SMusatov
/
zammad
mirror of https://github.com/zammad/zammad.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165
							# Copyright (C) 2012-2024 Zammad Foundation, https://zammad-foundation.org/

require 'rails_helper'

RSpec.describe 'Login', authenticated_as: false, type: :system do
  context 'with standard authentication' do
    before do
      visit '/'
    end

    it 'fqdn is visible on login page' do
      expect(page).to have_css('.login p', text: Setting.get('fqdn'))
    end

    it 'Login with wrong credentials' do
      within('#login') do
        fill_in 'username', with: 'admin@example.com'
        fill_in 'password', with: 'wrong'

        click_on('Sign in')
      end

      expect(page).to have_css('#login .alert')
    end
  end

  context 'with enabled two factor authentication' do
    let(:user) { User.find_by(login: 'admin@example.com') }

    before do
      Setting.set('two_factor_authentication_method_security_keys', true)
      Setting.set('two_factor_authentication_method_authenticator_app', true)
    end

    context 'with security keys method' do
      before do
        skip('Mocking of Web Authentication API is currently supported only in Chrome.') if Capybara.current_driver != :zammad_chrome

        stub_const('Auth::BRUTE_FORCE_SLEEP', 0)
        visit '/'

        # We can only mock the security key within the loaded app.
        two_factor_pref

        refresh

        within('#login') do
          fill_in 'username', with: 'admin@example.com'
          fill_in 'password', with: 'test'

          click_on('Sign in')
        end
      end

      context 'with the configured security key present' do
        let(:two_factor_pref) { create(:user_two_factor_preference, :mocked_security_keys, user: user, page: page) }

        it 'signs in with the correct security key present' do
          expect(page).to have_no_selector('#login')
        end
      end

      context 'with the incorrect security key present' do
        let(:two_factor_pref) { create(:user_two_factor_preference, :mocked_security_keys, user: user, page: page, wrong_key: true) }

        it 'shows error and retry button' do
          expect(page).to have_css('#login .alert')
          expect(page).to have_css('.js-retry')
        end
      end
    end

    context 'with authenticator app method' do
      let(:token)            { two_factor_pref.configuration[:code] }
      let!(:two_factor_pref) { create(:user_two_factor_preference, :authenticator_app, user: user) }

      before do
        stub_const('Auth::BRUTE_FORCE_SLEEP', 0)
        visit '/'

        within('#login') do
          fill_in 'username', with: 'admin@example.com'
          fill_in 'password', with: 'test'

          click_on('Sign in')
        end
      end

      it 'login with correct payload' do
        within('#login') do
          fill_in 'security_code', with: token

          click_on('Sign in')
        end

        expect(page).to have_no_selector('#login')
      end

      it 'login with wrong payload' do
        within('#login') do
          fill_in 'security_code', with: 'asd'

          click_on('Sign in')
        end

        expect(page).to have_css('#login .alert')
      end
    end

    context 'with recovery code' do
      let(:token)           { 'token' }
      let(:two_factor_pref) { create(:user_two_factor_preference, :authenticator_app, user: user) }
      let(:recovery_2fa)    { create(:user_two_factor_preference, :recovery_codes, recovery_code: token, user: user) }

      before do
        two_factor_pref && recovery_2fa
        Setting.set('two_factor_authentication_recovery_codes', recovery_codes_enabled)

        visit '/'

        within('#login') do
          fill_in 'username', with: 'admin@example.com'
          fill_in 'password', with: 'test'

          click_on('Sign in')
        end
      end

      context 'when recovery code is enabled' do
        let(:recovery_codes_enabled) { true }

        before do
          click_on 'Try another method'
          click_on 'recovery codes'
        end

        it 'login with correct payload' do
          within('#login') do
            fill_in 'security_code', with: token
            click_on('Sign in')
          end

          expect(page).to have_no_selector('#login')
        end

        it 'login with wrong payload' do
          within('#login') do
            fill_in 'security_code', with: 'wrong token'
            click_on('Sign in')
          end

          expect(page).to have_css('#login .alert')
        end
      end

      context 'when recovery code is disabled' do
        let(:recovery_codes_enabled) { false }

        it 'recovery code link is hidden' do
          expect(page).to have_no_text 'Try another method'
        end
      end
    end
  end
end