Commit 89d68830 authored by Andy Soiron's avatar Andy Soiron

Merge branch '35102-prevent-2FA-being-enabled-if-email-unverified' into 'master'

Require verified email to enable 2FA

See merge request gitlab-org/gitlab!69593
parents 920ae4d2 5e365148
......@@ -2,6 +2,7 @@
class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
skip_before_action :check_two_factor_requirement
before_action :ensure_verified_primary_email, only: [:show, :create]
before_action do
push_frontend_feature_flag(:webauthn)
end
......@@ -218,4 +219,12 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
s_(%{The group settings for %{group_links} require you to enable Two-Factor Authentication for your account. You can %{leave_group_links}.})
.html_safe % { group_links: group_links.html_safe, leave_group_links: leave_group_links.html_safe }
end
def ensure_verified_primary_email
return unless Feature.enabled?(:ensure_verified_primary_email_for_2fa)
unless current_user.two_factor_enabled? || current_user.primary_email_verified?
redirect_to profile_emails_path, notice: s_('You need to verify your primary email first before enabling Two-Factor Authentication.')
end
end
end
---
name: ensure_verified_primary_email_for_2fa
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/69593
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/340151
milestone: '14.3'
type: development
group: group::access
default_enabled: false
......@@ -38567,6 +38567,9 @@ msgstr ""
msgid "You need to upload a GitLab project export archive (ending in .gz)."
msgstr ""
msgid "You need to verify your primary email first before enabling Two-Factor Authentication."
msgstr ""
msgid "You successfully declined the invitation"
msgstr ""
......
......@@ -10,8 +10,33 @@ RSpec.describe Profiles::TwoFactorAuthsController do
allow(subject).to receive(:current_user).and_return(user)
end
shared_examples 'user must first verify their primary email address' do
before do
allow(user).to receive(:primary_email_verified?).and_return(false)
end
it 'redirects to profile_emails_path' do
go
expect(response).to redirect_to(profile_emails_path)
end
it 'displays a notice' do
go
expect(flash[:notice])
.to eq _('You need to verify your primary email first before enabling Two-Factor Authentication.')
end
it 'does not redirect when the `ensure_verified_primary_email_for_2fa` feature flag is disabled' do
stub_feature_flags(ensure_verified_primary_email_for_2fa: false)
expect(response).not_to redirect_to(profile_emails_path)
end
end
describe 'GET show' do
let(:user) { create(:user) }
let_it_be_with_reload(:user) { create(:user) }
it 'generates otp_secret for user' do
expect(User).to receive(:generate_otp_secret).with(32).and_call_original.once
......@@ -34,11 +59,16 @@ RSpec.describe Profiles::TwoFactorAuthsController do
get :show
end
end
it_behaves_like 'user must first verify their primary email address' do
let(:go) { get :show }
end
end
describe 'POST create' do
let(:user) { create(:user) }
let(:pin) { 'pin-code' }
let_it_be_with_reload(:user) { create(:user) }
let(:pin) { 'pin-code' }
def go
post :create, params: { pin_code: pin }
......@@ -105,10 +135,12 @@ RSpec.describe Profiles::TwoFactorAuthsController do
expect(response).to render_template(:show)
end
end
it_behaves_like 'user must first verify their primary email address'
end
describe 'POST codes' do
let(:user) { create(:user, :two_factor) }
let_it_be_with_reload(:user) { create(:user, :two_factor) }
it 'presents plaintext codes for the user to save' do
expect(user).to receive(:generate_otp_backup_codes!).and_return(%w(a b c))
......@@ -135,7 +167,7 @@ RSpec.describe Profiles::TwoFactorAuthsController do
subject { delete :destroy }
context 'for a user that has 2FA enabled' do
let(:user) { create(:user, :two_factor) }
let_it_be_with_reload(:user) { create(:user, :two_factor) }
it 'disables two factor' do
subject
......@@ -158,7 +190,7 @@ RSpec.describe Profiles::TwoFactorAuthsController do
end
context 'for a user that does not have 2FA enabled' do
let(:user) { create(:user) }
let_it_be_with_reload(:user) { create(:user) }
it 'redirects to profile_account_path' do
subject
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment