|
- # Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/
- require 'rails_helper'
- require 'system/examples/security_keys_setup_examples'
- require 'system/examples/authenticator_app_setup_examples'
- RSpec.describe 'Profile > Password', authenticated_as: :user, type: :system do
- let(:user) { create(:customer, :with_valid_password) }
- describe 'visibility' do
- it 'not available if both two factor and password changing disabled' do
- password_and_authenticate(password: false, two_factor: false)
- visit 'profile/'
- expect(page).to have_no_text('Password & Authentication')
- end
- it 'shows only password changing form if two factor disabled' do
- password_and_authenticate(password: true, two_factor: false)
- visit 'profile/password'
- expect(page)
- .to have_text('Change Your Password')
- .and have_no_text('Two-factor Authentication')
- end
- it 'shows only two factor if password changing disabled' do
- password_and_authenticate(password: false, two_factor: true)
- visit 'profile/password'
- expect(page)
- .to have_no_text('Change Your Password')
- .and have_text('Two-factor Authentication')
- end
- it 'shows two factor if another two factor method enabled' do
- password_and_authenticate(password: false, two_factor: false, alternative_two_factor: true)
- visit 'profile/password'
- expect(page)
- .to have_no_text('Change Your Password')
- .and have_text('Two-factor Authentication')
- end
- context 'when user has no two factor permission' do
- before do
- user.roles.each { |role| role.permission_revoke('user_preferences.two_factor_authentication') }
- end
- it 'not available if only two factor is enabled' do
- password_and_authenticate(password: false, two_factor: true)
- visit 'profile/'
- expect(page).to have_no_text('Password & Authentication')
- end
- it 'shows only password changing form even if two factor enabled' do
- password_and_authenticate(password: true, two_factor: true)
- visit 'profile/password'
- expect(page)
- .to have_text('Change Your Password')
- .and have_no_text('Two-factor Authentication')
- end
- end
- def password_and_authenticate(password:, two_factor:, alternative_two_factor: false)
- Setting.set('two_factor_authentication_method_authenticator_app', two_factor)
- Setting.set('two_factor_authentication_method_security_keys', alternative_two_factor)
- Setting.set('two_factor_authentication_enforce_role_ids', [])
- Setting.set('user_show_password_login', password)
- end
- end
- context 'when changing password' do
- before do
- visit 'profile/password'
- end
- it 'when current password is wrong, show error' do
- fill_in 'password_old', with: 'nonexisting'
- fill_in 'password_new', with: 'some'
- fill_in 'password_new_confirm', with: 'some'
- click '.btn--primary'
- expect(page).to have_text 'The current password you provided is incorrect.'
- end
- it 'when new passwords do not match, show error' do
- fill_in 'password_old', with: user.password_plain
- fill_in 'password_new', with: 'some'
- fill_in 'password_new_confirm', with: 'some2'
- click '.btn--primary'
- expect(page).to have_text 'passwords do not match'
- end
- it 'when new password is invalid, show error' do
- fill_in 'password_old', with: user.password_plain
- fill_in 'password_new', with: 'some'
- fill_in 'password_new_confirm', with: 'some'
- click '.btn--primary'
- expect(page).to have_text 'Invalid password'
- end
- it 'allows to change password' do
- new_password = generate(:password_valid)
- fill_in 'password_old', with: user.password_plain
- fill_in 'password_new', with: new_password
- fill_in 'password_new_confirm', with: new_password
- click '.btn--primary'
- expect(page).to have_text 'Password changed successfully!'
- end
- end
- context 'when managing two factor authentication' do
- before do
- Setting.set('two_factor_authentication_method_authenticator_app', true)
- Setting.set('two_factor_authentication_recovery_codes', false)
- Setting.set('two_factor_authentication_enforce_role_ids', [])
- end
- context 'without a configured method' do
- before do
- visit 'profile/password'
- end
- it 'shows available method' do
- expect(page).to have_text('Authenticator App')
- end
- it 'allows to setup two factor authentication' do
- within('tr[data-two-factor-key="authenticator_app"]') do
- expect(page).to have_css('.icon.icon-small-dot')
- click '.js-action'
- find('a', text: 'Set Up').click
- end
- setup_authenticator_app_method(user: user, password_check: user.password_plain)
- within('tr[data-two-factor-key="authenticator_app"]') do
- expect(page).to have_css('.icon.icon-checkmark')
- expect(page).to have_text('Default')
- end
- end
- it 'does not show recovery codes button' do
- expect(page).to have_no_text('recovery codes')
- end
- end
- context 'with a configured method' do
- let(:recovery_codes_enabled) { true }
- before do
- Setting.set('two_factor_authentication_recovery_codes', recovery_codes_enabled)
- create(:user_two_factor_preference, :authenticator_app, user: user)
- visit 'profile/password'
- end
- it 'shows configured method as ready' do
- within('tr[data-two-factor-key="authenticator_app"]') do
- expect(page).to have_css('.icon.icon-checkmark')
- expect(page).to have_text('Default')
- end
- end
- it 'allows to remove an existing two factor authentication' do
- within('tr[data-two-factor-key="authenticator_app"]') do
- click '.js-action'
- find('a', text: 'Remove').click
- end
- in_modal do
- fill_in 'Password', with: user.password_plain
- click_on 'Remove'
- end
- within('tr[data-two-factor-key="authenticator_app"]') do
- expect(page).to have_css('.icon.icon-small-dot')
- end
- end
- it 'allows to regenerate recovery codes' do
- click '.js-generate-recovery-codes'
- in_modal do
- expect(page).to have_text('Generate recovery codes: Confirm Password')
- fill_in 'Password', with: user.password_plain
- click_on 'Next'
- end
- in_modal do
- expect(page).to have_text('Generate recovery codes: Save Codes')
- stored_codes_amount = user.two_factor_preferences.recovery_codes.configuration[:codes].count
- displayed_codes_amount = find('.two-factor-auth code').text.tr("\n", ' ').split.count
- expect(stored_codes_amount).to eq(displayed_codes_amount)
- expect(page).to have_button("OK, I've saved my recovery codes")
- end
- end
- context 'when recovery codes disabled' do
- let(:recovery_codes_enabled) { false }
- it 'does not show recovery codes button if recovery codes disabled' do
- expect(page).to have_no_text('recovery codes')
- end
- end
- context 'with security keys method' do
- before do
- within('tr[data-two-factor-key="security_keys"]') do
- click '.js-action'
- find('a', text: 'Set Up').click
- end
- end
- include_examples 'security keys setup' do
- let(:current_user) { user }
- end
- end
- end
- end
- end
|