mirror of
https://github.com/lingble/chatwoot.git
synced 2025-10-29 10:12:34 +00:00
239c4dcb91
## Linear: - https://github.com/chatwoot/chatwoot/issues/486 ## Description This PR implements Multi-Factor Authentication (MFA) support for user accounts, enhancing security by requiring a second form of verification during login. The feature adds TOTP (Time-based One-Time Password) authentication with QR code generation and backup codes for account recovery. ## Type of change - [ ] New feature (non-breaking change which adds functionality) ## How Has This Been Tested? - Added comprehensive RSpec tests for MFA controller functionality - Tested MFA setup flow with QR code generation - Verified OTP validation and backup code generation - Tested login flow with MFA enabled/disabled ## Checklist: - [ ] My code follows the style guidelines of this project - [ ] I have performed a self-review of my code - [ ] I have commented on my code, particularly in hard-to-understand areas - [ ] I have made corresponding changes to the documentation - [ ] My changes generate no new warnings - [ ] I have added tests that prove my fix is effective or that my feature works - [ ] New and existing unit tests pass locally with my changes - [ ] Any dependent changes have been merged and published in downstream modules --------- Co-authored-by: Pranav <pranav@chatwoot.com> Co-authored-by: Sojan Jose <sojan@pepalo.com> Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>
107 lines
3.1 KiB
Ruby
107 lines
3.1 KiB
Ruby
require 'rails_helper'
|
|
|
|
describe Mfa::AuthenticationService do
|
|
before do
|
|
skip('Skipping since MFA is not configured in this environment') unless Chatwoot.encryption_configured?
|
|
user.enable_two_factor!
|
|
user.update!(otp_required_for_login: true)
|
|
end
|
|
|
|
let(:user) { create(:user) }
|
|
|
|
describe '#authenticate' do
|
|
context 'with OTP code' do
|
|
context 'when OTP is valid' do
|
|
it 'returns true' do
|
|
valid_otp = user.current_otp
|
|
service = described_class.new(user: user, otp_code: valid_otp)
|
|
expect(service.authenticate).to be_truthy
|
|
end
|
|
end
|
|
|
|
context 'when OTP is invalid' do
|
|
it 'returns false' do
|
|
service = described_class.new(user: user, otp_code: '000000')
|
|
expect(service.authenticate).to be_falsey
|
|
end
|
|
end
|
|
|
|
context 'when OTP is nil' do
|
|
it 'returns false' do
|
|
service = described_class.new(user: user, otp_code: nil)
|
|
expect(service.authenticate).to be_falsey
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'with backup code' do
|
|
let(:backup_codes) { user.generate_backup_codes! }
|
|
|
|
context 'when backup code is valid' do
|
|
it 'returns true and invalidates the code' do
|
|
valid_code = backup_codes.first
|
|
service = described_class.new(user: user, backup_code: valid_code)
|
|
|
|
expect(service.authenticate).to be_truthy
|
|
|
|
# Code should be invalidated after use
|
|
user.reload
|
|
expect(user.otp_backup_codes).to include('XXXXXXXX')
|
|
end
|
|
end
|
|
|
|
context 'when backup code is invalid' do
|
|
it 'returns false' do
|
|
service = described_class.new(user: user, backup_code: 'invalid')
|
|
expect(service.authenticate).to be_falsey
|
|
end
|
|
end
|
|
|
|
context 'when backup code has already been used' do
|
|
it 'returns false' do
|
|
valid_code = backup_codes.first
|
|
# Use the code once
|
|
service = described_class.new(user: user, backup_code: valid_code)
|
|
service.authenticate
|
|
|
|
# Try to use it again
|
|
service2 = described_class.new(user: user.reload, backup_code: valid_code)
|
|
expect(service2.authenticate).to be_falsey
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'with neither OTP nor backup code' do
|
|
it 'returns false' do
|
|
service = described_class.new(user: user)
|
|
expect(service.authenticate).to be_falsey
|
|
end
|
|
end
|
|
|
|
context 'when user is nil' do
|
|
it 'returns false' do
|
|
service = described_class.new(user: nil, otp_code: '123456')
|
|
expect(service.authenticate).to be_falsey
|
|
end
|
|
end
|
|
|
|
context 'when both OTP and backup code are provided' do
|
|
it 'uses OTP authentication first' do
|
|
valid_otp = user.current_otp
|
|
backup_codes = user.generate_backup_codes!
|
|
|
|
service = described_class.new(
|
|
user: user,
|
|
otp_code: valid_otp,
|
|
backup_code: backup_codes.first
|
|
)
|
|
|
|
expect(service.authenticate).to be_truthy
|
|
# Backup code should not be consumed
|
|
user.reload
|
|
expect(user.otp_backup_codes).not_to include('XXXXXXXX')
|
|
end
|
|
end
|
|
end
|
|
end
|