Prevent "You are already signed in." error message upon 2FA login

2015-05-09 17:04:02 -04:00 · 2015-05-09 17:04:02 -04:00 · 5cd526f77f
parent 76873ce4a4
commit 5cd526f77f
2 changed files with 26 additions and 3 deletions
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@ -1,5 +1,11 @@
 class SessionsController < Devise::SessionsController
-  prepend_before_action :authenticate_with_two_factor, only: :create
+  prepend_before_action :authenticate_with_two_factor, only: [:create]
+
+  # This action comes from DeviseController, but because we call `sign_in`
+  # manually inside `authenticate_with_two_factor`, not skipping this action
+  # would cause a "You are already signed in." error message to be shown upon
+  # successful login.
+  skip_before_action :require_no_authentication, only: [:create]

  def new
    redirect_path =
@ -61,7 +67,7 @@ class SessionsController < Devise::SessionsController
        # Remove any lingering user data from login
        session.delete(:otp_user_id)

-        sign_in(user)
+        sign_in(user) and return
      else
        flash.now[:alert] = 'Invalid two-factor code.'
        render :two_factor and return
--- a/spec/features/login_spec.rb
+++ b/spec/features/login_spec.rb
@ -15,6 +15,11 @@ feature 'Login' do
        click_button 'Verify code'
      end

+      it 'does not show a "You are already signed in." error message' do
+        enter_code(user.current_otp)
+        expect(page).not_to have_content('You are already signed in.')
+      end
+
      context 'using one-time code' do
        it 'allows login with valid code' do
          enter_code(user.current_otp)
@ -66,7 +71,7 @@ feature 'Login' do
            expect(user.reload.otp_backup_codes.size).to eq 9

            enter_code(code)
-            expect(page).to have_content('Invalid two-factor code')
+            expect(page).to have_content('Invalid two-factor code.')
          end
        end
      end
@ -80,5 +85,17 @@ feature 'Login' do
      login_with(user)
      expect(current_path).to eq root_path
    end
+
+    it 'does not show a "You are already signed in." error message' do
+      login_with(user)
+      expect(page).not_to have_content('You are already signed in.')
+    end
+
+    it 'blocks invalid login' do
+      user = create(:user, password: 'not-the-default')
+
+      login_with(user)
+      expect(page).to have_content('Invalid email or password.')
+    end
  end
 end