+ }
+
 /**
 * @Then /^File "([^"]*)" should exist$/
 */
diff --git a/features/login.feature b/features/login.feature
index 28d75315..9eed9b72 100644
--- a/features/login.feature
+++ b/features/login.feature
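Review bot: The added `use OTPHP\TOTP;` is not referenced by any line in this patch — neither the new `case 'totp_backup_codes'` branch nor `iEnterTotpBackupCode()` uses it. If nothing else in FeatureContext.php already calls `TOTP` (not visible here), the import is dead and should be dropped, or the TOTP-code step it was presumably meant for added in the same commit.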
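Review bot: The new `case 'totp_backup_codes'` branch never reads `$value`, so any cell in that column — `false`, `0` or an empty string included — generates backup codes, and the `true` written in the feature file is purely decorative. Guard it so the column behaves like a flag, e.g. `if (filter_var($value, FILTER_VALIDATE_BOOLEAN)) { $user->generateBackupCodes(); $this->setPlaceholder('totp_backup_codes', $user->getBackupCodes()); }`, and consider the camelCase key the neighbouring cases use (`totpSecret`, `totpConfirmed`) instead of `totp_backup_codes`. Whether `getBackupCodes()` returns the plaintext codes the login form accepts or only stored hashes cannot be seen here; the step that consumes the placeholder only works in the former case. theFollowingUserExists' body starts and ends outside the hunk.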
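Review bot: `iEnterTotpBackupCode` always enters `$totpBackupCodes[0]`, so no scenario can exercise the property that makes backup codes safe to issue — a consumed code must be rejected on the next login. Taking the code off the cached list lets a later step use a fresh one and a deliberate re-entry test reuse the old one: `$code = array_shift($totpBackupCodes); $this->setPlaceholder('totp_backup_codes', $totpBackupCodes); $this->fillField('_auth_code', $code);`. The `[0]` access also presumes `getBackupCodes()` returns a list rather than a keyed array, which this hunk does not show. A `\RuntimeException` would be more specific than bare `\Exception`, and as an action the step reads more naturally under `@When` (Behat matches the step text regardless of the keyword).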
@@ -121,7 +121,7 @@ Feature: Login
 And I should see text matching "E-mail access has been turned off"
 @login-2fa
- Scenario: Login asks for secret if two-factor auth is enabled
+ Scenario: Login fails with invalid TOTP code if two-factor auth is enabled
 When the following User exists:
 | email | password | roles | totpConfirmed | totpSecret |
 | twofactor@example.org | asdasd | ROLE_USER | 1 | secret |
@@ -134,8 +134,7 @@ Feature: Login
 Then I should be on "/en/2fa"
 And I should see text matching "Authentication code"
- And I fill in the following:
- | _auth_code | invalid-token |
+ And I fill in "_auth_code" with "invalid-token"
 And I press "Verify"
 Then I should be on "/en/2fa"
@@ -144,3 +143,23 @@ Feature: Login
 And I follow "Cancel login"
 Then I should be on "/en/"
 And the response status code should be 200
+
+ @login-2fa
+ Scenario: Login works with two-factor backup code if two-factor auth is enabled
+ When the following User exists:
+ | email | password | roles | totpConfirmed | totpSecret | totp_backup_codes |
+ | twofactor@example.org | asdasd | ROLE_USER | 1 | secret | true |
+ And I am on "/login"
+ And I fill in the following:
+ | username | twofactor@example.org |
+ | password | asdasd |
+ And I press "Sign in"
+ Then I should be on "/en/2fa"
+ And I should see text matching "Authentication code"
+ And I enter TOTP backup code
+ And I press "Verify"
+ Then I should be on "/en/"
+ And the response status code should be 200
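Review bot: The new scenario only shows that a freshly generated backup code is accepted; nothing asserts that the code is invalidated afterwards, which is what separates a backup code from a second static password. A follow-up scenario — or steps appended here — that logs out, signs in again, enters the same code and expects `Then I should be on "/en/2fa"` would cover that, provided the step definition is able to re-enter an already used code. The `totp_backup_codes | true` cell reads as a flag, but the step definition added in this patch does not look at the cell's value, so a reader may wrongly assume `false` would leave the user without codes.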