5 use BookStack\Actions\ActivityType;
6 use BookStack\Auth\Access\Mfa\MfaValue;
7 use BookStack\Auth\User;
8 use PragmaRX\Google2FA\Google2FA;
11 class MfaConfigurationTest extends TestCase
13 public function test_totp_setup()
15 $editor = $this->getEditor();
16 $this->assertDatabaseMissing('mfa_values', ['user_id' => $editor->id]);
19 $resp = $this->actingAs($editor)->get('/mfa/setup');
20 $resp->assertElementContains('a[href$="/mfa/totp/generate"]', 'Setup');
22 // Generate page access
23 $resp = $this->get('/mfa/totp/generate');
24 $resp->assertSee('Mobile App Setup');
25 $resp->assertSee('Verify Setup');
26 $resp->assertElementExists('form[action$="/mfa/totp/confirm"] button');
27 $this->assertSessionHas('mfa-setup-totp-secret');
28 $svg = $resp->getElementHtml('#main-content .card svg');
30 // Validation error, code should remain the same
31 $resp = $this->post('/mfa/totp/confirm', [
34 $resp->assertRedirect('/mfa/totp/generate');
35 $resp = $this->followRedirects($resp);
36 $resp->assertSee('The provided code is not valid or has expired.');
37 $revisitSvg = $resp->getElementHtml('#main-content .card svg');
38 $this->assertTrue($svg === $revisitSvg);
40 // Successful confirmation
41 $google2fa = new Google2FA();
42 $secret = decrypt(session()->get('mfa-setup-totp-secret'));
43 $otp = $google2fa->getCurrentOtp($secret);
44 $resp = $this->post('/mfa/totp/confirm', [
47 $resp->assertRedirect('/mfa/setup');
49 // Confirmation of setup
50 $resp = $this->followRedirects($resp);
51 $resp->assertSee('Multi-factor method successfully configured');
52 $resp->assertElementContains('a[href$="/mfa/totp/generate"]', 'Reconfigure');
54 $this->assertDatabaseHas('mfa_values', [
55 'user_id' => $editor->id,
58 $this->assertFalse(session()->has('mfa-setup-totp-secret'));
59 $value = MfaValue::query()->where('user_id', '=', $editor->id)
60 ->where('method', '=', 'totp')->first();
61 $this->assertEquals($secret, decrypt($value->value));
64 public function test_backup_codes_setup()
66 $editor = $this->getEditor();
67 $this->assertDatabaseMissing('mfa_values', ['user_id' => $editor->id]);
70 $resp = $this->actingAs($editor)->get('/mfa/setup');
71 $resp->assertElementContains('a[href$="/mfa/backup_codes/generate"]', 'Setup');
73 // Generate page access
74 $resp = $this->get('/mfa/backup_codes/generate');
75 $resp->assertSee('Backup Codes');
76 $resp->assertElementContains('form[action$="/mfa/backup_codes/confirm"]', 'Confirm and Enable');
77 $this->assertSessionHas('mfa-setup-backup-codes');
78 $codes = decrypt(session()->get('mfa-setup-backup-codes'));
80 $this->assertCount(16, $codes);
81 $this->assertEquals(16 * 11, strlen(implode('', $codes)));
82 // Check download link
83 $resp->assertSee(base64_encode(implode("\n\n", $codes)));
86 $resp = $this->post('/mfa/backup_codes/confirm');
87 $resp->assertRedirect('/mfa/setup');
89 // Confirmation of setup
90 $resp = $this->followRedirects($resp);
91 $resp->assertSee('Multi-factor method successfully configured');
92 $resp->assertElementContains('a[href$="/mfa/backup_codes/generate"]', 'Reconfigure');
94 $this->assertDatabaseHas('mfa_values', [
95 'user_id' => $editor->id,
96 'method' => 'backup_codes',
98 $this->assertFalse(session()->has('mfa-setup-backup-codes'));
99 $value = MfaValue::query()->where('user_id', '=', $editor->id)
100 ->where('method', '=', 'backup_codes')->first();
101 $this->assertEquals($codes, json_decode(decrypt($value->value)));
104 public function test_backup_codes_cannot_be_confirmed_if_not_previously_generated()
106 $resp = $this->asEditor()->post('/mfa/backup_codes/confirm');
107 $resp->assertStatus(500);
110 public function test_mfa_method_count_is_visible_on_user_edit_page()
112 $user = $this->getEditor();
113 $resp = $this->actingAs($this->getAdmin())->get($user->getEditUrl());
114 $resp->assertSee('0 methods configured');
116 MfaValue::upsertWithValue($user, MfaValue::METHOD_TOTP, 'test');
117 $resp = $this->get($user->getEditUrl());
118 $resp->assertSee('1 method configured');
120 MfaValue::upsertWithValue($user, MfaValue::METHOD_BACKUP_CODES, 'test');
121 $resp = $this->get($user->getEditUrl());
122 $resp->assertSee('2 methods configured');
125 public function test_mfa_setup_link_only_shown_when_viewing_own_user_edit_page()
127 $admin = $this->getAdmin();
128 $resp = $this->actingAs($admin)->get($admin->getEditUrl());
129 $resp->assertElementExists('a[href$="/mfa/setup"]');
131 $resp = $this->actingAs($admin)->get($this->getEditor()->getEditUrl());
132 $resp->assertElementNotExists('a[href$="/mfa/setup"]');
135 public function test_mfa_indicator_shows_in_user_list()
137 $admin = $this->getAdmin();
138 User::query()->where('id', '!=', $admin->id)->delete();
140 $resp = $this->actingAs($admin)->get('/settings/users');
141 $resp->assertElementNotExists('[title="MFA Configured"] svg');
143 MfaValue::upsertWithValue($admin, MfaValue::METHOD_TOTP, 'test');
144 $resp = $this->actingAs($admin)->get('/settings/users');
145 $resp->assertElementExists('[title="MFA Configured"] svg');
148 public function test_remove_mfa_method()
150 $admin = $this->getAdmin();
152 MfaValue::upsertWithValue($admin, MfaValue::METHOD_TOTP, 'test');
153 $this->assertEquals(1, $admin->mfaValues()->count());
154 $resp = $this->actingAs($admin)->get('/mfa/setup');
155 $resp->assertElementExists('form[action$="/mfa/totp/remove"]');
157 $resp = $this->delete('/mfa/totp/remove');
158 $resp->assertRedirect('/mfa/setup');
159 $resp = $this->followRedirects($resp);
160 $resp->assertSee('Multi-factor method successfully removed');
162 $this->assertActivityExists(ActivityType::MFA_REMOVE_METHOD);
163 $this->assertEquals(0, $admin->mfaValues()->count());