FIX: Ensure disabling 2FA works as expected (#10485)

2024-11-23 09:26:54 -06:00 · 2020-08-31 09:56:57 -07:00 · 2020-08-31 09:56:57 -07:00 · 2550c5bd03
commit 2550c5bd03
parent 2a3a173e8e
6 changed files with 48 additions and 10 deletions
--- a/app/assets/javascripts/discourse/app/controllers/preferences/second-factor.js
+++ b/app/assets/javascripts/discourse/app/controllers/preferences/second-factor.js
@ -2,6 +2,7 @@ import I18n from "I18n";
 import { alias } from "@ember/object/computed";
 import Controller from "@ember/controller";
 import discourseComputed from "discourse-common/utils/decorators";
+import { iconHTML } from "discourse-common/lib/icon-library";
 import CanCheckEmails from "discourse/mixins/can-check-emails";
 import DiscourseURL, { userPath } from "discourse/lib/url";
 import { popupAjaxError } from "discourse/lib/ajax-error";
@ -120,12 +121,17 @@ export default Controller.extend(CanCheckEmails, {
      if (this.loading) {
        return;
      }
-      bootbox.confirm(
-        I18n.t("user.second_factor.disable_confirm"),
-        I18n.t("cancel"),
-        I18n.t("user.second_factor.disable"),
-        result => {
-          if (result) {
+      const message = I18n.t("user.second_factor.disable_confirm");
+      const buttons = [
+        {
+          label: I18n.t("cancel"),
+          class: "d-modal-cancel",
+          link: true
+        },
+        {
+          label: `${iconHTML("ban")}${I18n.t("user.second_factor.disable")}`,
+          class: "btn-danger btn-icon-text",
+          callback: () => {
            this.model
              .disableAllSecondFactors()
              .then(() => {
@ -138,7 +144,11 @@ export default Controller.extend(CanCheckEmails, {
              .finally(() => this.set("loading", false));
          }
        }
-      );
+      ];
+
+      bootbox.dialog(message, buttons, {
+        classes: "disable-second-factor-modal"
+      });
    },

    createTotp() {
--- a/app/assets/javascripts/discourse/app/templates/preferences-second-factor.hbs
+++ b/app/assets/javascripts/discourse/app/templates/preferences-second-factor.hbs
@ -120,7 +120,7 @@
                  icon="ban"
                  action=(action "disableAllSecondFactors")
                  disabled=loading
-                  label="disable"}}
+                  label="user.second_factor.disable_all"}}
              </div>
            </div>
          {{/unless}}
--- a/app/assets/stylesheets/common/base/user.scss
+++ b/app/assets/stylesheets/common/base/user.scss
@ -616,7 +616,7 @@
        height: auto;
        text-align: center;
        width: 100%;
-        background: white;
+        background: var(--secondary);
        border: 0;
        cursor: auto;
        outline: none;
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -1385,6 +1385,7 @@ class UsersController < ApplicationController
  def disable_second_factor
    # delete all second factors for a user
    current_user.user_second_factors.destroy_all
+    current_user.security_keys.destroy_all

    Jobs.enqueue(
      :critical_user_email,
--- a/config/locales/client.en.yml
+++ b/config/locales/client.en.yml
@ -1086,6 +1086,7 @@ en:
      second_factor:
        title: "Two Factor Authentication"
        enable: "Manage Two Factor Authentication"
+        disable_all: "Disable All"
        forgot_password: "Forgot password?"
        confirm_password_description: "Please confirm your password to continue"
        name: "Name"
@ -1103,7 +1104,7 @@ en:
        use: "Use Authenticator app"
        enforced_notice: "You are required to enable two factor authentication before accessing this site."
        disable: "Disable"
-        disable_confirm: "Are you sure you want to disable all second factors?"
+        disable_confirm: "Are you sure you want to disable all second factor methods?"
        save: "Save"
        edit: "Edit"
        edit_title: "Edit Second Factor"
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@ -4080,6 +4080,32 @@ describe UsersController do
    end
  end

+  describe '#disable_second_factor' do
+    context 'when logged in with secure session' do
+      before do
+        sign_in(user)
+        stub_secure_session_confirmed
+      end
+      context 'when user has a registered totp and security key' do
+        before do
+          totp_second_factor = Fabricate(:user_second_factor_totp, user: user)
+          security_key_second_factor = Fabricate(:user_security_key, user: user, factor_type: UserSecurityKey.factor_types[:second_factor])
+        end
+
+        it 'should disable all totp and security keys' do
+          expect_enqueued_with(job: :critical_user_email, args: { type: :account_second_factor_disabled, user_id: user.id }) do
+            put "/u/disable_second_factor.json"
+
+            expect(response.status).to eq(200)
+
+            expect(user.reload.user_second_factors).to be_empty
+            expect(user.security_keys).to be_empty
+          end
+        end
+      end
+    end
+  end
+
  describe '#revoke_account' do
    fab!(:other_user) { Fabricate(:user) }
    it 'errors for unauthorised users' do