diff --git a/spec/controllers/auth/sessions_controller_spec.rb b/spec/controllers/auth/sessions_controller_spec.rb index 3cc3460718c..713ea3ff16c 100644 --- a/spec/controllers/auth/sessions_controller_spec.rb +++ b/spec/controllers/auth/sessions_controller_spec.rb @@ -412,44 +412,4 @@ RSpec.describe Auth::SessionsController do end end end - - describe 'GET #webauthn_options' do - subject { get :webauthn_options, session: { attempt_user_id: user.id } } - - let!(:user) do - Fabricate(:user, email: 'x@y.com', password: 'abcdefgh', otp_required_for_login: true, otp_secret: User.generate_otp_secret(32)) - end - - context 'with WebAuthn and OTP enabled as second factor' do - let(:domain) { "#{Rails.configuration.x.use_https ? 'https' : 'http'}://#{Rails.configuration.x.web_domain}" } - - let(:fake_client) { WebAuthn::FakeClient.new(domain) } - - before do - user.update(webauthn_id: WebAuthn.generate_user_id) - public_key_credential = WebAuthn::Credential.from_create(fake_client.create) - user.webauthn_credentials.create( - nickname: 'SecurityKeyNickname', - external_id: public_key_credential.id, - public_key: public_key_credential.public_key, - sign_count: '1000' - ) - post :create, params: { user: { email: user.email, password: user.password } } - end - - it 'returns http success' do - subject - - expect(response).to have_http_status 200 - end - end - - context 'when WebAuthn not enabled' do - it 'returns http unauthorized' do - subject - - expect(response).to have_http_status 401 - end - end - end end diff --git a/spec/requests/auth/sessions/security_key_options_spec.rb b/spec/requests/auth/sessions/security_key_options_spec.rb new file mode 100644 index 00000000000..6246e4beb31 --- /dev/null +++ b/spec/requests/auth/sessions/security_key_options_spec.rb @@ -0,0 +1,50 @@ +# frozen_string_literal: true + +require 'rails_helper' +require 'webauthn/fake_client' + +RSpec.describe 'Security Key Options' do + describe 'GET /auth/sessions/security_key_options' do + let!(:user) do + Fabricate(:user, email: 'x@y.com', password: 'abcdefgh', otp_required_for_login: true, otp_secret: User.generate_otp_secret(32)) + end + + context 'with WebAuthn and OTP enabled as second factor' do + let(:domain) { "#{Rails.configuration.x.use_https ? 'https' : 'http'}://#{Rails.configuration.x.web_domain}" } + + let(:fake_client) { WebAuthn::FakeClient.new(domain) } + let(:public_key_credential) { WebAuthn::Credential.from_create(fake_client.create) } + + before do + user.update(webauthn_id: WebAuthn.generate_user_id) + Fabricate( + :webauthn_credential, + user_id: user.id, + external_id: public_key_credential.id, + public_key: public_key_credential.public_key + ) + post '/auth/sign_in', params: { user: { email: user.email, password: user.password } } + end + + it 'returns http success' do + get '/auth/sessions/security_key_options' + + expect(response) + .to have_http_status 200 + expect(response.content_type) + .to start_with('application/json') + end + end + + context 'when WebAuthn not enabled' do + it 'returns http unauthorized' do + get '/auth/sessions/security_key_options' + + expect(response) + .to have_http_status 401 + expect(response.content_type) + .to start_with('application/json') + end + end + end +end