From bb1fd1a9602f7f01ef57c82197445e6df0d8cb8c Mon Sep 17 00:00:00 2001 From: ErickSkrauch Date: Thu, 19 Jan 2017 01:46:54 +0300 Subject: [PATCH 1/8] =?UTF-8?q?=D0=A0=D0=B5=D0=B0=D0=BB=D0=B8=D0=B7=D0=B0?= =?UTF-8?q?=D1=86=D0=B8=D1=8F=20=D0=B3=D0=B5=D0=BD=D0=B5=D1=80=D0=B0=D1=82?= =?UTF-8?q?=D0=BE=D1=80=D0=B0=20QR-=D0=BA=D0=BE=D0=B4=D0=BE=D0=B2=20=D1=81?= =?UTF-8?q?=20=D0=BB=D0=BE=D0=B3=D0=BE=D1=82=D0=B8=D0=BF=D0=BE=D0=BC=20Ely?= =?UTF-8?q?.by?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Dockerfile | 2 +- Dockerfile-dev | 2 +- common/components/Qr/ElyDecorator.php | 116 ++++++++++++++++++++++++ common/components/Qr/resources/logo.svg | 6 ++ composer.json | 4 +- 5 files changed, 127 insertions(+), 3 deletions(-) create mode 100644 common/components/Qr/ElyDecorator.php create mode 100644 common/components/Qr/resources/logo.svg diff --git a/Dockerfile b/Dockerfile index d76207d..bc906e3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM registry.ely.by/elyby/accounts-php:1.2.0 +FROM registry.ely.by/elyby/accounts-php:1.3.0 # Вносим конфигурации для крона и воркеров COPY docker/cron/* /etc/cron.d/ diff --git a/Dockerfile-dev b/Dockerfile-dev index ef963fb..2f82da8 100644 --- a/Dockerfile-dev +++ b/Dockerfile-dev @@ -1,4 +1,4 @@ -FROM registry.ely.by/elyby/accounts-php:1.2.0-dev +FROM registry.ely.by/elyby/accounts-php:1.3.0-dev # Вносим конфигурации для крона и воркеров COPY docker/cron/* /etc/cron.d/ diff --git a/common/components/Qr/ElyDecorator.php b/common/components/Qr/ElyDecorator.php new file mode 100644 index 0000000..6ce2f47 --- /dev/null +++ b/common/components/Qr/ElyDecorator.php @@ -0,0 +1,116 @@ + 7, + ErrorCorrectionLevel::M => 15, + ErrorCorrectionLevel::Q => 25, + ErrorCorrectionLevel::H => 30, + ]; + + public function preProcess( + QrCode $qrCode, + RendererInterface $renderer, + $outputWidth, + $outputHeight, + $leftPadding, + $topPadding, + $multiple + ) { + if (!$renderer instanceof Svg) { + throw new InvalidArgumentException('$renderer must by instance of ' . Svg::class); + } + + $correctionLevel = self::CORRECTION_MAP[$qrCode->getErrorCorrectionLevel()->get()]; + $sizeMultiplier = $correctionLevel + floor($correctionLevel / 3); + $count = $qrCode->getMatrix()->getWidth(); + + $countToRemoveX = floor($count * $sizeMultiplier / 100); + $countToRemoveY = floor($count * $sizeMultiplier / 100); + + $startX = $leftPadding + round(($count - $countToRemoveX) / 2 * $multiple); + $startY = $topPadding + round(($count - $countToRemoveY) / 2 * $multiple); + $width = $countToRemoveX * $multiple; + $height = $countToRemoveY * $multiple; + + $reflection = new ReflectionClass($renderer); + $property = $reflection->getProperty('svg'); + $property->setAccessible(true); + /** @var \SimpleXMLElement $svg */ + $svg = $property->getValue($renderer); + + $image = $svg->addChild('image'); + $image->addAttribute('x', $startX); + $image->addAttribute('y', $startY); + $image->addAttribute('width', $width); + $image->addAttribute('height', $height); + $image->addAttribute('xlink:href', $this->encodeSvgToBase64(self::LOGO)); + + $logo = new Imagick(); + $logo->readImage(self::LOGO); + $logo->scaleImage($width, $height); + + $foundedPixels = []; + foreach ($logo->getPixelIterator() as $row => $pixels) { + /** @var \ImagickPixel[] $pixels */ + foreach ($pixels as $column => $pixel) { + $color = $pixel->getColorAsString(); + if ($color !== 'srgb(255,255,255)') { + $foundedPixels[] = [(int)($startX + $column), (int)($startY + $row)]; + } + } + } + + $logo->clear(); + $logo->destroy(); + + $padding = $multiple - 2; + if ($padding < 0) { + $padding = 1; + } + + foreach ($foundedPixels as $coordinates) { + [$x, $y] = $coordinates; + $x -= $leftPadding; + $y -= $topPadding; + + for ($i = $x - $padding; $i <= $x + $padding; $i++) { + for ($j = $y - $padding; $j <= $y + $padding; $j++) { + $matrixX = floor($i / $multiple); + $matrixY = floor($j / $multiple); + $qrCode->getMatrix()->set($matrixX, $matrixY, 0); + } + } + } + } + + public function postProcess( + QrCode $qrCode, + RendererInterface $renderer, + $outputWidth, + $outputHeight, + $leftPadding, + $topPadding, + $multiple + ) { + + } + + private function encodeSvgToBase64(string $filePath): string { + return 'data:image/svg+xml;base64,' . base64_encode(file_get_contents($filePath)); + } + +} diff --git a/common/components/Qr/resources/logo.svg b/common/components/Qr/resources/logo.svg new file mode 100644 index 0000000..9251067 --- /dev/null +++ b/common/components/Qr/resources/logo.svg @@ -0,0 +1,6 @@ + + + + + + diff --git a/composer.json b/composer.json index 2734f1e..759a408 100644 --- a/composer.json +++ b/composer.json @@ -28,7 +28,9 @@ "ely/email-renderer": "dev-master#ef1cb3f7a13196524b97ca5aa0a2d5867f2d9207", "predis/predis": "^1.0", "mito/yii2-sentry": "dev-fix_init#27f00805cb906f73b2c6f8181c1c655decb9be70", - "minime/annotations": "~3.0" + "minime/annotations": "~3.0", + "spomky-labs/otphp": "^8.3", + "bacon/bacon-qr-code": "^1.0" }, "require-dev": { "yiisoft/yii2-codeception": "*", From 3b9ef7ea703c20c81d205f74c0f5d7c8cf06143a Mon Sep 17 00:00:00 2001 From: ErickSkrauch Date: Sat, 21 Jan 2017 01:54:30 +0300 Subject: [PATCH 2/8] =?UTF-8?q?=D0=A0=D0=B5=D0=B0=D0=BB=D0=B8=D0=B7=D0=BE?= =?UTF-8?q?=D0=B2=D0=B0=D0=BD=20=D0=BC=D0=B5=D1=82=D0=BE=D0=B4=20=D0=B4?= =?UTF-8?q?=D0=BB=D1=8F=20=D0=B7=D0=B0=D0=BF=D1=80=D0=BE=D1=81=D0=B0=20?= =?UTF-8?q?=D0=B8=D0=BD=D1=84=D0=BE=D1=80=D0=BC=D0=B0=D1=86=D0=B8=D0=B8=20?= =?UTF-8?q?=D0=B4=D0=BB=D1=8F=20=D0=B0=D0=BA=D1=82=D0=B8=D0=B2=D0=B0=D1=86?= =?UTF-8?q?=D0=B8=D0=B8=20=D0=B4=D0=B2=D1=83=D1=85=D1=84=D0=B0=D0=BA=D1=82?= =?UTF-8?q?=D0=BE=D1=80=D0=BD=D0=BE=D0=B9=20=D0=B0=D1=83=D1=82=D0=B5=D0=BD?= =?UTF-8?q?=D1=82=D0=B8=D1=84=D0=B8=D0=BA=D0=B0=D1=86=D0=B8=D0=B8=20=D0=94?= =?UTF-8?q?=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB=D0=B5=D0=BD=20=D0=B2=D0=B0=D0=BB?= =?UTF-8?q?=D0=B8=D0=B4=D0=B0=D1=82=D0=BE=D1=80=20=D0=B4=D0=BB=D1=8F=20TOT?= =?UTF-8?q?P=20=D0=BA=D0=BE=D0=B4=D0=BE=D0=B2?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- api/controllers/TwoFactorAuthController.php | 37 ++++++++ api/models/profile/TwoFactorAuthForm.php | 95 +++++++++++++++++++ api/validators/TotpValidator.php | 51 ++++++++++ common/helpers/Error.php | 3 + common/models/Account.php | 2 + .../m170118_224937_account_otp_secrets.php | 17 ++++ .../api/_pages/TwoFactorAuthRoute.php | 16 ++++ .../TwoFactorAuthCredentialsCest.php | 28 ++++++ .../models/profile/TwoFactorAuthFormTest.php | 67 +++++++++++++ .../api/unit/validators/TotpValidatorTest.php | 35 +++++++ 10 files changed, 351 insertions(+) create mode 100644 api/controllers/TwoFactorAuthController.php create mode 100644 api/models/profile/TwoFactorAuthForm.php create mode 100644 api/validators/TotpValidator.php create mode 100644 console/migrations/m170118_224937_account_otp_secrets.php create mode 100644 tests/codeception/api/_pages/TwoFactorAuthRoute.php create mode 100644 tests/codeception/api/functional/TwoFactorAuthCredentialsCest.php create mode 100644 tests/codeception/api/unit/models/profile/TwoFactorAuthFormTest.php create mode 100644 tests/codeception/api/unit/validators/TotpValidatorTest.php diff --git a/api/controllers/TwoFactorAuthController.php b/api/controllers/TwoFactorAuthController.php new file mode 100644 index 0000000..514b8cc --- /dev/null +++ b/api/controllers/TwoFactorAuthController.php @@ -0,0 +1,37 @@ + [ + 'class' => AccessControl::class, + 'rules' => [ + [ + 'class' => ActiveUserRule::class, + 'actions' => [ + 'credentials', + ], + ], + ], + ], + ]); + } + + public function actionCredentials() { + $account = Yii::$app->user->identity; + $model = new TwoFactorAuthForm($account); + + return $model->getCredentials(); + } + +} diff --git a/api/models/profile/TwoFactorAuthForm.php b/api/models/profile/TwoFactorAuthForm.php new file mode 100644 index 0000000..9c432e4 --- /dev/null +++ b/api/models/profile/TwoFactorAuthForm.php @@ -0,0 +1,95 @@ +account = $account; + parent::__construct($config); + } + + public function rules() { + $on = [self::SCENARIO_ENABLE, self::SCENARIO_DISABLE]; + return [ + ['token', 'required', 'message' => E::OTP_TOKEN_REQUIRED, 'on' => $on], + ['token', TotpValidator::class, 'account' => $this->account, 'window' => 30, 'on' => $on], + ['password', PasswordRequiredValidator::class, 'account' => $this->account, 'on' => $on], + ]; + } + + public function getCredentials(): array { + if (empty($this->account->otp_secret)) { + $this->setOtpSecret(); + } + + $provisioningUri = $this->getTotp()->getProvisioningUri(); + + return [ + 'qr' => base64_encode($this->drawQrCode($provisioningUri)), + 'uri' => $provisioningUri, + 'secret' => $this->account->otp_secret, + ]; + } + + public function getAccount(): Account { + return $this->account; + } + + /** + * @return TOTP + */ + public function getTotp(): TOTP { + $totp = new TOTP($this->account->email, $this->account->otp_secret); + $totp->setIssuer('Ely.by'); + + return $totp; + } + + public function drawQrCode(string $content): string { + $renderer = new Svg(); + $renderer->setHeight(256); + $renderer->setWidth(256); + $renderer->setForegroundColor(new Rgb(32, 126, 92)); + $renderer->setMargin(0); + $renderer->addDecorator(new ElyDecorator()); + + $writer = new Writer($renderer); + + return $writer->writeString($content, Encoder::DEFAULT_BYTE_MODE_ECODING, ErrorCorrectionLevel::H); + } + + protected function setOtpSecret(): void { + $this->account->otp_secret = trim(Base32::encode(random_bytes(32)), '='); + if (!$this->account->save()) { + throw new ErrorException('Cannot set account otp_secret'); + } + } + +} diff --git a/api/validators/TotpValidator.php b/api/validators/TotpValidator.php new file mode 100644 index 0000000..dac0c17 --- /dev/null +++ b/api/validators/TotpValidator.php @@ -0,0 +1,51 @@ +account === null) { + $this->account = Yii::$app->user->identity; + } + + if (!$this->account instanceof Account) { + throw new InvalidConfigException('account should be instance of ' . Account::class); + } + + if (empty($this->account->otp_secret)) { + throw new InvalidConfigException('account should have not empty otp_secret'); + } + } + + protected function validateValue($value) { + $totp = new TOTP(null, $this->account->otp_secret); + if (!$totp->verify((string)$value, null, $this->window)) { + return [E::OTP_TOKEN_INCORRECT, []]; + } + + return null; + } + +} diff --git a/common/helpers/Error.php b/common/helpers/Error.php index 664daa7..6d2347c 100644 --- a/common/helpers/Error.php +++ b/common/helpers/Error.php @@ -54,4 +54,7 @@ final class Error { const SUBJECT_REQUIRED = 'error.subject_required'; const MESSAGE_REQUIRED = 'error.message_required'; + const OTP_TOKEN_REQUIRED = 'error.otp_token_required'; + const OTP_TOKEN_INCORRECT = 'error.otp_token_incorrect'; + } diff --git a/common/models/Account.php b/common/models/Account.php index ba346da..4d67f1c 100644 --- a/common/models/Account.php +++ b/common/models/Account.php @@ -20,6 +20,8 @@ use const common\LATEST_RULES_VERSION; * @property integer $status * @property integer $rules_agreement_version * @property string $registration_ip + * @property string $otp_secret + * @property integer $is_otp_enabled * @property integer $created_at * @property integer $updated_at * @property integer $password_changed_at diff --git a/console/migrations/m170118_224937_account_otp_secrets.php b/console/migrations/m170118_224937_account_otp_secrets.php new file mode 100644 index 0000000..4efa139 --- /dev/null +++ b/console/migrations/m170118_224937_account_otp_secrets.php @@ -0,0 +1,17 @@ +addColumn('{{%accounts}}', 'otp_secret', $this->string()->after('registration_ip')); + $this->addColumn('{{%accounts}}', 'is_otp_enabled', $this->boolean()->notNull()->defaultValue(false)->after('otp_secret')); + } + + public function safeDown() { + $this->dropColumn('{{%accounts}}', 'otp_secret'); + $this->dropColumn('{{%accounts}}', 'is_otp_enabled'); + } + +} diff --git a/tests/codeception/api/_pages/TwoFactorAuthRoute.php b/tests/codeception/api/_pages/TwoFactorAuthRoute.php new file mode 100644 index 0000000..32ffeaa --- /dev/null +++ b/tests/codeception/api/_pages/TwoFactorAuthRoute.php @@ -0,0 +1,16 @@ +route = '/two-factor-auth'; + $this->actor->sendGET($this->getUrl()); + } + +} diff --git a/tests/codeception/api/functional/TwoFactorAuthCredentialsCest.php b/tests/codeception/api/functional/TwoFactorAuthCredentialsCest.php new file mode 100644 index 0000000..1084965 --- /dev/null +++ b/tests/codeception/api/functional/TwoFactorAuthCredentialsCest.php @@ -0,0 +1,28 @@ +route = new TwoFactorAuthRoute($I); + } + + public function testGetCredentials(FunctionalTester $I) { + $I->loggedInAsActiveAccount(); + $this->route->credentials(); + $I->canSeeResponseCodeIs(200); + $I->canSeeResponseIsJson(); + $I->canSeeResponseJsonMatchesJsonPath('$.secret'); + $I->canSeeResponseJsonMatchesJsonPath('$.uri'); + $I->canSeeResponseJsonMatchesJsonPath('$.qr'); + } + +} diff --git a/tests/codeception/api/unit/models/profile/TwoFactorAuthFormTest.php b/tests/codeception/api/unit/models/profile/TwoFactorAuthFormTest.php new file mode 100644 index 0000000..37587da --- /dev/null +++ b/tests/codeception/api/unit/models/profile/TwoFactorAuthFormTest.php @@ -0,0 +1,67 @@ +getMockBuilder(Account::class) + ->setMethods(['save']) + ->getMock(); + + $account->expects($this->once()) + ->method('save') + ->willReturn(true); + + $account->email = 'mock@email.com'; + $account->otp_secret = null; + + /** @var TwoFactorAuthForm|\PHPUnit_Framework_MockObject_MockObject $model */ + $model = $this->getMockBuilder(TwoFactorAuthForm::class) + ->setConstructorArgs([$account]) + ->setMethods(['drawQrCode']) + ->getMock(); + + $model->expects($this->once()) + ->method('drawQrCode') + ->willReturn('this is qr code, trust me'); + + $result = $model->getCredentials(); + $this->assertTrue(is_array($result)); + $this->assertArrayHasKey('qr', $result); + $this->assertArrayHasKey('uri', $result); + $this->assertArrayHasKey('secret', $result); + $this->assertNotNull($account->otp_secret); + $this->assertEquals($account->otp_secret, $result['secret']); + $this->assertEquals(base64_encode('this is qr code, trust me'), $result['qr']); + + /** @var Account|\PHPUnit_Framework_MockObject_MockObject $account */ + $account = $this->getMockBuilder(Account::class) + ->setMethods(['save']) + ->getMock(); + + $account->expects($this->never()) + ->method('save'); + + $account->email = 'mock@email.com'; + $account->otp_secret = 'some valid totp secret value'; + + /** @var TwoFactorAuthForm|\PHPUnit_Framework_MockObject_MockObject $model */ + $model = $this->getMockBuilder(TwoFactorAuthForm::class) + ->setConstructorArgs([$account]) + ->setMethods(['drawQrCode']) + ->getMock(); + + $model->expects($this->once()) + ->method('drawQrCode') + ->willReturn('this is qr code, trust me'); + + $result = $model->getCredentials(); + $this->assertEquals('some valid totp secret value', $result['secret']); + } + +} diff --git a/tests/codeception/api/unit/validators/TotpValidatorTest.php b/tests/codeception/api/unit/validators/TotpValidatorTest.php new file mode 100644 index 0000000..fc23f9f --- /dev/null +++ b/tests/codeception/api/unit/validators/TotpValidatorTest.php @@ -0,0 +1,35 @@ +otp_secret = 'some secret'; + $controlTotp = new TOTP(null, 'some secret'); + + $validator = new TotpValidator(['account' => $account]); + + $result = $this->callProtected($validator, 'validateValue', 123456); + $this->assertEquals([E::OTP_TOKEN_INCORRECT, []], $result); + + $result = $this->callProtected($validator, 'validateValue', $controlTotp->now()); + $this->assertNull($result); + + $result = $this->callProtected($validator, 'validateValue', $controlTotp->at(time() - 31)); + $this->assertEquals([E::OTP_TOKEN_INCORRECT, []], $result); + + $validator->window = 60; + $result = $this->callProtected($validator, 'validateValue', $controlTotp->at(time() - 31)); + $this->assertNull($result); + } + +} From be4c7908b22a6026cb4dff8cd79a3914832c4574 Mon Sep 17 00:00:00 2001 From: ErickSkrauch Date: Sat, 21 Jan 2017 02:28:26 +0300 Subject: [PATCH 3/8] =?UTF-8?q?=D0=A0=D0=B5=D0=B0=D0=BB=D0=B8=D0=B7=D0=BE?= =?UTF-8?q?=D0=B2=D0=B0=D0=BD=D1=8B=20=D0=BC=D0=B5=D1=82=D0=BE=D0=B4=D1=8B?= =?UTF-8?q?=20=D0=B4=D0=BB=D1=8F=20=D0=B2=D0=BA=D0=BB=D1=8E=D1=87=D0=B5?= =?UTF-8?q?=D0=BD=D0=B8=D1=8F\=D0=BE=D1=82=D0=BA=D0=BB=D1=8E=D1=87=D0=B5?= =?UTF-8?q?=D0=BD=D0=B8=D1=8F=20=D0=B4=D0=B2=D1=83=D1=85=D1=84=D0=B0=D0=BA?= =?UTF-8?q?=D1=82=D0=BE=D1=80=D0=BD=D0=BE=D0=B9=20=D0=B0=D1=83=D1=82=D0=B5?= =?UTF-8?q?=D0=BD=D1=82=D0=B8=D1=84=D0=B8=D0=BA=D0=B0=D1=86=D0=B8=D0=B8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- api/config/routes.php | 3 ++ api/controllers/TwoFactorAuthController.php | 30 ++++++++++++ api/models/profile/TwoFactorAuthForm.php | 53 +++++++++++++++++++-- common/helpers/Error.php | 2 + 4 files changed, 83 insertions(+), 5 deletions(-) diff --git a/api/config/routes.php b/api/config/routes.php index ca7ede9..c973f56 100644 --- a/api/config/routes.php +++ b/api/config/routes.php @@ -7,6 +7,9 @@ return [ '/accounts/change-email/submit-new-email' => 'accounts/change-email-submit-new-email', '/accounts/change-email/confirm-new-email' => 'accounts/change-email-confirm-new-email', + 'POST /two-factor-auth' => 'two-factor-auth/activate', + 'DELETE /two-factor-auth' => 'two-factor-auth/disable', + '/oauth2/v1/' => 'oauth/', '/account/v1/info' => 'identity-info/index', diff --git a/api/controllers/TwoFactorAuthController.php b/api/controllers/TwoFactorAuthController.php index 514b8cc..b6a50ee 100644 --- a/api/controllers/TwoFactorAuthController.php +++ b/api/controllers/TwoFactorAuthController.php @@ -34,4 +34,34 @@ class TwoFactorAuthController extends Controller { return $model->getCredentials(); } + public function actionActivate() { + $account = Yii::$app->user->identity; + $model = new TwoFactorAuthForm($account, ['scenario' => TwoFactorAuthForm::SCENARIO_ACTIVATE]); + if (!$model->activate()) { + return [ + 'success' => false, + 'errors' => $model->getFirstErrors(), + ]; + } + + return [ + 'success' => true, + ]; + } + + public function actionDisable() { + $account = Yii::$app->user->identity; + $model = new TwoFactorAuthForm($account, ['scenario' => TwoFactorAuthForm::SCENARIO_DISABLE]); + if (!$model->disable()) { + return [ + 'success' => false, + 'errors' => $model->getFirstErrors(), + ]; + } + + return [ + 'success' => true, + ]; + } + } diff --git a/api/models/profile/TwoFactorAuthForm.php b/api/models/profile/TwoFactorAuthForm.php index 9c432e4..398cf33 100644 --- a/api/models/profile/TwoFactorAuthForm.php +++ b/api/models/profile/TwoFactorAuthForm.php @@ -18,7 +18,7 @@ use yii\base\ErrorException; class TwoFactorAuthForm extends ApiForm { - const SCENARIO_ENABLE = 'enable'; + const SCENARIO_ACTIVATE = 'enable'; const SCENARIO_DISABLE = 'disable'; public $token; @@ -36,11 +36,13 @@ class TwoFactorAuthForm extends ApiForm { } public function rules() { - $on = [self::SCENARIO_ENABLE, self::SCENARIO_DISABLE]; + $bothScenarios = [self::SCENARIO_ACTIVATE, self::SCENARIO_DISABLE]; return [ - ['token', 'required', 'message' => E::OTP_TOKEN_REQUIRED, 'on' => $on], - ['token', TotpValidator::class, 'account' => $this->account, 'window' => 30, 'on' => $on], - ['password', PasswordRequiredValidator::class, 'account' => $this->account, 'on' => $on], + ['account', 'validateOtpDisabled', 'on' => self::SCENARIO_ACTIVATE], + ['account', 'validateOtpEnabled', 'on' => self::SCENARIO_DISABLE], + ['token', 'required', 'message' => E::OTP_TOKEN_REQUIRED, 'on' => $bothScenarios], + ['token', TotpValidator::class, 'account' => $this->account, 'window' => 30, 'on' => $bothScenarios], + ['password', PasswordRequiredValidator::class, 'account' => $this->account, 'on' => $bothScenarios], ]; } @@ -58,6 +60,47 @@ class TwoFactorAuthForm extends ApiForm { ]; } + public function activate(): bool { + if (!$this->validate()) { + return false; + } + + $account = $this->account; + $account->is_otp_enabled = true; + if (!$account->save()) { + throw new ErrorException('Cannot enable otp for account'); + } + + return true; + } + + public function disable(): bool { + if (!$this->validate()) { + return false; + } + + $account = $this->account; + $account->is_otp_enabled = false; + $account->otp_secret = null; + if (!$account->save()) { + throw new ErrorException('Cannot disable otp for account'); + } + + return true; + } + + public function validateOtpDisabled($attribute) { + if ($this->account->is_otp_enabled) { + $this->addError($attribute, E::OTP_ALREADY_ENABLED); + } + } + + public function validateOtpEnabled($attribute) { + if (!$this->account->is_otp_enabled) { + $this->addError($attribute, E::OTP_NOT_ENABLED); + } + } + public function getAccount(): Account { return $this->account; } diff --git a/common/helpers/Error.php b/common/helpers/Error.php index 6d2347c..8425256 100644 --- a/common/helpers/Error.php +++ b/common/helpers/Error.php @@ -56,5 +56,7 @@ final class Error { const OTP_TOKEN_REQUIRED = 'error.otp_token_required'; const OTP_TOKEN_INCORRECT = 'error.otp_token_incorrect'; + const OTP_ALREADY_ENABLED = 'error.otp_already_enabled'; + const OTP_NOT_ENABLED = 'error.otp_not_enabled'; } From 6aab2592b477bc6c9b31ee3c7807abdc5a3d817f Mon Sep 17 00:00:00 2001 From: ErickSkrauch Date: Mon, 23 Jan 2017 02:07:29 +0300 Subject: [PATCH 4/8] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB=D0=B5?= =?UTF-8?q?=D0=BD=D1=8B=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=B2=D0=BA=D0=BB=D1=8E=D1=87=D0=B5=D0=BD=D0=B8=D1=8F?= =?UTF-8?q?/=D0=BE=D1=82=D0=BA=D0=BB=D1=8E=D1=87=D0=B5=D0=BD=D0=B8=D1=8F?= =?UTF-8?q?=20OTP?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- api/controllers/TwoFactorAuthController.php | 14 ++- api/models/profile/TwoFactorAuthForm.php | 4 +- common/helpers/Error.php | 4 +- .../api/_pages/TwoFactorAuthRoute.php | 17 +++- .../functional/TwoFactorAuthDisableCest.php | 61 ++++++++++++ .../functional/TwoFactorAuthEnableCest.php | 61 ++++++++++++ .../models/profile/TwoFactorAuthFormTest.php | 98 +++++++++++++++++++ .../common/fixtures/data/accounts.php | 30 ++++++ 8 files changed, 281 insertions(+), 8 deletions(-) create mode 100644 tests/codeception/api/functional/TwoFactorAuthDisableCest.php create mode 100644 tests/codeception/api/functional/TwoFactorAuthEnableCest.php diff --git a/api/controllers/TwoFactorAuthController.php b/api/controllers/TwoFactorAuthController.php index b6a50ee..6b3b925 100644 --- a/api/controllers/TwoFactorAuthController.php +++ b/api/controllers/TwoFactorAuthController.php @@ -17,16 +17,22 @@ class TwoFactorAuthController extends Controller { 'class' => AccessControl::class, 'rules' => [ [ + 'allow' => true, 'class' => ActiveUserRule::class, - 'actions' => [ - 'credentials', - ], ], ], ], ]); } + public function verbs() { + return [ + 'credentials' => ['GET'], + 'activate' => ['POST'], + 'disable' => ['DELETE'], + ]; + } + public function actionCredentials() { $account = Yii::$app->user->identity; $model = new TwoFactorAuthForm($account); @@ -37,6 +43,7 @@ class TwoFactorAuthController extends Controller { public function actionActivate() { $account = Yii::$app->user->identity; $model = new TwoFactorAuthForm($account, ['scenario' => TwoFactorAuthForm::SCENARIO_ACTIVATE]); + $model->load(Yii::$app->request->post()); if (!$model->activate()) { return [ 'success' => false, @@ -52,6 +59,7 @@ class TwoFactorAuthController extends Controller { public function actionDisable() { $account = Yii::$app->user->identity; $model = new TwoFactorAuthForm($account, ['scenario' => TwoFactorAuthForm::SCENARIO_DISABLE]); + $model->load(Yii::$app->request->getBodyParams()); if (!$model->disable()) { return [ 'success' => false, diff --git a/api/models/profile/TwoFactorAuthForm.php b/api/models/profile/TwoFactorAuthForm.php index 398cf33..907e686 100644 --- a/api/models/profile/TwoFactorAuthForm.php +++ b/api/models/profile/TwoFactorAuthForm.php @@ -61,7 +61,7 @@ class TwoFactorAuthForm extends ApiForm { } public function activate(): bool { - if (!$this->validate()) { + if ($this->scenario !== self::SCENARIO_ACTIVATE || !$this->validate()) { return false; } @@ -75,7 +75,7 @@ class TwoFactorAuthForm extends ApiForm { } public function disable(): bool { - if (!$this->validate()) { + if ($this->scenario !== self::SCENARIO_DISABLE || !$this->validate()) { return false; } diff --git a/common/helpers/Error.php b/common/helpers/Error.php index 8425256..3baa1b8 100644 --- a/common/helpers/Error.php +++ b/common/helpers/Error.php @@ -54,8 +54,8 @@ final class Error { const SUBJECT_REQUIRED = 'error.subject_required'; const MESSAGE_REQUIRED = 'error.message_required'; - const OTP_TOKEN_REQUIRED = 'error.otp_token_required'; - const OTP_TOKEN_INCORRECT = 'error.otp_token_incorrect'; + const OTP_TOKEN_REQUIRED = 'error.token_required'; + const OTP_TOKEN_INCORRECT = 'error.token_incorrect'; const OTP_ALREADY_ENABLED = 'error.otp_already_enabled'; const OTP_NOT_ENABLED = 'error.otp_not_enabled'; diff --git a/tests/codeception/api/_pages/TwoFactorAuthRoute.php b/tests/codeception/api/_pages/TwoFactorAuthRoute.php index 32ffeaa..ed677bb 100644 --- a/tests/codeception/api/_pages/TwoFactorAuthRoute.php +++ b/tests/codeception/api/_pages/TwoFactorAuthRoute.php @@ -8,9 +8,24 @@ use yii\codeception\BasePage; */ class TwoFactorAuthRoute extends BasePage { + public $route = '/two-factor-auth'; + public function credentials() { - $this->route = '/two-factor-auth'; $this->actor->sendGET($this->getUrl()); } + public function enable($token = null, $password = null) { + $this->actor->sendPOST($this->getUrl(), [ + 'token' => $token, + 'password' => $password, + ]); + } + + public function disable($token = null, $password = null) { + $this->actor->sendDELETE($this->getUrl(), [ + 'token' => $token, + 'password' => $password, + ]); + } + } diff --git a/tests/codeception/api/functional/TwoFactorAuthDisableCest.php b/tests/codeception/api/functional/TwoFactorAuthDisableCest.php new file mode 100644 index 0000000..974857e --- /dev/null +++ b/tests/codeception/api/functional/TwoFactorAuthDisableCest.php @@ -0,0 +1,61 @@ +route = new TwoFactorAuthRoute($I); + } + + public function testFails(FunctionalTester $I) { + $I->loggedInAsActiveAccount('AccountWithEnabledOtp', 'password_0'); + + $this->route->disable(); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'token' => 'error.token_required', + 'password' => 'error.password_required', + ], + ]); + + $this->route->disable('123456', 'invalid_password'); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'token' => 'error.token_incorrect', + 'password' => 'error.password_incorrect', + ], + ]); + + $I->loggedInAsActiveAccount('AccountWithOtpSecret', 'password_0'); + $this->route->disable('123456', 'invalid_password'); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'account' => 'error.otp_not_enabled', + ], + ]); + } + + public function testSuccessEnable(FunctionalTester $I) { + $I->loggedInAsActiveAccount('AccountWithEnabledOtp', 'password_0'); + $totp = new TOTP(null, 'secret-secret-secret'); + $this->route->disable($totp->now(), 'password_0'); + $I->canSeeResponseCodeIs(200); + $I->canSeeResponseIsJson(); + $I->canSeeResponseContainsJson([ + 'success' => true, + ]); + } + +} diff --git a/tests/codeception/api/functional/TwoFactorAuthEnableCest.php b/tests/codeception/api/functional/TwoFactorAuthEnableCest.php new file mode 100644 index 0000000..efec01f --- /dev/null +++ b/tests/codeception/api/functional/TwoFactorAuthEnableCest.php @@ -0,0 +1,61 @@ +route = new TwoFactorAuthRoute($I); + } + + public function testFails(FunctionalTester $I) { + $I->loggedInAsActiveAccount('AccountWithOtpSecret', 'password_0'); + + $this->route->enable(); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'token' => 'error.token_required', + 'password' => 'error.password_required', + ], + ]); + + $this->route->enable('123456', 'invalid_password'); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'token' => 'error.token_incorrect', + 'password' => 'error.password_incorrect', + ], + ]); + + $I->loggedInAsActiveAccount('AccountWithEnabledOtp', 'password_0'); + $this->route->enable('123456', 'invalid_password'); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'account' => 'error.otp_already_enabled', + ], + ]); + } + + public function testSuccessEnable(FunctionalTester $I) { + $I->loggedInAsActiveAccount('AccountWithOtpSecret', 'password_0'); + $totp = new TOTP(null, 'some otp secret value'); + $this->route->enable($totp->now(), 'password_0'); + $I->canSeeResponseCodeIs(200); + $I->canSeeResponseIsJson(); + $I->canSeeResponseContainsJson([ + 'success' => true, + ]); + } + +} diff --git a/tests/codeception/api/unit/models/profile/TwoFactorAuthFormTest.php b/tests/codeception/api/unit/models/profile/TwoFactorAuthFormTest.php index 37587da..a160805 100644 --- a/tests/codeception/api/unit/models/profile/TwoFactorAuthFormTest.php +++ b/tests/codeception/api/unit/models/profile/TwoFactorAuthFormTest.php @@ -2,7 +2,9 @@ namespace tests\codeception\api\unit\models\profile; use api\models\profile\TwoFactorAuthForm; +use common\helpers\Error as E; use common\models\Account; +use OTPHP\TOTP; use tests\codeception\api\unit\TestCase; class TwoFactorAuthFormTest extends TestCase { @@ -64,4 +66,100 @@ class TwoFactorAuthFormTest extends TestCase { $this->assertEquals('some valid totp secret value', $result['secret']); } + public function testActivate() { + /** @var Account|\PHPUnit_Framework_MockObject_MockObject $account */ + $account = $this->getMockBuilder(Account::class) + ->setMethods(['save']) + ->getMock(); + + $account->expects($this->once()) + ->method('save') + ->willReturn(true); + + $account->is_otp_enabled = false; + $account->otp_secret = 'mock secret'; + + /** @var TwoFactorAuthForm|\PHPUnit_Framework_MockObject_MockObject $model */ + $model = $this->getMockBuilder(TwoFactorAuthForm::class) + ->setMethods(['validate']) + ->setConstructorArgs([$account, ['scenario' => TwoFactorAuthForm::SCENARIO_ACTIVATE]]) + ->getMock(); + + $model->expects($this->once()) + ->method('validate') + ->willReturn(true); + + $this->assertTrue($model->activate()); + $this->assertTrue($account->is_otp_enabled); + } + + public function testDisable() { + /** @var Account|\PHPUnit_Framework_MockObject_MockObject $account */ + $account = $this->getMockBuilder(Account::class) + ->setMethods(['save']) + ->getMock(); + + $account->expects($this->once()) + ->method('save') + ->willReturn(true); + + $account->is_otp_enabled = true; + $account->otp_secret = 'mock secret'; + + /** @var TwoFactorAuthForm|\PHPUnit_Framework_MockObject_MockObject $model */ + $model = $this->getMockBuilder(TwoFactorAuthForm::class) + ->setMethods(['validate']) + ->setConstructorArgs([$account, ['scenario' => TwoFactorAuthForm::SCENARIO_DISABLE]]) + ->getMock(); + + $model->expects($this->once()) + ->method('validate') + ->willReturn(true); + + $this->assertTrue($model->disable()); + $this->assertNull($account->otp_secret); + $this->assertFalse($account->is_otp_enabled); + } + + public function testValidateOtpDisabled() { + $account = new Account(); + $account->is_otp_enabled = true; + $model = new TwoFactorAuthForm($account); + $model->validateOtpDisabled('account'); + $this->assertEquals([E::OTP_ALREADY_ENABLED], $model->getErrors('account')); + + $account = new Account(); + $account->is_otp_enabled = false; + $model = new TwoFactorAuthForm($account); + $model->validateOtpDisabled('account'); + $this->assertEmpty($model->getErrors('account')); + } + + public function testValidateOtpEnabled() { + $account = new Account(); + $account->is_otp_enabled = false; + $model = new TwoFactorAuthForm($account); + $model->validateOtpEnabled('account'); + $this->assertEquals([E::OTP_NOT_ENABLED], $model->getErrors('account')); + + $account = new Account(); + $account->is_otp_enabled = true; + $model = new TwoFactorAuthForm($account); + $model->validateOtpEnabled('account'); + $this->assertEmpty($model->getErrors('account')); + } + + public function testGetTotp() { + $account = new Account(); + $account->otp_secret = 'mock secret'; + $account->email = 'check@this.email'; + + $model = new TwoFactorAuthForm($account); + $totp = $model->getTotp(); + $this->assertInstanceOf(TOTP::class, $totp); + $this->assertEquals('check@this.email', $totp->getLabel()); + $this->assertEquals('mock secret', $totp->getSecret()); + $this->assertEquals('Ely.by', $totp->getIssuer()); + } + } diff --git a/tests/codeception/common/fixtures/data/accounts.php b/tests/codeception/common/fixtures/data/accounts.php index 33db104..c8c79d3 100644 --- a/tests/codeception/common/fixtures/data/accounts.php +++ b/tests/codeception/common/fixtures/data/accounts.php @@ -146,4 +146,34 @@ return [ 'created_at' => 1474404139, 'updated_at' => 1474404149, ], + 'account-with-otp-secret' => [ + 'id' => 12, + 'uuid' => '9e9dcd11-2322-46dc-a992-e822a422726e', + 'username' => 'AccountWithOtpSecret', + 'email' => 'sava-galkin@mail.ru', + 'password_hash' => '$2y$13$2rYkap5T6jG8z/mMK8a3Ou6aZxJcmAaTha6FEuujvHEmybSHRzW5e', # password_0 + 'password_hash_strategy' => \common\models\Account::PASS_HASH_STRATEGY_YII2, + 'lang' => 'ru', + 'status' => \common\models\Account::STATUS_ACTIVE, + 'rules_agreement_version' => \common\LATEST_RULES_VERSION, + 'otp_secret' => 'some otp secret value', + 'is_otp_enabled' => false, + 'created_at' => 1485124615, + 'updated_at' => 1485124615, + ], + 'account-with-enabled-otp' => [ + 'id' => 13, + 'uuid' => '15d0afa7-a2bb-44d3-9f31-964cbccc6043', + 'username' => 'AccountWithEnabledOtp', + 'email' => 'otp@gmail.com', + 'password_hash' => '$2y$13$2rYkap5T6jG8z/mMK8a3Ou6aZxJcmAaTha6FEuujvHEmybSHRzW5e', # password_0 + 'password_hash_strategy' => \common\models\Account::PASS_HASH_STRATEGY_YII2, + 'lang' => 'ru', + 'status' => \common\models\Account::STATUS_ACTIVE, + 'rules_agreement_version' => \common\LATEST_RULES_VERSION, + 'otp_secret' => 'secret-secret-secret', + 'is_otp_enabled' => true, + 'created_at' => 1485124685, + 'updated_at' => 1485124685, + ], ]; From a2e1e9a805420ee795f855d38baae9734944c926 Mon Sep 17 00:00:00 2001 From: ErickSkrauch Date: Mon, 23 Jan 2017 14:22:20 +0300 Subject: [PATCH 5/8] =?UTF-8?q?=D0=92=20=D1=84=D0=BE=D1=80=D0=BC=D1=83=20?= =?UTF-8?q?=D0=B2=D1=85=D0=BE=D0=B4=D0=B0=20=D0=B2=D0=BD=D0=B5=D0=B4=D1=80?= =?UTF-8?q?=D0=B5=D0=BD=D0=B0=20=D0=BF=D1=80=D0=BE=D0=B2=D0=B5=D1=80=D0=BA?= =?UTF-8?q?=D0=B0=20=D0=BD=D0=B0=20=D0=BD=D0=B0=D0=BB=D0=B8=D1=87=D0=B8?= =?UTF-8?q?=D0=B5=20=D0=B2=D0=BA=D0=BB=D1=8E=D1=87=D1=91=D0=BD=D0=BD=D0=BE?= =?UTF-8?q?=D0=B9=20OTP=20=D0=B0=D0=B2=D1=82=D0=BE=D1=80=D0=B8=D0=B7=D0=B0?= =?UTF-8?q?=D1=86=D0=B8=D0=B8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- api/models/authentication/LoginForm.php | 23 +++++ .../api/_pages/AuthenticationRoute.php | 12 ++- .../codeception/api/functional/LoginCest.php | 63 ++++++++++++++ .../models/authentication/LoginFormTest.php | 85 +++++++++++++------ 4 files changed, 153 insertions(+), 30 deletions(-) diff --git a/api/models/authentication/LoginForm.php b/api/models/authentication/LoginForm.php index c1ad5e6..004dc79 100644 --- a/api/models/authentication/LoginForm.php +++ b/api/models/authentication/LoginForm.php @@ -3,6 +3,7 @@ namespace api\models\authentication; use api\models\AccountIdentity; use api\models\base\ApiForm; +use api\validators\TotpValidator; use common\helpers\Error as E; use api\traits\AccountFinder; use common\models\Account; @@ -16,6 +17,7 @@ class LoginForm extends ApiForm { public $login; public $password; + public $token; public $rememberMe = false; public function rules() { @@ -28,6 +30,11 @@ class LoginForm extends ApiForm { }, 'message' => E::PASSWORD_REQUIRED], ['password', 'validatePassword'], + ['token', 'required', 'when' => function(self $model) { + return !$model->hasErrors() && $model->getAccount()->is_otp_enabled; + }, 'message' => E::OTP_TOKEN_REQUIRED], + ['token', 'validateTotpToken'], + ['login', 'validateActivity'], ['rememberMe', 'boolean'], @@ -51,6 +58,22 @@ class LoginForm extends ApiForm { } } + public function validateTotpToken($attribute) { + if ($this->hasErrors()) { + return; + } + + $account = $this->getAccount(); + if (!$account->is_otp_enabled) { + return; + } + + $validator = new TotpValidator(['account' => $account]); + if (!$validator->validate($this->token, $error)) { + $this->addError($attribute, $error); + } + } + public function validateActivity($attribute) { if (!$this->hasErrors()) { $account = $this->getAccount(); diff --git a/tests/codeception/api/_pages/AuthenticationRoute.php b/tests/codeception/api/_pages/AuthenticationRoute.php index 7ed0042..087bb55 100644 --- a/tests/codeception/api/_pages/AuthenticationRoute.php +++ b/tests/codeception/api/_pages/AuthenticationRoute.php @@ -8,15 +8,23 @@ use yii\codeception\BasePage; */ class AuthenticationRoute extends BasePage { - public function login($login = '', $password = '', $rememberMe = false) { + /** + * @param string $login + * @param string $password + * @param string|bool|null $rememberMeOrToken + * @param bool $rememberMe + */ + public function login($login = '', $password = '', $rememberMeOrToken = null, $rememberMe = false) { $this->route = ['authentication/login']; $params = [ 'login' => $login, 'password' => $password, ]; - if ($rememberMe) { + if ((is_bool($rememberMeOrToken) && $rememberMeOrToken) || $rememberMe) { $params['rememberMe'] = 1; + } elseif ($rememberMeOrToken !== null) { + $params['token'] = $rememberMeOrToken; } $this->actor->sendPOST($this->getUrl(), $params); diff --git a/tests/codeception/api/functional/LoginCest.php b/tests/codeception/api/functional/LoginCest.php index 4c39e63..ab11f50 100644 --- a/tests/codeception/api/functional/LoginCest.php +++ b/tests/codeception/api/functional/LoginCest.php @@ -1,6 +1,7 @@ wantTo('see token don\'t have errors if email, username or token not set'); + $route->login(); + $I->canSeeResponseContainsJson([ + 'success' => false, + ]); + $I->cantSeeResponseJsonMatchesJsonPath('$.errors.token'); + + $I->wantTo('see token don\'t have errors if username not exists in database'); + $route->login('non-exist-username', 'random-password'); + $I->canSeeResponseContainsJson([ + 'success' => false, + ]); + $I->cantSeeResponseJsonMatchesJsonPath('$.errors.token'); + + $I->wantTo('see token don\'t has errors if email not exists in database'); + $route->login('not-exist@user.com', 'random-password'); + $I->canSeeResponseContainsJson([ + 'success' => false, + ]); + $I->cantSeeResponseJsonMatchesJsonPath('$.errors.token'); + + $I->wantTo('see token don\'t has errors if email correct, but password wrong'); + $route->login('not-exist@user.com', 'random-password'); + $I->canSeeResponseContainsJson([ + 'success' => false, + ]); + $I->cantSeeResponseJsonMatchesJsonPath('$.errors.token'); + + $I->wantTo('see error.token_required if username and password correct, but account have enable otp'); + $route->login('AccountWithEnabledOtp', 'password_0'); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'token' => 'error.token_required', + ], + ]); + + $I->wantTo('see error.token_incorrect if username and password correct, but token wrong'); + $route->login('AccountWithEnabledOtp', 'password_0', '123456'); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'token' => 'error.token_incorrect', + ], + ]); + } + public function testLoginByUsernameCorrect(FunctionalTester $I) { $route = new AuthenticationRoute($I); @@ -151,4 +202,16 @@ class LoginCest { $I->canSeeAuthCredentials(true); } + public function testLoginByAccountWithOtp(FunctionalTester $I) { + $route = new AuthenticationRoute($I); + + $I->wantTo('login into account with enabled otp'); + $route->login('AccountWithEnabledOtp', 'password_0', (new TOTP(null, 'secret-secret-secret'))->now()); + $I->canSeeResponseContainsJson([ + 'success' => true, + ]); + $I->cantSeeResponseJsonMatchesJsonPath('$.errors'); + $I->canSeeAuthCredentials(false); + } + } diff --git a/tests/codeception/api/unit/models/authentication/LoginFormTest.php b/tests/codeception/api/unit/models/authentication/LoginFormTest.php index e32f243..0cf524e 100644 --- a/tests/codeception/api/unit/models/authentication/LoginFormTest.php +++ b/tests/codeception/api/unit/models/authentication/LoginFormTest.php @@ -6,6 +6,7 @@ use api\models\AccountIdentity; use api\models\authentication\LoginForm; use Codeception\Specify; use common\models\Account; +use OTPHP\TOTP; use tests\codeception\api\unit\TestCase; use tests\codeception\common\fixtures\AccountFixture; @@ -38,7 +39,7 @@ class LoginFormTest extends TestCase { 'account' => null, ]); $model->validateLogin('login'); - expect($model->getErrors('login'))->equals(['error.login_not_exist']); + $this->assertEquals(['error.login_not_exist'], $model->getErrors('login')); }); $this->specify('no errors if login exists', function () { @@ -47,7 +48,7 @@ class LoginFormTest extends TestCase { 'account' => new AccountIdentity(), ]); $model->validateLogin('login'); - expect($model->getErrors('login'))->isEmpty(); + $this->assertEmpty($model->getErrors('login')); }); } @@ -58,7 +59,7 @@ class LoginFormTest extends TestCase { 'account' => new AccountIdentity(['password' => '12345678']), ]); $model->validatePassword('password'); - expect($model->getErrors('password'))->equals(['error.password_incorrect']); + $this->assertEquals(['error.password_incorrect'], $model->getErrors('password')); }); $this->specify('no errors if password valid', function () { @@ -67,7 +68,35 @@ class LoginFormTest extends TestCase { 'account' => new AccountIdentity(['password' => '12345678']), ]); $model->validatePassword('password'); - expect($model->getErrors('password'))->isEmpty(); + $this->assertEmpty($model->getErrors('password')); + }); + } + + public function testValidateTotpToken() { + $account = new AccountIdentity(['password' => '12345678']); + $account->password = '12345678'; + $account->is_otp_enabled = true; + $account->otp_secret = 'mock secret'; + + $this->specify('error.token_incorrect if totp invalid', function() use ($account) { + $model = $this->createModel([ + 'password' => '12345678', + 'token' => '321123', + 'account' => $account, + ]); + $model->validateTotpToken('token'); + $this->assertEquals(['error.token_incorrect'], $model->getErrors('token')); + }); + + $totp = new TOTP(null, 'mock secret'); + $this->specify('no errors if password valid', function() use ($account, $totp) { + $model = $this->createModel([ + 'password' => '12345678', + 'token' => $totp->now(), + 'account' => $account, + ]); + $model->validateTotpToken('token'); + $this->assertEmpty($model->getErrors('token')); }); } @@ -77,7 +106,7 @@ class LoginFormTest extends TestCase { 'account' => new AccountIdentity(['status' => Account::STATUS_REGISTERED]), ]); $model->validateActivity('login'); - expect($model->getErrors('login'))->equals(['error.account_not_activated']); + $this->assertEquals(['error.account_not_activated'], $model->getErrors('login')); }); $this->specify('error.account_banned if account has banned status', function () { @@ -85,7 +114,7 @@ class LoginFormTest extends TestCase { 'account' => new AccountIdentity(['status' => Account::STATUS_BANNED]), ]); $model->validateActivity('login'); - expect($model->getErrors('login'))->equals(['error.account_banned']); + $this->assertEquals(['error.account_banned'], $model->getErrors('login')); }); $this->specify('no errors if account active', function () { @@ -93,36 +122,36 @@ class LoginFormTest extends TestCase { 'account' => new AccountIdentity(['status' => Account::STATUS_ACTIVE]), ]); $model->validateActivity('login'); - expect($model->getErrors('login'))->isEmpty(); + $this->assertEmpty($model->getErrors('login')); }); } public function testLogin() { - $this->specify('user should be able to login with correct username and password', function () { - $model = $this->createModel([ - 'login' => 'erickskrauch', + $model = $this->createModel([ + 'login' => 'erickskrauch', + 'password' => '12345678', + 'account' => new AccountIdentity([ + 'username' => 'erickskrauch', 'password' => '12345678', - 'account' => new AccountIdentity([ - 'username' => 'erickskrauch', - 'password' => '12345678', - 'status' => Account::STATUS_ACTIVE, - ]), - ]); - expect('model should login user', $model->login())->isInstanceOf(LoginResult::class); - expect('error message should not be set', $model->errors)->isEmpty(); - }); + 'status' => Account::STATUS_ACTIVE, + ]), + ]); + $this->assertInstanceOf(LoginResult::class, $model->login(), 'model should login user'); + $this->assertEmpty($model->getErrors(), 'error message should not be set'); } public function testLoginWithRehashing() { - $this->specify('user, that login using account with old pass hash strategy should update it automatically', function () { - $model = new LoginForm([ - 'login' => $this->tester->grabFixture('accounts', 'user-with-old-password-type')['username'], - 'password' => '12345678', - ]); - expect($model->login())->isInstanceOf(LoginResult::class); - expect($model->errors)->isEmpty(); - expect($model->getAccount()->password_hash_strategy)->equals(Account::PASS_HASH_STRATEGY_YII2); - }); + $model = new LoginForm([ + 'login' => $this->tester->grabFixture('accounts', 'user-with-old-password-type')['username'], + 'password' => '12345678', + ]); + $this->assertInstanceOf(LoginResult::class, $model->login()); + $this->assertEmpty($model->getErrors()); + $this->assertEquals( + Account::PASS_HASH_STRATEGY_YII2, + $model->getAccount()->password_hash_strategy, + 'user, that login using account with old pass hash strategy should update it automatically' + ); } /** From e82b8aa8cfb3d2d8604ba56445c7cb204becd823 Mon Sep 17 00:00:00 2001 From: ErickSkrauch Date: Mon, 23 Jan 2017 14:38:21 +0300 Subject: [PATCH 6/8] =?UTF-8?q?=D0=92=20=D0=B7=D0=B0=D0=BF=D1=80=D0=BE?= =?UTF-8?q?=D1=81=20/currect=20=D0=B4=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB=D0=B5?= =?UTF-8?q?=D0=BD=20=D0=B2=D1=8B=D0=B2=D0=BE=D0=B4=20=D1=81=D0=BE=D1=81?= =?UTF-8?q?=D1=82=D0=BE=D1=8F=D0=BD=D0=B8=D1=8F=20=D0=B2=D0=BA=D0=BB=D1=8E?= =?UTF-8?q?=D1=87=D1=91=D0=BD=D0=BD=D0=BE=D1=81=D1=82=D0=B8=20OTP=20=D0=B0?= =?UTF-8?q?=D0=B2=D1=82=D0=BE=D1=80=D0=B8=D0=B7=D0=B0=D1=86=D0=B8=D0=B8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- api/controllers/AccountsController.php | 1 + tests/codeception/api/functional/AccountsCurrentCest.php | 1 + 2 files changed, 2 insertions(+) diff --git a/api/controllers/AccountsController.php b/api/controllers/AccountsController.php index cec7384..ec3fdba 100644 --- a/api/controllers/AccountsController.php +++ b/api/controllers/AccountsController.php @@ -69,6 +69,7 @@ class AccountsController extends Controller { 'passwordChangedAt' => $account->password_changed_at, 'hasMojangUsernameCollision' => $account->hasMojangUsernameCollision(), 'shouldAcceptRules' => !$account->isAgreedWithActualRules(), + 'isOtpEnabled' => (bool)$account->is_otp_enabled, ]; } diff --git a/tests/codeception/api/functional/AccountsCurrentCest.php b/tests/codeception/api/functional/AccountsCurrentCest.php index cc4daa2..ef4e4df 100644 --- a/tests/codeception/api/functional/AccountsCurrentCest.php +++ b/tests/codeception/api/functional/AccountsCurrentCest.php @@ -29,6 +29,7 @@ class AccountsCurrentCest { 'isActive' => true, 'hasMojangUsernameCollision' => false, 'shouldAcceptRules' => false, + 'isOtpEnabled' => false, ]); $I->canSeeResponseJsonMatchesJsonPath('$.passwordChangedAt'); } From 4695b6e72444fabf590707c3c807cadcfb916a55 Mon Sep 17 00:00:00 2001 From: ErickSkrauch Date: Mon, 23 Jan 2017 23:50:13 +0300 Subject: [PATCH 7/8] =?UTF-8?q?=D0=92=D0=BD=D0=B5=D0=B4=D1=80=D0=B5=D0=BD?= =?UTF-8?q?=D0=B0=20=D0=B2=D0=B0=D0=BB=D0=B8=D0=B4=D0=B0=D1=86=D0=B8=D1=8F?= =?UTF-8?q?=20OTP=20=D0=B2=20=D0=BF=D1=80=D0=BE=D1=86=D0=B5=D1=81=D1=81=20?= =?UTF-8?q?=D0=B2=D0=BE=D1=81=D1=81=D1=82=D0=B0=D0=BD=D0=BE=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D0=B8=D1=8F=20=D0=BF=D0=B0=D1=80=D0=BE=D0=BB=D1=8F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../authentication/ForgotPasswordForm.php | 20 ++++ api/models/authentication/LoginForm.php | 4 +- .../api/_pages/AuthenticationRoute.php | 3 +- .../api/functional/ForgotPasswordCest.php | 98 +++++++++++++++---- .../authentication/ForgotPasswordFormTest.php | 18 +++- 5 files changed, 119 insertions(+), 24 deletions(-) diff --git a/api/models/authentication/ForgotPasswordForm.php b/api/models/authentication/ForgotPasswordForm.php index 23b302a..a947f82 100644 --- a/api/models/authentication/ForgotPasswordForm.php +++ b/api/models/authentication/ForgotPasswordForm.php @@ -2,6 +2,7 @@ namespace api\models\authentication; use api\models\base\ApiForm; +use api\validators\TotpValidator; use common\helpers\Error as E; use api\traits\AccountFinder; use common\components\UserFriendlyRandomKey; @@ -16,11 +17,16 @@ class ForgotPasswordForm extends ApiForm { use AccountFinder; public $login; + public $token; public function rules() { return [ ['login', 'required', 'message' => E::LOGIN_REQUIRED], ['login', 'validateLogin'], + ['token', 'required', 'when' => function(self $model) { + return !$this->hasErrors() && $model->getAccount()->is_otp_enabled; + }, 'message' => E::OTP_TOKEN_REQUIRED], + ['token', 'validateTotpToken'], ['login', 'validateActivity'], ['login', 'validateFrequency'], ]; @@ -34,6 +40,20 @@ class ForgotPasswordForm extends ApiForm { } } + public function validateTotpToken($attribute) { + if ($this->hasErrors()) { + return; + } + + $account = $this->getAccount(); + if (!$account->is_otp_enabled) { + return; + } + + $validator = new TotpValidator(['account' => $account]); + $validator->validateAttribute($this, $attribute); + } + public function validateActivity($attribute) { if (!$this->hasErrors()) { $account = $this->getAccount(); diff --git a/api/models/authentication/LoginForm.php b/api/models/authentication/LoginForm.php index 004dc79..044c4ee 100644 --- a/api/models/authentication/LoginForm.php +++ b/api/models/authentication/LoginForm.php @@ -69,9 +69,7 @@ class LoginForm extends ApiForm { } $validator = new TotpValidator(['account' => $account]); - if (!$validator->validate($this->token, $error)) { - $this->addError($attribute, $error); - } + $validator->validateAttribute($this, $attribute); } public function validateActivity($attribute) { diff --git a/tests/codeception/api/_pages/AuthenticationRoute.php b/tests/codeception/api/_pages/AuthenticationRoute.php index 087bb55..bfe5784 100644 --- a/tests/codeception/api/_pages/AuthenticationRoute.php +++ b/tests/codeception/api/_pages/AuthenticationRoute.php @@ -35,10 +35,11 @@ class AuthenticationRoute extends BasePage { $this->actor->sendPOST($this->getUrl()); } - public function forgotPassword($login = '') { + public function forgotPassword($login = null, $token = null) { $this->route = ['authentication/forgot-password']; $this->actor->sendPOST($this->getUrl(), [ 'login' => $login, + 'token' => $token, ]); } diff --git a/tests/codeception/api/functional/ForgotPasswordCest.php b/tests/codeception/api/functional/ForgotPasswordCest.php index 5f36a93..0444838 100644 --- a/tests/codeception/api/functional/ForgotPasswordCest.php +++ b/tests/codeception/api/functional/ForgotPasswordCest.php @@ -1,41 +1,87 @@ wantTo('create new password recover request by passing email'); - $route->forgotPassword('admin@ely.by'); + public function _before(FunctionalTester $I) { + $this->route = new AuthenticationRoute($I); + } + + public function testWrongInput(FunctionalTester $I) { + $I->wantTo('see reaction on invalid input'); + + $this->route->forgotPassword(); $I->canSeeResponseContainsJson([ - 'success' => true, + 'success' => false, + 'errors' => [ + 'login' => 'error.login_required', + ], ]); - $I->canSeeResponseJsonMatchesJsonPath('$.data.canRepeatIn'); - $I->canSeeResponseJsonMatchesJsonPath('$.data.repeatFrequency'); + + $this->route->forgotPassword('becauseimbatman!'); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'login' => 'error.login_not_exist', + ], + ]); + + $this->route->forgotPassword('AccountWithEnabledOtp'); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'token' => 'error.token_required', + ], + ]); + + $this->route->forgotPassword('AccountWithEnabledOtp'); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'token' => 'error.token_required', + ], + ]); + + $this->route->forgotPassword('AccountWithEnabledOtp', '123456'); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'token' => 'error.token_incorrect', + ], + ]); + } + + public function testForgotPasswordByEmail(FunctionalTester $I) { + $I->wantTo('create new password recover request by passing email'); + $this->route->forgotPassword('admin@ely.by'); + $this->assertSuccessResponse($I, false); } public function testForgotPasswordByUsername(FunctionalTester $I) { - $route = new AuthenticationRoute($I); - $I->wantTo('create new password recover request by passing username'); - $route->forgotPassword('Admin'); - $I->canSeeResponseContainsJson([ - 'success' => true, - ]); - $I->canSeeResponseJsonMatchesJsonPath('$.data.canRepeatIn'); - $I->canSeeResponseJsonMatchesJsonPath('$.data.repeatFrequency'); - $I->canSeeResponseJsonMatchesJsonPath('$.data.emailMask'); + $this->route->forgotPassword('Admin'); + $this->assertSuccessResponse($I, true); + } + + public function testForgotPasswordByAccountWithOtp(FunctionalTester $I) { + $I->wantTo('create new password recover request by passing username and otp token'); + $totp = new TOTP(null, 'secret-secret-secret'); + $this->route->forgotPassword('AccountWithEnabledOtp', $totp->now()); + $this->assertSuccessResponse($I, true); } public function testDataForFrequencyError(FunctionalTester $I) { - $route = new AuthenticationRoute($I); - $I->wantTo('get info about time to repeat recover password request'); - $route->forgotPassword('Notch'); + $this->route->forgotPassword('Notch'); $I->canSeeResponseContainsJson([ 'success' => false, 'errors' => [ @@ -46,4 +92,18 @@ class ForgotPasswordCest { $I->canSeeResponseJsonMatchesJsonPath('$.data.repeatFrequency'); } + /** + * @param FunctionalTester $I + */ + private function assertSuccessResponse(FunctionalTester $I, bool $expectEmailMask = false): void { + $I->canSeeResponseContainsJson([ + 'success' => true, + ]); + $I->canSeeResponseJsonMatchesJsonPath('$.data.canRepeatIn'); + $I->canSeeResponseJsonMatchesJsonPath('$.data.repeatFrequency'); + if ($expectEmailMask) { + $I->canSeeResponseJsonMatchesJsonPath('$.data.emailMask'); + } + } + } diff --git a/tests/codeception/api/unit/models/authentication/ForgotPasswordFormTest.php b/tests/codeception/api/unit/models/authentication/ForgotPasswordFormTest.php index dc68fb5..c97723f 100644 --- a/tests/codeception/api/unit/models/authentication/ForgotPasswordFormTest.php +++ b/tests/codeception/api/unit/models/authentication/ForgotPasswordFormTest.php @@ -4,6 +4,7 @@ namespace codeception\api\unit\models\authentication; use api\models\authentication\ForgotPasswordForm; use Codeception\Specify; use common\models\EmailActivation; +use OTPHP\TOTP; use tests\codeception\api\unit\TestCase; use tests\codeception\common\fixtures\AccountFixture; use tests\codeception\common\fixtures\EmailActivationFixture; @@ -18,7 +19,7 @@ class ForgotPasswordFormTest extends TestCase { ]; } - public function testValidateAccount() { + public function testValidateLogin() { $this->specify('error.login_not_exist if login is invalid', function() { $model = new ForgotPasswordForm(['login' => 'unexist']); $model->validateLogin('login'); @@ -32,6 +33,21 @@ class ForgotPasswordFormTest extends TestCase { }); } + public function testValidateTotpToken() { + $model = new ForgotPasswordForm(); + $model->login = 'AccountWithEnabledOtp'; + $model->token = '123456'; + $model->validateTotpToken('token'); + $this->assertEquals(['error.token_incorrect'], $model->getErrors('token')); + + $totp = new TOTP(null, 'secret-secret-secret'); + $model = new ForgotPasswordForm(); + $model->login = 'AccountWithEnabledOtp'; + $model->token = $totp->now(); + $model->validateTotpToken('token'); + $this->assertEmpty($model->getErrors('token')); + } + public function testValidateActivity() { $this->specify('error.account_not_activated if account is not confirmed', function() { $model = new ForgotPasswordForm([ From fbaf48591fa2165b6cecd0163f93d6132a272a5a Mon Sep 17 00:00:00 2001 From: ErickSkrauch Date: Tue, 24 Jan 2017 02:00:08 +0300 Subject: [PATCH 8/8] =?UTF-8?q?=D0=A0=D0=B5=D0=BE=D1=80=D0=B3=D0=B0=D0=BD?= =?UTF-8?q?=D0=B8=D0=B7=D0=BE=D0=B2=D0=B0=D0=BD=20=D0=BF=D1=80=D0=BE=D1=86?= =?UTF-8?q?=D0=B5=D1=81=D1=81=20=D0=B0=D0=B2=D1=82=D0=BE=D1=80=D0=B8=D0=B7?= =?UTF-8?q?=D0=B0=D1=86=D0=B8=D0=B8=20=D0=B4=D0=BB=D1=8F=20=D1=84=D1=83?= =?UTF-8?q?=D0=BD=D0=BA=D1=86=D0=B8=D0=BE=D0=BD=D0=B0=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D1=85=20=D1=82=D0=B5=D1=81=D1=82=D0=BE=D0=B2?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../api/_support/FunctionalTester.php | 26 +++++++------------ .../functional/AccountsAcceptRulesCest.php | 2 +- ...AccountsChangeEmailConfirmNewEmailCest.php | 2 +- .../AccountsChangeEmailInitializeCest.php | 4 +-- .../AccountsChangeEmailSubmitNewEmailCest.php | 2 +- .../api/functional/AccountsChangeLangCest.php | 2 +- .../functional/AccountsChangePasswordCest.php | 2 +- .../functional/AccountsChangeUsernameCest.php | 4 +-- .../api/functional/AccountsCurrentCest.php | 2 +- .../codeception/api/functional/LogoutCest.php | 2 +- .../api/functional/OauthAuthCodeCest.php | 12 ++++----- .../TwoFactorAuthCredentialsCest.php | 2 +- .../functional/TwoFactorAuthDisableCest.php | 6 ++--- .../functional/TwoFactorAuthEnableCest.php | 6 ++--- .../api/functional/_steps/AuthserverSteps.php | 6 ++--- .../api/functional/_steps/OauthSteps.php | 2 +- .../functional/authserver/InvalidateCest.php | 2 +- .../api/functional/authserver/RefreshCest.php | 2 +- .../functional/authserver/ValidateCest.php | 2 +- .../api/functional/sessionserver/JoinCest.php | 4 +-- .../sessionserver/JoinLegacyCest.php | 4 +-- 21 files changed, 44 insertions(+), 52 deletions(-) diff --git a/tests/codeception/api/_support/FunctionalTester.php b/tests/codeception/api/_support/FunctionalTester.php index a06b732..e8b42d1 100644 --- a/tests/codeception/api/_support/FunctionalTester.php +++ b/tests/codeception/api/_support/FunctionalTester.php @@ -1,10 +1,10 @@ login = 'Admin'; - $form->password = 'password_0'; - } elseif ($login !== null && $password !== null) { - $form->login = $login; - $form->password = $password; - } else { - throw new InvalidArgumentException('login and password should be presented both.'); + public function amAuthenticated(string $asUsername = 'admin') { + /** @var AccountIdentity $account */ + $account = AccountIdentity::findOne(['username' => $asUsername]); + if ($account === null) { + throw new InvalidArgumentException("Cannot find account for username \"$asUsername\""); } - $result = $form->login(); - $this->assertInstanceOf(LoginResult::class, $result); - if ($result !== false) { - $this->amBearerAuthenticated($result->getJwt()); - } + $result = Yii::$app->user->login($account); + $this->amBearerAuthenticated($result->getJwt()); } public function notLoggedIn() { diff --git a/tests/codeception/api/functional/AccountsAcceptRulesCest.php b/tests/codeception/api/functional/AccountsAcceptRulesCest.php index 4f6fee7..ae8269d 100644 --- a/tests/codeception/api/functional/AccountsAcceptRulesCest.php +++ b/tests/codeception/api/functional/AccountsAcceptRulesCest.php @@ -16,7 +16,7 @@ class AccountsAcceptRulesCest { } public function testCurrent(FunctionalTester $I) { - $I->loggedInAsActiveAccount('Veleyaba', 'password_0'); + $I->amAuthenticated('Veleyaba'); $this->route->acceptRules(); $I->canSeeResponseCodeIs(200); $I->canSeeResponseIsJson(); diff --git a/tests/codeception/api/functional/AccountsChangeEmailConfirmNewEmailCest.php b/tests/codeception/api/functional/AccountsChangeEmailConfirmNewEmailCest.php index 0b8016d..53b31d8 100644 --- a/tests/codeception/api/functional/AccountsChangeEmailConfirmNewEmailCest.php +++ b/tests/codeception/api/functional/AccountsChangeEmailConfirmNewEmailCest.php @@ -17,7 +17,7 @@ class AccountsChangeEmailConfirmNewEmailCest { public function testConfirmNewEmail(FunctionalTester $I) { $I->wantTo('change my email and get changed value'); - $I->loggedInAsActiveAccount('CrafterGameplays', 'password_0'); + $I->amAuthenticated('CrafterGameplays'); $this->route->changeEmailConfirmNewEmail('H28HBDCHHAG2HGHGHS'); $I->canSeeResponseCodeIs(200); diff --git a/tests/codeception/api/functional/AccountsChangeEmailInitializeCest.php b/tests/codeception/api/functional/AccountsChangeEmailInitializeCest.php index 5e1f6b9..0dfa82e 100644 --- a/tests/codeception/api/functional/AccountsChangeEmailInitializeCest.php +++ b/tests/codeception/api/functional/AccountsChangeEmailInitializeCest.php @@ -17,7 +17,7 @@ class AccountsChangeEmailInitializeCest { public function testChangeEmailInitialize(FunctionalTester $I) { $I->wantTo('send current email confirmation'); - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $this->route->changeEmailInitialize('password_0'); $I->canSeeResponseCodeIs(200); @@ -29,7 +29,7 @@ class AccountsChangeEmailInitializeCest { public function testChangeEmailInitializeFrequencyError(FunctionalTester $I) { $I->wantTo('see change email request frequency error'); - $I->loggedInAsActiveAccount('ILLIMUNATI', 'password_0'); + $I->amAuthenticated('ILLIMUNATI'); $this->route->changeEmailInitialize('password_0'); $I->canSeeResponseContainsJson([ diff --git a/tests/codeception/api/functional/AccountsChangeEmailSubmitNewEmailCest.php b/tests/codeception/api/functional/AccountsChangeEmailSubmitNewEmailCest.php index f70ac36..d09383b 100644 --- a/tests/codeception/api/functional/AccountsChangeEmailSubmitNewEmailCest.php +++ b/tests/codeception/api/functional/AccountsChangeEmailSubmitNewEmailCest.php @@ -18,7 +18,7 @@ class AccountsChangeEmailSubmitNewEmailCest { public function testSubmitNewEmail(FunctionalTester $I) { $I->wantTo('submit new email'); - $I->loggedInAsActiveAccount('ILLIMUNATI', 'password_0'); + $I->amAuthenticated('ILLIMUNATI'); $this->route->changeEmailSubmitNewEmail('H27HBDCHHAG2HGHGHS', 'my-new-email@ely.by'); $I->canSeeResponseCodeIs(200); diff --git a/tests/codeception/api/functional/AccountsChangeLangCest.php b/tests/codeception/api/functional/AccountsChangeLangCest.php index 4fc16fb..ffe229f 100644 --- a/tests/codeception/api/functional/AccountsChangeLangCest.php +++ b/tests/codeception/api/functional/AccountsChangeLangCest.php @@ -18,7 +18,7 @@ class AccountsChangeLangCest { public function testSubmitNewEmail(FunctionalTester $I) { $I->wantTo('change my account language'); - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $this->route->changeLang('ru'); $I->canSeeResponseCodeIs(200); diff --git a/tests/codeception/api/functional/AccountsChangePasswordCest.php b/tests/codeception/api/functional/AccountsChangePasswordCest.php index 099d809..056a340 100644 --- a/tests/codeception/api/functional/AccountsChangePasswordCest.php +++ b/tests/codeception/api/functional/AccountsChangePasswordCest.php @@ -27,7 +27,7 @@ class AccountsChangePasswordCest { public function testChangePassword(FunctionalTester $I) { $I->wantTo('change my password'); - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $this->route->changePassword('password_0', 'new-password', 'new-password'); $I->canSeeResponseCodeIs(200); diff --git a/tests/codeception/api/functional/AccountsChangeUsernameCest.php b/tests/codeception/api/functional/AccountsChangeUsernameCest.php index 73c54e6..b4a696f 100644 --- a/tests/codeception/api/functional/AccountsChangeUsernameCest.php +++ b/tests/codeception/api/functional/AccountsChangeUsernameCest.php @@ -26,7 +26,7 @@ class AccountsChangeUsernameCest { public function testChangeUsername(FunctionalTester $I) { $I->wantTo('change my nickname'); - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $this->route->changeUsername('password_0', 'bruce_wayne'); $I->canSeeResponseCodeIs(200); @@ -38,7 +38,7 @@ class AccountsChangeUsernameCest { public function testChangeUsernameNotAvailable(FunctionalTester $I) { $I->wantTo('see, that nickname "in use" is not available'); - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $this->route->changeUsername('password_0', 'Jon'); $I->canSeeResponseCodeIs(200); diff --git a/tests/codeception/api/functional/AccountsCurrentCest.php b/tests/codeception/api/functional/AccountsCurrentCest.php index ef4e4df..c53be87 100644 --- a/tests/codeception/api/functional/AccountsCurrentCest.php +++ b/tests/codeception/api/functional/AccountsCurrentCest.php @@ -16,7 +16,7 @@ class AccountsCurrentCest { } public function testCurrent(FunctionalTester $I) { - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $this->route->current(); $I->canSeeResponseCodeIs(200); diff --git a/tests/codeception/api/functional/LogoutCest.php b/tests/codeception/api/functional/LogoutCest.php index 5acaa92..f0235ae 100644 --- a/tests/codeception/api/functional/LogoutCest.php +++ b/tests/codeception/api/functional/LogoutCest.php @@ -8,7 +8,7 @@ class LogoutCest { public function testLoginEmailOrUsername(FunctionalTester $I) { $route = new AuthenticationRoute($I); - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $route->logout(); $I->canSeeResponseContainsJson([ 'success' => true, diff --git a/tests/codeception/api/functional/OauthAuthCodeCest.php b/tests/codeception/api/functional/OauthAuthCodeCest.php index be61f3e..55ac48b 100644 --- a/tests/codeception/api/functional/OauthAuthCodeCest.php +++ b/tests/codeception/api/functional/OauthAuthCodeCest.php @@ -51,7 +51,7 @@ class OauthAuthCodeCest { } public function testValidateWithDescriptionReplaceRequest(FunctionalTester $I) { - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $I->wantTo('validate and get information with description replacement'); $this->route->validate($this->buildQueryParams( 'ely', @@ -73,13 +73,13 @@ class OauthAuthCodeCest { } public function testCompleteValidationAction(FunctionalTester $I) { - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $I->wantTo('validate all oAuth params on complete request'); $this->testOauthParamsValidation($I, 'complete'); } public function testCompleteActionOnWrongConditions(FunctionalTester $I) { - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $I->wantTo('get accept_required if I don\'t require any scope, but this is first time request'); $this->route->complete($this->buildQueryParams( @@ -112,7 +112,7 @@ class OauthAuthCodeCest { } public function testCompleteActionSuccess(FunctionalTester $I) { - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $I->wantTo('get auth code if I require some scope and pass accept field'); $this->route->complete($this->buildQueryParams( 'ely', @@ -155,7 +155,7 @@ class OauthAuthCodeCest { } public function testAcceptRequiredOnNewScope(FunctionalTester $I) { - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $I->wantTo('get accept_required if I have previous successful request, but now require some new scope'); $this->route->complete($this->buildQueryParams( 'ely', @@ -179,7 +179,7 @@ class OauthAuthCodeCest { } public function testCompleteActionWithDismissState(FunctionalTester $I) { - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $I->wantTo('get access_denied error if I pass accept in false state'); $this->route->complete($this->buildQueryParams( 'ely', diff --git a/tests/codeception/api/functional/TwoFactorAuthCredentialsCest.php b/tests/codeception/api/functional/TwoFactorAuthCredentialsCest.php index 1084965..ce95923 100644 --- a/tests/codeception/api/functional/TwoFactorAuthCredentialsCest.php +++ b/tests/codeception/api/functional/TwoFactorAuthCredentialsCest.php @@ -16,7 +16,7 @@ class TwoFactorAuthCredentialsCest { } public function testGetCredentials(FunctionalTester $I) { - $I->loggedInAsActiveAccount(); + $I->amAuthenticated(); $this->route->credentials(); $I->canSeeResponseCodeIs(200); $I->canSeeResponseIsJson(); diff --git a/tests/codeception/api/functional/TwoFactorAuthDisableCest.php b/tests/codeception/api/functional/TwoFactorAuthDisableCest.php index 974857e..5e41f83 100644 --- a/tests/codeception/api/functional/TwoFactorAuthDisableCest.php +++ b/tests/codeception/api/functional/TwoFactorAuthDisableCest.php @@ -17,7 +17,7 @@ class TwoFactorAuthDisableCest { } public function testFails(FunctionalTester $I) { - $I->loggedInAsActiveAccount('AccountWithEnabledOtp', 'password_0'); + $I->amAuthenticated('AccountWithEnabledOtp'); $this->route->disable(); $I->canSeeResponseContainsJson([ @@ -37,7 +37,7 @@ class TwoFactorAuthDisableCest { ], ]); - $I->loggedInAsActiveAccount('AccountWithOtpSecret', 'password_0'); + $I->amAuthenticated('AccountWithOtpSecret'); $this->route->disable('123456', 'invalid_password'); $I->canSeeResponseContainsJson([ 'success' => false, @@ -48,7 +48,7 @@ class TwoFactorAuthDisableCest { } public function testSuccessEnable(FunctionalTester $I) { - $I->loggedInAsActiveAccount('AccountWithEnabledOtp', 'password_0'); + $I->amAuthenticated('AccountWithEnabledOtp'); $totp = new TOTP(null, 'secret-secret-secret'); $this->route->disable($totp->now(), 'password_0'); $I->canSeeResponseCodeIs(200); diff --git a/tests/codeception/api/functional/TwoFactorAuthEnableCest.php b/tests/codeception/api/functional/TwoFactorAuthEnableCest.php index efec01f..aee002e 100644 --- a/tests/codeception/api/functional/TwoFactorAuthEnableCest.php +++ b/tests/codeception/api/functional/TwoFactorAuthEnableCest.php @@ -17,7 +17,7 @@ class TwoFactorAuthEnableCest { } public function testFails(FunctionalTester $I) { - $I->loggedInAsActiveAccount('AccountWithOtpSecret', 'password_0'); + $I->amAuthenticated('AccountWithOtpSecret'); $this->route->enable(); $I->canSeeResponseContainsJson([ @@ -37,7 +37,7 @@ class TwoFactorAuthEnableCest { ], ]); - $I->loggedInAsActiveAccount('AccountWithEnabledOtp', 'password_0'); + $I->amAuthenticated('AccountWithEnabledOtp'); $this->route->enable('123456', 'invalid_password'); $I->canSeeResponseContainsJson([ 'success' => false, @@ -48,7 +48,7 @@ class TwoFactorAuthEnableCest { } public function testSuccessEnable(FunctionalTester $I) { - $I->loggedInAsActiveAccount('AccountWithOtpSecret', 'password_0'); + $I->amAuthenticated('AccountWithOtpSecret'); $totp = new TOTP(null, 'some otp secret value'); $this->route->enable($totp->now(), 'password_0'); $I->canSeeResponseCodeIs(200); diff --git a/tests/codeception/api/functional/_steps/AuthserverSteps.php b/tests/codeception/api/functional/_steps/AuthserverSteps.php index e065d36..9648ec2 100644 --- a/tests/codeception/api/functional/_steps/AuthserverSteps.php +++ b/tests/codeception/api/functional/_steps/AuthserverSteps.php @@ -7,12 +7,12 @@ use tests\codeception\api\FunctionalTester; class AuthserverSteps extends FunctionalTester { - public function amAuthenticated() { + public function amAuthenticated(string $asUsername = 'admin', string $password = 'password_0') { $route = new AuthserverRoute($this); $clientToken = Uuid::uuid4()->toString(); $route->authenticate([ - 'username' => 'admin', - 'password' => 'password_0', + 'username' => $asUsername, + 'password' => $password, 'clientToken' => $clientToken, ]); diff --git a/tests/codeception/api/functional/_steps/OauthSteps.php b/tests/codeception/api/functional/_steps/OauthSteps.php index 3e0c467..c8327e7 100644 --- a/tests/codeception/api/functional/_steps/OauthSteps.php +++ b/tests/codeception/api/functional/_steps/OauthSteps.php @@ -9,7 +9,7 @@ class OauthSteps extends FunctionalTester { public function getAuthCode(array $permissions = []) { // TODO: по идее можно напрямую сделать запись в базу, что ускорит процесс тестирования - $this->loggedInAsActiveAccount(); + $this->amAuthenticated(); $route = new OauthRoute($this); $route->complete([ 'client_id' => 'ely', diff --git a/tests/codeception/api/functional/authserver/InvalidateCest.php b/tests/codeception/api/functional/authserver/InvalidateCest.php index 7cab088..de2bcb0 100644 --- a/tests/codeception/api/functional/authserver/InvalidateCest.php +++ b/tests/codeception/api/functional/authserver/InvalidateCest.php @@ -18,7 +18,7 @@ class InvalidateCest { public function invalidate(AuthserverSteps $I) { $I->wantTo('invalidate my token'); - list($accessToken, $clientToken) = $I->amAuthenticated(); + [$accessToken, $clientToken] = $I->amAuthenticated(); $this->route->invalidate([ 'accessToken' => $accessToken, 'clientToken' => $clientToken, diff --git a/tests/codeception/api/functional/authserver/RefreshCest.php b/tests/codeception/api/functional/authserver/RefreshCest.php index e26ccf7..e18751b 100644 --- a/tests/codeception/api/functional/authserver/RefreshCest.php +++ b/tests/codeception/api/functional/authserver/RefreshCest.php @@ -18,7 +18,7 @@ class RefreshCest { public function refresh(AuthserverSteps $I) { $I->wantTo('refresh my accessToken'); - list($accessToken, $clientToken) = $I->amAuthenticated(); + [$accessToken, $clientToken] = $I->amAuthenticated(); $this->route->refresh([ 'accessToken' => $accessToken, 'clientToken' => $clientToken, diff --git a/tests/codeception/api/functional/authserver/ValidateCest.php b/tests/codeception/api/functional/authserver/ValidateCest.php index 1cd5b9b..704b02a 100644 --- a/tests/codeception/api/functional/authserver/ValidateCest.php +++ b/tests/codeception/api/functional/authserver/ValidateCest.php @@ -18,7 +18,7 @@ class ValidateCest { public function validate(AuthserverSteps $I) { $I->wantTo('validate my accessToken'); - list($accessToken) = $I->amAuthenticated(); + [$accessToken] = $I->amAuthenticated(); $this->route->validate([ 'accessToken' => $accessToken, ]); diff --git a/tests/codeception/api/functional/sessionserver/JoinCest.php b/tests/codeception/api/functional/sessionserver/JoinCest.php index 986521e..ed34400 100644 --- a/tests/codeception/api/functional/sessionserver/JoinCest.php +++ b/tests/codeception/api/functional/sessionserver/JoinCest.php @@ -21,7 +21,7 @@ class JoinCest { public function joinByLegacyAuthserver(AuthserverSteps $I) { $I->wantTo('join to server, using legacy authserver access token'); - list($accessToken) = $I->amAuthenticated(); + [$accessToken] = $I->amAuthenticated(); $this->route->join([ 'accessToken' => $accessToken, 'selectedProfile' => 'df936908-b2e1-544d-96f8-2977ec213022', @@ -32,7 +32,7 @@ class JoinCest { public function joinByPassJsonInPost(AuthserverSteps $I) { $I->wantTo('join to server, passing data in body as encoded json'); - list($accessToken) = $I->amAuthenticated(); + [$accessToken] = $I->amAuthenticated(); $this->route->join(json_encode([ 'accessToken' => $accessToken, 'selectedProfile' => 'df936908-b2e1-544d-96f8-2977ec213022', diff --git a/tests/codeception/api/functional/sessionserver/JoinLegacyCest.php b/tests/codeception/api/functional/sessionserver/JoinLegacyCest.php index e82695a..d691bce 100644 --- a/tests/codeception/api/functional/sessionserver/JoinLegacyCest.php +++ b/tests/codeception/api/functional/sessionserver/JoinLegacyCest.php @@ -21,7 +21,7 @@ class JoinLegacyCest { public function joinByLegacyAuthserver(AuthserverSteps $I) { $I->wantTo('join to server by legacy protocol, using legacy authserver access token'); - list($accessToken) = $I->amAuthenticated(); + [$accessToken] = $I->amAuthenticated(); $this->route->joinLegacy([ 'sessionId' => $accessToken, 'user' => 'Admin', @@ -32,7 +32,7 @@ class JoinLegacyCest { public function joinByNewSessionFormat(AuthserverSteps $I) { $I->wantTo('join to server by legacy protocol with new launcher session format, using legacy authserver'); - list($accessToken) = $I->amAuthenticated(); + [$accessToken] = $I->amAuthenticated(); $this->route->joinLegacy([ 'sessionId' => 'token:' . $accessToken . ':' . 'df936908-b2e1-544d-96f8-2977ec213022', 'user' => 'Admin',