Merge branch 'sh-fix-otp-backup-invalidation-10-5' into 'security-10-5'

Ensure that OTP backup codes are always invalidated - 10.5 port See merge request gitlab/gitlabhq!2324
author: Douwe Maan <douwe@gitlab.com> 2018-02-09 18:02:11 +0300
committer: James Lopez <james@jameslopez.es> 2018-03-07 15:36:43 +0300
commit: 6deed66eda567d572c31bcbf5c6a3fcda8301cee (patch)
tree: ea8779c8aad584d59947a7ed98ceeb0c5e543ea3 /spec/features
parent: 5d1297098593aeda31ea2c1b1b0f6f303e45f135 (diff)
1 files changed, 12 insertions, 0 deletions
diff --git a/spec/features/users/login_spec.rb b/spec/features/users/login_spec.rb
index 6ef235cf870..bc75dc5d19b 100644
--- a/spec/features/users/login_spec.rb
+++ b/spec/features/users/login_spec.rb
@@ -145,6 +145,18 @@ feature 'Login' do
             expect { enter_code(codes.sample) }
               .to change { user.reload.otp_backup_codes.size }.by(-1)
           end
+
+          it 'invalidates backup codes twice in a row' do
+            random_code = codes.delete(codes.sample)
+            expect { enter_code(random_code) }
+              .to change { user.reload.otp_backup_codes.size }.by(-1)
+
+            gitlab_sign_out
+            gitlab_sign_in(user)
+
+            expect { enter_code(codes.sample) }
+              .to change { user.reload.otp_backup_codes.size }.by(-1)
+          end
         end
 
         context 'with invalid code' do
author	Douwe Maan <douwe@gitlab.com>	2018-02-09 18:02:11 +0300
committer	James Lopez <james@jameslopez.es>	2018-03-07 15:36:43 +0300
commit	6deed66eda567d572c31bcbf5c6a3fcda8301cee (patch)
tree	ea8779c8aad584d59947a7ed98ceeb0c5e543ea3 /spec/features
parent	5d1297098593aeda31ea2c1b1b0f6f303e45f135 (diff)