Update totp disable modal; require password for enable operation

2022-07-03 14:27:37 -04:00 · 2022-07-03 14:27:37 -04:00 · 2d836156d2
commit 2d836156d2
parent 92926ca193
10 changed files with 182 additions and 121 deletions
--- a/tests/Integration/Api/Client/TwoFactorControllerTest.php
+++ b/tests/Integration/Api/Client/TwoFactorControllerTest.php
@ -59,13 +59,13 @@ class TwoFactorControllerTest extends ClientApiIntegrationTestCase
        /** @var \Pterodactyl\Models\User $user */
        $user = User::factory()->create(['use_totp' => false]);

-        $response = $this->actingAs($user)->postJson('/api/client/account/two-factor', [
-            'code' => '',
-        ]);
-
-        $response->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY);
-        $response->assertJsonPath('errors.0.code', 'ValidationException');
-        $response->assertJsonPath('errors.0.meta.rule', 'required');
+        $this->actingAs($user)
+            ->postJson('/api/client/account/two-factor', ['code' => ''])
+            ->assertUnprocessable()
+            ->assertJsonPath('errors.0.meta.rule', 'required')
+            ->assertJsonPath('errors.0.meta.source_field', 'code')
+            ->assertJsonPath('errors.1.meta.rule', 'required')
+            ->assertJsonPath('errors.1.meta.source_field', 'password');
    }

    /**
@ -90,6 +90,7 @@ class TwoFactorControllerTest extends ClientApiIntegrationTestCase

        $response = $this->actingAs($user)->postJson('/api/client/account/two-factor', [
            'code' => $token,
+            'password' => 'password',
        ]);

        $response->assertOk();
@ -168,4 +169,39 @@ class TwoFactorControllerTest extends ClientApiIntegrationTestCase

        $response->assertStatus(Response::HTTP_NO_CONTENT);
    }
+
+    /**
+     * Test that a valid account password is required when enabling two-factor.
+     */
+    public function testEnablingTwoFactorRequiresValidPassword()
+    {
+        $user = User::factory()->create(['use_totp' => false]);
+
+        $this->actingAs($user)
+            ->postJson('/api/client/account/two-factor', [
+                'code' => '123456',
+                'password' => 'foo',
+            ])
+            ->assertStatus(Response::HTTP_BAD_REQUEST)
+            ->assertJsonPath('errors.0.detail', 'The password provided was not valid.');
+
+        $this->assertFalse($user->refresh()->use_totp);
+    }
+
+    /**
+     * Test that a valid account password is required when disabling two-factor.
+     */
+    public function testDisablingTwoFactorRequiresValidPassword()
+    {
+        $user = User::factory()->create(['use_totp' => true]);
+
+        $this->actingAs($user)
+            ->deleteJson('/api/client/account/two-factor', [
+                'password' => 'foo',
+            ])
+            ->assertStatus(Response::HTTP_BAD_REQUEST)
+            ->assertJsonPath('errors.0.detail', 'The password provided was not valid.');
+
+        $this->assertTrue($user->refresh()->use_totp);
+    }
 }