3 # This file is part of Koha.
5 # Koha is free software; you can redistribute it and/or modify it
6 # under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # Koha is distributed in the hope that it will be useful, but
11 # WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with Koha; if not, see <http://www.gnu.org/licenses>.
20 use Test::More tests => 2;
24 use t::lib::TestBuilder;
29 my $schema = Koha::Database->new->schema;
30 my $builder = t::lib::TestBuilder->new;
32 # FIXME: sessionStorage defaults to mysql, but it seems to break transaction handling
33 # this affects the other REST api tests
34 t::lib::Mocks::mock_preference( 'SessionStorage', 'tmp' );
36 my $remote_address = '127.0.0.1';
37 my $t = Test::Mojo->new('Koha::REST::V1');
39 my $mocked_koha_email = Test::MockModule->new('Koha::Email');
40 $mocked_koha_email->mock( 'send_or_die', sub {
44 subtest 'registration and verification' => sub {
48 $schema->storage->txn_begin;
50 t::lib::Mocks::mock_preference('TwoFactorAuthentication', 'enabled');
52 my $patron = $builder->build_object(
54 class => 'Koha::Patrons',
56 flags => 20, # Staff access and Patron info
61 # Not authenticated yet - 401
62 my $session = C4::Auth::get_session('');
63 $session->param( 'ip', '127.0.0.1' );
64 $session->param( 'lasttime', time() );
67 my $tx = $t->ua->build_tx( POST => "/api/v1/auth/two-factor/registration" );
68 $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
69 $tx->req->env( { REMOTE_ADDR => $remote_address } );
70 $t->request_ok($tx)->status_is(401);
72 $tx = $t->ua->build_tx( POST => "/api/v1/auth/two-factor/registration/verification" );
73 $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
74 $tx->req->env( { REMOTE_ADDR => $remote_address } );
75 $t->request_ok($tx)->status_is(401);
77 # Authenticated - can register
78 $session->param( 'number', $patron->borrowernumber );
79 $session->param( 'id', $patron->userid );
82 $patron->auth_method('password');
83 $patron->secret(undef);
86 $tx = $t->ua->build_tx( POST => "/api/v1/auth/two-factor/registration" );
87 $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
88 $tx->req->env( { REMOTE_ADDR => $remote_address } );
89 $t->request_ok($tx)->status_is(201);
90 my $secret32 = $t->tx->res->json->{secret32};
92 $tx = $t->ua->build_tx( POST => "/api/v1/auth/two-factor/registration/verification" );
93 $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
94 $tx->req->env( { REMOTE_ADDR => $remote_address } );
95 $t->request_ok($tx)->status_is(400); # Missing parameter
97 my $auth = Koha::Auth::TwoFactorAuth->new({patron => $patron, secret32 => $secret32});
98 my $pin_code = $auth->code;
99 $tx = $t->ua->build_tx( POST => "/api/v1/auth/two-factor/registration/verification" => form => {secret32 => $secret32, pin_code => $pin_code} );
100 $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
101 $tx->req->env( { REMOTE_ADDR => $remote_address } );
102 $t->request_ok($tx)->status_is(204);
104 $patron = $patron->get_from_storage;
105 is($patron->auth_method, 'two-factor');
106 isnt($patron->secret, undef);
108 $patron->auth_method('password');
109 $patron->secret(undef);
112 # Setting up 2FA - can register
113 $session->param('waiting-for-2FA-setup', 1);
115 $tx = $t->ua->build_tx( POST => "/api/v1/auth/two-factor/registration" );
116 $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
117 $tx->req->env( { REMOTE_ADDR => $remote_address } );
118 $t->request_ok($tx)->status_is(201);
119 $secret32 = $t->tx->res->json->{secret32};
121 $auth = Koha::Auth::TwoFactorAuth->new({patron => $patron, secret32 => $secret32});
122 $pin_code = $auth->code;
123 $tx = $t->ua->build_tx( POST => "/api/v1/auth/two-factor/registration/verification" => form => {secret32 => $secret32, pin_code => $pin_code} );
124 $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
125 $tx->req->env( { REMOTE_ADDR => $remote_address } );
126 $t->request_ok($tx)->status_is(204);
128 $patron = $patron->get_from_storage;
129 is($patron->auth_method, 'two-factor');
130 isnt($patron->secret, undef);
132 # 2FA already enabled - cannot register again
133 $patron->auth_method('two-factor');
134 $patron->encode_secret("nv4v65dpobpxgzldojsxiii");
137 $session->param('waiting-for-2FA-setup', undef);
140 $tx = $t->ua->build_tx( POST => "/api/v1/auth/two-factor/registration" );
141 $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
142 $tx->req->env( { REMOTE_ADDR => $remote_address } );
143 $t->request_ok($tx)->status_is(401);
145 $tx = $t->ua->build_tx( POST => "/api/v1/auth/two-factor/registration/verification" );
146 $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
147 $tx->req->env( { REMOTE_ADDR => $remote_address } );
148 $t->request_ok($tx)->status_is(401);
150 $schema->storage->txn_rollback;
153 subtest 'send_otp_token' => sub {
157 $schema->storage->txn_begin;
159 t::lib::Mocks::mock_preference('TwoFactorAuthentication', 'enabled');
161 my $patron = $builder->build_object(
163 class => 'Koha::Patrons',
165 flags => 20, # Staff access and Patron info
170 my $session = C4::Auth::get_session('');
171 $session->param( 'ip', '127.0.0.1' );
172 $session->param( 'lasttime', time() );
175 my $tx = $t->ua->build_tx( POST => "/api/v1/auth/otp/token_delivery" );
176 $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
177 $tx->req->env( { REMOTE_ADDR => $remote_address } );
179 # Session is still anonymous, no borrowernumber yet: Unauthorized
180 $t->request_ok($tx)->status_is(401);
182 # Patron is partially authenticated (credentials correct)
183 $session->param( 'number', $patron->borrowernumber );
184 $session->param( 'id', $patron->userid );
185 $session->param('waiting-for-2FA', 1);
188 $patron->library->set(
190 branchemail => 'from@example.org',
191 branchreturnpath => undef,
192 branchreplyto => undef,
195 $patron->auth_method('two-factor');
196 $patron->encode_secret("nv4v65dpobpxgzldojsxiii");
197 $patron->email(undef);
200 $tx = $t->ua->build_tx( POST => "/api/v1/auth/otp/token_delivery" );
201 $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
202 $tx->req->env( { REMOTE_ADDR => $remote_address } );
205 $t->request_ok($tx)->status_is(400)->json_is({ error => 'email_not_sent' });
207 $patron->email('to@example.org')->store;
208 $tx = $t->ua->build_tx( POST => "/api/v1/auth/otp/token_delivery" );
209 $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
210 $tx->req->env( { REMOTE_ADDR => $remote_address } );
212 # Everything is ok, the email will be sent
213 $t->request_ok($tx)->status_is(200);
215 # Change flags: not enough authorization anymore
216 $patron->flags(16)->store;
217 $tx = $t->ua->build_tx( POST => "/api/v1/auth/otp/token_delivery" );
218 $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
219 $tx->req->env( { REMOTE_ADDR => $remote_address } );
220 $t->request_ok($tx)->status_is(403);
221 $patron->flags(20)->store;
223 # Patron is fully authenticated, cannot request a token again
224 $session->param('waiting-for-2FA', 0);
226 $tx = $t->ua->build_tx( POST => "/api/v1/auth/otp/token_delivery" );
227 $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
228 $tx->req->env( { REMOTE_ADDR => $remote_address } );
230 $t->request_ok($tx)->status_is(401);
232 $schema->storage->txn_rollback;