Merge branch 'mc_rocha-repeat-captcha-check-login' into 'master'

Repeat the captcha check during the login See merge request gitlab-org/gitlab!83633

Merge branch 'mc_rocha-repeat-captcha-check-login' into 'master'
Repeat the captcha check during the login See merge request gitlab-org/gitlab!83633
f805367b · Stan Hu · 1e13352c · f85640d7 · f805367b · f805367b
Commit f805367b authored Apr 08, 2022 by Stan Hu
3 changed files
--- a/ee/app/controllers/ee/sessions_controller.rb
+++ b/ee/app/controllers/ee/sessions_controller.rb
@@ -90,23 +90,40 @@ module EE

    def check_arkose_captcha
      return unless user_params[:password].present?
-      return unless params[:arkose_labs_token].present?
-
-      user = ::User.find_by_username(user_params[:login])

+      user = ::User.by_login(user_params[:login])
      return unless user.present?

+      if params[:arkose_labs_token].present?
+        verify_arkose_token(user)
+      else
+        verify_token_required(user)
+      end
+    end
+
+    def verify_arkose_token(user)
      if Arkose::UserVerificationService.new(session_token: params[:arkose_labs_token], user: user).execute
        increment_successful_login_captcha_counter
      else
-        increment_failed_login_captcha_counter
+        failed_login_captcha
+      end
+    end

-        self.resource = resource_class.new
-        flash[:alert] = 'Login failed. Please retry from your primary device and network'
-        flash.delete :recaptcha_error
+    def verify_token_required(user)
+      should_challenge = ::Users::CaptchaChallengeService.new(user).execute
+      return unless should_challenge[:result]

-        respond_with_navigational(resource) { render :new }
-      end
+      failed_login_captcha
+    end
+
+    def failed_login_captcha
+      increment_failed_login_captcha_counter
+
+      self.resource = resource_class.new
+      flash[:alert] = 'Login failed. Please retry from your primary device and network.'
+      flash.delete :recaptcha_error
+
+      respond_with_navigational(resource) { render :new }
    end
  end
 end
--- a/ee/spec/controllers/ee/sessions_controller_spec.rb
+++ b/ee/spec/controllers/ee/sessions_controller_spec.rb
@@ -163,7 +163,7 @@ RSpec.describe SessionsController, :geo do
      end

      context 'when the user was not verified by Arkose' do
-        it 'successfully logs in a user when reCAPTCHA is solved' do
+        it 'prevents the user from logging in' do
          allow_next_instance_of(Arkose::UserVerificationService) do |instance|
            allow(instance).to receive(:execute).and_return(false)
          end
@@ -174,6 +174,16 @@ RSpec.describe SessionsController, :geo do
          expect(subject.current_user).to be_nil
        end
      end
+
+      context 'when the user should be verified by Arkose but the request does not contain the arkose token' do
+        it 'prevents the user from logging in' do
+          post(:create, params: params.except!(:arkose_labs_token), session: {})
+
+          expect(response).to render_template(:new)
+          expect(flash[:alert]).to include 'Login failed. Please retry from your primary device and network'
+          expect(subject.current_user).to be_nil
+        end
+      end
    end
  end
 end
--- a/spec/support/helpers/login_helpers.rb
+++ b/spec/support/helpers/login_helpers.rb
@@ -99,7 +99,7 @@ module LoginHelpers
    fill_in "user_password", with: (password || "12345678")
    check 'user_remember_me' if remember

-    click_button "Sign in"
+    find('[data-testid="sign-in-button"]:enabled').click

    if two_factor_auth
      fill_in "user_otp_attempt", with: user.reload.current_otp