Verified mfa session expires on logout
authorDan Brown <redacted>
Sat, 7 Aug 2021 20:53:13 +0000 (21:53 +0100)
committerDan Brown <redacted>
Sat, 7 Aug 2021 20:53:13 +0000 (21:53 +0100)
Since sessions are invalidated upon logout.

app/Auth/Access/LoginService.php
tests/Auth/AuthTest.php

index 998259deeb6a13593359e9b2e55da534553c35b6..3aab0a2476063dff80978bbc905ad2baa6a11fa3 100644 (file)
@@ -38,14 +38,6 @@ class LoginService
             $this->setLastLoginAttemptedForUser($user, $method);
             throw new StoppedAuthenticationException($user, $this);
             // TODO - Does 'remember' still work? Probably not right now.
-
-            // TODO - Need to clear MFA sessions out upon logout
-
-            // Old MFA middleware todos:
-
-            // TODO - Handle email confirmation handling
-            //  Left BookStack\Http\Middleware\Authenticate@emailConfirmationErrorResponse in which needs
-            //  be removed as an example of old behaviour.
         }
 
         $this->clearLastLoginAttempted();
index d57a3253f0b24e3e5f1029fc3746ee646e671008..085482c35ce249d86e4fd2dcb6d6f59b9a959970 100644 (file)
@@ -2,6 +2,7 @@
 
 namespace Tests\Auth;
 
+use BookStack\Auth\Access\Mfa\MfaSession;
 use BookStack\Auth\Role;
 use BookStack\Auth\User;
 use BookStack\Entities\Models\Page;
@@ -326,6 +327,18 @@ class AuthTest extends BrowserKitTest
             ->seePageIs('/login');
     }
 
+    public function test_mfa_session_cleared_on_logout()
+    {
+        $user = $this->getEditor();
+        $mfaSession = $this->app->make(MfaSession::class);
+
+        $mfaSession->markVerifiedForUser($user);;
+        $this->assertTrue($mfaSession->isVerifiedForUser($user));
+
+        $this->asAdmin()->visit('/logout');
+        $this->assertFalse($mfaSession->isVerifiedForUser($user));
+    }
+
     public function test_reset_password_flow()
     {
         Notification::fake();
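Review bot: In `test_mfa_session_cleared_on_logout` the MFA flag is set for the editor (`$user = $this->getEditor()`), but the logout is performed as a different account via `$this->asAdmin()->visit('/logout')`, so the test never covers the verified user ending their own session. Logging out as the same user would tie the assertion to the real flow: `$this->actingAs($user)->visit('/logout');`. The test presumably passes today only because the verified state lives in the shared test session, which logout invalidates wholesale, as the commit message implies. That is worth stating in a short comment above the final assertion, for example `// Logout invalidates the whole session, which is where MFA verification is stored`. There is also a stray double semicolon in `$mfaSession->markVerifiedForUser($user);;`.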