diff --git a/Dockerfile b/Dockerfile index d76207d..bc906e3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM registry.ely.by/elyby/accounts-php:1.2.0 +FROM registry.ely.by/elyby/accounts-php:1.3.0 # Вносим конфигурации для крона и воркеров COPY docker/cron/* /etc/cron.d/ diff --git a/Dockerfile-dev b/Dockerfile-dev index ef963fb..2f82da8 100644 --- a/Dockerfile-dev +++ b/Dockerfile-dev @@ -1,4 +1,4 @@ -FROM registry.ely.by/elyby/accounts-php:1.2.0-dev +FROM registry.ely.by/elyby/accounts-php:1.3.0-dev # Вносим конфигурации для крона и воркеров COPY docker/cron/* /etc/cron.d/ diff --git a/api/config/routes.php b/api/config/routes.php index ca7ede9..c973f56 100644 --- a/api/config/routes.php +++ b/api/config/routes.php @@ -7,6 +7,9 @@ return [ '/accounts/change-email/submit-new-email' => 'accounts/change-email-submit-new-email', '/accounts/change-email/confirm-new-email' => 'accounts/change-email-confirm-new-email', + 'POST /two-factor-auth' => 'two-factor-auth/activate', + 'DELETE /two-factor-auth' => 'two-factor-auth/disable', + '/oauth2/v1/' => 'oauth/', '/account/v1/info' => 'identity-info/index', diff --git a/api/controllers/AccountsController.php b/api/controllers/AccountsController.php index cec7384..ec3fdba 100644 --- a/api/controllers/AccountsController.php +++ b/api/controllers/AccountsController.php @@ -69,6 +69,7 @@ class AccountsController extends Controller { 'passwordChangedAt' => $account->password_changed_at, 'hasMojangUsernameCollision' => $account->hasMojangUsernameCollision(), 'shouldAcceptRules' => !$account->isAgreedWithActualRules(), + 'isOtpEnabled' => (bool)$account->is_otp_enabled, ]; } diff --git a/api/controllers/TwoFactorAuthController.php b/api/controllers/TwoFactorAuthController.php new file mode 100644 index 0000000..6b3b925 --- /dev/null +++ b/api/controllers/TwoFactorAuthController.php @@ -0,0 +1,75 @@ + [ + 'class' => AccessControl::class, + 'rules' => [ + [ + 'allow' => true, + 'class' => ActiveUserRule::class, + ], + ], + ], + ]); + } + + public function verbs() { + return [ + 'credentials' => ['GET'], + 'activate' => ['POST'], + 'disable' => ['DELETE'], + ]; + } + + public function actionCredentials() { + $account = Yii::$app->user->identity; + $model = new TwoFactorAuthForm($account); + + return $model->getCredentials(); + } + + public function actionActivate() { + $account = Yii::$app->user->identity; + $model = new TwoFactorAuthForm($account, ['scenario' => TwoFactorAuthForm::SCENARIO_ACTIVATE]); + $model->load(Yii::$app->request->post()); + if (!$model->activate()) { + return [ + 'success' => false, + 'errors' => $model->getFirstErrors(), + ]; + } + + return [ + 'success' => true, + ]; + } + + public function actionDisable() { + $account = Yii::$app->user->identity; + $model = new TwoFactorAuthForm($account, ['scenario' => TwoFactorAuthForm::SCENARIO_DISABLE]); + $model->load(Yii::$app->request->getBodyParams()); + if (!$model->disable()) { + return [ + 'success' => false, + 'errors' => $model->getFirstErrors(), + ]; + } + + return [ + 'success' => true, + ]; + } + +} diff --git a/api/models/authentication/ForgotPasswordForm.php b/api/models/authentication/ForgotPasswordForm.php index 23b302a..a947f82 100644 --- a/api/models/authentication/ForgotPasswordForm.php +++ b/api/models/authentication/ForgotPasswordForm.php @@ -2,6 +2,7 @@ namespace api\models\authentication; use api\models\base\ApiForm; +use api\validators\TotpValidator; use common\helpers\Error as E; use api\traits\AccountFinder; use common\components\UserFriendlyRandomKey; @@ -16,11 +17,16 @@ class ForgotPasswordForm extends ApiForm { use AccountFinder; public $login; + public $token; public function rules() { return [ ['login', 'required', 'message' => E::LOGIN_REQUIRED], ['login', 'validateLogin'], + ['token', 'required', 'when' => function(self $model) { + return !$this->hasErrors() && $model->getAccount()->is_otp_enabled; + }, 'message' => E::OTP_TOKEN_REQUIRED], + ['token', 'validateTotpToken'], ['login', 'validateActivity'], ['login', 'validateFrequency'], ]; @@ -34,6 +40,20 @@ class ForgotPasswordForm extends ApiForm { } } + public function validateTotpToken($attribute) { + if ($this->hasErrors()) { + return; + } + + $account = $this->getAccount(); + if (!$account->is_otp_enabled) { + return; + } + + $validator = new TotpValidator(['account' => $account]); + $validator->validateAttribute($this, $attribute); + } + public function validateActivity($attribute) { if (!$this->hasErrors()) { $account = $this->getAccount(); diff --git a/api/models/authentication/LoginForm.php b/api/models/authentication/LoginForm.php index c1ad5e6..044c4ee 100644 --- a/api/models/authentication/LoginForm.php +++ b/api/models/authentication/LoginForm.php @@ -3,6 +3,7 @@ namespace api\models\authentication; use api\models\AccountIdentity; use api\models\base\ApiForm; +use api\validators\TotpValidator; use common\helpers\Error as E; use api\traits\AccountFinder; use common\models\Account; @@ -16,6 +17,7 @@ class LoginForm extends ApiForm { public $login; public $password; + public $token; public $rememberMe = false; public function rules() { @@ -28,6 +30,11 @@ class LoginForm extends ApiForm { }, 'message' => E::PASSWORD_REQUIRED], ['password', 'validatePassword'], + ['token', 'required', 'when' => function(self $model) { + return !$model->hasErrors() && $model->getAccount()->is_otp_enabled; + }, 'message' => E::OTP_TOKEN_REQUIRED], + ['token', 'validateTotpToken'], + ['login', 'validateActivity'], ['rememberMe', 'boolean'], @@ -51,6 +58,20 @@ class LoginForm extends ApiForm { } } + public function validateTotpToken($attribute) { + if ($this->hasErrors()) { + return; + } + + $account = $this->getAccount(); + if (!$account->is_otp_enabled) { + return; + } + + $validator = new TotpValidator(['account' => $account]); + $validator->validateAttribute($this, $attribute); + } + public function validateActivity($attribute) { if (!$this->hasErrors()) { $account = $this->getAccount(); diff --git a/api/models/profile/TwoFactorAuthForm.php b/api/models/profile/TwoFactorAuthForm.php new file mode 100644 index 0000000..907e686 --- /dev/null +++ b/api/models/profile/TwoFactorAuthForm.php @@ -0,0 +1,138 @@ +account = $account; + parent::__construct($config); + } + + public function rules() { + $bothScenarios = [self::SCENARIO_ACTIVATE, self::SCENARIO_DISABLE]; + return [ + ['account', 'validateOtpDisabled', 'on' => self::SCENARIO_ACTIVATE], + ['account', 'validateOtpEnabled', 'on' => self::SCENARIO_DISABLE], + ['token', 'required', 'message' => E::OTP_TOKEN_REQUIRED, 'on' => $bothScenarios], + ['token', TotpValidator::class, 'account' => $this->account, 'window' => 30, 'on' => $bothScenarios], + ['password', PasswordRequiredValidator::class, 'account' => $this->account, 'on' => $bothScenarios], + ]; + } + + public function getCredentials(): array { + if (empty($this->account->otp_secret)) { + $this->setOtpSecret(); + } + + $provisioningUri = $this->getTotp()->getProvisioningUri(); + + return [ + 'qr' => base64_encode($this->drawQrCode($provisioningUri)), + 'uri' => $provisioningUri, + 'secret' => $this->account->otp_secret, + ]; + } + + public function activate(): bool { + if ($this->scenario !== self::SCENARIO_ACTIVATE || !$this->validate()) { + return false; + } + + $account = $this->account; + $account->is_otp_enabled = true; + if (!$account->save()) { + throw new ErrorException('Cannot enable otp for account'); + } + + return true; + } + + public function disable(): bool { + if ($this->scenario !== self::SCENARIO_DISABLE || !$this->validate()) { + return false; + } + + $account = $this->account; + $account->is_otp_enabled = false; + $account->otp_secret = null; + if (!$account->save()) { + throw new ErrorException('Cannot disable otp for account'); + } + + return true; + } + + public function validateOtpDisabled($attribute) { + if ($this->account->is_otp_enabled) { + $this->addError($attribute, E::OTP_ALREADY_ENABLED); + } + } + + public function validateOtpEnabled($attribute) { + if (!$this->account->is_otp_enabled) { + $this->addError($attribute, E::OTP_NOT_ENABLED); + } + } + + public function getAccount(): Account { + return $this->account; + } + + /** + * @return TOTP + */ + public function getTotp(): TOTP { + $totp = new TOTP($this->account->email, $this->account->otp_secret); + $totp->setIssuer('Ely.by'); + + return $totp; + } + + public function drawQrCode(string $content): string { + $renderer = new Svg(); + $renderer->setHeight(256); + $renderer->setWidth(256); + $renderer->setForegroundColor(new Rgb(32, 126, 92)); + $renderer->setMargin(0); + $renderer->addDecorator(new ElyDecorator()); + + $writer = new Writer($renderer); + + return $writer->writeString($content, Encoder::DEFAULT_BYTE_MODE_ECODING, ErrorCorrectionLevel::H); + } + + protected function setOtpSecret(): void { + $this->account->otp_secret = trim(Base32::encode(random_bytes(32)), '='); + if (!$this->account->save()) { + throw new ErrorException('Cannot set account otp_secret'); + } + } + +} diff --git a/api/validators/TotpValidator.php b/api/validators/TotpValidator.php new file mode 100644 index 0000000..dac0c17 --- /dev/null +++ b/api/validators/TotpValidator.php @@ -0,0 +1,51 @@ +account === null) { + $this->account = Yii::$app->user->identity; + } + + if (!$this->account instanceof Account) { + throw new InvalidConfigException('account should be instance of ' . Account::class); + } + + if (empty($this->account->otp_secret)) { + throw new InvalidConfigException('account should have not empty otp_secret'); + } + } + + protected function validateValue($value) { + $totp = new TOTP(null, $this->account->otp_secret); + if (!$totp->verify((string)$value, null, $this->window)) { + return [E::OTP_TOKEN_INCORRECT, []]; + } + + return null; + } + +} diff --git a/common/components/Qr/ElyDecorator.php b/common/components/Qr/ElyDecorator.php new file mode 100644 index 0000000..6ce2f47 --- /dev/null +++ b/common/components/Qr/ElyDecorator.php @@ -0,0 +1,116 @@ + 7, + ErrorCorrectionLevel::M => 15, + ErrorCorrectionLevel::Q => 25, + ErrorCorrectionLevel::H => 30, + ]; + + public function preProcess( + QrCode $qrCode, + RendererInterface $renderer, + $outputWidth, + $outputHeight, + $leftPadding, + $topPadding, + $multiple + ) { + if (!$renderer instanceof Svg) { + throw new InvalidArgumentException('$renderer must by instance of ' . Svg::class); + } + + $correctionLevel = self::CORRECTION_MAP[$qrCode->getErrorCorrectionLevel()->get()]; + $sizeMultiplier = $correctionLevel + floor($correctionLevel / 3); + $count = $qrCode->getMatrix()->getWidth(); + + $countToRemoveX = floor($count * $sizeMultiplier / 100); + $countToRemoveY = floor($count * $sizeMultiplier / 100); + + $startX = $leftPadding + round(($count - $countToRemoveX) / 2 * $multiple); + $startY = $topPadding + round(($count - $countToRemoveY) / 2 * $multiple); + $width = $countToRemoveX * $multiple; + $height = $countToRemoveY * $multiple; + + $reflection = new ReflectionClass($renderer); + $property = $reflection->getProperty('svg'); + $property->setAccessible(true); + /** @var \SimpleXMLElement $svg */ + $svg = $property->getValue($renderer); + + $image = $svg->addChild('image'); + $image->addAttribute('x', $startX); + $image->addAttribute('y', $startY); + $image->addAttribute('width', $width); + $image->addAttribute('height', $height); + $image->addAttribute('xlink:href', $this->encodeSvgToBase64(self::LOGO)); + + $logo = new Imagick(); + $logo->readImage(self::LOGO); + $logo->scaleImage($width, $height); + + $foundedPixels = []; + foreach ($logo->getPixelIterator() as $row => $pixels) { + /** @var \ImagickPixel[] $pixels */ + foreach ($pixels as $column => $pixel) { + $color = $pixel->getColorAsString(); + if ($color !== 'srgb(255,255,255)') { + $foundedPixels[] = [(int)($startX + $column), (int)($startY + $row)]; + } + } + } + + $logo->clear(); + $logo->destroy(); + + $padding = $multiple - 2; + if ($padding < 0) { + $padding = 1; + } + + foreach ($foundedPixels as $coordinates) { + [$x, $y] = $coordinates; + $x -= $leftPadding; + $y -= $topPadding; + + for ($i = $x - $padding; $i <= $x + $padding; $i++) { + for ($j = $y - $padding; $j <= $y + $padding; $j++) { + $matrixX = floor($i / $multiple); + $matrixY = floor($j / $multiple); + $qrCode->getMatrix()->set($matrixX, $matrixY, 0); + } + } + } + } + + public function postProcess( + QrCode $qrCode, + RendererInterface $renderer, + $outputWidth, + $outputHeight, + $leftPadding, + $topPadding, + $multiple + ) { + + } + + private function encodeSvgToBase64(string $filePath): string { + return 'data:image/svg+xml;base64,' . base64_encode(file_get_contents($filePath)); + } + +} diff --git a/common/components/Qr/resources/logo.svg b/common/components/Qr/resources/logo.svg new file mode 100644 index 0000000..9251067 --- /dev/null +++ b/common/components/Qr/resources/logo.svg @@ -0,0 +1,6 @@ + + + + + + diff --git a/common/helpers/Error.php b/common/helpers/Error.php index 664daa7..3baa1b8 100644 --- a/common/helpers/Error.php +++ b/common/helpers/Error.php @@ -54,4 +54,9 @@ final class Error { const SUBJECT_REQUIRED = 'error.subject_required'; const MESSAGE_REQUIRED = 'error.message_required'; + const OTP_TOKEN_REQUIRED = 'error.token_required'; + const OTP_TOKEN_INCORRECT = 'error.token_incorrect'; + const OTP_ALREADY_ENABLED = 'error.otp_already_enabled'; + const OTP_NOT_ENABLED = 'error.otp_not_enabled'; + } diff --git a/common/models/Account.php b/common/models/Account.php index ba346da..4d67f1c 100644 --- a/common/models/Account.php +++ b/common/models/Account.php @@ -20,6 +20,8 @@ use const common\LATEST_RULES_VERSION; * @property integer $status * @property integer $rules_agreement_version * @property string $registration_ip + * @property string $otp_secret + * @property integer $is_otp_enabled * @property integer $created_at * @property integer $updated_at * @property integer $password_changed_at diff --git a/composer.json b/composer.json index 2734f1e..759a408 100644 --- a/composer.json +++ b/composer.json @@ -28,7 +28,9 @@ "ely/email-renderer": "dev-master#ef1cb3f7a13196524b97ca5aa0a2d5867f2d9207", "predis/predis": "^1.0", "mito/yii2-sentry": "dev-fix_init#27f00805cb906f73b2c6f8181c1c655decb9be70", - "minime/annotations": "~3.0" + "minime/annotations": "~3.0", + "spomky-labs/otphp": "^8.3", + "bacon/bacon-qr-code": "^1.0" }, "require-dev": { "yiisoft/yii2-codeception": "*", diff --git a/console/migrations/m170118_224937_account_otp_secrets.php b/console/migrations/m170118_224937_account_otp_secrets.php new file mode 100644 index 0000000..4efa139 --- /dev/null +++ b/console/migrations/m170118_224937_account_otp_secrets.php @@ -0,0 +1,17 @@ +addColumn('{{%accounts}}', 'otp_secret', $this->string()->after('registration_ip')); + $this->addColumn('{{%accounts}}', 'is_otp_enabled', $this->boolean()->notNull()->defaultValue(false)->after('otp_secret')); + } + + public function safeDown() { + $this->dropColumn('{{%accounts}}', 'otp_secret'); + $this->dropColumn('{{%accounts}}', 'is_otp_enabled'); + } + +} diff --git a/tests/codeception/api/_pages/AuthenticationRoute.php b/tests/codeception/api/_pages/AuthenticationRoute.php index 7ed0042..bfe5784 100644 --- a/tests/codeception/api/_pages/AuthenticationRoute.php +++ b/tests/codeception/api/_pages/AuthenticationRoute.php @@ -8,15 +8,23 @@ use yii\codeception\BasePage; */ class AuthenticationRoute extends BasePage { - public function login($login = '', $password = '', $rememberMe = false) { + /** + * @param string $login + * @param string $password + * @param string|bool|null $rememberMeOrToken + * @param bool $rememberMe + */ + public function login($login = '', $password = '', $rememberMeOrToken = null, $rememberMe = false) { $this->route = ['authentication/login']; $params = [ 'login' => $login, 'password' => $password, ]; - if ($rememberMe) { + if ((is_bool($rememberMeOrToken) && $rememberMeOrToken) || $rememberMe) { $params['rememberMe'] = 1; + } elseif ($rememberMeOrToken !== null) { + $params['token'] = $rememberMeOrToken; } $this->actor->sendPOST($this->getUrl(), $params); @@ -27,10 +35,11 @@ class AuthenticationRoute extends BasePage { $this->actor->sendPOST($this->getUrl()); } - public function forgotPassword($login = '') { + public function forgotPassword($login = null, $token = null) { $this->route = ['authentication/forgot-password']; $this->actor->sendPOST($this->getUrl(), [ 'login' => $login, + 'token' => $token, ]); } diff --git a/tests/codeception/api/_pages/TwoFactorAuthRoute.php b/tests/codeception/api/_pages/TwoFactorAuthRoute.php new file mode 100644 index 0000000..ed677bb --- /dev/null +++ b/tests/codeception/api/_pages/TwoFactorAuthRoute.php @@ -0,0 +1,31 @@ +actor->sendGET($this->getUrl()); + } + + public function enable($token = null, $password = null) { + $this->actor->sendPOST($this->getUrl(), [ + 'token' => $token, + 'password' => $password, + ]); + } + + public function disable($token = null, $password = null) { + $this->actor->sendDELETE($this->getUrl(), [ + 'token' => $token, + 'password' => $password, + ]); + } + +} diff --git a/tests/codeception/api/_support/FunctionalTester.php b/tests/codeception/api/_support/FunctionalTester.php index a06b732..e8b42d1 100644 --- a/tests/codeception/api/_support/FunctionalTester.php +++ b/tests/codeception/api/_support/FunctionalTester.php @@ -1,10 +1,10 @@ login = 'Admin'; - $form->password = 'password_0'; - } elseif ($login !== null && $password !== null) { - $form->login = $login; - $form->password = $password; - } else { - throw new InvalidArgumentException('login and password should be presented both.'); + public function amAuthenticated(string $asUsername = 'admin') { + /** @var AccountIdentity $account */ + $account = AccountIdentity::findOne(['username' => $asUsername]); + if ($account === null) { + throw new InvalidArgumentException("Cannot find account for username \"$asUsername\""); } - $result = $form->login(); - $this->assertInstanceOf(LoginResult::class, $result); - if ($result !== false) { - $this->amBearerAuthenticated($result->getJwt()); - } + $result = Yii::$app->user->login($account); + $this->amBearerAuthenticated($result->getJwt()); } public function notLoggedIn() { diff --git a/tests/codeception/api/functional/AccountsAcceptRulesCest.php b/tests/codeception/api/functional/AccountsAcceptRulesCest.php index 4f6fee7..ae8269d 100644 --- a/tests/codeception/api/functional/AccountsAcceptRulesCest.php +++ b/tests/codeception/api/functional/AccountsAcceptRulesCest.php @@ -16,7 +16,7 @@ class AccountsAcceptRulesCest { } public function testCurrent(FunctionalTester $I) { - $I->loggedInAsActiveAccount('Veleyaba', 'password_0'); + $I->amAuthenticated('Veleyaba'); $this->route->acceptRules(); $I->canSeeResponseCodeIs(200); $I->canSeeResponseIsJson(); diff --git a/tests/codeception/api/functional/AccountsChangeEmailConfirmNewEmailCest.php b/tests/codeception/api/functional/AccountsChangeEmailConfirmNewEmailCest.php index 0b8016d..53b31d8 100644 --- a/tests/codeception/api/functional/AccountsChangeEmailConfirmNewEmailCest.php +++ b/tests/codeception/api/functional/AccountsChangeEmailConfirmNewEmailCest.php @@ -17,7 +17,7 @@ class AccountsChangeEmailConfirmNewEmailCest { public function testConfirmNewEmail(FunctionalTester $I) { $I->wantTo('change my email and get changed value'); - $I->loggedInAsActiveAccount('CrafterGameplays', 'password_0'); + $I->amAuthenticated('CrafterGameplays'); $this->route->changeEmailConfirmNewEmail('H28HBDCHHAG2HGHGHS'); $I->canSeeResponseCodeIs(200); diff --git a/tests/codeception/api/functional/AccountsChangeEmailInitializeCest.php b/tests/codeception/api/functional/AccountsChangeEmailInitializeCest.php index 5e1f6b9..0dfa82e 100644 --- a/tests/codeception/api/functional/AccountsChangeEmailInitializeCest.php +++ b/tests/codeception/api/functional/AccountsChangeEmailInitializeCest.php @@ -17,7 +17,7 @@ class AccountsChangeEmailInitializeCest { public function testChangeEmailInitialize(FunctionalTester $I) { $I->wantTo('send current email confirmation'); - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $this->route->changeEmailInitialize('password_0'); $I->canSeeResponseCodeIs(200); @@ -29,7 +29,7 @@ class AccountsChangeEmailInitializeCest { public function testChangeEmailInitializeFrequencyError(FunctionalTester $I) { $I->wantTo('see change email request frequency error'); - $I->loggedInAsActiveAccount('ILLIMUNATI', 'password_0'); + $I->amAuthenticated('ILLIMUNATI'); $this->route->changeEmailInitialize('password_0'); $I->canSeeResponseContainsJson([ diff --git a/tests/codeception/api/functional/AccountsChangeEmailSubmitNewEmailCest.php b/tests/codeception/api/functional/AccountsChangeEmailSubmitNewEmailCest.php index f70ac36..d09383b 100644 --- a/tests/codeception/api/functional/AccountsChangeEmailSubmitNewEmailCest.php +++ b/tests/codeception/api/functional/AccountsChangeEmailSubmitNewEmailCest.php @@ -18,7 +18,7 @@ class AccountsChangeEmailSubmitNewEmailCest { public function testSubmitNewEmail(FunctionalTester $I) { $I->wantTo('submit new email'); - $I->loggedInAsActiveAccount('ILLIMUNATI', 'password_0'); + $I->amAuthenticated('ILLIMUNATI'); $this->route->changeEmailSubmitNewEmail('H27HBDCHHAG2HGHGHS', 'my-new-email@ely.by'); $I->canSeeResponseCodeIs(200); diff --git a/tests/codeception/api/functional/AccountsChangeLangCest.php b/tests/codeception/api/functional/AccountsChangeLangCest.php index 4fc16fb..ffe229f 100644 --- a/tests/codeception/api/functional/AccountsChangeLangCest.php +++ b/tests/codeception/api/functional/AccountsChangeLangCest.php @@ -18,7 +18,7 @@ class AccountsChangeLangCest { public function testSubmitNewEmail(FunctionalTester $I) { $I->wantTo('change my account language'); - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $this->route->changeLang('ru'); $I->canSeeResponseCodeIs(200); diff --git a/tests/codeception/api/functional/AccountsChangePasswordCest.php b/tests/codeception/api/functional/AccountsChangePasswordCest.php index 099d809..056a340 100644 --- a/tests/codeception/api/functional/AccountsChangePasswordCest.php +++ b/tests/codeception/api/functional/AccountsChangePasswordCest.php @@ -27,7 +27,7 @@ class AccountsChangePasswordCest { public function testChangePassword(FunctionalTester $I) { $I->wantTo('change my password'); - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $this->route->changePassword('password_0', 'new-password', 'new-password'); $I->canSeeResponseCodeIs(200); diff --git a/tests/codeception/api/functional/AccountsChangeUsernameCest.php b/tests/codeception/api/functional/AccountsChangeUsernameCest.php index 73c54e6..b4a696f 100644 --- a/tests/codeception/api/functional/AccountsChangeUsernameCest.php +++ b/tests/codeception/api/functional/AccountsChangeUsernameCest.php @@ -26,7 +26,7 @@ class AccountsChangeUsernameCest { public function testChangeUsername(FunctionalTester $I) { $I->wantTo('change my nickname'); - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $this->route->changeUsername('password_0', 'bruce_wayne'); $I->canSeeResponseCodeIs(200); @@ -38,7 +38,7 @@ class AccountsChangeUsernameCest { public function testChangeUsernameNotAvailable(FunctionalTester $I) { $I->wantTo('see, that nickname "in use" is not available'); - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $this->route->changeUsername('password_0', 'Jon'); $I->canSeeResponseCodeIs(200); diff --git a/tests/codeception/api/functional/AccountsCurrentCest.php b/tests/codeception/api/functional/AccountsCurrentCest.php index cc4daa2..c53be87 100644 --- a/tests/codeception/api/functional/AccountsCurrentCest.php +++ b/tests/codeception/api/functional/AccountsCurrentCest.php @@ -16,7 +16,7 @@ class AccountsCurrentCest { } public function testCurrent(FunctionalTester $I) { - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $this->route->current(); $I->canSeeResponseCodeIs(200); @@ -29,6 +29,7 @@ class AccountsCurrentCest { 'isActive' => true, 'hasMojangUsernameCollision' => false, 'shouldAcceptRules' => false, + 'isOtpEnabled' => false, ]); $I->canSeeResponseJsonMatchesJsonPath('$.passwordChangedAt'); } diff --git a/tests/codeception/api/functional/ForgotPasswordCest.php b/tests/codeception/api/functional/ForgotPasswordCest.php index 5f36a93..0444838 100644 --- a/tests/codeception/api/functional/ForgotPasswordCest.php +++ b/tests/codeception/api/functional/ForgotPasswordCest.php @@ -1,41 +1,87 @@ wantTo('create new password recover request by passing email'); - $route->forgotPassword('admin@ely.by'); + public function _before(FunctionalTester $I) { + $this->route = new AuthenticationRoute($I); + } + + public function testWrongInput(FunctionalTester $I) { + $I->wantTo('see reaction on invalid input'); + + $this->route->forgotPassword(); $I->canSeeResponseContainsJson([ - 'success' => true, + 'success' => false, + 'errors' => [ + 'login' => 'error.login_required', + ], ]); - $I->canSeeResponseJsonMatchesJsonPath('$.data.canRepeatIn'); - $I->canSeeResponseJsonMatchesJsonPath('$.data.repeatFrequency'); + + $this->route->forgotPassword('becauseimbatman!'); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'login' => 'error.login_not_exist', + ], + ]); + + $this->route->forgotPassword('AccountWithEnabledOtp'); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'token' => 'error.token_required', + ], + ]); + + $this->route->forgotPassword('AccountWithEnabledOtp'); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'token' => 'error.token_required', + ], + ]); + + $this->route->forgotPassword('AccountWithEnabledOtp', '123456'); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'token' => 'error.token_incorrect', + ], + ]); + } + + public function testForgotPasswordByEmail(FunctionalTester $I) { + $I->wantTo('create new password recover request by passing email'); + $this->route->forgotPassword('admin@ely.by'); + $this->assertSuccessResponse($I, false); } public function testForgotPasswordByUsername(FunctionalTester $I) { - $route = new AuthenticationRoute($I); - $I->wantTo('create new password recover request by passing username'); - $route->forgotPassword('Admin'); - $I->canSeeResponseContainsJson([ - 'success' => true, - ]); - $I->canSeeResponseJsonMatchesJsonPath('$.data.canRepeatIn'); - $I->canSeeResponseJsonMatchesJsonPath('$.data.repeatFrequency'); - $I->canSeeResponseJsonMatchesJsonPath('$.data.emailMask'); + $this->route->forgotPassword('Admin'); + $this->assertSuccessResponse($I, true); + } + + public function testForgotPasswordByAccountWithOtp(FunctionalTester $I) { + $I->wantTo('create new password recover request by passing username and otp token'); + $totp = new TOTP(null, 'secret-secret-secret'); + $this->route->forgotPassword('AccountWithEnabledOtp', $totp->now()); + $this->assertSuccessResponse($I, true); } public function testDataForFrequencyError(FunctionalTester $I) { - $route = new AuthenticationRoute($I); - $I->wantTo('get info about time to repeat recover password request'); - $route->forgotPassword('Notch'); + $this->route->forgotPassword('Notch'); $I->canSeeResponseContainsJson([ 'success' => false, 'errors' => [ @@ -46,4 +92,18 @@ class ForgotPasswordCest { $I->canSeeResponseJsonMatchesJsonPath('$.data.repeatFrequency'); } + /** + * @param FunctionalTester $I + */ + private function assertSuccessResponse(FunctionalTester $I, bool $expectEmailMask = false): void { + $I->canSeeResponseContainsJson([ + 'success' => true, + ]); + $I->canSeeResponseJsonMatchesJsonPath('$.data.canRepeatIn'); + $I->canSeeResponseJsonMatchesJsonPath('$.data.repeatFrequency'); + if ($expectEmailMask) { + $I->canSeeResponseJsonMatchesJsonPath('$.data.emailMask'); + } + } + } diff --git a/tests/codeception/api/functional/LoginCest.php b/tests/codeception/api/functional/LoginCest.php index 4c39e63..ab11f50 100644 --- a/tests/codeception/api/functional/LoginCest.php +++ b/tests/codeception/api/functional/LoginCest.php @@ -1,6 +1,7 @@ wantTo('see token don\'t have errors if email, username or token not set'); + $route->login(); + $I->canSeeResponseContainsJson([ + 'success' => false, + ]); + $I->cantSeeResponseJsonMatchesJsonPath('$.errors.token'); + + $I->wantTo('see token don\'t have errors if username not exists in database'); + $route->login('non-exist-username', 'random-password'); + $I->canSeeResponseContainsJson([ + 'success' => false, + ]); + $I->cantSeeResponseJsonMatchesJsonPath('$.errors.token'); + + $I->wantTo('see token don\'t has errors if email not exists in database'); + $route->login('not-exist@user.com', 'random-password'); + $I->canSeeResponseContainsJson([ + 'success' => false, + ]); + $I->cantSeeResponseJsonMatchesJsonPath('$.errors.token'); + + $I->wantTo('see token don\'t has errors if email correct, but password wrong'); + $route->login('not-exist@user.com', 'random-password'); + $I->canSeeResponseContainsJson([ + 'success' => false, + ]); + $I->cantSeeResponseJsonMatchesJsonPath('$.errors.token'); + + $I->wantTo('see error.token_required if username and password correct, but account have enable otp'); + $route->login('AccountWithEnabledOtp', 'password_0'); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'token' => 'error.token_required', + ], + ]); + + $I->wantTo('see error.token_incorrect if username and password correct, but token wrong'); + $route->login('AccountWithEnabledOtp', 'password_0', '123456'); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'token' => 'error.token_incorrect', + ], + ]); + } + public function testLoginByUsernameCorrect(FunctionalTester $I) { $route = new AuthenticationRoute($I); @@ -151,4 +202,16 @@ class LoginCest { $I->canSeeAuthCredentials(true); } + public function testLoginByAccountWithOtp(FunctionalTester $I) { + $route = new AuthenticationRoute($I); + + $I->wantTo('login into account with enabled otp'); + $route->login('AccountWithEnabledOtp', 'password_0', (new TOTP(null, 'secret-secret-secret'))->now()); + $I->canSeeResponseContainsJson([ + 'success' => true, + ]); + $I->cantSeeResponseJsonMatchesJsonPath('$.errors'); + $I->canSeeAuthCredentials(false); + } + } diff --git a/tests/codeception/api/functional/LogoutCest.php b/tests/codeception/api/functional/LogoutCest.php index 5acaa92..f0235ae 100644 --- a/tests/codeception/api/functional/LogoutCest.php +++ b/tests/codeception/api/functional/LogoutCest.php @@ -8,7 +8,7 @@ class LogoutCest { public function testLoginEmailOrUsername(FunctionalTester $I) { $route = new AuthenticationRoute($I); - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $route->logout(); $I->canSeeResponseContainsJson([ 'success' => true, diff --git a/tests/codeception/api/functional/OauthAuthCodeCest.php b/tests/codeception/api/functional/OauthAuthCodeCest.php index be61f3e..55ac48b 100644 --- a/tests/codeception/api/functional/OauthAuthCodeCest.php +++ b/tests/codeception/api/functional/OauthAuthCodeCest.php @@ -51,7 +51,7 @@ class OauthAuthCodeCest { } public function testValidateWithDescriptionReplaceRequest(FunctionalTester $I) { - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $I->wantTo('validate and get information with description replacement'); $this->route->validate($this->buildQueryParams( 'ely', @@ -73,13 +73,13 @@ class OauthAuthCodeCest { } public function testCompleteValidationAction(FunctionalTester $I) { - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $I->wantTo('validate all oAuth params on complete request'); $this->testOauthParamsValidation($I, 'complete'); } public function testCompleteActionOnWrongConditions(FunctionalTester $I) { - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $I->wantTo('get accept_required if I don\'t require any scope, but this is first time request'); $this->route->complete($this->buildQueryParams( @@ -112,7 +112,7 @@ class OauthAuthCodeCest { } public function testCompleteActionSuccess(FunctionalTester $I) { - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $I->wantTo('get auth code if I require some scope and pass accept field'); $this->route->complete($this->buildQueryParams( 'ely', @@ -155,7 +155,7 @@ class OauthAuthCodeCest { } public function testAcceptRequiredOnNewScope(FunctionalTester $I) { - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $I->wantTo('get accept_required if I have previous successful request, but now require some new scope'); $this->route->complete($this->buildQueryParams( 'ely', @@ -179,7 +179,7 @@ class OauthAuthCodeCest { } public function testCompleteActionWithDismissState(FunctionalTester $I) { - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $I->wantTo('get access_denied error if I pass accept in false state'); $this->route->complete($this->buildQueryParams( 'ely', diff --git a/tests/codeception/api/functional/TwoFactorAuthCredentialsCest.php b/tests/codeception/api/functional/TwoFactorAuthCredentialsCest.php new file mode 100644 index 0000000..ce95923 --- /dev/null +++ b/tests/codeception/api/functional/TwoFactorAuthCredentialsCest.php @@ -0,0 +1,28 @@ +route = new TwoFactorAuthRoute($I); + } + + public function testGetCredentials(FunctionalTester $I) { + $I->amAuthenticated(); + $this->route->credentials(); + $I->canSeeResponseCodeIs(200); + $I->canSeeResponseIsJson(); + $I->canSeeResponseJsonMatchesJsonPath('$.secret'); + $I->canSeeResponseJsonMatchesJsonPath('$.uri'); + $I->canSeeResponseJsonMatchesJsonPath('$.qr'); + } + +} diff --git a/tests/codeception/api/functional/TwoFactorAuthDisableCest.php b/tests/codeception/api/functional/TwoFactorAuthDisableCest.php new file mode 100644 index 0000000..5e41f83 --- /dev/null +++ b/tests/codeception/api/functional/TwoFactorAuthDisableCest.php @@ -0,0 +1,61 @@ +route = new TwoFactorAuthRoute($I); + } + + public function testFails(FunctionalTester $I) { + $I->amAuthenticated('AccountWithEnabledOtp'); + + $this->route->disable(); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'token' => 'error.token_required', + 'password' => 'error.password_required', + ], + ]); + + $this->route->disable('123456', 'invalid_password'); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'token' => 'error.token_incorrect', + 'password' => 'error.password_incorrect', + ], + ]); + + $I->amAuthenticated('AccountWithOtpSecret'); + $this->route->disable('123456', 'invalid_password'); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'account' => 'error.otp_not_enabled', + ], + ]); + } + + public function testSuccessEnable(FunctionalTester $I) { + $I->amAuthenticated('AccountWithEnabledOtp'); + $totp = new TOTP(null, 'secret-secret-secret'); + $this->route->disable($totp->now(), 'password_0'); + $I->canSeeResponseCodeIs(200); + $I->canSeeResponseIsJson(); + $I->canSeeResponseContainsJson([ + 'success' => true, + ]); + } + +} diff --git a/tests/codeception/api/functional/TwoFactorAuthEnableCest.php b/tests/codeception/api/functional/TwoFactorAuthEnableCest.php new file mode 100644 index 0000000..aee002e --- /dev/null +++ b/tests/codeception/api/functional/TwoFactorAuthEnableCest.php @@ -0,0 +1,61 @@ +route = new TwoFactorAuthRoute($I); + } + + public function testFails(FunctionalTester $I) { + $I->amAuthenticated('AccountWithOtpSecret'); + + $this->route->enable(); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'token' => 'error.token_required', + 'password' => 'error.password_required', + ], + ]); + + $this->route->enable('123456', 'invalid_password'); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'token' => 'error.token_incorrect', + 'password' => 'error.password_incorrect', + ], + ]); + + $I->amAuthenticated('AccountWithEnabledOtp'); + $this->route->enable('123456', 'invalid_password'); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'account' => 'error.otp_already_enabled', + ], + ]); + } + + public function testSuccessEnable(FunctionalTester $I) { + $I->amAuthenticated('AccountWithOtpSecret'); + $totp = new TOTP(null, 'some otp secret value'); + $this->route->enable($totp->now(), 'password_0'); + $I->canSeeResponseCodeIs(200); + $I->canSeeResponseIsJson(); + $I->canSeeResponseContainsJson([ + 'success' => true, + ]); + } + +} diff --git a/tests/codeception/api/functional/_steps/AuthserverSteps.php b/tests/codeception/api/functional/_steps/AuthserverSteps.php index e065d36..9648ec2 100644 --- a/tests/codeception/api/functional/_steps/AuthserverSteps.php +++ b/tests/codeception/api/functional/_steps/AuthserverSteps.php @@ -7,12 +7,12 @@ use tests\codeception\api\FunctionalTester; class AuthserverSteps extends FunctionalTester { - public function amAuthenticated() { + public function amAuthenticated(string $asUsername = 'admin', string $password = 'password_0') { $route = new AuthserverRoute($this); $clientToken = Uuid::uuid4()->toString(); $route->authenticate([ - 'username' => 'admin', - 'password' => 'password_0', + 'username' => $asUsername, + 'password' => $password, 'clientToken' => $clientToken, ]); diff --git a/tests/codeception/api/functional/_steps/OauthSteps.php b/tests/codeception/api/functional/_steps/OauthSteps.php index 3e0c467..c8327e7 100644 --- a/tests/codeception/api/functional/_steps/OauthSteps.php +++ b/tests/codeception/api/functional/_steps/OauthSteps.php @@ -9,7 +9,7 @@ class OauthSteps extends FunctionalTester { public function getAuthCode(array $permissions = []) { // TODO: по идее можно напрямую сделать запись в базу, что ускорит процесс тестирования - $this->loggedInAsActiveAccount(); + $this->amAuthenticated(); $route = new OauthRoute($this); $route->complete([ 'client_id' => 'ely', diff --git a/tests/codeception/api/functional/authserver/InvalidateCest.php b/tests/codeception/api/functional/authserver/InvalidateCest.php index 7cab088..de2bcb0 100644 --- a/tests/codeception/api/functional/authserver/InvalidateCest.php +++ b/tests/codeception/api/functional/authserver/InvalidateCest.php @@ -18,7 +18,7 @@ class InvalidateCest { public function invalidate(AuthserverSteps $I) { $I->wantTo('invalidate my token'); - list($accessToken, $clientToken) = $I->amAuthenticated(); + [$accessToken, $clientToken] = $I->amAuthenticated(); $this->route->invalidate([ 'accessToken' => $accessToken, 'clientToken' => $clientToken, diff --git a/tests/codeception/api/functional/authserver/RefreshCest.php b/tests/codeception/api/functional/authserver/RefreshCest.php index e26ccf7..e18751b 100644 --- a/tests/codeception/api/functional/authserver/RefreshCest.php +++ b/tests/codeception/api/functional/authserver/RefreshCest.php @@ -18,7 +18,7 @@ class RefreshCest { public function refresh(AuthserverSteps $I) { $I->wantTo('refresh my accessToken'); - list($accessToken, $clientToken) = $I->amAuthenticated(); + [$accessToken, $clientToken] = $I->amAuthenticated(); $this->route->refresh([ 'accessToken' => $accessToken, 'clientToken' => $clientToken, diff --git a/tests/codeception/api/functional/authserver/ValidateCest.php b/tests/codeception/api/functional/authserver/ValidateCest.php index 1cd5b9b..704b02a 100644 --- a/tests/codeception/api/functional/authserver/ValidateCest.php +++ b/tests/codeception/api/functional/authserver/ValidateCest.php @@ -18,7 +18,7 @@ class ValidateCest { public function validate(AuthserverSteps $I) { $I->wantTo('validate my accessToken'); - list($accessToken) = $I->amAuthenticated(); + [$accessToken] = $I->amAuthenticated(); $this->route->validate([ 'accessToken' => $accessToken, ]); diff --git a/tests/codeception/api/functional/sessionserver/JoinCest.php b/tests/codeception/api/functional/sessionserver/JoinCest.php index 986521e..ed34400 100644 --- a/tests/codeception/api/functional/sessionserver/JoinCest.php +++ b/tests/codeception/api/functional/sessionserver/JoinCest.php @@ -21,7 +21,7 @@ class JoinCest { public function joinByLegacyAuthserver(AuthserverSteps $I) { $I->wantTo('join to server, using legacy authserver access token'); - list($accessToken) = $I->amAuthenticated(); + [$accessToken] = $I->amAuthenticated(); $this->route->join([ 'accessToken' => $accessToken, 'selectedProfile' => 'df936908-b2e1-544d-96f8-2977ec213022', @@ -32,7 +32,7 @@ class JoinCest { public function joinByPassJsonInPost(AuthserverSteps $I) { $I->wantTo('join to server, passing data in body as encoded json'); - list($accessToken) = $I->amAuthenticated(); + [$accessToken] = $I->amAuthenticated(); $this->route->join(json_encode([ 'accessToken' => $accessToken, 'selectedProfile' => 'df936908-b2e1-544d-96f8-2977ec213022', diff --git a/tests/codeception/api/functional/sessionserver/JoinLegacyCest.php b/tests/codeception/api/functional/sessionserver/JoinLegacyCest.php index e82695a..d691bce 100644 --- a/tests/codeception/api/functional/sessionserver/JoinLegacyCest.php +++ b/tests/codeception/api/functional/sessionserver/JoinLegacyCest.php @@ -21,7 +21,7 @@ class JoinLegacyCest { public function joinByLegacyAuthserver(AuthserverSteps $I) { $I->wantTo('join to server by legacy protocol, using legacy authserver access token'); - list($accessToken) = $I->amAuthenticated(); + [$accessToken] = $I->amAuthenticated(); $this->route->joinLegacy([ 'sessionId' => $accessToken, 'user' => 'Admin', @@ -32,7 +32,7 @@ class JoinLegacyCest { public function joinByNewSessionFormat(AuthserverSteps $I) { $I->wantTo('join to server by legacy protocol with new launcher session format, using legacy authserver'); - list($accessToken) = $I->amAuthenticated(); + [$accessToken] = $I->amAuthenticated(); $this->route->joinLegacy([ 'sessionId' => 'token:' . $accessToken . ':' . 'df936908-b2e1-544d-96f8-2977ec213022', 'user' => 'Admin', diff --git a/tests/codeception/api/unit/models/authentication/ForgotPasswordFormTest.php b/tests/codeception/api/unit/models/authentication/ForgotPasswordFormTest.php index dc68fb5..c97723f 100644 --- a/tests/codeception/api/unit/models/authentication/ForgotPasswordFormTest.php +++ b/tests/codeception/api/unit/models/authentication/ForgotPasswordFormTest.php @@ -4,6 +4,7 @@ namespace codeception\api\unit\models\authentication; use api\models\authentication\ForgotPasswordForm; use Codeception\Specify; use common\models\EmailActivation; +use OTPHP\TOTP; use tests\codeception\api\unit\TestCase; use tests\codeception\common\fixtures\AccountFixture; use tests\codeception\common\fixtures\EmailActivationFixture; @@ -18,7 +19,7 @@ class ForgotPasswordFormTest extends TestCase { ]; } - public function testValidateAccount() { + public function testValidateLogin() { $this->specify('error.login_not_exist if login is invalid', function() { $model = new ForgotPasswordForm(['login' => 'unexist']); $model->validateLogin('login'); @@ -32,6 +33,21 @@ class ForgotPasswordFormTest extends TestCase { }); } + public function testValidateTotpToken() { + $model = new ForgotPasswordForm(); + $model->login = 'AccountWithEnabledOtp'; + $model->token = '123456'; + $model->validateTotpToken('token'); + $this->assertEquals(['error.token_incorrect'], $model->getErrors('token')); + + $totp = new TOTP(null, 'secret-secret-secret'); + $model = new ForgotPasswordForm(); + $model->login = 'AccountWithEnabledOtp'; + $model->token = $totp->now(); + $model->validateTotpToken('token'); + $this->assertEmpty($model->getErrors('token')); + } + public function testValidateActivity() { $this->specify('error.account_not_activated if account is not confirmed', function() { $model = new ForgotPasswordForm([ diff --git a/tests/codeception/api/unit/models/authentication/LoginFormTest.php b/tests/codeception/api/unit/models/authentication/LoginFormTest.php index e32f243..0cf524e 100644 --- a/tests/codeception/api/unit/models/authentication/LoginFormTest.php +++ b/tests/codeception/api/unit/models/authentication/LoginFormTest.php @@ -6,6 +6,7 @@ use api\models\AccountIdentity; use api\models\authentication\LoginForm; use Codeception\Specify; use common\models\Account; +use OTPHP\TOTP; use tests\codeception\api\unit\TestCase; use tests\codeception\common\fixtures\AccountFixture; @@ -38,7 +39,7 @@ class LoginFormTest extends TestCase { 'account' => null, ]); $model->validateLogin('login'); - expect($model->getErrors('login'))->equals(['error.login_not_exist']); + $this->assertEquals(['error.login_not_exist'], $model->getErrors('login')); }); $this->specify('no errors if login exists', function () { @@ -47,7 +48,7 @@ class LoginFormTest extends TestCase { 'account' => new AccountIdentity(), ]); $model->validateLogin('login'); - expect($model->getErrors('login'))->isEmpty(); + $this->assertEmpty($model->getErrors('login')); }); } @@ -58,7 +59,7 @@ class LoginFormTest extends TestCase { 'account' => new AccountIdentity(['password' => '12345678']), ]); $model->validatePassword('password'); - expect($model->getErrors('password'))->equals(['error.password_incorrect']); + $this->assertEquals(['error.password_incorrect'], $model->getErrors('password')); }); $this->specify('no errors if password valid', function () { @@ -67,7 +68,35 @@ class LoginFormTest extends TestCase { 'account' => new AccountIdentity(['password' => '12345678']), ]); $model->validatePassword('password'); - expect($model->getErrors('password'))->isEmpty(); + $this->assertEmpty($model->getErrors('password')); + }); + } + + public function testValidateTotpToken() { + $account = new AccountIdentity(['password' => '12345678']); + $account->password = '12345678'; + $account->is_otp_enabled = true; + $account->otp_secret = 'mock secret'; + + $this->specify('error.token_incorrect if totp invalid', function() use ($account) { + $model = $this->createModel([ + 'password' => '12345678', + 'token' => '321123', + 'account' => $account, + ]); + $model->validateTotpToken('token'); + $this->assertEquals(['error.token_incorrect'], $model->getErrors('token')); + }); + + $totp = new TOTP(null, 'mock secret'); + $this->specify('no errors if password valid', function() use ($account, $totp) { + $model = $this->createModel([ + 'password' => '12345678', + 'token' => $totp->now(), + 'account' => $account, + ]); + $model->validateTotpToken('token'); + $this->assertEmpty($model->getErrors('token')); }); } @@ -77,7 +106,7 @@ class LoginFormTest extends TestCase { 'account' => new AccountIdentity(['status' => Account::STATUS_REGISTERED]), ]); $model->validateActivity('login'); - expect($model->getErrors('login'))->equals(['error.account_not_activated']); + $this->assertEquals(['error.account_not_activated'], $model->getErrors('login')); }); $this->specify('error.account_banned if account has banned status', function () { @@ -85,7 +114,7 @@ class LoginFormTest extends TestCase { 'account' => new AccountIdentity(['status' => Account::STATUS_BANNED]), ]); $model->validateActivity('login'); - expect($model->getErrors('login'))->equals(['error.account_banned']); + $this->assertEquals(['error.account_banned'], $model->getErrors('login')); }); $this->specify('no errors if account active', function () { @@ -93,36 +122,36 @@ class LoginFormTest extends TestCase { 'account' => new AccountIdentity(['status' => Account::STATUS_ACTIVE]), ]); $model->validateActivity('login'); - expect($model->getErrors('login'))->isEmpty(); + $this->assertEmpty($model->getErrors('login')); }); } public function testLogin() { - $this->specify('user should be able to login with correct username and password', function () { - $model = $this->createModel([ - 'login' => 'erickskrauch', + $model = $this->createModel([ + 'login' => 'erickskrauch', + 'password' => '12345678', + 'account' => new AccountIdentity([ + 'username' => 'erickskrauch', 'password' => '12345678', - 'account' => new AccountIdentity([ - 'username' => 'erickskrauch', - 'password' => '12345678', - 'status' => Account::STATUS_ACTIVE, - ]), - ]); - expect('model should login user', $model->login())->isInstanceOf(LoginResult::class); - expect('error message should not be set', $model->errors)->isEmpty(); - }); + 'status' => Account::STATUS_ACTIVE, + ]), + ]); + $this->assertInstanceOf(LoginResult::class, $model->login(), 'model should login user'); + $this->assertEmpty($model->getErrors(), 'error message should not be set'); } public function testLoginWithRehashing() { - $this->specify('user, that login using account with old pass hash strategy should update it automatically', function () { - $model = new LoginForm([ - 'login' => $this->tester->grabFixture('accounts', 'user-with-old-password-type')['username'], - 'password' => '12345678', - ]); - expect($model->login())->isInstanceOf(LoginResult::class); - expect($model->errors)->isEmpty(); - expect($model->getAccount()->password_hash_strategy)->equals(Account::PASS_HASH_STRATEGY_YII2); - }); + $model = new LoginForm([ + 'login' => $this->tester->grabFixture('accounts', 'user-with-old-password-type')['username'], + 'password' => '12345678', + ]); + $this->assertInstanceOf(LoginResult::class, $model->login()); + $this->assertEmpty($model->getErrors()); + $this->assertEquals( + Account::PASS_HASH_STRATEGY_YII2, + $model->getAccount()->password_hash_strategy, + 'user, that login using account with old pass hash strategy should update it automatically' + ); } /** diff --git a/tests/codeception/api/unit/models/profile/TwoFactorAuthFormTest.php b/tests/codeception/api/unit/models/profile/TwoFactorAuthFormTest.php new file mode 100644 index 0000000..a160805 --- /dev/null +++ b/tests/codeception/api/unit/models/profile/TwoFactorAuthFormTest.php @@ -0,0 +1,165 @@ +getMockBuilder(Account::class) + ->setMethods(['save']) + ->getMock(); + + $account->expects($this->once()) + ->method('save') + ->willReturn(true); + + $account->email = 'mock@email.com'; + $account->otp_secret = null; + + /** @var TwoFactorAuthForm|\PHPUnit_Framework_MockObject_MockObject $model */ + $model = $this->getMockBuilder(TwoFactorAuthForm::class) + ->setConstructorArgs([$account]) + ->setMethods(['drawQrCode']) + ->getMock(); + + $model->expects($this->once()) + ->method('drawQrCode') + ->willReturn('this is qr code, trust me'); + + $result = $model->getCredentials(); + $this->assertTrue(is_array($result)); + $this->assertArrayHasKey('qr', $result); + $this->assertArrayHasKey('uri', $result); + $this->assertArrayHasKey('secret', $result); + $this->assertNotNull($account->otp_secret); + $this->assertEquals($account->otp_secret, $result['secret']); + $this->assertEquals(base64_encode('this is qr code, trust me'), $result['qr']); + + /** @var Account|\PHPUnit_Framework_MockObject_MockObject $account */ + $account = $this->getMockBuilder(Account::class) + ->setMethods(['save']) + ->getMock(); + + $account->expects($this->never()) + ->method('save'); + + $account->email = 'mock@email.com'; + $account->otp_secret = 'some valid totp secret value'; + + /** @var TwoFactorAuthForm|\PHPUnit_Framework_MockObject_MockObject $model */ + $model = $this->getMockBuilder(TwoFactorAuthForm::class) + ->setConstructorArgs([$account]) + ->setMethods(['drawQrCode']) + ->getMock(); + + $model->expects($this->once()) + ->method('drawQrCode') + ->willReturn('this is qr code, trust me'); + + $result = $model->getCredentials(); + $this->assertEquals('some valid totp secret value', $result['secret']); + } + + public function testActivate() { + /** @var Account|\PHPUnit_Framework_MockObject_MockObject $account */ + $account = $this->getMockBuilder(Account::class) + ->setMethods(['save']) + ->getMock(); + + $account->expects($this->once()) + ->method('save') + ->willReturn(true); + + $account->is_otp_enabled = false; + $account->otp_secret = 'mock secret'; + + /** @var TwoFactorAuthForm|\PHPUnit_Framework_MockObject_MockObject $model */ + $model = $this->getMockBuilder(TwoFactorAuthForm::class) + ->setMethods(['validate']) + ->setConstructorArgs([$account, ['scenario' => TwoFactorAuthForm::SCENARIO_ACTIVATE]]) + ->getMock(); + + $model->expects($this->once()) + ->method('validate') + ->willReturn(true); + + $this->assertTrue($model->activate()); + $this->assertTrue($account->is_otp_enabled); + } + + public function testDisable() { + /** @var Account|\PHPUnit_Framework_MockObject_MockObject $account */ + $account = $this->getMockBuilder(Account::class) + ->setMethods(['save']) + ->getMock(); + + $account->expects($this->once()) + ->method('save') + ->willReturn(true); + + $account->is_otp_enabled = true; + $account->otp_secret = 'mock secret'; + + /** @var TwoFactorAuthForm|\PHPUnit_Framework_MockObject_MockObject $model */ + $model = $this->getMockBuilder(TwoFactorAuthForm::class) + ->setMethods(['validate']) + ->setConstructorArgs([$account, ['scenario' => TwoFactorAuthForm::SCENARIO_DISABLE]]) + ->getMock(); + + $model->expects($this->once()) + ->method('validate') + ->willReturn(true); + + $this->assertTrue($model->disable()); + $this->assertNull($account->otp_secret); + $this->assertFalse($account->is_otp_enabled); + } + + public function testValidateOtpDisabled() { + $account = new Account(); + $account->is_otp_enabled = true; + $model = new TwoFactorAuthForm($account); + $model->validateOtpDisabled('account'); + $this->assertEquals([E::OTP_ALREADY_ENABLED], $model->getErrors('account')); + + $account = new Account(); + $account->is_otp_enabled = false; + $model = new TwoFactorAuthForm($account); + $model->validateOtpDisabled('account'); + $this->assertEmpty($model->getErrors('account')); + } + + public function testValidateOtpEnabled() { + $account = new Account(); + $account->is_otp_enabled = false; + $model = new TwoFactorAuthForm($account); + $model->validateOtpEnabled('account'); + $this->assertEquals([E::OTP_NOT_ENABLED], $model->getErrors('account')); + + $account = new Account(); + $account->is_otp_enabled = true; + $model = new TwoFactorAuthForm($account); + $model->validateOtpEnabled('account'); + $this->assertEmpty($model->getErrors('account')); + } + + public function testGetTotp() { + $account = new Account(); + $account->otp_secret = 'mock secret'; + $account->email = 'check@this.email'; + + $model = new TwoFactorAuthForm($account); + $totp = $model->getTotp(); + $this->assertInstanceOf(TOTP::class, $totp); + $this->assertEquals('check@this.email', $totp->getLabel()); + $this->assertEquals('mock secret', $totp->getSecret()); + $this->assertEquals('Ely.by', $totp->getIssuer()); + } + +} diff --git a/tests/codeception/api/unit/validators/TotpValidatorTest.php b/tests/codeception/api/unit/validators/TotpValidatorTest.php new file mode 100644 index 0000000..fc23f9f --- /dev/null +++ b/tests/codeception/api/unit/validators/TotpValidatorTest.php @@ -0,0 +1,35 @@ +otp_secret = 'some secret'; + $controlTotp = new TOTP(null, 'some secret'); + + $validator = new TotpValidator(['account' => $account]); + + $result = $this->callProtected($validator, 'validateValue', 123456); + $this->assertEquals([E::OTP_TOKEN_INCORRECT, []], $result); + + $result = $this->callProtected($validator, 'validateValue', $controlTotp->now()); + $this->assertNull($result); + + $result = $this->callProtected($validator, 'validateValue', $controlTotp->at(time() - 31)); + $this->assertEquals([E::OTP_TOKEN_INCORRECT, []], $result); + + $validator->window = 60; + $result = $this->callProtected($validator, 'validateValue', $controlTotp->at(time() - 31)); + $this->assertNull($result); + } + +} diff --git a/tests/codeception/common/fixtures/data/accounts.php b/tests/codeception/common/fixtures/data/accounts.php index 33db104..c8c79d3 100644 --- a/tests/codeception/common/fixtures/data/accounts.php +++ b/tests/codeception/common/fixtures/data/accounts.php @@ -146,4 +146,34 @@ return [ 'created_at' => 1474404139, 'updated_at' => 1474404149, ], + 'account-with-otp-secret' => [ + 'id' => 12, + 'uuid' => '9e9dcd11-2322-46dc-a992-e822a422726e', + 'username' => 'AccountWithOtpSecret', + 'email' => 'sava-galkin@mail.ru', + 'password_hash' => '$2y$13$2rYkap5T6jG8z/mMK8a3Ou6aZxJcmAaTha6FEuujvHEmybSHRzW5e', # password_0 + 'password_hash_strategy' => \common\models\Account::PASS_HASH_STRATEGY_YII2, + 'lang' => 'ru', + 'status' => \common\models\Account::STATUS_ACTIVE, + 'rules_agreement_version' => \common\LATEST_RULES_VERSION, + 'otp_secret' => 'some otp secret value', + 'is_otp_enabled' => false, + 'created_at' => 1485124615, + 'updated_at' => 1485124615, + ], + 'account-with-enabled-otp' => [ + 'id' => 13, + 'uuid' => '15d0afa7-a2bb-44d3-9f31-964cbccc6043', + 'username' => 'AccountWithEnabledOtp', + 'email' => 'otp@gmail.com', + 'password_hash' => '$2y$13$2rYkap5T6jG8z/mMK8a3Ou6aZxJcmAaTha6FEuujvHEmybSHRzW5e', # password_0 + 'password_hash_strategy' => \common\models\Account::PASS_HASH_STRATEGY_YII2, + 'lang' => 'ru', + 'status' => \common\models\Account::STATUS_ACTIVE, + 'rules_agreement_version' => \common\LATEST_RULES_VERSION, + 'otp_secret' => 'secret-secret-secret', + 'is_otp_enabled' => true, + 'created_at' => 1485124685, + 'updated_at' => 1485124685, + ], ];