commit: b48f2cbc8b6b260a8d9b51a26e484a7da1694851
parent: 1736badf28eae2ba42e42f9fef2e151e35d5397a
Author: Matt Jankowski <mjankowski@thoughtbot.com>
Date: Thu, 27 Apr 2017 09:18:21 -0400
Catch error when server decryption fails on 2FA (#2512)
Diffstat:
2 files changed, 19 insertions(+), 0 deletions(-)
diff --git a/app/controllers/auth/sessions_controller.rb b/app/controllers/auth/sessions_controller.rb
@@ -51,6 +51,8 @@ class Auth::SessionsController < Devise::SessionsController
def valid_otp_attempt?(user)
user.validate_and_consume_otp!(user_params[:otp_attempt]) ||
user.invalidate_otp_backup_code!(user_params[:otp_attempt])
+ rescue OpenSSL::Cipher::CipherError => error
+ false
end
def authenticate_with_two_factor
diff --git a/spec/controllers/auth/sessions_controller_spec.rb b/spec/controllers/auth/sessions_controller_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
require 'rails_helper'
RSpec.describe Auth::SessionsController, type: :controller do
@@ -90,6 +92,21 @@ RSpec.describe Auth::SessionsController, type: :controller do
end
end
+ context 'when the server has an decryption error' do
+ before do
+ allow_any_instance_of(User).to receive(:validate_and_consume_otp!).and_raise(OpenSSL::Cipher::CipherError)
+ post :create, params: { user: { otp_attempt: user.current_otp } }, session: { otp_user_id: user.id }
+ end
+
+ it 'shows a login error' do
+ expect(flash[:alert]).to match I18n.t('users.invalid_otp_token')
+ end
+
+ it "doesn't log the user in" do
+ expect(controller.current_user).to be_nil
+ end
+ end
+
context 'using a valid recovery code' do
before do
post :create, params: { user: { otp_attempt: recovery_codes.first } }, session: { otp_user_id: user.id }