diff --git a/src/Features/mfaFatigueMitigation.feature b/src/Features/mfaFatigueMitigation.feature
index 6bf78f81..33f9bd4f 100644
--- a/src/Features/mfaFatigueMitigation.feature
+++ b/src/Features/mfaFatigueMitigation.feature
@@ -31,7 +31,6 @@ Feature: When an user needs to authenticate
 Then it should fail with "no-trusted-device"
 Then the logs should say: no trusted cookie for address "0000000000111111111122222222223333333333"
-
 Scenario: When a user tries to authenticates with a trusted cookie, a notification should be sent
 Given I am on "/demo/sp"
 And I fill in "NameID" with my identifier
@@ -52,11 +51,3 @@ Feature: When an user needs to authenticate
 When push notification is sent with a trusted-device cookie with address "0000000000111111111122222222223333333333" and cookie userId "abc-1234"
 Then the logs should mention a signature mismatch for address "0000000000111111111122222222223333333333"
 And it should fail with "no-trusted-device"
-
- # @TODO Add a test somewhere, maybe not here, that tests the cookie get overwritten properly (or appended) if a new scan occurs? # Scenario: Handles multiple devices / userids # Given the user with ID X scans qr code # Then A cookie is set for the stored device id # When the user with ID Y scans a qr code in the same browser # Then A cookie is appended or new cookie is created for the new device id
diff --git a/src/Service/TrustedCookie/TrustedCookieService.php b/src/Service/TrustedCookie/TrustedCookieService.php
index b7b1e2a3..59ed0e2b 100644
--- a/src/Service/TrustedCookie/TrustedCookieService.php
+++ b/src/Service/TrustedCookie/TrustedCookieService.php
@@ -54,8 +54,6 @@ public function isTrustedDevice(
 string $userId,
 string $notificationAddress,
 ): bool {
-
- // Perform validation on the cookie and its contents
 if (!$this->isCookieValid($cookie, $userId, $notificationAddress)) {
 return false;
 }
diff --git a/tests/Unit/Service/TrustedCookie/TrustedCookieServiceTest.php b/tests/Unit/Service/TrustedCookie/TrustedCookieServiceTest.php
index 00ae361e..70ba0562 100644
--- a/tests/Unit/Service/TrustedCookie/TrustedCookieServiceTest.php
+++ b/tests/Unit/Service/TrustedCookie/TrustedCookieServiceTest.php
@@ -218,4 +218,68 @@ public function test_does_not_read_tampered_cookie(): void
 $readCookie = $this->service->read($request, $userId, $notificationAddress);
 $this->assertNull($readCookie);
 }
+
+ /**
+ * This test is to make sure multiple users and users with multiple devices can use the same browser without issues
+ */
+ public function test_it_handles_all_valid_cookies_from_browser(): void
+ {
+ $this->buildService(
+ new Configuration(
+ 'qki_',
+ 3600,
+ '0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f',
+ CookieSameSite::SAMESITE_NONE->value,
+ )
+ );
+ $response = new Response('