discourse/spec/system/user_page/user_preferences_security_spec.rb

# frozen_string_literal: true

describe "User preferences | Security", type: :system do
  fab!(:password) { "kungfukenny" }
  fab!(:email) { "email@user.com" }
  fab!(:user) { Fabricate(:user, email: email, password: password) }
  let(:user_preferences_security_page) { PageObjects::Pages::UserPreferencesSecurity.new }
  let(:user_menu) { PageObjects::Components::UserMenu.new }

  before do
    user.activate
    # testing the enforced 2FA flow requires a user that was created > 5 minutes ago
    user.created_at = 6.minutes.ago
    user.save!
    sign_in(user)

    # system specs run on their own host + port
    DiscourseWebauthn.stubs(:origin).returns(current_host + ":" + Capybara.server_port.to_s)
  end

  shared_examples "security keys" do
    it "adds a 2FA security key and logs in with it" do
      options = ::Selenium::WebDriver::VirtualAuthenticatorOptions.new
      authenticator = page.driver.browser.add_virtual_authenticator(options)

      user_preferences_security_page.visit(user)
      user_preferences_security_page.visit_second_factor(password)

      find(".security-key .new-security-key").click
      expect(user_preferences_security_page).to have_css("input#security-key-name")

      find(".d-modal__body input#security-key-name").fill_in(with: "First Key")
      find(".add-security-key").click

      expect(user_preferences_security_page).to have_css(".security-key .second-factor-item")

      user_menu.sign_out

      # login flow
      find(".d-header .login-button").click
      find("input#login-account-name").fill_in(with: user.username)
      find("input#login-account-password").fill_in(with: password)

      find(".d-modal__footer .btn-primary").click
      find("#security-key .btn-primary").click

      expect(page).to have_css(".header-dropdown-toggle.current-user")
    ensure
      # clear authenticator (otherwise it will interfere with other tests)
      authenticator&.remove!
    end
  end

  shared_examples "passkeys" do
    before { SiteSetting.enable_passkeys = true }

    it "adds a passkey and logs in with it" do
      options =
        ::Selenium::WebDriver::VirtualAuthenticatorOptions.new(
          user_verification: true,
          user_verified: true,
          resident_key: true,
        )
      authenticator = page.driver.browser.add_virtual_authenticator(options)

      page.driver.browser.manage.add_cookie(
        domain: Discourse.current_hostname,
        name: "destination_url",
        value: "/new",
        path: "/",
      )

      user_preferences_security_page.visit(user)

      find(".pref-passkeys__add .btn").click
      expect(user_preferences_security_page).to have_css("input#password")

      find(".dialog-body input#password").fill_in(with: password)
      find(".confirm-session .btn-primary").click

      expect(user_preferences_security_page).to have_css(".rename-passkey__form")

      find(".dialog-close").click

      expect(user_preferences_security_page).to have_css(".pref-passkeys__rows .row")

      select_kit = PageObjects::Components::SelectKit.new(".passkey-options-dropdown")
      select_kit.expand
      select_kit.select_row_by_name("Delete")

      # confirm deletion screen shown without requiring session confirmation
      # since this was already done when adding the passkey
      expect(user_preferences_security_page).to have_css(".dialog-footer .btn-danger")

      # close the dialog (don't delete the key, we need it to login in the next step)
      find(".dialog-close").click

      user_menu.sign_out

      # login with the key we just created
      # this triggers the conditional UI for passkeys
      # which uses the virtual authenticator
      find(".d-header .login-button").click

      expect(page).to have_css(".header-dropdown-toggle.current-user")

      # ensures that we are redirected to the destination_url cookie
      expect(page.driver.current_url).to include("/new")
    ensure
      # clear authenticator (otherwise it will interfere with other tests)
      authenticator&.remove!
    end
  end

  shared_examples "enforced second factor" do
    it "allows user to add 2FA" do
      SiteSetting.enforce_second_factor = "all"

      visit("/")

      expect(page).to have_selector(
        ".alert-error",
        text: "You are required to enable two-factor authentication before accessing this site.",
      )

      expect(page).to have_css(".user-preferences .totp")
      expect(page).to have_css(".user-preferences .security-key")

      find(".user-preferences .totp .btn.new-totp").click

      find(".dialog-body input#password").fill_in(with: password)
      find(".confirm-session .btn-primary").click

      expect(page).to have_css(".qr-code")
    end
  end

  context "when desktop" do
    include_examples "security keys"
    include_examples "passkeys"
    include_examples "enforced second factor"
  end

  context "when mobile", mobile: true do
    include_examples "security keys"
    include_examples "passkeys"
    include_examples "enforced second factor"
  end
end
DEV: Add system test for user security keys (#23372) 2023-09-04 10:07:20 +08:00			`# frozen_string_literal: true`

FIX: Serialize uploaded_avatars_allowed_groups check on current user (#25515) Checking group permissions on the client does not work, since not all groups are serialized to the client all the time. We can check `uploaded_avatars_allowed_groups` on the server side and serialize to the current user instead. 2024-02-02 07:32:45 +08:00			`describe "User preferences \| Security", type: :system do`
DEV: Add system test for user security keys (#23372) 2023-09-04 10:07:20 +08:00			`fab!(:password) { "kungfukenny" }`
			`fab!(:email) { "email@user.com" }`
			`fab!(:user) { Fabricate(:user, email: email, password: password) }`
			`let(:user_preferences_security_page) { PageObjects::Pages::UserPreferencesSecurity.new }`
			`let(:user_menu) { PageObjects::Components::UserMenu.new }`

			`before do`
			`user.activate`
DEV: Do not require session confirmation for new users (#24799) When making sensitive changes to an account (adding 2FA or passkeys), we require users to confirm their password. This is to prevent an attacker from adding 2FA to an account they have access to. However, on newly created accounts, we should not require this, it's an extra step and it doesn't provide extra security (since the account was just created). This commit makes it so that we don't require session confirmation for accounts created less than 5 minutes ago. 2024-02-16 01:29:16 +08:00			`# testing the enforced 2FA flow requires a user that was created > 5 minutes ago`
			`user.created_at = 6.minutes.ago`
			`user.save!`
DEV: Add system test for user security keys (#23372) 2023-09-04 10:07:20 +08:00			`sign_in(user)`
DEV: Add UI for passkeys (3/3) (#23853) Adds UI elements for registering a passkey and logging in with it. The feature is still in an early stage, interested parties that want to try it can use the `experimental_passkeys` site setting (via Rails console). See PR for more details. --------- Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com> 2023-10-14 00:24:06 +08:00
			`# system specs run on their own host + port`
			`DiscourseWebauthn.stubs(:origin).returns(current_host + ":" + Capybara.server_port.to_s)`
DEV: Add system test for user security keys (#23372) 2023-09-04 10:07:20 +08:00			`end`

UX: Fix mobile passkeys login button (#24124) This regressed in b6dc929. A test to ensure this doesn't regress has been added as well. This PR also fixes a flakey system spec. The conditional UI gets triggered automatically, so the system spec shouldn't explicitly call `find(".passkey-login-button").click`, because sometimes it isn't present and that causes a test failure. 2023-10-27 08:55:41 +08:00			`shared_examples "security keys" do`
DEV: Add UI for passkeys (3/3) (#23853) Adds UI elements for registering a passkey and logging in with it. The feature is still in an early stage, interested parties that want to try it can use the `experimental_passkeys` site setting (via Rails console). See PR for more details. --------- Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com> 2023-10-14 00:24:06 +08:00			`it "adds a 2FA security key and logs in with it" do`
DEV: Add system test for user security keys (#23372) 2023-09-04 10:07:20 +08:00			`options = ::Selenium::WebDriver::VirtualAuthenticatorOptions.new`
DEV: Add UI for passkeys (3/3) (#23853) Adds UI elements for registering a passkey and logging in with it. The feature is still in an early stage, interested parties that want to try it can use the `experimental_passkeys` site setting (via Rails console). See PR for more details. --------- Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com> 2023-10-14 00:24:06 +08:00			`authenticator = page.driver.browser.add_virtual_authenticator(options)`
DEV: Add system test for user security keys (#23372) 2023-09-04 10:07:20 +08:00
			`user_preferences_security_page.visit(user)`
			`user_preferences_security_page.visit_second_factor(password)`

			`find(".security-key .new-security-key").click`
			`expect(user_preferences_security_page).to have_css("input#security-key-name")`

UX: refactor .d-modal to use BEM and improve styling (#23967) This PR refactors the following: * leaving all the CSS applied to the old `modal-body` classes in their respective files * made new clean styling for `.d-modal` and refactored the template to use the new BEM classes * `inner-`, `middle-`, `outer-` container classes are gone and replaced with simplified `wrapper` and `container` classes * use standardised max-sizes with modifiers `-large` and `-max` * lighter backdrop, * min-width to prevent puny modals * other styling changes regarding padding, close button,… * pulled out all modal overrides into a general `modal-overrides` file + cleanup of outdated CSS * pulled out login and create account modal styling into their own file, cause it's such a big override * removed old general login.scss file for mobile & desktop * only kept some remainders I don't want to touch in `app/assets/stylesheets/common/base/login.scss` 2023-11-15 18:14:47 +08:00			`find(".d-modal__body input#security-key-name").fill_in(with: "First Key")`
DEV: Add system test for user security keys (#23372) 2023-09-04 10:07:20 +08:00			`find(".add-security-key").click`

			`expect(user_preferences_security_page).to have_css(".security-key .second-factor-item")`

			`user_menu.sign_out`

			`# login flow`
			`find(".d-header .login-button").click`
			`find("input#login-account-name").fill_in(with: user.username)`
			`find("input#login-account-password").fill_in(with: password)`

UX: refactor .d-modal to use BEM and improve styling (#23967) This PR refactors the following: * leaving all the CSS applied to the old `modal-body` classes in their respective files * made new clean styling for `.d-modal` and refactored the template to use the new BEM classes * `inner-`, `middle-`, `outer-` container classes are gone and replaced with simplified `wrapper` and `container` classes * use standardised max-sizes with modifiers `-large` and `-max` * lighter backdrop, * min-width to prevent puny modals * other styling changes regarding padding, close button,… * pulled out all modal overrides into a general `modal-overrides` file + cleanup of outdated CSS * pulled out login and create account modal styling into their own file, cause it's such a big override * removed old general login.scss file for mobile & desktop * only kept some remainders I don't want to touch in `app/assets/stylesheets/common/base/login.scss` 2023-11-15 18:14:47 +08:00			`find(".d-modal__footer .btn-primary").click`
DEV: Add system test for user security keys (#23372) 2023-09-04 10:07:20 +08:00			`find("#security-key .btn-primary").click`

			`expect(page).to have_css(".header-dropdown-toggle.current-user")`
FIX: User can't reset password with backup codes when only security key is enabled (#27368) This commit fixes a problem where the user will not be able to reset their password when they only have security keys and backup codes configured. This commit also makes the following changes/fixes: 1. Splits password reset system tests to `spec/system/forgot_password_spec.rb` instead of missing the system tests in `spec/system/login_spec.rb` which is mainly used to test the login flow. 2. Fixes a UX issue where the `Use backup codes` or `Use authenticator app` text is shown on the reset password form when the user does not have either backup codes or an authenticator app configured. 2024-06-06 14:30:42 +08:00			`ensure`
DEV: Add UI for passkeys (3/3) (#23853) Adds UI elements for registering a passkey and logging in with it. The feature is still in an early stage, interested parties that want to try it can use the `experimental_passkeys` site setting (via Rails console). See PR for more details. --------- Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com> 2023-10-14 00:24:06 +08:00			`# clear authenticator (otherwise it will interfere with other tests)`
FIX: User can't reset password with backup codes when only security key is enabled (#27368) This commit fixes a problem where the user will not be able to reset their password when they only have security keys and backup codes configured. This commit also makes the following changes/fixes: 1. Splits password reset system tests to `spec/system/forgot_password_spec.rb` instead of missing the system tests in `spec/system/login_spec.rb` which is mainly used to test the login flow. 2. Fixes a UX issue where the `Use backup codes` or `Use authenticator app` text is shown on the reset password form when the user does not have either backup codes or an authenticator app configured. 2024-06-06 14:30:42 +08:00			`authenticator&.remove!`
DEV: Add UI for passkeys (3/3) (#23853) Adds UI elements for registering a passkey and logging in with it. The feature is still in an early stage, interested parties that want to try it can use the `experimental_passkeys` site setting (via Rails console). See PR for more details. --------- Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com> 2023-10-14 00:24:06 +08:00			`end`
			`end`

UX: Fix mobile passkeys login button (#24124) This regressed in b6dc929. A test to ensure this doesn't regress has been added as well. This PR also fixes a flakey system spec. The conditional UI gets triggered automatically, so the system spec shouldn't explicitly call `find(".passkey-login-button").click`, because sometimes it isn't present and that causes a test failure. 2023-10-27 08:55:41 +08:00			`shared_examples "passkeys" do`
DEV: Rename `experimental_passkeys` to `enable_passkeys` (#24349) Also includes a migration. 2023-11-14 04:04:15 +08:00			`before { SiteSetting.enable_passkeys = true }`
DEV: Add UI for passkeys (3/3) (#23853) Adds UI elements for registering a passkey and logging in with it. The feature is still in an early stage, interested parties that want to try it can use the `experimental_passkeys` site setting (via Rails console). See PR for more details. --------- Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com> 2023-10-14 00:24:06 +08:00
			`it "adds a passkey and logs in with it" do`
			`options =`
			`::Selenium::WebDriver::VirtualAuthenticatorOptions.new(`
			`user_verification: true,`
			`user_verified: true,`
			`resident_key: true,`
			`)`
			`authenticator = page.driver.browser.add_virtual_authenticator(options)`

FIX: Maintain destination_url after passkey login (#24171) 2023-10-31 23:35:36 +08:00			`page.driver.browser.manage.add_cookie(`
			`domain: Discourse.current_hostname,`
			`name: "destination_url",`
			`value: "/new",`
			`path: "/",`
			`)`

DEV: Add UI for passkeys (3/3) (#23853) Adds UI elements for registering a passkey and logging in with it. The feature is still in an early stage, interested parties that want to try it can use the `experimental_passkeys` site setting (via Rails console). See PR for more details. --------- Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com> 2023-10-14 00:24:06 +08:00			`user_preferences_security_page.visit(user)`

			`find(".pref-passkeys__add .btn").click`
			`expect(user_preferences_security_page).to have_css("input#password")`

			`find(".dialog-body input#password").fill_in(with: password)`
			`find(".confirm-session .btn-primary").click`

			`expect(user_preferences_security_page).to have_css(".rename-passkey__form")`

			`find(".dialog-close").click`

			`expect(user_preferences_security_page).to have_css(".pref-passkeys__rows .row")`

			`select_kit = PageObjects::Components::SelectKit.new(".passkey-options-dropdown")`
			`select_kit.expand`
			`select_kit.select_row_by_name("Delete")`

			`# confirm deletion screen shown without requiring session confirmation`
			`# since this was already done when adding the passkey`
			`expect(user_preferences_security_page).to have_css(".dialog-footer .btn-danger")`

			`# close the dialog (don't delete the key, we need it to login in the next step)`
			`find(".dialog-close").click`

			`user_menu.sign_out`

			`# login with the key we just created`
UX: Fix mobile passkeys login button (#24124) This regressed in b6dc929. A test to ensure this doesn't regress has been added as well. This PR also fixes a flakey system spec. The conditional UI gets triggered automatically, so the system spec shouldn't explicitly call `find(".passkey-login-button").click`, because sometimes it isn't present and that causes a test failure. 2023-10-27 08:55:41 +08:00			`# this triggers the conditional UI for passkeys`
			`# which uses the virtual authenticator`
DEV: Add UI for passkeys (3/3) (#23853) Adds UI elements for registering a passkey and logging in with it. The feature is still in an early stage, interested parties that want to try it can use the `experimental_passkeys` site setting (via Rails console). See PR for more details. --------- Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com> 2023-10-14 00:24:06 +08:00			`find(".d-header .login-button").click`

			`expect(page).to have_css(".header-dropdown-toggle.current-user")`

FIX: Maintain destination_url after passkey login (#24171) 2023-10-31 23:35:36 +08:00			`# ensures that we are redirected to the destination_url cookie`
			`expect(page.driver.current_url).to include("/new")`
FIX: User can't reset password with backup codes when only security key is enabled (#27368) This commit fixes a problem where the user will not be able to reset their password when they only have security keys and backup codes configured. This commit also makes the following changes/fixes: 1. Splits password reset system tests to `spec/system/forgot_password_spec.rb` instead of missing the system tests in `spec/system/login_spec.rb` which is mainly used to test the login flow. 2. Fixes a UX issue where the `Use backup codes` or `Use authenticator app` text is shown on the reset password form when the user does not have either backup codes or an authenticator app configured. 2024-06-06 14:30:42 +08:00			`ensure`
DEV: Add UI for passkeys (3/3) (#23853) Adds UI elements for registering a passkey and logging in with it. The feature is still in an early stage, interested parties that want to try it can use the `experimental_passkeys` site setting (via Rails console). See PR for more details. --------- Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com> 2023-10-14 00:24:06 +08:00			`# clear authenticator (otherwise it will interfere with other tests)`
FIX: User can't reset password with backup codes when only security key is enabled (#27368) This commit fixes a problem where the user will not be able to reset their password when they only have security keys and backup codes configured. This commit also makes the following changes/fixes: 1. Splits password reset system tests to `spec/system/forgot_password_spec.rb` instead of missing the system tests in `spec/system/login_spec.rb` which is mainly used to test the login flow. 2. Fixes a UX issue where the `Use backup codes` or `Use authenticator app` text is shown on the reset password form when the user does not have either backup codes or an authenticator app configured. 2024-06-06 14:30:42 +08:00			`authenticator&.remove!`
DEV: Add system test for user security keys (#23372) 2023-09-04 10:07:20 +08:00			`end`
			`end`
UX: Fix mobile passkeys login button (#24124) This regressed in b6dc929. A test to ensure this doesn't regress has been added as well. This PR also fixes a flakey system spec. The conditional UI gets triggered automatically, so the system spec shouldn't explicitly call `find(".passkey-login-button").click`, because sometimes it isn't present and that causes a test failure. 2023-10-27 08:55:41 +08:00
FIX: Regression when enforced 2FA is enabled (#24415) 2023-11-17 00:52:12 +08:00			`shared_examples "enforced second factor" do`
			`it "allows user to add 2FA" do`
			`SiteSetting.enforce_second_factor = "all"`

			`visit("/")`

			`expect(page).to have_selector(`
			`".alert-error",`
			`text: "You are required to enable two-factor authentication before accessing this site.",`
			`)`

			`expect(page).to have_css(".user-preferences .totp")`
			`expect(page).to have_css(".user-preferences .security-key")`

			`find(".user-preferences .totp .btn.new-totp").click`

			`find(".dialog-body input#password").fill_in(with: password)`
			`find(".confirm-session .btn-primary").click`

			`expect(page).to have_css(".qr-code")`
			`end`
			`end`

UX: Fix mobile passkeys login button (#24124) This regressed in b6dc929. A test to ensure this doesn't regress has been added as well. This PR also fixes a flakey system spec. The conditional UI gets triggered automatically, so the system spec shouldn't explicitly call `find(".passkey-login-button").click`, because sometimes it isn't present and that causes a test failure. 2023-10-27 08:55:41 +08:00			`context "when desktop" do`
			`include_examples "security keys"`
			`include_examples "passkeys"`
FIX: Regression when enforced 2FA is enabled (#24415) 2023-11-17 00:52:12 +08:00			`include_examples "enforced second factor"`
UX: Fix mobile passkeys login button (#24124) This regressed in b6dc929. A test to ensure this doesn't regress has been added as well. This PR also fixes a flakey system spec. The conditional UI gets triggered automatically, so the system spec shouldn't explicitly call `find(".passkey-login-button").click`, because sometimes it isn't present and that causes a test failure. 2023-10-27 08:55:41 +08:00			`end`

			`context "when mobile", mobile: true do`
			`include_examples "security keys"`
			`include_examples "passkeys"`
FIX: Regression when enforced 2FA is enabled (#24415) 2023-11-17 00:52:12 +08:00			`include_examples "enforced second factor"`
UX: Fix mobile passkeys login button (#24124) This regressed in b6dc929. A test to ensure this doesn't regress has been added as well. This PR also fixes a flakey system spec. The conditional UI gets triggered automatically, so the system spec shouldn't explicitly call `find(".passkey-login-button").click`, because sometimes it isn't present and that causes a test failure. 2023-10-27 08:55:41 +08:00			`end`
DEV: Add system test for user security keys (#23372) 2023-09-04 10:07:20 +08:00			`end`