don't force logout mid-MFA workflow due to spurious XHR

test plan:
 * get the MFA screen during login
 * force an XHR (via javascript console?)
 * it should return 403
 * reload the page
 * it should not make you log in again (watch network requests if
   you're using SSO to make sure it doesn't send you back to SSO)

Change-Id: Idc35b99fecfb204ef3da1538661aa52a30db0f15
Reviewed-on: https://gerrit.instructure.com/63505
Reviewed-by: Jacob Fugal <jacob@instructure.com>
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
Cody Cutrer 2015-09-17 12:07:01 -06:00
parent 3d881ea6b4
commit 1426c305f3
2 changed files with 9 additions and 0 deletions


@ -332,6 +332,8 @@ class ApplicationController < ActionController::Base
def check_pending_otp
if session[:pending_otp] && params[:controller] != 'login/otp'
return render text: "Please finish logging in", status: 403 if request.xhr?
reset_session
redirect_to login_url
end
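Review bot: the early return on the new line is keyed only on `request.xhr?`, which Rails derives from the `X-Requested-With: XMLHttpRequest` header; an API or JSON request that does not send that header still falls through to `reset_session` and `redirect_to login_url`, which is exactly the mid-MFA logout this change is meant to avoid. Consider widening the guard (e.g. `if request.xhr? || request.format.json?`) or, at minimum, noting in a comment that only header-marked XHRs are protected. Also, `render text: "Please finish logging in", status: 403` sends an unstructured body; a small JSON error payload would be easier for the front end's XHR error handling to recognise than free text.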


@ -42,5 +42,12 @@ describe "one time passwords" do
follow_redirect!
expect(response).to be_success
end
it "should not destroy your session when someone does an XHR accidentally" do
xhr :get, '/api/v1/conversations/unread_count'
expect(response.status).to eq 403
get otp_login_url
expect(response).to be_success
end
end
end
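Review bot: the new example checks the 403 and that `get otp_login_url` still succeeds, but it never asserts that the session still holds `:pending_otp` after the XHR, so a regression that cleared the session yet left the OTP page reachable would pass; add an expectation on the session state (or on the OTP page actually rendering the second-factor form). A companion case is also missing: a non-XHR `get` to some other path during the pending-OTP state should still hit `reset_session` and redirect to login, which is the behaviour the `request.xhr?` guard is carving an exception out of. Minor style point: the description "should not destroy your session..." uses the older `should` phrasing; the surrounding RSpec prefers plain descriptions such as "does not destroy your session...".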