tests: add controller specs

santiagorodriguez96 · santiagorodriguez96 · commit e563a99723db · 2026-03-02T15:39:27.000-03:00
diff --git a/spec/controllers/settings/two_factor_authentication/confirmations_controller_spec.rb b/spec/controllers/settings/two_factor_authentication/confirmations_controller_spec.rb
@@ -62,25 +62,51 @@ def totp_provisioning_uri
         end
 
         describe 'when creation succeeds' do
-          let!(:otp_backup_codes) { user.generate_otp_backup_codes! }
-
-          before do
-            prepare_user_otp_generation
-            prepare_user_otp_consumption_response(true)
-            allow(controller).to receive(:current_user).and_return(user)
+          context 'when user has already generated backup codes' do
+            before do
+              user.generate_otp_backup_codes!
+              user.save!
+              prepare_user_otp_consumption_response(true)
+              allow(controller).to receive(:current_user).and_return(user)
+            end
+
+            it 'does not regenerate backup codes and redirects' do
+              allow(user).to receive(:generate_otp_backup_codes!)
+
+              expect { post_create_with_options }
+                .to change { user.reload.otp_secret }.to otp_secret_value
+
+              expect(user).to_not have_received(:generate_otp_backup_codes!)
+              expect(flash[:notice])
+                .to eq(I18n.t('two_factor_authentication.enabled_success'))
+              expect(response)
+                .to have_http_status(302)
+              expect(response)
+                .to redirect_to settings_two_factor_authentication_methods_path
+            end
           end
 
-          it 'renders page with success' do
-            expect { post_create_with_options }
-              .to change { user.reload.otp_secret }.to otp_secret_value
-
-            expect(flash[:notice])
-              .to eq(I18n.t('two_factor_authentication.enabled_success'))
-            expect(response)
-              .to have_http_status(200)
-            expect(response.body)
-              .to include(*otp_backup_codes)
-              .and include(I18n.t('settings.two_factor_authentication'))
+          context 'when user has not generated backup codes yet' do
+            let!(:otp_backup_codes) { user.generate_otp_backup_codes! }
+
+            before do
+              prepare_user_otp_generation
+              prepare_user_otp_consumption_response(true)
+              allow(controller).to receive(:current_user).and_return(user)
+            end
+
+            it 'renders page with success' do
+              expect { post_create_with_options }
+                .to change { user.reload.otp_secret }.to otp_secret_value
+
+              expect(flash[:notice])
+                .to eq(I18n.t('two_factor_authentication.enabled_success'))
+              expect(response)
+                .to have_http_status(200)
+              expect(response.body)
+                .to include(*otp_backup_codes)
+                .and include(I18n.t('settings.two_factor_authentication'))
+            end
           end
         end
 
diff --git a/spec/controllers/settings/two_factor_authentication/otp_authentication_controller_spec.rb b/spec/controllers/settings/two_factor_authentication/otp_authentication_controller_spec.rb
@@ -55,7 +55,9 @@
 
       describe 'when user has OTP enabled' do
         before do
-          user.update(otp_required_for_login: true)
+          user.update(otp_required_for_login: true, otp_secret: User.generate_otp_secret(32))
+          user.generate_otp_backup_codes!
+          user.save
         end
 
         describe 'when creation succeeds' do
@@ -75,7 +77,28 @@
           user.update(otp_required_for_login: false)
         end
 
-        describe 'when creation succeeds' do
+        describe 'when user has not enabled 2FA yet' do
+          describe 'when creation succeeds' do
+            it 'redirects to code confirmation page without updating user secret and setting otp secret in the session' do
+              expect do
+                post :create, session: { challenge_passed_at: Time.now.utc }
+              end.to not_change { user.reload.otp_secret }
+                .and(change { session[:new_otp_secret] })
+
+              expect(response).to redirect_to(new_settings_two_factor_authentication_confirmation_path)
+            end
+          end
+        end
+
+        describe 'when user has already enabled 2FA' do
+          before do
+            user.update(webauthn_id: WebAuthn.generate_user_id)
+            Fabricate(:webauthn_credential, user_id: user.id, nickname: 'USB Key')
+            user.otp_secret = User.generate_otp_secret(32)
+            user.generate_otp_backup_codes!
+            user.save
+          end
+
           it 'redirects to code confirmation page without updating user secret and setting otp secret in the session' do
             expect do
               post :create, session: { challenge_passed_at: Time.now.utc }
diff --git a/spec/controllers/settings/two_factor_authentication/webauthn_credentials_controller_spec.rb b/spec/controllers/settings/two_factor_authentication/webauthn_credentials_controller_spec.rb
@@ -189,6 +189,66 @@ def add_webauthn_credential(user)
               post :create, params: { credential: new_webauthn_credential, nickname: nickname }
             end.to_not change(user, :webauthn_id)
           end
+
+          context 'when user has already enabled 2FA' do
+            before do
+              user.update(webauthn_id: WebAuthn.generate_user_id)
+              Fabricate(:webauthn_credential, user_id: user.id, nickname: 'USB Key 2')
+              user.otp_secret = User.generate_otp_secret(32)
+              user.generate_otp_backup_codes!
+              user.save
+            end
+
+            it 'does not update user secret' do
+              controller.session[:webauthn_challenge] = challenge
+
+              expect do
+                post :create, params: { credential: new_webauthn_credential, nickname: nickname }
+              end.to(not_change { user.reload.otp_secret })
+            end
+
+            it 'does not change backup codes' do
+              controller.session[:webauthn_challenge] = challenge
+
+              expect do
+                post :create, params: { credential: new_webauthn_credential, nickname: nickname }
+              end.to(not_change { user.reload.otp_backup_codes })
+            end
+
+            it 'redirects to two factor authentication methods index' do
+              controller.session[:webauthn_challenge] = challenge
+
+              post :create, params: { credential: new_webauthn_credential, nickname: nickname }
+
+              expect(response.parsed_body['redirect_path']).to eq settings_two_factor_authentication_methods_path
+            end
+          end
+
+          context 'when user has not enabled 2FA yet' do
+            it 'updates user secret' do
+              controller.session[:webauthn_challenge] = challenge
+
+              expect do
+                post :create, params: { credential: new_webauthn_credential, nickname: nickname }
+              end.to(change { user.reload.otp_secret })
+            end
+
+            it 'generates backup codes' do
+              controller.session[:webauthn_challenge] = challenge
+
+              expect do
+                post :create, params: { credential: new_webauthn_credential, nickname: nickname }
+              end.to(change { user.reload.otp_backup_codes })
+            end
+
+            it "returns backup codes page in response's html_data attribute" do
+              controller.session[:webauthn_challenge] = challenge
+
+              post :create, params: { credential: new_webauthn_credential, nickname: nickname }
+
+              expect(response.parsed_body['html_data']).to match(/recovery codes/)
+            end
+          end
         end
 
         context 'when the nickname is already used' do
@@ -257,18 +317,68 @@ def add_webauthn_credential(user)
           add_webauthn_credential(user)
         end
 
-        context 'when deletion succeeds' do
-          it 'redirects to 2FA methods list and shows flash success' do
+        it 'redirects to 2FA methods list and shows flash success' do
+          delete :destroy, params: { id: user.webauthn_credentials.take.id }
+
+          expect(response).to redirect_to settings_two_factor_authentication_methods_path
+          expect(flash[:success]).to be_present
+        end
+
+        it 'deletes the credential' do
+          expect do
             delete :destroy, params: { id: user.webauthn_credentials.take.id }
+          end.to change { user.webauthn_credentials.count }.by(-1)
+        end
 
-            expect(response).to redirect_to settings_two_factor_authentication_methods_path
-            expect(flash[:success]).to be_present
+        context "when deleted credential was not user's last webauthn credential" do
+          before do
+            Fabricate(:webauthn_credential, user_id: user.id)
           end
 
-          it 'deletes the credential' do
-            expect do
+          context 'when user has OTP enabled' do
+            before do
+              user.update(otp_required_for_login: true, otp_secret: User.generate_otp_secret(32))
+              user.generate_otp_backup_codes!
+              user.save
+            end
+
+            it 'does not disable 2FA' do
+              expect_any_instance_of(User).to_not receive(:disable_two_factor!) # rubocop:disable RSpec/AnyInstance
+
+              delete :destroy, params: { id: user.webauthn_credentials.take.id }
+            end
+          end
+
+          context 'when user does not have OTP enabled' do
+            it 'does not disable 2FA' do
+              expect_any_instance_of(User).to_not receive(:disable_two_factor!) # rubocop:disable RSpec/AnyInstance
+
               delete :destroy, params: { id: user.webauthn_credentials.take.id }
-            end.to change { user.webauthn_credentials.count }.by(-1)
+            end
+          end
+        end
+
+        context "when deleted credential was user's last webauthn credential" do
+          context 'when user has OTP enabled' do
+            before do
+              user.update(otp_required_for_login: true, otp_secret: User.generate_otp_secret(32))
+              user.generate_otp_backup_codes!
+              user.save
+            end
+
+            it 'does not disable 2FA' do
+              expect_any_instance_of(User).to_not receive(:disable_two_factor!) # rubocop:disable RSpec/AnyInstance
+
+              delete :destroy, params: { id: user.webauthn_credentials.take.id }
+            end
+          end
+
+          context 'when user does not have OTP enabled' do
+            it 'disables 2FA' do
+              expect_any_instance_of(User).to receive(:disable_two_factor!) # rubocop:disable RSpec/AnyInstance
+
+              delete :destroy, params: { id: user.webauthn_credentials.take.id }
+            end
           end
         end
       end
