diff options
author | James Edwards-Jones <jedwardsjones@gitlab.com> | 2018-12-12 17:45:55 +0300 |
---|---|---|
committer | James Edwards-Jones <jedwardsjones@gitlab.com> | 2019-05-21 10:12:41 +0300 |
commit | fab6a50f17d15d21a157d4d561f41527fa943f27 (patch) | |
tree | 58d3014ed9dbc96e40fd309221782dbb0bd3a1f4 /spec/controllers/sessions_controller_spec.rb | |
parent | 5396b2a81aba6ed2bf85906a3256e171337b6df0 (diff) |
Prevent password sign in restriction bypass
Diffstat (limited to 'spec/controllers/sessions_controller_spec.rb')
-rw-r--r-- | spec/controllers/sessions_controller_spec.rb | 34 |
1 files changed, 33 insertions, 1 deletions
diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb index 6bcff7f975c..9c4ddce5409 100644 --- a/spec/controllers/sessions_controller_spec.rb +++ b/spec/controllers/sessions_controller_spec.rb @@ -58,7 +58,26 @@ describe SessionsController do it 'authenticates user correctly' do post(:create, params: { user: user_params }) - expect(subject.current_user). to eq user + expect(subject.current_user).to eq user + end + + context 'with password authentication disabled' do + before do + stub_application_setting(password_authentication_enabled_for_web: false) + end + + it 'does not sign in the user' do + post(:create, params: { user: user_params }) + + expect(@request.env['warden']).not_to be_authenticated + expect(subject.current_user).to be_nil + end + + it 'returns status 403' do + post(:create, params: { user: user_params }) + + expect(response.status).to eq 403 + end end it 'creates an audit log record' do @@ -153,6 +172,19 @@ describe SessionsController do end end + context 'with password authentication disabled' do + before do + stub_application_setting(password_authentication_enabled_for_web: false) + end + + it 'allows 2FA stage of non-password login' do + authenticate_2fa(otp_attempt: user.current_otp) + + expect(@request.env['warden']).to be_authenticated + expect(subject.current_user).to eq user + end + end + ## # See #14900 issue # |