don't force logout mid-MFA workflow due to spurious XHR
test plan:
* get the MFA screen during login
* force an XHR (via javascript console?)
* it should return 403
* reload the page
* it should not make you log in again (watch network requests if you're using SSO to make sure it doesn't send you back to SSO)

Change-Id: Idc35b99fecfb204ef3da1538661aa52a30db0f15
Reviewed-on: https://gerrit.instructure.com/63505
Reviewed-by: Jacob Fugal <jacob@instructure.com>
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
This commit is contained in:
parent 3d881ea6b4
commit 1426c305f3
@ -332,6 +332,8 @@ class ApplicationController < ActionController::Base
def check_pending_otp
if session[:pending_otp] && params[:controller] != 'login/otp'
return render text: "Please finish logging in", status: 403 if request.xhr?
reset_session
redirect_to login_url
end
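Review bot: the new early return in check_pending_otp keys only on request.xhr?, which is true only when the client sends the X-Requested-With header; a background request from this same MFA page that omits that header (a plain fetch, an image or script load hitting a controller path) still falls through to reset_session and redirect_to login_url, which is exactly the spurious logout the commit message is trying to avoid. Consider widening the guard to other non-navigational signals the app already knows about (for example an API/JSON format request) and returning a JSON body rather than `render text: "Please finish logging in"` for callers that expect JSON, so the 403 is both reached more reliably and readable by the client.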
@ -42,5 +42,12 @@ describe "one time passwords" do
follow_redirect!
expect(response).to be_success
end
it "should not destroy your session when someone does an XHR accidentally" do
xhr :get, '/api/v1/conversations/unread_count'
expect(response.status).to eq 403
get otp_login_url
expect(response).to be_success
end
end
end
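Review bot: the new spec only covers the XHR path; there is no companion case asserting that a non-XHR request to a path other than login/otp while session[:pending_otp] is set still resets the session and redirects to login_url, so a later edit that drops the `if request.xhr?` condition (or inverts it) would leave the pending-OTP enforcement untested. Add that negative case next to this one, and in this spec also assert the response body (`expect(response.body).to eq "Please finish logging in"`) so the 403 is tied to the pending-OTP check rather than to any other 403 the conversations endpoint might return.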