1 files changed, 67 insertions, 9 deletions

diff --git a/t/app/controller/auth_profile.t b/t/app/controller/auth_profile.t
index 2f0ef6a11..4b7db19b5 100644
--- a/t/app/controller/auth_profile.t
+++ b/t/app/controller/auth_profile.t
@@ -1,3 +1,10 @@
+package FixMyStreet::Cobrand::Dummy;
+use parent 'FixMyStreet::Cobrand::Default';
+
+sub must_have_2fa { 1 }
+
+package main;
+
 use Test::MockModule;
 use FixMyStreet::TestMech;
 my $mech = FixMyStreet::TestMech->new;
@@ -359,6 +366,8 @@ subtest "Test superuser can access generate token page" => sub {
     $mech->get_ok('/auth/generate_token');
 };
 
+my $body = $mech->create_body_ok(2237, 'Oxfordshire');
+
 subtest "Test staff user can access generate token page" => sub {
     my $user = FixMyStreet::App->model('DB::User')->find( { email => $test_email } );
     ok $user->update({ is_superuser => 0 }), 'user not superuser';
@@ -374,8 +383,6 @@ subtest "Test staff user can access generate token page" => sub {
 
     $mech->content_lacks('Security');
 
-    my $body = $mech->create_body_ok(2237, 'Oxfordshire');
-
     $mech->get('/auth/generate_token');
     is $mech->res->code, 403, "access denied";
 
@@ -425,29 +432,80 @@ subtest "Test generate token page" => sub {
     $mech->log_out_ok;
     $mech->add_header('Authorization', "Bearer $token");
     $mech->logged_in_ok;
+    $mech->delete_header('Authorization');
 };
 
 subtest "Test two-factor authentication admin" => sub {
+  for (0, 1) {
     my $user = $mech->log_in_ok($test_email);
-    ok $user->update({ is_superuser => 1 }), 'user set to superuser';
+    if ($_) {
+        ok $user->update({ is_superuser => 1, from_body => undef }), 'user set to superuser';
+    } else {
+        ok $user->update({ is_superuser => 0, from_body => $body }), 'user set to staff user';
+    }
 
     $mech->get_ok('/auth/generate_token');
     ok !$user->get_extra_metadata('2fa_secret');
 
-    $mech->submit_form_ok({ button => 'toggle_2fa' }, "submit 2FA activation");
+    $mech->submit_form_ok({ button => '2fa_activate' }, "submit 2FA activation");
+    my ($token) = $mech->content =~ /name="secret32" value="([^"]*)">/;
+
+    use Auth::GoogleAuth;
+    my $auth = Auth::GoogleAuth->new({ secret32 => $token });
+    my $code = $auth->code;
+    my $wrong_code = $auth->code(undef, time() - 120);
+
+    $mech->submit_form_ok({ with_fields => { '2fa_code' => $wrong_code } }, "provide wrong 2FA code" );
+    $mech->content_contains('Try again');
+    $mech->submit_form_ok({ with_fields => { '2fa_code' => $code } }, "provide correct 2FA code" );
+
     $mech->content_contains('has been activated', "2FA activated");
 
     $user->discard_changes();
-    my $token = $user->get_extra_metadata('2fa_secret');
-    ok $token, '2FA secret set';
-
-    $mech->content_contains($token, 'secret displayed');
+    my $user_token = $user->get_extra_metadata('2fa_secret');
+    is $token, $user_token, '2FA secret set';
 
     $mech->get_ok('/auth/generate_token');
     $mech->content_lacks($token, 'secret no longer displayed');
 
-    $mech->submit_form_ok({ button => 'toggle_2fa' }, "submit 2FA deactivation");
+    $mech->submit_form_ok({ button => '2fa_deactivate' }, "submit 2FA deactivation");
     $mech->content_contains('has been deactivated', "2FA deactivated");
+  }
+};
+
+subtest "Test enforced two-factor authentication" => sub {
+    FixMyStreet::override_config {
+        ALLOWED_COBRANDS => 'dummy',
+    }, sub {
+        use Auth::GoogleAuth;
+        my $auth = Auth::GoogleAuth->new;
+        my $code = $auth->code;
+
+        # Sign in with 2FA
+        my $user = FixMyStreet::App->model('DB::User')->find( { email => $test_email } );
+        $user->password('password');
+        $user->set_extra_metadata('2fa_secret', $auth->secret32);
+        $user->update;
+
+        $mech->get_ok('/auth');
+        $mech->submit_form_ok(
+            { with_fields => { username => $test_email, password_sign_in => 'password' } },
+            "sign in using form" );
+        $mech->content_contains('Please generate a two-factor code');
+        $mech->submit_form_ok({ with_fields => { '2fa_code' => $code } }, "provide correct 2FA code" );
+
+        $mech->get_ok('/auth/generate_token');
+        $mech->content_contains('Change two-factor');
+        $mech->content_lacks('Deactivate two-factor');
+
+        my ($csrf) = $mech->content =~ /meta content="([^"]*)" name="csrf-token"/;
+        $mech->post_ok('/auth/generate_token', {
+            '2fa_deactivate' => 1,
+            'token' => $csrf,
+        });
+        $mech->content_lacks('has been deactivated', "2FA not deactivated");
+        $mech->content_contains('Please scan this image', 'Change 2FA page shown instead');
+    };
 };
 
 done_testing();