From 6f5ad62f31439deafc344d270be628070f4c7c4f Mon Sep 17 00:00:00 2001
From: Jason Perry
Date: Tue, 18 Jul 2023 12:07:01 -0400
Subject: [PATCH] Strip spaces before validating OTP for MFA
Fixes FOO-3621
flag=none
Test plan: Submit a OTP with space(s) in the middle and it should validate.
Change-Id: Ib7df567cea9a7da0cd58b2a217a9df029736753a
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/323036
Tested-by: Service Cloud Jenkins
Reviewed-by: Jeremy Stanley
QA-Review: Jason Perry
Product-Review: Jason Perry
---
app/controllers/login/otp_controller.rb | 2 +-
spec/controllers/login/otp_controller_spec.rb | 9 +++++++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/app/controllers/login/otp_controller.rb b/app/controllers/login/otp_controller.rb
index 615067315f7..4d8d43433ca 100644
--- a/app/controllers/login/otp_controller.rb
+++ b/app/controllers/login/otp_controller.rb
@@ -78,7 +78,7 @@ class Login::OtpController < ApplicationController
 # of a maxed out bucket.
 increment_request_cost(150)
- verification_code = params[:otp_login][:verification_code]
+ verification_code = params[:otp_login][:verification_code].delete(" ")
 if Canvas.redis_enabled?
 key = "otp_used:#{@current_user.global_id}:#{verification_code}"
 if Canvas.redis.get(key)
diff --git a/spec/controllers/login/otp_controller_spec.rb b/spec/controllers/login/otp_controller_spec.rb
index e115302f98f..417446372bf 100644
--- a/spec/controllers/login/otp_controller_spec.rb
+++ b/spec/controllers/login/otp_controller_spec.rb
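Review bot: The new `.delete(" ")` on the added line raises NoMethodError when a request omits `verification_code`, because `params[:otp_login][:verification_code]` is then nil; before this change nil flowed into the lookup below and presumably took the normal invalid-code path, so a malformed request would now surface as a server error instead. Safe navigation keeps the absent case as it was while still normalizing string input: `verification_code = params[:otp_login][:verification_code]&.delete(" ")`. Only the ASCII space is removed; if tabs or non-breaking spaces pasted from some clients are also meant to be tolerated, `.gsub(/[[:space:]]/, "")` would be the broader form, but that is a scope decision rather than a defect. It is worth keeping as is that the `otp_used` redis key on the following line is built from the normalized value, so a spaced and an unspaced entry of the same code share one replay-protection entry. The enclosing action starts and ends outside the hunk.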
@@ -175,6 +175,15 @@ describe Login::OtpController do
 expect(request.env.fetch("extra-request-cost").to_f >= 150).to be_truthy
 end
+ it "verifies a code entered with spaces" do
+ code = ROTP::TOTP.new(@user.otp_secret_key).now
+ post :create, params: { otp_login: { verification_code: "#{code[0..2]} #{code[3..]}" } }
+ expect(response).to redirect_to dashboard_url(login_success: 1)
+ expect(cookies["canvas_otp_remember_me"]).to be_nil
+ expect(Canvas.redis.get("otp_used:#{@user.global_id}:#{code}")).to eq "1" if Canvas.redis_enabled?
+ expect(request.env.fetch("extra-request-cost").to_f >= 150).to be_truthy
+ end
+
 it "verifies a backup code" do
 code = @user.one_time_passwords.create!.code
 post :create, params: { otp_login: { verification_code: code } }
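Review bot: The new example only exercises a single interior space, while the controller change strips every space, so leading, trailing and repeated spaces stay untested; widening the posted value to `verification_code: " #{code[0..2]}  #{code[3..]} "` covers all of them in the same example. The `otp_used` expectation correctly uses the unspaced `code`, which also pins that the replay key is built from the normalized value rather than the raw input. An example that omits `verification_code` entirely would pin the absent-parameter behaviour, which nothing in this hunk covers.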