test: add integration tests for two-factor sign-in flow

santiagorodriguez96 · santiagorodriguez96 · commit 532d5ee338f9 · 2026-04-08T19:11:29.000-03:00
Add end-to-end integration tests covering the full 2FA sign-in flow,
failure recall, password reset enforcement, route verification, and
URL helpers. Update serializable_test for new otp_secret column.
diff --git a/test/helpers/devise_helper_test.rb b/test/helpers/devise_helper_test.rb
@@ -44,4 +44,33 @@ class DeviseHelperTest < Devise::IntegrationTest
     assert_have_selector '#error_explanation'
     assert_contain "Can't save the user because of 2 errors"
   end
+
+  test 'two_factor_method_links returns empty string when no other methods' do
+    resource = mock('resource')
+    resource.stubs(:enabled_two_factors).returns([:test_two_factor])
+
+    helper = Class.new(ActionView::Base) do
+      include DeviseHelper
+    end.new(ActionView::LookupContext.new([]), {}, nil)
+
+    result = helper.two_factor_method_links(resource, :test_two_factor)
+    assert_equal '', result
+  end
+
+  test 'two_factor_method_links renders link partials for other enabled methods' do
+    resource = mock('resource')
+    resource.stubs(:enabled_two_factors).returns([:webauthn, :totp, :backup_codes])
+
+    helper = Class.new(ActionView::Base) do
+      include DeviseHelper
+    end.new(ActionView::LookupContext.new([]), {}, nil)
+
+    helper.stubs(:render).with("devise/two_factor/totp_link").returns('<a href="/totp">Use TOTP</a>'.html_safe)
+    helper.stubs(:render).with("devise/two_factor/backup_codes_link").returns('<a href="/backup">Use backup codes</a>'.html_safe)
+
+    result = helper.two_factor_method_links(resource, :webauthn)
+    assert_includes result, "Use TOTP"
+    assert_includes result, "Use backup codes"
+    assert_not_includes result, "webauthn"
+  end
 end
diff --git a/test/integration/two_factor_test.rb b/test/integration/two_factor_test.rb
@@ -0,0 +1,139 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class TwoFactorAuthenticationTest < Devise::IntegrationTest
+  test 'sign in redirects to two factor challenge when 2FA is enabled' do
+    user = create_user_with_two_factor(otp_secret: '123456')
+
+    visit new_user_with_two_factor_session_path
+    fill_in 'email', with: user.email
+    fill_in 'password', with: '12345678'
+    click_button 'Log In'
+
+    assert_not warden.authenticated?(:user_with_two_factor)
+    assert_equal user.id, session[:devise_two_factor_resource_id]
+  end
+
+  test 'sign in without 2FA enabled proceeds normally' do
+    user = create_user_with_two_factor(otp_secret: nil)
+
+    visit new_user_with_two_factor_session_path
+    fill_in 'email', with: user.email
+    fill_in 'password', with: '12345678'
+    click_button 'Log In'
+
+    assert warden.authenticated?(:user_with_two_factor)
+    assert_nil session[:devise_two_factor_resource_id]
+  end
+
+  test 'password reset with 2FA enabled redirects to two factor challenge' do
+    user = create_user_with_two_factor(otp_secret: '123456')
+    raw_token = user.send_reset_password_instructions
+
+    visit edit_user_with_two_factor_password_path(reset_password_token: raw_token)
+    fill_in 'New password', with: 'newpassword123'
+    fill_in 'Confirm new password', with: 'newpassword123'
+    click_button 'Change my password'
+
+    assert_not warden.authenticated?(:user_with_two_factor)
+    assert session[:devise_two_factor_resource_id]
+  end
+
+  test 'password reset without 2FA signs in directly' do
+    user = create_user_with_two_factor(otp_secret: nil)
+    raw_token = user.send_reset_password_instructions
+
+    visit edit_user_with_two_factor_password_path(reset_password_token: raw_token)
+    fill_in 'New password', with: 'newpassword123'
+    fill_in 'Confirm new password', with: 'newpassword123'
+    click_button 'Change my password'
+
+    assert warden.authenticated?(:user_with_two_factor)
+  end
+
+  test 'two-factor routes generate correct paths' do
+    assert_equal '/user_with_two_factors/two_factor/test_otp/new',
+      user_with_two_factor_new_two_factor_test_otp_path
+    assert_equal '/user_with_two_factors/two_factor',
+      user_with_two_factor_two_factor_path
+  end
+
+  test 'full two-factor sign-in: password -> challenge -> OTP -> authenticated' do
+    user = create_user_with_two_factor(otp_secret: '123456')
+
+    # Step 1: Submit password
+    post user_with_two_factor_session_path, params: {
+      user_with_two_factor: { email: user.email, password: '12345678' }
+    }
+
+    # Step 2: Redirected to the default 2FA method's challenge page
+    assert_redirected_to user_with_two_factor_new_two_factor_test_otp_path
+    follow_redirect!
+    assert_response :success
+
+    # Step 3: Submit correct OTP
+    post user_with_two_factor_two_factor_path, params: {
+      otp_attempt: user.otp_secret
+    }
+
+    # Step 4: Authenticated and redirected to after_sign_in_path
+    assert_response :redirect
+    assert warden.authenticated?(:user_with_two_factor)
+  end
+
+  test 'two-factor sign-in with wrong OTP recalls challenge page' do
+    user = create_user_with_two_factor(otp_secret: '123456')
+
+    post user_with_two_factor_session_path, params: {
+      user_with_two_factor: { email: user.email, password: '12345678' }
+    }
+    assert_redirected_to user_with_two_factor_new_two_factor_test_otp_path
+
+    # Submit wrong OTP
+    post user_with_two_factor_two_factor_path, params: {
+      otp_attempt: 'wrong'
+    }
+
+    # Should recall (re-render) the challenge page, not redirect
+    assert_response :success
+    assert_not warden.authenticated?(:user_with_two_factor)
+  end
+
+  test 'two-factor sign-in with expired session does not authenticate' do
+    user = create_user_with_two_factor(otp_secret: '123456')
+
+    post user_with_two_factor_session_path, params: {
+      user_with_two_factor: { email: user.email, password: '12345678' }
+    }
+    assert_redirected_to user_with_two_factor_new_two_factor_test_otp_path
+
+    # Simulate session expiration between password and OTP submission
+    reset!
+
+    post user_with_two_factor_two_factor_path, params: {
+      otp_attempt: user.otp_secret
+    }
+
+    assert_not warden.authenticated?(:user_with_two_factor)
+  end
+
+  test 'visiting two-factor challenge page without sign-in redirects to login' do
+    get user_with_two_factor_new_two_factor_test_otp_path
+
+    assert_redirected_to new_user_with_two_factor_session_path
+    assert_not warden.authenticated?(:user_with_two_factor)
+  end
+
+  private
+
+  def create_user_with_two_factor(attributes = {})
+    UserWithTwoFactor.create!(
+      username: 'usertest',
+      email: generate_unique_email,
+      password: '12345678',
+      password_confirmation: '12345678',
+      **attributes
+    )
+  end
+end
