2FA controller cleanup (#2296)

* Add spec coverage for settings/two_factor_auth area * extract setup method for qr code * Move otp required check to before action * Merge method only used once * Remove duplicate view * Consolidate creation of @codes for backup * Move settings/2fq#recovery_codes to settings/recovery_codes#create * Rename settings/two_factor_auth#disable to #destroy * Add coverage for the otp required path on 2fa#show * Clean up the recovery codes list styles * Move settings/two_factor_auth to settings/two_factor_authentication * Reorganize the settings two factor auth area Updated to use a flow like: - settings/two_factor_authentication goes to a #show view which has a button either enable or disable 2fa on the account - the disable button turns off the otp requirement for the user - the enable button cycles the user secret and redirects to a confirmation page - the confirmation page is a #new view which shows the QR code for user - that page posts to #create which verifies the code, and creates the recovery codes - that create action shares a view with a recovery codes controller which can be used separately to reset codes if needed
2017-04-21 22:23:17 -04:00 · 2017-04-21 22:23:17 -04:00 · 67dea31b0f
commit 67dea31b0f
parent 6af21daac9
38 changed files with 333 additions and 150 deletions
--- a/spec/controllers/settings/two_factor_authentications_controller_spec.rb
+++ b/spec/controllers/settings/two_factor_authentications_controller_spec.rb
@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe Settings::TwoFactorAuthenticationsController do
+  render_views
+
+  let(:user) { Fabricate(:user) }
+  before do
+    sign_in user, scope: :user
+  end
+
+  describe 'GET #show' do
+    describe 'when user requires otp for login already' do
+      it 'returns http success' do
+        user.update(otp_required_for_login: true)
+        get :show
+
+        expect(response).to have_http_status(:success)
+      end
+    end
+
+    describe 'when user does not require otp for login' do
+      it 'returns http success' do
+        user.update(otp_required_for_login: false)
+        get :show
+
+        expect(response).to have_http_status(:success)
+      end
+    end
+  end
+
+  describe 'POST #create' do
+    describe 'when user requires otp for login already' do
+      it 'redirects to show page' do
+        user.update(otp_required_for_login: true)
+        post :create
+
+        expect(response).to redirect_to(settings_two_factor_authentication_path)
+      end
+    end
+
+    describe 'when creation succeeds' do
+      it 'updates user secret' do
+        before = user.otp_secret
+        post :create
+
+        expect(user.reload.otp_secret).not_to eq(before)
+        expect(response).to redirect_to(new_settings_two_factor_authentication_confirmation_path)
+      end
+    end
+  end
+
+  describe 'POST #destroy' do
+    before do
+      user.update(otp_required_for_login: true)
+    end
+    it 'turns off otp requirement' do
+      post :destroy
+
+      expect(response).to redirect_to(settings_two_factor_authentication_path)
+      user.reload
+      expect(user.otp_required_for_login).to eq(false)
+    end
+  end
+end