Merge pull request #3893 from Shopify/eric/webauthn_only_mfa_level

Remove temporary webauthn only logic
rubygems · Jun 30, 2023 · 5ec5af4 · 5ec5af4
2 parents 511fa06 + 931fb7f
commit 5ec5af4
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 16 deletions.
diff --git a/app/models/concerns/user_multifactor_methods.rb b/app/models/concerns/user_multifactor_methods.rb
@@ -9,11 +9,6 @@ module UserMultifactorMethods
   end
 
   def mfa_enabled?
-    if webauthn_enabled? && mfa_disabled?
-      self.mfa_level = :ui_and_gem_signin
-      save!(validate: false)
-    end
-
     !mfa_disabled?
   end
 
@@ -26,7 +21,7 @@ def no_mfa_devices?
   end
 
   def mfa_gem_signin_authorized?(otp)
-    return true unless strong_mfa_level? || webauthn_enabled?
+    return true unless strong_mfa_level?
     api_mfa_verified?(otp)
   end
 

diff --git a/test/models/concerns/user_multifactor_methods_test.rb b/test/models/concerns/user_multifactor_methods_test.rb
@@ -8,18 +8,31 @@ class UserMultifactorMethodsTest < ActiveSupport::TestCase
   end
 
   context "#mfa_enabled" do
-    should "return true if multifactor auth is not disabled" do
+    should "return true if multifactor auth is not disabled using TOTP" do
       @user.enable_totp!(ROTP::Base32.random_base32, :ui_only)
 
       assert_predicate @user, :mfa_enabled?
     end
 
-    should "return true if multifactor auth is disabled" do
+    should "return false if multifactor auth is disabled using TOTP" do
       @user.disable_totp!
 
       refute_predicate @user, :mfa_enabled?
     end
 
+    should "return true if multifactor auth is not disabled using WebAuthn" do
+      create(:webauthn_credential, user: @user)
+
+      assert_predicate @user, :mfa_enabled?
+    end
+
+    should "return true if multifactor auth is disabled using WebAuthn" do
+      create(:webauthn_credential, user: @user)
+      @user.webauthn_credentials.first.destroy
+
+      refute_predicate @user, :mfa_enabled?
+    end
+
     should "send mfa enabled email" do
       assert_emails 1 do
         @user.enable_totp!(ROTP::Base32.random_base32, :ui_and_gem_signin)
@@ -28,14 +41,6 @@ class UserMultifactorMethodsTest < ActiveSupport::TestCase
       assert_equal "Multi-factor authentication enabled on RubyGems.org", last_email.subject
       assert_equal [@user.email], last_email.to
     end
-
-    should "update mfa level and return true with mfa disabled webauthn only users" do
-      @credential = create(:webauthn_credential, user: @user)
-      @user.update!(mfa_level: :disabled)
-
-      assert_predicate @user, :mfa_enabled?
-      assert_predicate @user, :mfa_ui_and_gem_signin?
-    end
   end
 
   context "#mfa_device_count_one?" do