From 731f689cf07c7744365bdd6daf79ab473af8af6c Mon Sep 17 00:00:00 2001
From: baarkerlounger
Date: Thu, 3 Feb 2022 15:39:55 +0000
Subject: [PATCH] 2FA code required on every sign in

---
 config/initializers/devise.rb | 2 +-
 spec/features/admin_panel_spec.rb | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index d03f9692b..7b48556a7 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -320,5 +320,5 @@ Devise.setup do |config|
 config.remember_otp_session_for_seconds = 1.day # Time before browser has to perform 2fA again. Default is 0.
 config.otp_secret_encryption_key = ENV["OTP_SECRET_ENCRYPTION_KEY"]
 config.second_factor_resource_id = "id" # Field or method name used to set value for 2fA remember cookie
- config.delete_cookie_on_logout = false # Delete cookie when user signs out, to force 2fA again on login
+ config.delete_cookie_on_logout = true # Delete cookie when user signs out, to force 2fA again on login
 end
diff --git a/spec/features/admin_panel_spec.rb b/spec/features/admin_panel_spec.rb
index d5732ca6f..70226286a 100644
--- a/spec/features/admin_panel_spec.rb
+++ b/spec/features/admin_panel_spec.rb
@@ -72,4 +72,24 @@ RSpec.describe "Admin Panel" do
 expect(page).to have_current_path("/admin/two-factor-authentication")
 end
 end
+
+ context "when logging out and in again" do
+ before do
+ allow(SecureRandom).to receive(:random_number).and_return(otp)
+ end
+
+ it "requires the 2FA code on each login" do
+ visit("/admin")
+ fill_in("admin_user[email]", with: admin.email)
+ fill_in("admin_user[password]", with: admin.password)
+ click_button("Login")
+ fill_in("code", with: otp)
+ click_button("Submit")
+ click_link("Logout")
+ fill_in("admin_user[email]", with: admin.email)
+ fill_in("admin_user[password]", with: admin.password)
+ click_button("Login")
+ expect(page).to have_content("Check your phone")
+ end
+ end
 end
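Review bot: Flipping `delete_cookie_on_logout` to `true` only forces a new 2FA prompt when the user goes through the logout action; the unchanged `config.remember_otp_session_for_seconds = 1.day` two lines above still lets a browser whose session ends any other way (expiry, closed tab, a second sign-in before logout) skip the code for up to a day. If the subject line "2FA code required on every sign in" is meant literally, the remember window should also be dropped to its default, `config.remember_otp_session_for_seconds = 0 # Time before browser has to perform 2fA again. Default is 0.`, or the commit message should state that only the explicit-logout path is covered. The comment on the changed line already describes the new behaviour, so no comment change is needed there. The `Devise.setup` block starts outside the hunk.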
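Review bot: The new example never asserts that the first sign-in actually completed before `click_link("Logout")`, so a regression in which the submitted code is rejected but a "Logout" link is still rendered would keep the spec green, and the final `have_content("Check your phone")` check is weaker than the sibling expectation visible just above the added block. Add a path check after the first `click_button("Submit")` and reuse the sibling's assertion after the second login, e.g. `expect(page).to have_current_path("/admin/two-factor-authentication")` in place of or alongside the content check. The two identical email/password/Login sequences would also read better as a small helper in the spec, though that is a style choice. `otp` and `admin` are defined outside the hunk, so their values cannot be reviewed here.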