snapshot: preserve totp account security baseline

2026-03-27 02:46:40 +01:00
parent 358a71230d
commit c679488437
18 changed files with 1723 additions and 786 deletions
--- a/backend/workflows/tests/test_account_ui.py
+++ b/backend/workflows/tests/test_account_ui.py
@@ -1,7 +1,9 @@
 from django.contrib.auth import get_user_model
 from django.test import Client, TestCase
+from django.utils import timezone

 from workflows.models import UserProfile
+from workflows.totp import generate_totp_token


 class AccountUISmokeTests(TestCase):
@@ -55,3 +57,59 @@ class AccountUISmokeTests(TestCase):
        self.assertEqual(self.user.email, 'updated@example.com')
        self.assertEqual(profile.phone_number, '030 123456')
        self.assertEqual(profile.job_title, 'IT Manager')
+
+    def test_totp_can_be_enabled_from_account(self):
+        response = self.client.post(
+            '/account/',
+            {
+                'account_form': 'totp_enable',
+                'current_password': 'secret-12345',
+                'verification_code': '000000',
+            },
+            HTTP_HOST='localhost',
+            follow=True,
+        )
+        self.assertEqual(response.status_code, 200)
+        self.user.refresh_from_db()
+        profile = self.user.profile
+        pending_secret = self.client.session.get('account_totp_pending_secret')
+        self.assertTrue(pending_secret)
+        valid_code = generate_totp_token(pending_secret, int(timezone.now().timestamp()))
+
+        response = self.client.post(
+            '/account/',
+            {
+                'account_form': 'totp_enable',
+                'current_password': 'secret-12345',
+                'verification_code': valid_code,
+            },
+            HTTP_HOST='localhost',
+            follow=True,
+        )
+        self.assertEqual(response.status_code, 200)
+        profile.refresh_from_db()
+        self.assertTrue(profile.totp_enabled)
+        self.assertTrue(profile.totp_secret)
+
+    def test_login_requires_totp_when_enabled(self):
+        profile = self.user.profile
+        profile.totp_secret = 'JBSWY3DPEHPK3PXP'
+        profile.totp_enabled = True
+        profile.save(update_fields=['totp_secret', 'totp_enabled', 'updated_at'])
+
+        client = Client()
+        response = client.post(
+            '/accounts/login/',
+            {'username': 'profile-user', 'password': 'secret-12345'},
+            HTTP_HOST='localhost',
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, 'TOTP-Code')
+
+        token = generate_totp_token(profile.totp_secret, int(timezone.now().timestamp()))
+        response = client.post(
+            '/accounts/login/',
+            {'username': 'profile-user', 'password': 'secret-12345', 'otp_code': token},
+            HTTP_HOST='localhost',
+        )
+        self.assertEqual(response.status_code, 302)