techies/authelia
1
0
Fork 0
mirror of https://github.com/0rangebananaspy/authelia.git synced 2024-09-14 22:47:21 +07:00
Code Issues Projects Releases Wiki Activity
2bc650fd97
authelia/test/minimal-config/validate_totp.ts
Clement Michaud 42581dfe93 Fix open redirection vulnerability. 
In order to redirect the user after authentication, Authelia uses
rd query parameter provided by the proxy. However an attacker could
use phishing to make the user be redirected to a bad domain. In order
to avoid the user to be redirected to a bad location, Authelia now
verifies the redirection URL is under the protected domain.
2018-11-17 17:48:20 +01:00

47 lines
1.6 KiB
TypeScript
Raw Blame History

require("chromedriver");
import Bluebird = require("bluebird");
import WithDriver from '../helpers/with-driver';
import FillLoginPageWithUserAndPasswordAndClick from '../helpers/fill-login-page-and-click';
import WaitRedirected from '../helpers/wait-redirected';
import VisitPage from '../helpers/visit-page';
import ValidateTotp from '../helpers/validate-totp';
import AccessSecret from "../helpers/access-secret";
import LoginAndRegisterTotp from '../helpers/login-and-register-totp';
/**
* Given john has registered a TOTP secret,
* When he validates the TOTP second factor,
* Then he has access to secret page.
*/
describe('Validate TOTP factor', function() {
this.timeout(10000);
WithDriver();
describe('successfully login as john', function() {
before(function() {
const that = this;
return LoginAndRegisterTotp(this.driver, "john", true)
.then(function(secret: string) {
that.secret = secret;
})
});
describe('validate second factor', function() {
before(function() {
const secret = this.secret;
if(!secret) return Bluebird.reject(new Error("No secret!"));
const driver = this.driver;
return VisitPage(driver, "https://login.example.com:8080/?rd=https://admin.example.com:8080/secret.html")
.then(() => FillLoginPageWithUserAndPasswordAndClick(driver, 'john', 'password'))
.then(() => ValidateTotp(driver, secret))
.then(() => WaitRedirected(driver, "https://admin.example.com:8080/secret.html"));
});
it("should access the secret", function() {
return AccessSecret(this.driver);
});
});
});
});
Reference in New Issue View Git Blame Copy Permalink