Headline
CVE-2019-1020017: SECURITY: Add confirmation screen when logging in via user-api OTP · discourse/discourse@e6e47f2
Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via a user-api OTP.
@@ -1369,9 +1369,40 @@ def post_login get “/session/otp/asd1231dasd123”
expect(response.status).to eq(404)
post “/session/otp/asd1231dasd123”
expect(response.status).to eq(404) end
context ‘when token is valid’ do it “should display the form for GET” do token = SecureRandom.hex $redis.setex "otp_#{token}", 10.minutes, user.username
get “/session/otp/#{token}”
expect(response.status).to eq(200) expect(response.body).to include( I18n.t("user_api_key.otp_confirmation.logging_in_as", username: user.username) ) expect($redis.get(“otp_#{token}”)).to eq(user.username)
expect(session[:current_user_id]).to eq(nil) end
it “should redirect on GET if already logged in” do sign_in(user) token = SecureRandom.hex $redis.setex "otp_#{token}", 10.minutes, user.username
get “/session/otp/#{token}” expect(response.status).to eq(302)
expect($redis.get(“otp_#{token}”)).to eq(nil) expect(session[:current_user_id]).to eq(user.id) end
it ‘should authenticate user and delete token’ do user = Fabricate(:user)
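Review bot: The "should display the form for GET" case checks that the token survives the GET and that no session is created, but nothing in this hunk verifies that the confirmation POST is protected against request forgery, which is the property the new screen exists to provide; without that check a cross-site auto-submitted form would bypass the confirmation step unnoticed by the spec. Consider adding a case that POSTs to the token URL with forgery protection enabled and no valid authenticity token and expects the login not to happen (token still present in redis, `session[:current_user_id]` nil). Minor style point: the nil assertions read more idiomatically as `expect(session[:current_user_id]).to be_nil` and `expect($redis.get("otp_#{token}")).to be_nil`. The `should authenticate user and delete token` example that opens on the last line of the hunk continues outside it.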
@@ -1381,7 +1412,7 @@ def post_login token = SecureRandom.hex $redis.setex "otp_#{token}", 10.minutes, user.username
get “/session/otp/#{token}” post “/session/otp/#{token}”
expect(response.status).to eq(302) expect(response).to redirect_to(“/”)