Merge pull request #2246 from hitobito/bug/2068_remember_me_for_2fa

Fix remember me for 2fa
hitobito · Nov 6, 2023 · 12fa05f · 12fa05f
2 parents 336e8ae + fe4e2ec
commit 12fa05f
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 3 deletions.
diff --git a/app/controllers/concerns/two_factor.rb b/app/controllers/concerns/two_factor.rb
@@ -29,9 +29,11 @@ def pending_two_factor_person
   end
 
   def init_two_factor_auth(resource, after_2fa_path)
-    # Two sign_out statements are required for live deployments for some reason.
-    # Locally it works with just one sign_out
-    sign_out(resource) && sign_out
+    # we reset the session and delete the remember cookie here instead of signing out
+    # since signing out would clear the remember_created_at attribute of the person
+    # and thus breaking the "Remember Me" function https://github.com/hitobito/hitobito/issues/2068
+    cookies.delete(:remember_person_token)
+    reset_session
 
     session[:remember_me] = true?(resource_params[:remember_me])
     session[:pending_two_factor_person_id] = resource.id

diff --git a/spec/controllers/devise/hitobito/sessions_controller_spec.rb b/spec/controllers/devise/hitobito/sessions_controller_spec.rb
@@ -40,6 +40,34 @@
         expect(controller.send(:current_person)).to be_present
         expect(controller.send(:current_person).authentication_token).to be_blank
       end
+
+      context 'with second factor authentication' do
+        before do
+          Authenticatable::TwoFactors::Totp.new(person, { pending_totp_secret: 'bla' }).register!
+        end
+
+        it 'resets the session and redirects to second factor authentication' do
+          post :create, params: { person: { email: person.email, password: password } }
+
+          expect(response).to redirect_to(new_users_second_factor_path)
+          expect(session).to_not have_key('warden.user.person.key')
+          expect(session).to_not have_key('warden.user.person.session')
+          expect(session).to have_key('pending_two_factor_person_id')
+          expect(session).to have_key('pending_second_factor_authentication')
+        end
+
+        it 'does not clear already present remember_created_at' do
+          remember_timestamp = 10.minutes.ago.round # activerecord rounds before saving anyways
+          person.update!(remember_created_at: remember_timestamp)
+
+          post :create, params: { person: { email: person.email, password: password } }
+
+          person.reload
+
+          expect(person.remember_created_at).to be_present
+          expect(person.remember_created_at).to eq(remember_timestamp)
+        end
+      end
     end
 
     context '.json' do