
github.com/diaspora/diaspora.git
author    lislis <lislis@users.noreply.github.com>  2019-04-28 20:06:48 +0300
committer Jonne Haß <jonne.hass@offerista.com>      2019-04-29 00:24:40 +0300
commit    9d5b981809435b05b06e300a5495a71085e89882 (patch)
tree      6b03923c4563dac958f9dbf1c5cfe112747b4d2f /features
parent    3f74a759b3313a65fc00d2e9bc9368a4236ab0cb (diff)
Two factor authentication (#7751)
Diffstat (limited to 'features')
-rw-r--r--  features/desktop/change_password.feature            3
-rw-r--r--  features/desktop/two_factor_authentication.feature  90
-rw-r--r--  features/mobile/change_password.feature             5
-rw-r--r--  features/step_definitions/two_factor_steps.rb       67
-rw-r--r--  features/support/paths.rb                           2
5 files changed, 162 insertions, 5 deletions
diff --git a/features/desktop/change_password.feature b/features/desktop/change_password.feature
index f37ebe045..7b30014ec 100644
--- a/features/desktop/change_password.feature
+++ b/features/desktop/change_password.feature
@@ -29,8 +29,7 @@ Feature: Change password
When I follow the "Change my password" link from the last sent email
When I fill out the password reset form with "supersecret" and "supersecret"
And I submit the password reset form
- Then I should be on the stream page
- And I sign out manually
+ Then I should be on the new user session page
And I sign in manually as "georges_abitbol" with password "supersecret"
Then I should be on the stream page
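Review bot: the replaced expectation (landing on the new user session page instead of the stream after submitting the reset form) encodes a behaviour change, a password reset no longer signs the user in, and nothing in the scenario says why; the Feature or Scenario text should state that the user must authenticate again with the new password, which matters in this commit because a sign-in straight from the reset link would skip the TOTP step for accounts that have 2fa enabled. The setting that produces the redirect is outside this diff (Diffstat is limited to 'features'), so also confirm that a mapping for "the new user session page" already exists in features/support/paths.rb, since the paths.rb hunk in this patch adds only the two-factor page.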
diff --git a/features/desktop/two_factor_authentication.feature b/features/desktop/two_factor_authentication.feature
new file mode 100644
index 000000000..ae8e2d2ef
--- /dev/null
+++ b/features/desktop/two_factor_authentication.feature
@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+@javascript
+Feature: Two-factor autentication
+
+ Scenario: Activate 2fa
+ Given a user with email "alice@test.com"
+ When I sign in as "alice@test.com"
+ When I go to the two-factor authentication page
+ And I press "Activate"
+ Then I should see "Confirm activation"
+ When I scan the QR code and fill in a valid TOTP token for "alice@test.com"
+ And I press "Confirm and activate"
+ Then I should see "Two-factor authentication activated"
+ And I should see "Recovery codes"
+ When I confirm activation
+ Then I should see "Two-factor authentication activated"
+ And I should see "Deactivate"
+
+ Scenario: Signing in with 2fa activated and correct token
+ Given a user with username "alice" and password "secret"
+ And 2fa is activated for "alice"
+ When I go to the login page
+ And I fill in username "alice" and password "secret"
+ And press "Sign in"
+ Then I should see "Two-factor authentication"
+ When I fill in a valid TOTP token for "alice"
+ And I press "Sign in"
+ Then I should be on the stream page
+
+ Scenario: Trying to sign in with 2fa activated and incorrect token
+ Given a user with username "alice" and password "secret"
+ And 2fa is activated for "alice"
+ When I go to the login page
+ And I fill in username "alice" and password "secret"
+ And press "Sign in"
+ Then I should see "Two-factor authentication"
+ When I fill in an invalid TOTP token
+ And I press "Sign in"
+ Then I should see "Two-factor authentication"
+
+ Scenario: Signing in with 2fa activated and a recovery code
+ Given a user with username "alice" and password "secret"
+ And 2fa is activated for "alice"
+ When I go to the login page
+ And I fill in username "alice" and password "secret"
+ And press "Sign in"
+ Then I should see "Two-factor authentication"
+ When I fill in a recovery code from "alice"
+ And I press "Sign in"
+ Then I should be on the stream page
+
+ Scenario: Regenerating recovery codes
+ Given a user with email "alice@test.com"
+ When I sign in as "alice@test.com"
+ And 2fa is activated for "alice@test.com"
+ When I go to the two-factor authentication page
+ Then I should see "Generate new recovery codes"
+ When I press the recovery code generate button
+ Then I should see a list of recovery codes
+
+ Scenario: Deactivating 2fa with correct token
+ Given a user with email "alice@test.com"
+ When I sign in as "alice@test.com"
+ And 2fa is activated for "alice@test.com"
+ When I go to the two-factor authentication page
+ Then I should see "Deactivate"
+ When I fill in a valid TOTP token to deactivate for "alice@test.com"
+ And I press "Deactivate"
+ Then I should see "Two-factor authentication not activated"
+
+ Scenario: Deactivating 2fa with recovery token
+ Given a user with email "alice@test.com"
+ When I sign in as "alice@test.com"
+ And 2fa is activated for "alice@test.com"
+ When I go to the two-factor authentication page
+ Then I should see "Deactivate"
+ When I fill in a recovery code to deactivate from "alice@test.com"
+ And I press "Deactivate"
+ Then I should see "Two-factor authentication not activated"
+
+ Scenario: Trying to deactivate with incorrect token
+ Given a user with email "alice@test.com"
+ When I sign in as "alice@test.com"
+ And 2fa is activated for "alice@test.com"
+ When I go to the two-factor authentication page
+ Then I should see "Deactivate"
+ When I fill in an invalid TOTP token to deactivate
+ And I press "Deactivate"
+ Then I should see "Two-factor authentication activated"
+ And I should see "Deactivate"
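Review bot: the negative scenarios only assert that a heading is still visible ("Then I should see "Two-factor authentication"" after the invalid token, "Two-factor authentication activated" after the failed deactivation), which would also pass if the form merely re-rendered after a successful login or if no error were reported; add an explicit check that the user is not on the stream page and that the error message is shown. Two properties of recovery codes that a 2fa suite should pin down are missing: that a code is single use (sign in with a code, then submit the same code again and expect to stay on the two-factor form) and that "Generate new recovery codes" invalidates the previous set, which the "Regenerating recovery codes" scenario does not test beyond the list being rendered. Also "Feature: Two-factor autentication" is misspelled (authentication).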
diff --git a/features/mobile/change_password.feature b/features/mobile/change_password.feature
index f30edb215..f3bcdb445 100644
--- a/features/mobile/change_password.feature
+++ b/features/mobile/change_password.feature
@@ -31,9 +31,8 @@ Feature: Change password
When I follow the "Change my password" link from the last sent email
And I fill out the password reset form with "supersecret" and "supersecret"
And I submit the password reset form
- Then I should be on the stream page
- When I sign out
- And I go to the login page
+ Then I should be on the new user session page
+ When I go to the login page
And I sign in manually as "georges_abitbol" with password "supersecret" on the mobile website
Then I should be on the stream page
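Review bot: "Then I should be on the new user session page" followed by "When I go to the login page" navigates to the page the previous step just asserted the user is on; the desktop variant of this change signs in directly from that page, so drop the extra "go to" step, or keep both suites identical so the behaviour change (no automatic sign-in after a password reset) is expressed the same way in both.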
diff --git a/features/step_definitions/two_factor_steps.rb b/features/step_definitions/two_factor_steps.rb
new file mode 100644
index 000000000..7b5ab2319
--- /dev/null
+++ b/features/step_definitions/two_factor_steps.rb
@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+When /^I scan the QR code and fill in a valid TOTP token for "([^"]*)"$/ do |email|
+ @me = find_user email
+ fill_in "user_code", with: @me.current_otp
+end
+
+When /^I fill in a valid TOTP token for "([^"]*)"$/ do |username|
+ @me = find_user username
+ fill_in "user_otp_attempt", with: @me.current_otp
+end
+
+When /^I fill in an invalid TOTP token$/ do
+ fill_in "user_otp_attempt", with: "c0ffee"
+end
+
+When /^I fill in a valid TOTP token to deactivate for "([^"]*)"$/ do |username|
+ @me = find_user username
+ fill_in "two_factor_authentication_code", with: @me.current_otp
+end
+
+When /^I fill in an invalid TOTP token to deactivate$/ do
+ fill_in "two_factor_authentication_code", with: "c0ffee"
+end
+
+When /^I fill in a recovery code from "([^"]*)"$/ do |username|
+ @me = find_user username
+ @codes = @me.generate_otp_backup_codes!
+ @me.save!
+ fill_in "user_otp_attempt", with: @codes.first
+end
+
+When /^I fill in a recovery code to deactivate from "([^"]*)"$/ do |username|
+ @me = find_user username
+ @codes = @me.generate_otp_backup_codes!
+ @me.save!
+ fill_in "two_factor_authentication_code", with: @codes.first
+end
+
+When /^I confirm activation$/ do
+ find(".btn-primary", match: :first).click
+end
+
+When /^2fa is activated for "([^"]*)"$/ do |username|
+ @me = find_user username
+ @me.otp_secret = User.generate_otp_secret(32)
+ @me.otp_required_for_login = true
+ @me.save!
+end
+
+When /^I fill in username "([^"]*)" and password "([^"]*)"$/ do |username, password|
+ fill_in "user_username", with: username
+ fill_in "user_password", with: password
+end
+
+Then /^I should see a list of recovery codes$/ do
+ find(".recovery-codes", match: :first)
+ find(".recovery-codes li samp", match: :first)
+end
+
+When /^I press the recovery code generate button$/ do
+ find(".btn-default", match: :first).click
+end
+
+def find_user(username)
+ User.find_by(username: username) || User.find_by(email: username)
+end
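Review bot: the invalid-token steps submit "c0ffee", which is not a six-digit TOTP, so the scenarios exercise the format check rather than a well-formed but wrong code; use a numeric code guaranteed to differ from the current one, e.g. `format("%06d", (@me.current_otp.to_i + 1) % 1_000_000)`, so a verifier that coerces or pads its input is still tested. `find(".btn-primary", match: :first).click` and `find(".btn-default", match: :first).click` (confirm activation, generate recovery codes) bind the steps to Bootstrap class names and button order rather than to the action; `click_button` with the visible label, as the features already do with `I press "Activate"`, would survive layout changes. The recovery-code steps call `generate_otp_backup_codes!` and `save!` immediately before filling in `@codes.first`, so they never exercise codes issued through the UI during activation. `find_user` is a bare top-level method defined in a step-definitions file; it belongs in a module under features/support mixed into `World`.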
diff --git a/features/support/paths.rb b/features/support/paths.rb
index a486ef245..7962fe17d 100644
--- a/features/support/paths.rb
+++ b/features/support/paths.rb
@@ -40,6 +40,8 @@ module NavigationHelpers
edit_user_path
when /^forgot password page$/
new_user_password_path
+ when /^the two-factor authentication page$/
+ two_factor_authentication_path
when %r{^"(/.*)"}
Regexp.last_match(1)
else
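Review bot: the new `when` branch resolves to `two_factor_authentication_path`, a route helper not defined anywhere in this diff (Diffstat is limited to 'features'), so the scenarios depend on the routes change landing in the same commit. A style point: the neighbouring `forgot password page` entry has no leading "the" while the new entry requires it, so "I go to two-factor authentication page" would fall through to the `else` branch; either form is fine, but the two entries should follow one convention.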