tests/Integration/Api/Client/TwoFactorControllerTest.php

<?php

namespace App\Tests\Integration\Api\Client;

use Carbon\Carbon;
use App\Models\User;
use Illuminate\Http\Response;
use PragmaRX\Google2FA\Google2FA;
use App\Models\RecoveryToken;
use PHPUnit\Framework\ExpectationFailedException;

class TwoFactorControllerTest extends ClientApiIntegrationTestCase
{
    /**
     * Test that image data for enabling 2FA is returned by the endpoint and that the user
     * record in the database is updated as expected.
     */
    public function test_two_factor_image_data_is_returned(): void
    {
        /** @var \App\Models\User $user */
        $user = User::factory()->create(['use_totp' => false]);

        $this->assertFalse($user->use_totp);
        $this->assertEmpty($user->totp_secret);
        $this->assertEmpty($user->totp_authenticated_at);

        $response = $this->actingAs($user)->getJson('/api/client/account/two-factor');

        $response->assertOk();
        $response->assertJsonStructure(['data' => ['image_url_data']]);

        $user = $user->refresh();

        $this->assertFalse($user->use_totp);
        $this->assertNotEmpty($user->totp_secret);
        $this->assertEmpty($user->totp_authenticated_at);
    }

    /**
     * Test that an error is returned if the user's account already has 2FA enabled on it.
     */
    public function test_error_is_returned_when_two_factor_is_already_enabled(): void
    {
        /** @var \App\Models\User $user */
        $user = User::factory()->create(['use_totp' => true]);

        $response = $this->actingAs($user)->getJson('/api/client/account/two-factor');

        $response->assertStatus(Response::HTTP_BAD_REQUEST);
        $response->assertJsonPath('errors.0.code', 'BadRequestHttpException');
        $response->assertJsonPath('errors.0.detail', 'Two-factor authentication is already enabled on this account.');
    }

    /**
     * Test that a validation error is thrown if invalid data is passed to the 2FA endpoint.
     */
    public function test_validation_error_is_returned_if_invalid_data_is_passed_to_enabled2_fa(): void
    {
        /** @var \App\Models\User $user */
        $user = User::factory()->create(['use_totp' => false]);

        $this->actingAs($user)
            ->postJson('/api/client/account/two-factor', ['code' => ''])
            ->assertUnprocessable()
            ->assertJsonPath('errors.0.meta.rule', 'required')
            ->assertJsonPath('errors.0.meta.source_field', 'code')
            ->assertJsonPath('errors.1.meta.rule', 'required')
            ->assertJsonPath('errors.1.meta.source_field', 'password');
    }

    /**
     * Tests that 2FA can be enabled on an account for the user.
     */
    public function test_two_factor_can_be_enabled_on_account(): void
    {
        /** @var \App\Models\User $user */
        $user = User::factory()->create(['use_totp' => false]);

        // Make the initial call to get the account setup for 2FA.
        $this->actingAs($user)->getJson('/api/client/account/two-factor')->assertOk();

        $user = $user->refresh();
        $this->assertNotNull($user->totp_secret);

        /** @var \PragmaRX\Google2FA\Google2FA $service */
        $service = $this->app->make(Google2FA::class);

        $token = $service->getCurrentOtp($user->totp_secret);

        $response = $this->actingAs($user)->postJson('/api/client/account/two-factor', [
            'code' => $token,
            'password' => 'password',
        ]);

        $response->assertOk();
        $response->assertJsonPath('object', 'recovery_tokens');

        $user = $user->refresh();
        $this->assertTrue($user->use_totp);

        $tokens = RecoveryToken::query()->where('user_id', $user->id)->get();
        $this->assertCount(10, $tokens);
        $this->assertStringStartsWith('$2y$', $tokens[0]->token);

        // Ensure the recovery tokens that were created include a "created_at" timestamp value on them.
        $this->assertNotNull($tokens[0]->created_at);

        $tokens = $tokens->pluck('token')->toArray();

        $rawTokens = $response->json('attributes.tokens');
        $rawToken = reset($rawTokens);
        $hashed = reset($tokens);

        throw_unless(password_verify($rawToken, $hashed), new ExpectationFailedException(sprintf('Failed asserting that token [%s] exists as a hashed value in recovery_tokens table.', $rawToken)));
    }

    /**
     * Test that two-factor authentication can be disabled on an account as long as the password
     * provided is valid for the account.
     */
    public function test_two_factor_can_be_disabled_on_account(): void
    {
        Carbon::setTestNow(Carbon::now());

        /** @var \App\Models\User $user */
        $user = User::factory()->create(['use_totp' => true]);

        $response = $this->actingAs($user)->deleteJson('/api/client/account/two-factor', [
            'password' => 'invalid',
        ]);

        $response->assertStatus(Response::HTTP_BAD_REQUEST);
        $response->assertJsonPath('errors.0.code', 'BadRequestHttpException');
        $response->assertJsonPath('errors.0.detail', 'The password provided was not valid.');

        $response = $this->actingAs($user)->deleteJson('/api/client/account/two-factor', [
            'password' => 'password',
        ]);

        $response->assertStatus(Response::HTTP_NO_CONTENT);

        $user = $user->refresh();
        $this->assertFalse($user->use_totp);
        $this->assertNotNull($user->totp_authenticated_at);
        $this->assertSame(Carbon::now()->toAtomString(), $user->totp_authenticated_at->toAtomString());
    }

    /**
     * Test that no error is returned when trying to disabled two factor on an account where it
     * was not enabled in the first place.
     */
    public function test_no_error_is_returned_if_two_factor_is_not_enabled(): void
    {
        Carbon::setTestNow(Carbon::now());

        /** @var \App\Models\User $user */
        $user = User::factory()->create(['use_totp' => false]);

        $response = $this->actingAs($user)->deleteJson('/api/client/account/two-factor', [
            'password' => 'password',
        ]);

        $response->assertStatus(Response::HTTP_NO_CONTENT);
    }

    /**
     * Test that a valid account password is required when enabling two-factor.
     */
    public function test_enabling_two_factor_requires_valid_password(): void
    {
        $user = User::factory()->create(['use_totp' => false]);

        $this->actingAs($user)
            ->postJson('/api/client/account/two-factor', [
                'code' => '123456',
                'password' => 'foo',
            ])
            ->assertStatus(Response::HTTP_BAD_REQUEST)
            ->assertJsonPath('errors.0.detail', 'The password provided was not valid.');

        $this->assertFalse($user->refresh()->use_totp);
    }

    /**
     * Test that a valid account password is required when disabling two-factor.
     */
    public function test_disabling_two_factor_requires_valid_password(): void
    {
        $user = User::factory()->create(['use_totp' => true]);

        $this->actingAs($user)
            ->deleteJson('/api/client/account/two-factor', [
                'password' => 'foo',
            ])
            ->assertStatus(Response::HTTP_BAD_REQUEST)
            ->assertJsonPath('errors.0.detail', 'The password provided was not valid.');

        $this->assertTrue($user->refresh()->use_totp);
    }
}
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00			`<?php`

Switch namespace back to App 2024-03-12 22:39:16 -04:00			`namespace App\Tests\Integration\Api\Client;`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00
			`use Carbon\Carbon;`
Switch namespace back to App 2024-03-12 22:39:16 -04:00			`use App\Models\User;`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00			`use Illuminate\Http\Response;`
			`use PragmaRX\Google2FA\Google2FA;`
Switch namespace back to App 2024-03-12 22:39:16 -04:00			`use App\Models\RecoveryToken;`
Fix failing tests (which caught a bug in the new client query) 2020-07-09 21:32:31 -07:00			`use PHPUnit\Framework\ExpectationFailedException;`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00
Add test cases for sending a command to a server 2020-06-27 12:04:41 -07:00			`class TwoFactorControllerTest extends ClientApiIntegrationTestCase`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00			`{`
			`/**`
			`* Test that image data for enabling 2FA is returned by the endpoint and that the user`
			`* record in the database is updated as expected.`
			`*/`
chore: Upgrade Dependencies (#1005) * chore: yarn upgrade * chore: composer upgrade * chore: php artisan filament:upgrade * chore: update filament-monaco-editor-views * chore: update filament-monaco-editor-configs * chore: move turnstile-views to plugins * fix monaco-editor loader & css 2025-02-25 14:22:07 +01:00			`public function test_two_factor_image_data_is_returned(): void`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00			`{`
Switch namespace back to App 2024-03-12 22:39:16 -04:00			`/** @var \App\Models\User $user */`
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 12:09:16 -08:00			`$user = User::factory()->create(['use_totp' => false]);`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00
			`$this->assertFalse($user->use_totp);`
			`$this->assertEmpty($user->totp_secret);`
			`$this->assertEmpty($user->totp_authenticated_at);`

			`$response = $this->actingAs($user)->getJson('/api/client/account/two-factor');`

			`$response->assertOk();`
			`$response->assertJsonStructure(['data' => ['image_url_data']]);`

			`$user = $user->refresh();`

			`$this->assertFalse($user->use_totp);`
			`$this->assertNotEmpty($user->totp_secret);`
			`$this->assertEmpty($user->totp_authenticated_at);`
			`}`

			`/**`
			`* Test that an error is returned if the user's account already has 2FA enabled on it.`
			`*/`
chore: Upgrade Dependencies (#1005) * chore: yarn upgrade * chore: composer upgrade * chore: php artisan filament:upgrade * chore: update filament-monaco-editor-views * chore: update filament-monaco-editor-configs * chore: move turnstile-views to plugins * fix monaco-editor loader & css 2025-02-25 14:22:07 +01:00			`public function test_error_is_returned_when_two_factor_is_already_enabled(): void`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00			`{`
Switch namespace back to App 2024-03-12 22:39:16 -04:00			`/** @var \App\Models\User $user */`
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 12:09:16 -08:00			`$user = User::factory()->create(['use_totp' => true]);`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00
			`$response = $this->actingAs($user)->getJson('/api/client/account/two-factor');`

			`$response->assertStatus(Response::HTTP_BAD_REQUEST);`
			`$response->assertJsonPath('errors.0.code', 'BadRequestHttpException');`
			`$response->assertJsonPath('errors.0.detail', 'Two-factor authentication is already enabled on this account.');`
			`}`

			`/**`
			`* Test that a validation error is thrown if invalid data is passed to the 2FA endpoint.`
			`*/`
chore: Upgrade Dependencies (#1005) * chore: yarn upgrade * chore: composer upgrade * chore: php artisan filament:upgrade * chore: update filament-monaco-editor-views * chore: update filament-monaco-editor-configs * chore: move turnstile-views to plugins * fix monaco-editor loader & css 2025-02-25 14:22:07 +01:00			`public function test_validation_error_is_returned_if_invalid_data_is_passed_to_enabled2_fa(): void`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00			`{`
Switch namespace back to App 2024-03-12 22:39:16 -04:00			`/** @var \App\Models\User $user */`
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 12:09:16 -08:00			`$user = User::factory()->create(['use_totp' => false]);`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00
Update totp disable modal; require password for enable operation 2022-07-03 14:27:37 -04:00			`$this->actingAs($user)`
			`->postJson('/api/client/account/two-factor', ['code' => ''])`
			`->assertUnprocessable()`
			`->assertJsonPath('errors.0.meta.rule', 'required')`
			`->assertJsonPath('errors.0.meta.source_field', 'code')`
			`->assertJsonPath('errors.1.meta.rule', 'required')`
			`->assertJsonPath('errors.1.meta.source_field', 'password');`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00			`}`

			`/**`
			`* Tests that 2FA can be enabled on an account for the user.`
			`*/`
chore: Upgrade Dependencies (#1005) * chore: yarn upgrade * chore: composer upgrade * chore: php artisan filament:upgrade * chore: update filament-monaco-editor-views * chore: update filament-monaco-editor-configs * chore: move turnstile-views to plugins * fix monaco-editor loader & css 2025-02-25 14:22:07 +01:00			`public function test_two_factor_can_be_enabled_on_account(): void`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00			`{`
Switch namespace back to App 2024-03-12 22:39:16 -04:00			`/** @var \App\Models\User $user */`
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 12:09:16 -08:00			`$user = User::factory()->create(['use_totp' => false]);`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00
			`// Make the initial call to get the account setup for 2FA.`
			`$this->actingAs($user)->getJson('/api/client/account/two-factor')->assertOk();`

			`$user = $user->refresh();`
			`$this->assertNotNull($user->totp_secret);`

			`/** @var \PragmaRX\Google2FA\Google2FA $service */`
			`$service = $this->app->make(Google2FA::class);`

replace encrypt/ decrypt with encrypted casting 2024-05-28 15:24:20 +02:00			`$token = $service->getCurrentOtp($user->totp_secret);`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00
			`$response = $this->actingAs($user)->postJson('/api/client/account/two-factor', [`
			`'code' => $token,`
Update totp disable modal; require password for enable operation 2022-07-03 14:27:37 -04:00			`'password' => 'password',`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00			`]);`

Fix failing tests (which caught a bug in the new client query) 2020-07-09 21:32:31 -07:00			`$response->assertOk();`
			`$response->assertJsonPath('object', 'recovery_tokens');`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00
			`$user = $user->refresh();`
			`$this->assertTrue($user->use_totp);`
Fix failing tests (which caught a bug in the new client query) 2020-07-09 21:32:31 -07:00
			`$tokens = RecoveryToken::query()->where('user_id', $user->id)->get();`
			`$this->assertCount(10, $tokens);`
Add PHP 8.4 Support (#858) * Add php 8.4 * Update ide helper * Add php 8.4 * Update laravel sanctum * Update laravel framework * Hash rounds were increased * This is always false * Extend model now * This does nothing * Move model validation methods to trait * Remove base model * Backup routes were previously referenced by uuids * Remove commented code * Upgrade laravel/framework * Fix migration * Update ide helper * Update sanctum * Add version to composer * Add this back in, fixed * Make this protected to be safer 2025-01-30 16:39:00 -05:00			`$this->assertStringStartsWith('$2y$', $tokens[0]->token);`
Only check first token 2024-03-23 11:20:15 -04:00
			`// Ensure the recovery tokens that were created include a "created_at" timestamp value on them.`
Ensure a created_at value is set on recovery tokens; closes #3163 2021-03-21 10:43:01 -07:00			`$this->assertNotNull($tokens[0]->created_at);`
Fix failing tests (which caught a bug in the new client query) 2020-07-09 21:32:31 -07:00
			`$tokens = $tokens->pluck('token')->toArray();`

Only check first token 2024-03-23 11:20:15 -04:00			`$rawTokens = $response->json('attributes.tokens');`
			`$rawToken = reset($rawTokens);`
Better way 2024-03-23 11:27:26 -04:00			`$hashed = reset($tokens);`
Fix failing tests (which caught a bug in the new client query) 2020-07-09 21:32:31 -07:00
Better way 2024-03-23 11:27:26 -04:00			`throw_unless(password_verify($rawToken, $hashed), new ExpectationFailedException(sprintf('Failed asserting that token [%s] exists as a hashed value in recovery_tokens table.', $rawToken)));`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00			`}`

			`/**`
Upgrade to Laravel 9 (#4413) Co-authored-by: DaneEveritt <dane@daneeveritt.com> 2022-10-14 10:59:20 -06:00			`* Test that two-factor authentication can be disabled on an account as long as the password`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00			`* provided is valid for the account.`
			`*/`
chore: Upgrade Dependencies (#1005) * chore: yarn upgrade * chore: composer upgrade * chore: php artisan filament:upgrade * chore: update filament-monaco-editor-views * chore: update filament-monaco-editor-configs * chore: move turnstile-views to plugins * fix monaco-editor loader & css 2025-02-25 14:22:07 +01:00			`public function test_two_factor_can_be_disabled_on_account(): void`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00			`{`
			`Carbon::setTestNow(Carbon::now());`

Switch namespace back to App 2024-03-12 22:39:16 -04:00			`/** @var \App\Models\User $user */`
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 12:09:16 -08:00			`$user = User::factory()->create(['use_totp' => true]);`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00
			`$response = $this->actingAs($user)->deleteJson('/api/client/account/two-factor', [`
			`'password' => 'invalid',`
			`]);`

			`$response->assertStatus(Response::HTTP_BAD_REQUEST);`
			`$response->assertJsonPath('errors.0.code', 'BadRequestHttpException');`
			`$response->assertJsonPath('errors.0.detail', 'The password provided was not valid.');`

			`$response = $this->actingAs($user)->deleteJson('/api/client/account/two-factor', [`
			`'password' => 'password',`
			`]);`

			`$response->assertStatus(Response::HTTP_NO_CONTENT);`

			`$user = $user->refresh();`
			`$this->assertFalse($user->use_totp);`
			`$this->assertNotNull($user->totp_authenticated_at);`
Upgrade to Laravel 9 (#4413) Co-authored-by: DaneEveritt <dane@daneeveritt.com> 2022-10-14 10:59:20 -06:00			`$this->assertSame(Carbon::now()->toAtomString(), $user->totp_authenticated_at->toAtomString());`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00			`}`

			`/**`
			`* Test that no error is returned when trying to disabled two factor on an account where it`
			`* was not enabled in the first place.`
			`*/`
chore: Upgrade Dependencies (#1005) * chore: yarn upgrade * chore: composer upgrade * chore: php artisan filament:upgrade * chore: update filament-monaco-editor-views * chore: update filament-monaco-editor-configs * chore: move turnstile-views to plugins * fix monaco-editor loader & css 2025-02-25 14:22:07 +01:00			`public function test_no_error_is_returned_if_two_factor_is_not_enabled(): void`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00			`{`
			`Carbon::setTestNow(Carbon::now());`

Switch namespace back to App 2024-03-12 22:39:16 -04:00			`/** @var \App\Models\User $user */`
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 12:09:16 -08:00			`$user = User::factory()->create(['use_totp' => false]);`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00
			`$response = $this->actingAs($user)->deleteJson('/api/client/account/two-factor', [`
			`'password' => 'password',`
			`]);`

			`$response->assertStatus(Response::HTTP_NO_CONTENT);`
			`}`
Update totp disable modal; require password for enable operation 2022-07-03 14:27:37 -04:00
			`/**`
			`* Test that a valid account password is required when enabling two-factor.`
			`*/`
chore: Upgrade Dependencies (#1005) * chore: yarn upgrade * chore: composer upgrade * chore: php artisan filament:upgrade * chore: update filament-monaco-editor-views * chore: update filament-monaco-editor-configs * chore: move turnstile-views to plugins * fix monaco-editor loader & css 2025-02-25 14:22:07 +01:00			`public function test_enabling_two_factor_requires_valid_password(): void`
Update totp disable modal; require password for enable operation 2022-07-03 14:27:37 -04:00			`{`
			`$user = User::factory()->create(['use_totp' => false]);`

			`$this->actingAs($user)`
			`->postJson('/api/client/account/two-factor', [`
			`'code' => '123456',`
			`'password' => 'foo',`
			`])`
			`->assertStatus(Response::HTTP_BAD_REQUEST)`
			`->assertJsonPath('errors.0.detail', 'The password provided was not valid.');`

			`$this->assertFalse($user->refresh()->use_totp);`
			`}`

			`/**`
			`* Test that a valid account password is required when disabling two-factor.`
			`*/`
chore: Upgrade Dependencies (#1005) * chore: yarn upgrade * chore: composer upgrade * chore: php artisan filament:upgrade * chore: update filament-monaco-editor-views * chore: update filament-monaco-editor-configs * chore: move turnstile-views to plugins * fix monaco-editor loader & css 2025-02-25 14:22:07 +01:00			`public function test_disabling_two_factor_requires_valid_password(): void`
Update totp disable modal; require password for enable operation 2022-07-03 14:27:37 -04:00			`{`
			`$user = User::factory()->create(['use_totp' => true]);`

			`$this->actingAs($user)`
			`->deleteJson('/api/client/account/two-factor', [`
			`'password' => 'foo',`
			`])`
			`->assertStatus(Response::HTTP_BAD_REQUEST)`
			`->assertJsonPath('errors.0.detail', 'The password provided was not valid.');`

			`$this->assertTrue($user->refresh()->use_totp);`
			`}`
Add test coverage for 2fa 2020-06-27 11:06:35 -07:00			`}`