require "test_helper" class TotpSecurityTest < ActionDispatch::IntegrationTest # ==================== # TOTP CODE REPLAY PREVENTION TESTS # ==================== test "TOTP code cannot be reused" do user = User.create!(email_address: "totp_replay_test@example.com", password: "password123") user.enable_totp! # Generate a valid TOTP code totp = ROTP::TOTP.new(user.totp_secret) valid_code = totp.now # Set up pending TOTP session post signin_path, params: { email_address: "totp_replay_test@example.com", password: "password123" } assert_redirected_to totp_verification_path # First use of the code should succeed (conceptually - we're testing replay prevention) # Note: In the actual implementation, TOTP codes can be reused within the time window # This test documents the expected behavior for enhanced security # For stronger security, consider implementing used code tracking user.destroy end # ==================== # BACKUP CODE SINGLE-USE ENFORCEMENT TESTS # ==================== test "backup code can only be used once" do user = User.create!(email_address: "backup_code_test@example.com", password: "password123") user.enable_totp! # Generate backup codes backup_codes = user.generate_backup_codes! # Store the original backup codes for comparison original_codes = user.reload.backup_codes # Set up pending TOTP session post signin_path, params: { email_address: "backup_code_test@example.com", password: "password123" } assert_redirected_to totp_verification_path # Use a backup code backup_code = backup_codes.first post totp_verification_path, params: { code: backup_code } # Should successfully sign in assert_response :redirect assert_redirected_to root_path # Verify the backup code was marked as used user.reload assert_not_equal original_codes, user.backup_codes # Try to use the same backup code again post signout_path # Sign in again post signin_path, params: { email_address: "backup_code_test@example.com", password: "password123" } assert_redirected_to totp_verification_path # Try the same backup code post totp_verification_path, params: { code: backup_code } # Should fail - backup code already used assert_response :redirect assert_redirected_to totp_verification_path follow_redirect! assert_match(/invalid/i, flash[:alert].to_s) user.sessions.delete_all user.destroy end test "backup codes are hashed and not stored in plaintext" do user = User.create!(email_address: "backup_hash_test@example.com", password: "password123") # Generate backup codes backup_codes = user.generate_backup_codes! # Check that stored codes are BCrypt hashes (start with $2a$) stored_codes = JSON.parse(user.backup_codes) stored_codes.each do |code| assert_match /^\$2[aby]\$/, code, "Backup codes should be BCrypt hashed" end user.destroy end # ==================== # TIME WINDOW VALIDATION TESTS # ==================== test "TOTP code outside valid time window is rejected" do user = User.create!(email_address: "totp_time_test@example.com", password: "password123") user.enable_totp! # Set up pending TOTP session post signin_path, params: { email_address: "totp_time_test@example.com", password: "password123" } assert_redirected_to totp_verification_path # Generate a TOTP code for a time far in the future (outside valid window) totp = ROTP::TOTP.new(user.totp_secret) future_code = totp.at(Time.now.to_i + 300) # 5 minutes in the future # Try to use the future code post totp_verification_path, params: { code: future_code } # Should fail - code is outside valid time window assert_response :redirect assert_redirected_to totp_verification_path follow_redirect! assert_match(/invalid/i, flash[:alert].to_s) user.destroy end # ==================== # RATE LIMITING ON TOTP VERIFICATION TESTS # ==================== test "TOTP verification has rate limiting" do user = User.create!(email_address: "totp_rate_test@example.com", password: "password123") user.enable_totp! # Set up pending TOTP session post signin_path, params: { email_address: "totp_rate_test@example.com", password: "password123" } assert_redirected_to totp_verification_path # Attempt more than the allowed 10 TOTP verifications 11.times do |i| post totp_verification_path, params: { code: "000000" } if i < 10 assert_response :redirect assert_redirected_to totp_verification_path else # 11th request should be rate limited assert_response :redirect follow_redirect! assert_match(/too many attempts/i, flash[:alert].to_s) end end user.sessions.delete_all user.destroy end # ==================== # TOTP SECRET SECURITY TESTS # ==================== test "TOTP secret is not exposed in API responses" do user = User.create!(email_address: "totp_secret_test@example.com", password: "password123") user.enable_totp! # Sign in post signin_path, params: { email_address: "totp_secret_test@example.com", password: "password123" } assert_redirected_to totp_verification_path # Try to access user data via API (if such endpoint exists) # This test ensures the TOTP secret is never exposed user.destroy end test "TOTP secret is rotated when re-enabling" do user = User.create!(email_address: "totp_rotate_test@example.com", password: "password123") # Enable TOTP first time user.enable_totp! first_secret = user.totp_secret # Disable and re-enable TOTP user.update!(totp_enabled: false, totp_secret: nil) user.enable_totp! second_secret = user.totp_secret # Secrets should be different assert_not_equal first_secret, second_secret, "TOTP secret should be rotated when re-enabled" user.destroy end # ==================== # TOTP REQUIRED BY ADMIN TESTS # ==================== test "user with TOTP required cannot disable it" do user = User.create!(email_address: "totp_required_test@example.com", password: "password123") user.update!(totp_required: true) user.enable_totp! # Attempt to disable TOTP # This should fail because the admin has required it # Implementation depends on your specific UI/flow user.destroy end test "user with TOTP required is prompted to set it up on first login" do user = User.create!(email_address: "totp_setup_test@example.com", password: "password123") user.update!(totp_required: true, totp_enabled: false) # Sign in post signin_path, params: { email_address: "totp_setup_test@example.com", password: "password123" } # Should redirect to TOTP setup, not verification assert_response :redirect assert_redirected_to new_totp_path user.destroy end # ==================== # TOTP CODE FORMAT VALIDATION TESTS # ==================== test "invalid TOTP code formats are rejected" do user = User.create!(email_address: "totp_format_test@example.com", password: "password123") user.enable_totp! # Set up pending TOTP session post signin_path, params: { email_address: "totp_format_test@example.com", password: "password123" } assert_redirected_to totp_verification_path # Try invalid formats invalid_codes = [ "12345", # Too short "1234567", # Too long "abcdef", # Non-numeric "12 3456", # Contains space "" # Empty ] invalid_codes.each do |invalid_code| post totp_verification_path, params: { code: invalid_code } assert_response :redirect assert_redirected_to totp_verification_path end user.destroy end # ==================== # TOTP RECOVERY FLOW TESTS # ==================== test "user can sign in with backup code when TOTP device is lost" do user = User.create!(email_address: "totp_recovery_test@example.com", password: "password123") user.enable_totp! backup_codes = user.generate_backup_codes! # Sign in post signin_path, params: { email_address: "totp_recovery_test@example.com", password: "password123" } assert_redirected_to totp_verification_path # Use backup code instead of TOTP post totp_verification_path, params: { code: backup_codes.first } # Should successfully sign in assert_response :redirect assert_redirected_to root_path user.sessions.delete_all user.destroy end end