OXDEV-9078 Add codeception tests for two FA

Author: TitaKoleva

src/Authentication/TwoFactorAuth/Controller/AccountSecurityController.php

@@ -27,8 +27,9 @@ public function render(): string
         $parentResult = parent::render();
 
         $user = $this->getUser();
-
-        $this->addTplParam('twoFAEnabledForUser', $this->userSettingsService->isEnabledForUser($user->getId()));
+        if ($user) {
+            $this->addTplParam('twoFAEnabledForUser', $this->userSettingsService->isEnabledForUser($user->getId()));
+        }
 
         return $parentResult;
     }

src/Captcha/Service/ModuleSettingsService.php

@@ -47,6 +47,11 @@ public function isHoneyPotCaptchaEnabled(): bool
         return $this->moduleSettingService->getBoolean(self::HONEYPOT_CAPTCHA_ENABLE, Module::MODULE_ID);
     }
 
+    public function saveIsHoneyPotCaptchaEnabled(bool $value): void
+    {
+        $this->moduleSettingService->saveBoolean(self::HONEYPOT_CAPTCHA_ENABLE, $value, Module::MODULE_ID);
+    }
+
     public function getCaptchaLifeTime(): string
     {
         $key = $this->moduleSettingService

src/Captcha/Service/ModuleSettingsServiceInterface.php

@@ -15,5 +15,7 @@ public function isHoneyPotCaptchaEnabled(): bool;
 
     public function saveIsCaptchaEnabled(bool $value): void;
 
+    public function saveIsHoneyPotCaptchaEnabled(bool $value): void;
+
     public function getCaptchaLifeTime(): string;
 }

tests/Codeception/Acceptance/BaseCest.php

@@ -14,9 +14,10 @@
 use OxidEsales\EshopCommunity\Internal\Framework\Module\Facade\ModuleSettingServiceInterface;
 use OxidEsales\SecurityModule\Authentication\OAuth2\Service\ModuleSettingsServiceInterface
     as OAuthModuleSettingsServiceInterface;
-use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Settings\TwoFASettings;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Settings\TwoFAShopSettings;
 use OxidEsales\SecurityModule\Captcha\Service\ModuleSettingsServiceInterface as CaptchaSettingsServiceInterface;
 use OxidEsales\SecurityModule\Core\Module;
+use OxidEsales\SecurityModule\Tests\Codeception\Support\AcceptanceTester;
 use OxidEsales\SecurityModule\PasswordPolicy\Service\ModuleSettingsServiceInterface as PasswordSettingsServiceInterface;
 
 abstract class BaseCest
@@ -41,15 +42,30 @@ protected function setCaptchaState(bool $state)
         ContainerFacade::get(CaptchaSettingsServiceInterface::class)->saveIsCaptchaEnabled($state);
     }
 
+    protected function setHoneyPotCaptchaState(bool $state)
+    {
+        ContainerFacade::get(CaptchaSettingsServiceInterface::class)->saveIsHoneyPotCaptchaEnabled($state);
+    }
+
     protected function setTwoFactorAuthState(bool $state)
     {
         ContainerFacade::get(ModuleSettingServiceInterface::class)->saveBoolean(
-            TwoFASettings::ACTIVE,
+            TwoFAShopSettings::ACTIVE,
             $state,
             Module::MODULE_ID
         );
     }
 
+    protected function setUserTwoFAState(AcceptanceTester $I, bool $state): void
+    {
+        $userData = $this->getExistingUserData();
+        $I->updateInDatabase(
+            'oxuser',
+            ['OE2FAENABLED' => (int) $state],
+            ['OXID' => $userData['userId']]
+        );
+    }
+
     protected function setProviderState(bool $state)
     {
         $moduleSettings = ContainerFacade::get(OAuthModuleSettingsServiceInterface::class);

tests/Codeception/Acceptance/HoneyPotCaptchaCest.php

@@ -33,6 +33,7 @@ class HoneyPotCaptchaCest extends BaseCest
     public function _before(AcceptanceTester $I): void
     {
         $this->setCaptchaState(false);
+        $this->setHoneyPotCaptchaState(true);
         $this->setPasswordState(false);
     }
 

tests/Codeception/Acceptance/TwoFAAuthenticationCest.php

@@ -23,47 +23,195 @@
 class TwoFAAuthenticationCest extends BaseCest
 {
     private string $otpInput = '#auth_code';
-    private string $otpSubmitBtn = '#auth_submit';
-    private string $otpResendBtn = 'RESEND_CODE';
+    private string $twofaCheckbox = '#twofa_enabled';
 
     public function _before(AcceptanceTester $I): void
     {
         $this->setCaptchaState(false);
         $this->setPasswordState(false);
         $this->setTwoFactorAuthState(true);
+        $this->setUserTwoFAState($I, false);
     }
 
-    public function testRedirectToOTPAfterLogin(AcceptanceTester $I): void
+    public function testEnablingTwoFAViaSettingsTriggersOtpOnNextLogin(AcceptanceTester $I): void
     {
         $userData = $this->getExistingUserData();
+        $userLoginPage = new UserLogin($I);
+
+        $I->amOnPage($userLoginPage->URL);
+        $userAccountPage = $userLoginPage->login($userData['userLoginName'], $userData['userPassword']);
+        $I->waitForPageLoad();
+
+        $I->amOnPage('?cl=account_security');
+        $I->waitForPageLoad();
+        $I->checkOption($this->twofaCheckbox);
+        $I->click(Translator::translate('SAVE'));
+        $I->waitForPageLoad();
+
+        $userAccountPage->logoutUserInAccountPage();
+        $I->waitForPageLoad();
+
+        $I->amOnPage($userLoginPage->URL);
+        $userLoginPage->login($userData['userLoginName'], $userData['userPassword']);
+        $I->waitForPageLoad();
 
+        $I->seeElement($this->otpInput);
+    }
+
+    public function testLoginOtpBehaviourChangesWithUserTwoFASetting(AcceptanceTester $I): void
+    {
+        $userData = $this->getExistingUserData();
         $userLoginPage = new UserLogin($I);
+
+        $this->setUserTwoFAState($I, true);
+
+        $I->amOnPage($userLoginPage->URL);
+        $userLoginPage->login($userData['userLoginName'], $userData['userPassword']);
+        $I->waitForPageLoad();
+        $I->seeElement($this->otpInput);
+
+        $this->setUserTwoFAState($I, false);
+
         $I->amOnPage($userLoginPage->URL);
+        $userLoginPage->login($userData['userLoginName'], $userData['userPassword']);
+        $I->waitForPageLoad();
+        $I->dontSeeElement($this->otpInput);
+    }
+
+    public function testSettingsPageReflectsTwoFAState(AcceptanceTester $I): void
+    {
+        $userData = $this->getExistingUserData();
+        $userLoginPage = new UserLogin($I);
+
+        $I->amOnPage($userLoginPage->URL);
+        $userLoginPage->login($userData['userLoginName'], $userData['userPassword']);
+        $I->waitForPageLoad();
+
+        $I->amOnPage('?cl=account_security');
+        $I->waitForPageLoad();
+        $I->dontSeeCheckboxIsChecked($this->twofaCheckbox);
+
+        $I->checkOption($this->twofaCheckbox);
+        $I->click(Translator::translate('SAVE'));
+        $I->waitForPageLoad();
+
+        $I->amOnPage('?cl=account_security');
+        $I->waitForPageLoad();
+        $I->seeCheckboxIsChecked($this->twofaCheckbox);
+
+        $I->uncheckOption($this->twofaCheckbox);
+        $I->click(Translator::translate('SAVE'));
+        $I->waitForPageLoad();
+
+        $I->amOnPage('?cl=account_security');
+        $I->waitForPageLoad();
+        $I->dontSeeCheckboxIsChecked($this->twofaCheckbox);
+    }
+
+    public function testUnauthenticatedAccessToAccountSecurityRedirectsToLogin(AcceptanceTester $I): void
+    {
+        $I->amOnPage('?cl=account_security');
+        $I->waitForPageLoad();
+
         $I->see(Translator::translate('LOGIN'));
+        $I->dontSeeElement($this->twofaCheckbox);
+    }
+
+    public function testShopLevelTwoFADisabledOverridesUserSetting(AcceptanceTester $I): void
+    {
+        $this->setUserTwoFAState($I, true);
+        $this->setTwoFactorAuthState(false);
+
+        $userData = $this->getExistingUserData();
+        $userLoginPage = new UserLogin($I);
+        $I->amOnPage($userLoginPage->URL);
+        $userLoginPage->login($userData['userLoginName'], $userData['userPassword']);
+        $I->waitForPageLoad();
+
+        $I->dontSeeElement($this->otpInput);
+    }
+
+    public function testInvalidCodeShowsError(AcceptanceTester $I): void
+    {
+        $this->setUserTwoFAState($I, true);
 
+        $userData = $this->getExistingUserData();
+        $userLoginPage = new UserLogin($I);
+        $I->amOnPage($userLoginPage->URL);
         $userLoginPage->login($userData['userLoginName'], $userData['userPassword']);
+        $I->waitForPageLoad();
 
+        $I->fillField($this->otpInput, '000000');
+        $I->click('#auth_submit');
         $I->waitForPageLoad();
-        $I->seeElement($this->otpInput);
-        $I->seeElement($this->otpSubmitBtn);
-        $I->see(Translator::translate($this->otpResendBtn));
+
+        $I->see(Translator::translate('ERROR_INVALID_CODE'));
     }
 
-    public function testRedirectToOTPOnLoginBox(AcceptanceTester $I): void
+    public function testWrongCodeDecreasesRemainingAttemptsAndShowsError(AcceptanceTester $I): void
     {
+        $this->setUserTwoFAState($I, true);
 
         $userData = $this->getExistingUserData();
+        $userLoginPage = new UserLogin($I);
+        $I->amOnPage($userLoginPage->URL);
+        $userLoginPage->login($userData['userLoginName'], $userData['userPassword']);
+        $I->waitForPageLoad();
 
-        $homePage = $I->openShop();
-        $accountMenu = $homePage->openAccountMenu();
-        $I->waitForText(Translator::translate('FORGOT_PASSWORD'));
-        $I->retryFillField($accountMenu->userLoginName, $userData['userLoginName']);
-        $I->retryFillField($accountMenu->userLoginPassword, $userData['userPassword']);
-        $I->retryClick($accountMenu->userLoginButton);
+        $attemptsBefore = (int) $I->grabTextFrom('#remaining-attempts');
 
+        $I->fillField($this->otpInput, '000000');
+        $I->click('#auth_submit');
         $I->waitForPageLoad();
-        $I->seeElement($this->otpInput);
-        $I->seeElement($this->otpSubmitBtn);
-        $I->see(Translator::translate($this->otpResendBtn));
+
+        $I->see(Translator::translate('ERROR_INVALID_CODE'));
+        $I->see((string) ($attemptsBefore - 1), '#remaining-attempts');
+    }
+
+    public function testResendButtonIsDisabledOnOtpPageLoad(AcceptanceTester $I): void
+    {
+        $this->setUserTwoFAState($I, true);
+
+        $userData = $this->getExistingUserData();
+        $userLoginPage = new UserLogin($I);
+        $I->amOnPage($userLoginPage->URL);
+        $userLoginPage->login($userData['userLoginName'], $userData['userPassword']);
+        $I->waitForPageLoad();
+
+        // A code was just sent at login, so the server-driven cooldown should disable the button
+        $I->waitForJS("return document.getElementById('resend-btn').disabled === true", 5);
+        $I->seeElement('#resend-btn[disabled]');
+    }
+
+    public function testResendButtonShowsCountdownAfterClick(AcceptanceTester $I): void
+    {
+        $this->setUserTwoFAState($I, true);
+
+        $userData = $this->getExistingUserData();
+        $userLoginPage = new UserLogin($I);
+        $I->amOnPage($userLoginPage->URL);
+        $userLoginPage->login($userData['userLoginName'], $userData['userPassword']);
+        $I->waitForPageLoad();
+
+        // Backdate LAST_SENT_AT so the server reports zero remaining cooldown
+        $I->updateInDatabase(
+            'oesm_2fa_otp',
+            ['LAST_SENT_AT' => date('Y-m-d H:i:s', strtotime('-2 minutes'))],
+            ['OXUSERID' => $userData['userId']]
+        );
+
+        // Clear stored cooldown from localStorage so JS reads from the (now zero) server value
+        $I->executeJS("localStorage.clear()");
+        $I->reloadPage();
+        $I->waitForPageLoad();
+
+        $I->seeElement('#resend-btn:not([disabled])');
+
+        $I->click('#resend-btn');
+
+        $I->waitForJS(
+            "return document.getElementById('resend-btn').textContent.includes('Resend in')",
+            30
+        );
     }
 }