1 change: 1 addition & 0 deletions app/controllers/users/backup_code_setup_controller.rb
Expand Up @@ -112,6 +112,7 @@ def user_opted_remember_device_cookie
end

def mark_user_as_fully_authenticated
user_session[:auth_method] = TwoFactorAuthenticatable::AuthMethod::BACKUP_CODE
user_session[TwoFactorAuthenticatable::NEED_AUTHENTICATION] = false
user_session[:authn_at] = Time.zone.now
end
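Review bot: mark_user_as_fully_authenticated here is now one of three near-identical private methods that differ only in the AuthMethod constant stored in user_session[:auth_method]; the PIV/CAC controller section that follows and webauthn_setup_controller.rb carry the same NEED_AUTHENTICATION and authn_at assignments. A single shared helper taking the method as an argument, e.g. `def mark_user_as_fully_authenticated(auth_method)` in a module these setup controllers include, would keep the session-flag handling in one place so a later change to which keys mark a session as fully authenticated cannot drift between controllers. The method would also benefit from a one-line comment such as `# Marks the current session as fully authenticated with the MFA method just configured.`, since its name does not say which session keys it writes.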
Expand Up @@ -118,6 +118,7 @@ def user_piv_cac_form
end

def process_valid_submission
mark_user_as_fully_authenticated
flash[:success] = t('notices.piv_cac_configured')
save_piv_cac_information(
subject: user_piv_cac_form.x509_dn,
Expand All @@ -131,6 +132,13 @@ def process_valid_submission
redirect_to next_setup_path || final_path
end

def mark_user_as_fully_authenticated
user_session[:auth_method] = TwoFactorAuthenticatable::AuthMethod::PIV_CAC

user_session[TwoFactorAuthenticatable::NEED_AUTHENTICATION] = false
user_session[:authn_at] = Time.zone.now
end

def track_mfa_method_added
mfa_user = MfaContext.new(current_user)
analytics.multi_factor_auth_added_piv_cac(
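Review bot: In process_valid_submission the new mark_user_as_fully_authenticated call runs before save_piv_cac_information, so the session is flagged as fully authenticated with PIV_CAC before the credential has been persisted; if save_piv_cac_information can fail without raising (its body is not in this hunk), the user is left with a fully authenticated session and no PIV/CAC configured. Moving the call after the save, or directly before `redirect_to next_setup_path || final_path`, keeps the session state tied to a successfully stored credential. The file header for this section is missing from the page and the middle of process_valid_submission falls between the two hunks, so the path and the remaining body are inferred. The blank line after the auth_method assignment in the new method is also inconsistent with the backup-code version, which has none.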
11 changes: 8 additions & 3 deletions app/controllers/users/webauthn_setup_controller.rb
Expand Up @@ -162,7 +162,7 @@ def process_valid_webauthn(form)
platform_authenticator: form.platform_authenticator?,
enabled_mfa_methods_count: mfa_user.enabled_mfa_methods_count,
)
mark_user_as_fully_authenticated
mark_user_as_fully_authenticated(form)
handle_remember_device
if form.platform_authenticator?
Funnel::Registration::AddMfa.call(current_user.id, 'webauthn_platform', analytics)
Expand All @@ -171,7 +171,6 @@ def process_valid_webauthn(form)
Funnel::Registration::AddMfa.call(current_user.id, 'webauthn', analytics)
flash[:success] = t('notices.webauthn_configured')
end
user_session[:auth_method] = 'webauthn'
redirect_to next_setup_path || after_mfa_setup_path
end

Expand Down Expand Up @@ -202,7 +201,13 @@ def process_invalid_webauthn(form)
render :new
end

def mark_user_as_fully_authenticated
def mark_user_as_fully_authenticated(form)
if form.platform_authenticator?
user_session[:auth_method] = TwoFactorAuthenticatable::AuthMethod::WEBAUTHN_PLATFORM
else
user_session[:auth_method] = TwoFactorAuthenticatable::AuthMethod::WEBAUTHN
end

user_session[TwoFactorAuthenticatable::NEED_AUTHENTICATION] = false
user_session[:authn_at] = Time.zone.now
end
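Review bot: The if/else in the new mark_user_as_fully_authenticated(form) exists only to choose a constant, and form.platform_authenticator? is already evaluated in process_valid_webauthn for the flash and funnel branch; a single conditional assignment reads more directly: `auth_method = form.platform_authenticator? ? TwoFactorAuthenticatable::AuthMethod::WEBAUTHN_PLATFORM : TwoFactorAuthenticatable::AuthMethod::WEBAUTHN` followed by `user_session[:auth_method] = auth_method`. Because the hunk also drops the later `user_session[:auth_method] = 'webauthn'` string assignment, a short comment on the method stating that it records which WebAuthn variant authenticated this session, platform and roaming authenticators being tracked as distinct methods, would tell the next reader why the form argument was introduced. process_valid_webauthn continues outside the hunk.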
22 changes: 22 additions & 0 deletions spec/features/users/sign_up_spec.rb
Expand Up @@ -245,6 +245,18 @@ def clipboard_text
expect(page).to have_current_path account_path
end

it 'allows a user to sign up with PIV/CAC and only verifying once when HSPD12 is requested' do
visit_idp_from_oidc_sp_with_hspd12_and_require_piv_cac
sign_up_and_set_password
set_up_2fa_with_piv_cac
skip_second_mfa_prompt
click_agree_and_continue

redirect_uri = URI(current_url)

expect(redirect_uri.to_s).to start_with('http://localhost:7654/auth/result')
end

it 'does not allow PIV/CAC during setup on mobile' do
allow(BrowserCache).to receive(:parse).and_return(mobile_device)

Expand Down Expand Up @@ -363,4 +375,14 @@ def clipboard_text
select_2fa_option('piv_cac')
expect(page).to_not have_content(t('two_factor_authentication.piv_cac_fallback.question'))
end

it 'allows a user to sign up with backup codes and add methods after without reauthentication' do
sign_in_user
set_up_2fa_with_backup_codes
skip_second_mfa_prompt

expect(page).to have_current_path account_path
visit add_phone_path
expect(page).to have_current_path add_phone_path
end
end
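Review bot: The new backup-code example only checks that visiting add_phone_path does not redirect, which exercises the NEED_AUTHENTICATION flag but not the auth_method value that the controller change introduces; a controller-level assertion that user_session[:auth_method] equals TwoFactorAuthenticatable::AuthMethod::BACKUP_CODE after setup would pin that part of the change. Its description says the user signs up, yet the body starts with sign_in_user while the PIV/CAC example above uses sign_up_and_set_password, so either the name or the setup helper appears out of step. The HSPD12 example asserts only that the redirect URI starts with the result path; if the flow is meant to complete without a second verification, also asserting that the page did not pass through a second PIV/CAC prompt would make the "only verifying once" claim in the title checkable. The enclosing describe block starts outside this section.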
8 changes: 8 additions & 0 deletions spec/support/features/session_helper.rb
Expand Up @@ -567,6 +567,14 @@ def set_up_2fa_with_authenticator_app
click_button 'Submit'
end

def set_up_2fa_with_backup_codes
select_2fa_option('backup_code')

expect(page).to have_current_path backup_code_setup_path

click_button 'Continue'
end

def register_user_with_piv_cac(email = 'test@test.com')
confirm_email_and_password(email)
expect(page).to have_current_path authentication_methods_setup_path