Commit 42725ea9 authored by Robert Speicher's avatar Robert Speicher

Merge remote-tracking branch 'dev/master'

parents d9ca7655 2fcf779c
...@@ -2,6 +2,13 @@ ...@@ -2,6 +2,13 @@
documentation](doc/development/changelog.md) for instructions on adding your own documentation](doc/development/changelog.md) for instructions on adding your own
entry. entry.
## 10.5.3 (2018-03-01)
### Security (1 change)
- Ensure that OTP backup codes are always invalidated.
## 10.5.2 (2018-02-25) ## 10.5.2 (2018-02-25)
### Fixed (7 changes) ### Fixed (7 changes)
...@@ -219,6 +226,13 @@ entry. ...@@ -219,6 +226,13 @@ entry.
- Adds empty state illustration for pending job. - Adds empty state illustration for pending job.
## 10.4.5 (2018-03-01)
### Security (1 change)
- Ensure that OTP backup codes are always invalidated.
## 10.4.4 (2018-02-16) ## 10.4.4 (2018-02-16)
### Security (1 change) ### Security (1 change)
...@@ -443,6 +457,13 @@ entry. ...@@ -443,6 +457,13 @@ entry.
- Use a background migration for issues.closed_at. - Use a background migration for issues.closed_at.
## 10.3.8 (2018-03-01)
### Security (1 change)
- Ensure that OTP backup codes are always invalidated.
## 10.3.7 (2018-02-05) ## 10.3.7 (2018-02-05)
### Security (4 changes) ### Security (4 changes)
...@@ -56,6 +56,7 @@ module AuthenticatesWithTwoFactor ...@@ -56,6 +56,7 @@ module AuthenticatesWithTwoFactor
session.delete(:otp_user_id) session.delete(:otp_user_id)
remember_me(user) if user_params[:remember_me] == '1' remember_me(user) if user_params[:remember_me] == '1'
user.save!
sign_in(user) sign_in(user)
else else
user.increment_failed_attempts! user.increment_failed_attempts!
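Review bot: The new `user.save!` sits after `remember_me(user)` and directly before `sign_in(user)`, so the consumed backup code is persisted only after remember-me has already been applied; moving the save ahead of `remember_me` keeps the order "invalidate, then grant" and means a persistence failure cannot leave remember-me state behind while the code is still stored. Presumably the code was removed from the in-memory `otp_backup_codes` earlier in this method (the method body begins outside the hunk) and was otherwise lost without the save — that intent is worth stating on the added line, e.g. `# Persist the consumed backup code so it cannot be reused on a later login`. `save!` also runs the full validation chain, so a user record that is invalid for an unrelated reason would now turn a correct backup code into an exception rather than a login; if that is not intended, persist only the backup-code column instead.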
---
title: Ensure that OTP backup codes are always invalidated
merge_request:
author:
type: security
...@@ -145,6 +145,18 @@ feature 'Login' do ...@@ -145,6 +145,18 @@ feature 'Login' do
expect { enter_code(codes.sample) } expect { enter_code(codes.sample) }
.to change { user.reload.otp_backup_codes.size }.by(-1) .to change { user.reload.otp_backup_codes.size }.by(-1)
end end
it 'invalidates backup codes twice in a row' do
random_code = codes.delete(codes.sample)
expect { enter_code(random_code) }
.to change { user.reload.otp_backup_codes.size }.by(-1)
gitlab_sign_out
gitlab_sign_in(user)
expect { enter_code(codes.sample) }
.to change { user.reload.otp_backup_codes.size }.by(-1)
end
end end
context 'with invalid code' do context 'with invalid code' do
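Review bot: The example `invalidates backup codes twice in a row` enters two different codes (`random_code`, then a fresh `codes.sample`), so it never asserts the property the fix is about — that a code already consumed in an earlier login is rejected the second time. After `gitlab_sign_in(user)`, add a check that re-entering `random_code` neither signs the user in nor changes the stored set, e.g. `expect { enter_code(random_code) }.not_to change { user.reload.otp_backup_codes.size }`, and only then sample a new code. The enclosing `context` and the `codes`/`enter_code` definitions are outside the hunk, so whether `enter_code` already fails the login on a rejected code is inferred here; if it does, an explicit expectation on the sign-in outcome would make the regression test self-explanatory.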