task(auth): Update /totp/destroy to take an sms code
Showing
9 changed files
with
227 additions
and
6 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -12,6 +12,7 @@ const otplib = require('otplib'); | |
const { Container } = require('typedi'); | ||
const { AccountEventsManager } = require('../../../lib/account-events'); | ||
const authErrors = require('../../../lib/error'); | ||
const { RecoveryPhoneService } = require('@fxa/accounts/recovery-phone'); | ||
|
||
let log, | ||
db, | ||
|
@@ -25,6 +26,9 @@ let log, | |
accountEventsManager; | ||
|
||
const glean = mocks.mockGlean(); | ||
const mockRecoveryPhoneService = { | ||
confirmCode: sinon.fake(), | ||
}; | ||
|
||
const TEST_EMAIL = '[email protected]'; | ||
const secret = 'KE3TGQTRNIYFO2KOPE4G6ULBOV2FQQTN'; | ||
|
@@ -52,6 +56,8 @@ describe('totp', () => { | |
accountEventsManager = { | ||
recordSecurityEvent: sinon.fake.resolves({}), | ||
}; | ||
Container.set(RecoveryPhoneService, mockRecoveryPhoneService); | ||
glean.twoStepAuthRemove.success.reset(); | ||
}); | ||
|
||
after(() => { | ||
|
@@ -194,6 +200,76 @@ describe('totp', () => { | |
); | ||
}); | ||
}); | ||
|
||
it('should delete TOTP token in verified session with valid code', async () => { | ||
const authenticator = new otplib.authenticator.Authenticator(); | ||
authenticator.options = Object.assign({}, otplib.authenticator.options, { | ||
secret, | ||
}); | ||
const code = authenticator.generate(secret); | ||
|
||
mockRecoveryPhoneService.confirmCode = sinon.fake.resolves(true); | ||
requestOptions.credentials.tokenVerified = true; | ||
requestOptions.payload = { | ||
code, | ||
}; | ||
|
||
const response = await setup( | ||
{ db: { email: TEST_EMAIL }, profile }, | ||
{}, | ||
'/totp/destroy', | ||
requestOptions | ||
); | ||
assert.ok(response); | ||
|
||
// TODO figure out what to about db.totp | ||
assert.equal(db.totpToken.callCount, 2); | ||
assert.equal(db.totpToken.getCall(0).args[0], 'uid'); | ||
assert.equal(mockRecoveryPhoneService.confirmCode.callCount, 1); | ||
assert.equal(glean.twoStepAuthRemove.success.callCount, 1); | ||
}); | ||
|
||
it('should not delete TOTP token if provided sms code is invalid', async () => { | ||
mockRecoveryPhoneService.confirmCode = sinon.fake.resolves(false); | ||
requestOptions.credentials.tokenVerified = true; | ||
requestOptions.payload = { | ||
code: '000000', | ||
}; | ||
|
||
try { | ||
await setup( | ||
{ db: { email: TEST_EMAIL } }, | ||
{}, | ||
'/totp/destroy', | ||
requestOptions | ||
); | ||
assert.fail(); | ||
} catch (err) { | ||
assert.equal(err.errno, 183); | ||
assert.equal(glean.twoStepAuthRemove.success.callCount, 0); | ||
} | ||
}); | ||
|
||
it('should not delete TOTP token if provided code is invalid totp code', async () => { | ||
mockRecoveryPhoneService.confirmCode = sinon.fake.resolves(true); | ||
requestOptions.credentials.tokenVerified = true; | ||
requestOptions.payload = { | ||
code: '000000', | ||
}; | ||
|
||
try { | ||
await setup( | ||
{ db: { email: TEST_EMAIL } }, | ||
{}, | ||
'/totp/destroy', | ||
requestOptions | ||
); | ||
assert.fail(); | ||
} catch (err) { | ||
assert.deepEqual(err.errno, 183); | ||
assert.equal(glean.twoStepAuthRemove.success.callCount, 0); | ||
} | ||
}); | ||
}); | ||
|
||
describe('/totp/exists', () => { | ||
|
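Review bot: The two negative tests (`should not delete TOTP token if provided sms code is invalid` and `... if provided code is invalid totp code`) send the same payload `code: '000000'` and only assert `err.errno` is 183, so neither shows which check rejected the request; if the route validates the TOTP code before consulting `confirmCode`, the invalid-sms case never exercises the recovery-phone path at all. Asserting `mockRecoveryPhoneService.confirmCode.callCount` (and, where it is expected to be called, its arguments) inside each `catch` block would pin down which path produced the rejection. `confirmCode` is reassigned in each test but never reset, and `Container.set` in `beforeEach` keeps handing out the same object, so a fake from one test survives into any later test in this file that does not set its own; resetting it next to the `Container.set` call, `mockRecoveryPhoneService.confirmCode = sinon.fake();`, keeps the cases independent. The `// TODO figure out what to about db.totp` left above the `db.totpToken.callCount, 2` assertion should be resolved or reference a tracked follow-up, and `assert.deepEqual(err.errno, 183)` in the third test is inconsistent with the `assert.equal` used for the same check in the second.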
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -1004,6 +1004,25 @@ two_step_auth_phone_code: | |
data_sensitivity: | ||
- interaction | ||
|
||
two_step_auth_remove: | ||
success: | ||
type: event | ||
description: | | ||
Event that indicates the user successfully remove two-step authentication | ||
lifetime: ping | ||
send_in_pings: | ||
- events | ||
notification_emails: | ||
- [email protected] | ||
- [email protected] | ||
bugs: | ||
- https://mozilla-hub.atlassian.net/browse/FXA-10360 | ||
data_reviews: | ||
- https://bugzilla.mozilla.org/show_bug.cgi?id=1830504 | ||
expires: never | ||
data_sensitivity: | ||
- interaction | ||
|
||
inactive_account_deletion: | ||
status_checked: | ||
type: event | ||
|
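Review bot: The `description` for `two_step_auth_remove.success` reads "Event that indicates the user successfully remove two-step authentication", which is ungrammatical for a completed action; `Event that indicates the user successfully removed two-step authentication` reads correctly. The remaining fields (`lifetime`, `send_in_pings`, `expires`, `data_sensitivity`) follow the same shape as the neighbouring `two_step_auth_phone_code` entry, so nothing else in this block stands out.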