Fix TOTP internal context after saving settings

ory · Jan 10, 2023 · acadd14 · acadd14
1 parent ca35b45
commit acadd14
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 3 deletions.
diff --git a/selfservice/flow/settings/hook.go b/selfservice/flow/settings/hook.go
@@ -242,6 +242,7 @@ func (e *HookExecutor) PostSettingsHook(w http.ResponseWriter, r *http.Request,
 	ctxUpdate.Flow.UI = newFlow.UI
 	ctxUpdate.Flow.UI.ResetMessages()
 	ctxUpdate.Flow.UI.AddMessage(node.DefaultGroup, text.NewInfoSelfServiceSettingsUpdateSuccess())
+	ctxUpdate.Flow.InternalContext = newFlow.InternalContext
 	if err := e.d.SettingsFlowPersister().UpdateSettingsFlow(r.Context(), ctxUpdate.Flow); err != nil {
 		return err
 	}

diff --git a/selfservice/strategy/lookup/settings_test.go b/selfservice/strategy/lookup/settings_test.go
@@ -475,7 +475,7 @@ func TestCompleteSettings(t *testing.T) {
 
 					actualFlow, err := reg.SettingsFlowPersister().GetSettingsFlow(context.Background(), uuid.FromStringOrNil(f.Id))
 					require.NoError(t, err)
-					assert.Equal(t, "{}", gjson.GetBytes(actualFlow.InternalContext, flow.PrefixInternalContextKey(identity.CredentialsTypeLookup, lookup.InternalContextKeyRegenerated)).Raw)
+					assert.Empty(t, gjson.GetBytes(actualFlow.InternalContext, flow.PrefixInternalContextKey(identity.CredentialsTypeLookup, lookup.InternalContextKeyRegenerated)).Raw)
 				}
 
 				t.Run("type=api", func(t *testing.T) {

diff --git a/selfservice/strategy/webauthn/settings_test.go b/selfservice/strategy/webauthn/settings_test.go
@@ -344,7 +344,8 @@ func TestCompleteSettings(t *testing.T) {
 
 			actualFlow, err := reg.SettingsFlowPersister().GetSettingsFlow(context.Background(), uuid.FromStringOrNil(f.Id))
 			require.NoError(t, err)
-			assert.Empty(t, gjson.GetBytes(actualFlow.InternalContext, flow.PrefixInternalContextKey(identity.CredentialsTypeWebAuthn, webauthn.InternalContextKeySessionData)))
+			// new session data has been generated
+			assert.NotEqual(t, settingsFixtureSuccessInternalContext, gjson.GetBytes(actualFlow.InternalContext, flow.PrefixInternalContextKey(identity.CredentialsTypeWebAuthn, webauthn.InternalContextKeySessionData)))
 
 			testhelpers.EnsureAAL(t, browserClient, publicTS, "aal2", string(identity.CredentialsTypeWebAuthn))
 		}

diff --git a/test/e2e/cypress/integration/profiles/mfa/totp.spec.ts b/test/e2e/cypress/integration/profiles/mfa/totp.spec.ts
@@ -6,7 +6,7 @@ import { authenticator } from "otplib"
 import { routes as react } from "../../../helpers/react"
 import { routes as express } from "../../../helpers/express"
 
-context("2FA lookup secrets", () => {
+context("2FA TOTP", () => {
   ;[
     {
       login: react.login,
@@ -243,6 +243,21 @@ context("2FA lookup secrets", () => {
           expectAal: "aal2",
           expectMethods: ["password", "totp", "totp", "totp", "totp"],
         })
+
+        // The React app keeps using the same flow. The following scenario used to be broken,
+        // because the internal context wasn't populated properly in the flow after settings were saved.
+        cy.visit(settings)
+        cy.get('*[name="totp_unlink"]').click()
+        cy.expectSettingsSaved()
+
+        cy.get('[data-testid="node/text/totp_secret_key/text"]').then(($e) => {
+          secret = $e.text().trim()
+        })
+        cy.get('input[name="totp_code"]').then(($e) => {
+          cy.wrap($e).type(authenticator.generate(secret))
+        })
+        cy.get('*[name="method"][value="totp"]').click()
+        cy.expectSettingsSaved()
       })
 
       it("should not show totp as an option if not configured", () => {
@@ -274,6 +289,27 @@ context("2FA lookup secrets", () => {
           "The provided authentication code is invalid, please try again.",
         )
       })
+
+      // The React app keeps using the same flow. The following scenario used to be broken,
+      // because the internal context wasn't populated properly in the flow after settings were saved.
+      it.only("should allow changing other settings and then setting up totp", () => {
+        cy.visit(settings)
+        cy.get('input[name="traits.website"]')
+          .clear()
+          .type("https://some-website.com")
+        cy.get('*[name="method"][value="profile"]').click()
+        cy.expectSettingsSaved()
+
+        let secret
+        cy.get('[data-testid="node/text/totp_secret_key/text"]').then(($e) => {
+          secret = $e.text().trim()
+        })
+        cy.get('input[name="totp_code"]').then(($e) => {
+          cy.wrap($e).type(authenticator.generate(secret))
+        })
+        cy.get('*[name="method"][value="totp"]').click()
+        cy.expectSettingsSaved()
+      })
     })
   })
 })