diff --git a/ci/qa/phpstan-baseline.neon b/ci/qa/phpstan-baseline.neon
index 4482d3e2..a772c9ff 100644
--- a/ci/qa/phpstan-baseline.neon
+++ b/ci/qa/phpstan-baseline.neon
@@ -312,7 +312,7 @@ parameters: - message: "#^Call to an undefined method Behat\\\\Mink\\\\Driver\\\\DriverInterface\\:\\:getClient\\(\\)\\.$#" - count: 5 + count: 6 path: ../../src/Features/Context/TiqrContext.php -
diff --git a/src/Controller/TiqrAppApiController.php b/src/Controller/TiqrAppApiController.php
index cc37c7bf..26e1920f 100644
--- a/src/Controller/TiqrAppApiController.php
+++ b/src/Controller/TiqrAppApiController.php
@@ -151,6 +151,8 @@ public function tiqr(UserAgentMatcherInterface $userAgentMatcher, Request $reque
 /**
 * @SuppressWarnings(PHPMD.NPathComplexity)
+ * @SuppressWarnings(PHPMD.CyclomaticComplexity)
+ * @SuppressWarnings(PHPMD.ExcessiveMethodLength)
 *
 * @throws \InvalidArgumentException
 */
@@ -247,7 +249,15 @@ private function registerAction(
 $logger->warning('Error finalizing enrollment', ['exception' => $e]);
 }
- return new Response('OK', Response::HTTP_OK);
+ $okResponse = new Response('OK', Response::HTTP_OK);
+ try {
+ $this->registerTrustedDevice($notificationAddress, $userId, $okResponse);
+ } catch (Throwable $e) {
+ $logger->warning('Could not register trusted device on registration', ['exception' => $e]);
+ }
+ return $okResponse;
 }
 /** Handle login operation from the app, returns response for the app
@@ -316,7 +326,7 @@ private function loginAction(Request $request, string $notificationType, string
 }
 try {
- $this->registerTrustedDevice($notificationAddress, $user, $responseObject);
+ $this->registerTrustedDevice($notificationAddress, $user->getId(), $responseObject);
 } catch (Throwable $e) {
 $this->logger->warning('Could not create trusted device cookie.', ['exception' => $e]);
 }
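Review bot: In `registerAction` the trusted-device cookie is now issued even when finalizing enrollment failed: the preceding `catch` only logs `Error finalizing enrollment` and falls through to `$okResponse`, so `registerTrustedDevice` runs on that path too (the `try` it belongs to starts above the hunk, so an early return there is not visible). If this cookie is what the MFA-fatigue mitigation later trusts for `$notificationAddress`, binding it to an enrollment that is not known to have completed is worth avoiding; a local flag set in the catch, e.g. `$enrolled = false;`, and `if ($enrolled) { $this->registerTrustedDevice(...); }` around the new call keeps the existing `OK` response while only issuing the cookie for a finished enrollment. The added `try`/`catch` is also what the `CyclomaticComplexity` and `ExcessiveMethodLength` suppressions in the previous hunk paper over; moving the guarded call into a small private method would let those stay off. The two warning messages for the same failure differ (`Could not register trusted device on registration` here, `Could not create trusted device cookie.` in `loginAction`); aligning them makes log-based detection of cookie-issuance failures simpler.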
@@ -335,13 +345,13 @@ private function loginAction(Request $request, string $notificationType, string
 private function registerTrustedDevice(
 string $notificationAddress,
- TiqrUserInterface $user,
+ string $userId,
 Response $responseObject
 ): void {
 if (trim($notificationAddress) !== '') {
 $this->cookieService->registerTrustedDevice(
 $responseObject,
- $user->getId(),
+ $userId,
 $notificationAddress
 );
 }
diff --git a/src/Features/Context/TiqrContext.php b/src/Features/Context/TiqrContext.php
index 70af33a8..9a0f10b1 100644
--- a/src/Features/Context/TiqrContext.php
+++ b/src/Features/Context/TiqrContext.php
@@ -666,6 +666,19 @@ private function logsContain(string $string): void
 Assertion::eq($string, '', sprintf('The logs do not contain %s', $string));
 }
+ private function logsContainLineStartingWith(string $string): void
+ {
+ /** @var array> $logs */
+ $logs = $this->fileLogger->cleanLogs();
+ foreach ($logs as $log) {
+ if (str_contains($log[1], $string)) {
+ return;
+ }
+ }
+ Assertion::eq($string, '', sprintf('The logs do not contain a line starting with "%s"', $string));
+ }
+
 /**
 * @Then /^the logs should say: no trusted cookie for address "([^"]*)"$/
 */
@@ -688,6 +701,14 @@ public function theLogsShouldMentionSignatureMismatch(string $address): void
 );
 }
+ /**
+ * @Given /^the logs should mention: Writing a trusted\-device cookie with fingerprint$/
+ */
+ public function theLogsShouldMentionWritingATrustedDeviceCookieWithFingerprint(): void
+ {
+ $this->logsContainLineStartingWith('Writing a trusted-device cookie with fingerprint ');
+ }
+
 /**
 * @Then /^I dump the page$/
 */
@@ -709,4 +730,12 @@ public function iDumpTheAuthResponse(): void
 {
 dump($this->authenticatioResponse);
 }
+
+ /**
+ * @When /^the trusted device cookie is cleared$/
+ */
+ public function theTrustedDeviceCookieIsCleared(): void
+ {
+ $this->minkContext->getSession()->getDriver()->getClient()->getCookieJar()->expire('tiqr-trusted-device');
+ }
 }
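Review bot: `registerTrustedDevice` gains a `string $userId` parameter but still has no docblock, and its silent no-op for a blank address is a contract both callers now rely on; suggest above the signature: `/** Attach a trusted-device cookie for $userId to $responseObject; a blank (after trim) $notificationAddress skips registration without error. */`. The new `$userId` is forwarded unchecked, so an empty id would reach `cookieService->registerTrustedDevice`; if the callers cannot guarantee a non-empty id, a matching guard, `if ($userId === '') { return; }`, is cheap. The method's closing brace appears to lie outside the hunk.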
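Review bot: `logsContainLineStartingWith` tests `str_contains($log[1], $string)`, so it also passes when the text occurs mid-line, while its name and the assertion message promise a line that starts with it; change the check to `if (str_starts_with($log[1], $string)) {` so the `the logs should mention: Writing a trusted-device cookie with fingerprint` step cannot be satisfied by some other log line that merely quotes the phrase. The `@var array> $logs` annotation looks truncated (its generic type parameters appear to be missing); restoring the full type keeps the `$log[1]` access typed for PHPStan. That `$log[1]` is the message cell is inferred rather than visible here; a short comment naming the tuple shape `cleanLogs()` returns would make the helper self-explanatory.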
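Review bot: `theTrustedDeviceCookieIsCleared` calls `getDriver()->getClient()`, which `Behat\Mink\Driver\DriverInterface` does not declare — the baseline hunk in this commit raises the count of that PHPStan error from 5 to 6 to absorb it. A small typed helper that checks the concrete driver (an `instanceof` assertion) before calling `getClient()` would stop the baseline growing and give a clear failure if the suite ever runs under another Mink driver. The cookie name `'tiqr-trusted-device'` is hard-coded; if the cookie service exposes it as a constant, reference that, because `expire()` on a name that no longer exists would presumably succeed silently and turn this step into a no-op.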
diff --git a/src/Features/mfaFatigueMitigation.feature b/src/Features/mfaFatigueMitigation.feature
index e7e81c29..35bee1b4 100644
--- a/src/Features/mfaFatigueMitigation.feature
+++ b/src/Features/mfaFatigueMitigation.feature
@@ -6,7 +6,9 @@ Feature: When an user needs to authenticate
 Given the registration QR code is scanned
 And the user registers the service with notification type "APNS" address: "0000000000111111111122222222223333333333"
 Then we have a registered user
+ And the logs should mention: Writing a trusted-device cookie with fingerprint
 And I clear the logs
+ And the trusted device cookie is cleared
 Scenario: When a user authenticates using a qr code it should set a trusted cookie
 Given I am on "/demo/sp"
diff --git a/src/Features/registration.feature b/src/Features/registration.feature
index 17a9b76e..72ebed16 100644
--- a/src/Features/registration.feature
+++ b/src/Features/registration.feature
@@ -74,6 +74,7 @@ Feature: When an user needs to register for a new token
 | info | Setting user secret and notification type and address | present |
 | info | Finalizing enrollment | present |
 | notice | Enrollment finalized | present |
+ | notice | /Writing a trusted-device cookie with fingerprint .*/ | present |
 | info | User made a request with a session cookie. | present |
 | info | Created new session. | |
 | info | User has a session. | present |
@@ -161,6 +162,7 @@ Feature: When an user needs to register for a new token
 | info | Setting user secret and notification type and address | present |
 | info | Finalizing enrollment | present |
 | notice | Enrollment finalized | present |
+ | notice | /Writing a trusted-device cookie with fingerprint .*/ | present |
 | info | User made a request with a session cookie. | present |
 | info | Created new session. | |
 | info | User has a session. | present |