bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: enterprise MFA with TOTP, email codes, backup codes, and trusted devices

Browse Source 
Three verification methods (TOTP authenticator, email code, backup codes),
trusted device management with 30-day expiry, role-based enforcement for
super_admin and org_admin, admin reset capability, and full test coverage
(46 tests). Modifies login flow to support MFA challenge/response with
temporary session tokens stored in cache.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-15 20:45:55 +02:00
parent df68aa8aef
commit 948687f27e
32 changed files with 2563 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

272
api/tests/Feature/Auth/MfaLoginFlowTest.php Normal file
View File

@@ -0,0 +1,272 @@
<?php
declare(strict_types=1);
namespace Tests\Feature\Auth;
use App\Enums\MfaMethod;
use App\Models\MfaEmailCode;
use App\Models\TrustedDevice;
use App\Models\User;
use App\Services\MfaService;
use Database\Seeders\RoleSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use PragmaRX\Google2FA\Google2FA;
use Tests\TestCase;
class MfaLoginFlowTest extends TestCase
{
use RefreshDatabase;
private Google2FA $google2fa;
protected function setUp(): void
{
parent::setUp();
$this->google2fa = new Google2FA();
}
public function test_login_without_mfa_returns_token_directly(): void
{
$user = User::factory()->create();
$response = $this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'password',
]);
$response->assertOk()
->assertJsonStructure([
'success',
'data' => ['user' => ['id', 'email']],
])
->assertJsonMissing(['mfa_required' => true]);
}
public function test_login_with_mfa_returns_mfa_required_response(): void
{
$user = $this->createUserWithTotp();
$response = $this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'password',
]);
$response->assertOk()
->assertJson(['mfa_required' => true])
->assertJsonStructure([
'mfa_session_token',
'methods',
'preferred_method',
'expires_in',
]);
$this->assertContains('totp', $response->json('methods'));
$this->assertContains('backup_code', $response->json('methods'));
}
public function test_login_with_trusted_device_skips_mfa(): void
{
$user = $this->createUserWithTotp();
$fingerprint = 'trusted-device-fingerprint';
// Trust the device
app(MfaService::class)->trustDevice($user, $fingerprint, '127.0.0.1', 'Test Device');
$response = $this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'password',
], ['X-Device-Fingerprint' => $fingerprint]);
$response->assertOk()
->assertJsonStructure([
'data' => ['user' => ['id', 'email']],
])
->assertJsonMissing(['mfa_required' => true]);
}
public function test_mfa_verify_totp_issues_token(): void
{
$user = $this->createUserWithTotp();
$secret = decrypt($user->mfa_secret);
// Login to get MFA session
$loginResponse = $this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'password',
]);
$sessionToken = $loginResponse->json('mfa_session_token');
$validCode = $this->google2fa->getCurrentOtp($secret);
$response = $this->postJson('/api/v1/auth/mfa/verify', [
'mfa_session_token' => $sessionToken,
'code' => $validCode,
'method' => 'totp',
]);
$response->assertOk()
->assertJsonStructure([
'data' => ['user' => ['id', 'email']],
]);
}
public function test_mfa_verify_email_code_issues_token(): void
{
$user = User::factory()->create([
'mfa_enabled' => true,
'mfa_method' => MfaMethod::EMAIL->value,
'mfa_confirmed_at' => now(),
]);
// Login to get MFA session
$loginResponse = $this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'password',
]);
$sessionToken = $loginResponse->json('mfa_session_token');
// Get the email code that was auto-sent
$emailCode = MfaEmailCode::where('user_id', $user->id)
->where('used', false)
->first();
$response = $this->postJson('/api/v1/auth/mfa/verify', [
'mfa_session_token' => $sessionToken,
'code' => $emailCode->code,
'method' => 'email',
]);
$response->assertOk()
->assertJsonStructure([
'data' => ['user' => ['id', 'email']],
]);
}
public function test_mfa_verify_backup_code_issues_token(): void
{
$user = $this->createUserWithTotp();
// Get a backup code
$backupCode = \App\Models\MfaBackupCode::where('user_id', $user->id)
->where('used', false)
->first();
// We need to know the plain code, so regenerate
$plainCodes = app(MfaService::class)->regenerateBackupCodes($user);
$loginResponse = $this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'password',
]);
$sessionToken = $loginResponse->json('mfa_session_token');
$response = $this->postJson('/api/v1/auth/mfa/verify', [
'mfa_session_token' => $sessionToken,
'code' => $plainCodes[0],
'method' => 'backup_code',
]);
$response->assertOk()
->assertJsonStructure([
'data' => ['user' => ['id', 'email']],
]);
}
public function test_mfa_verify_with_trust_device_creates_trusted_device(): void
{
$user = $this->createUserWithTotp();
$secret = decrypt($user->mfa_secret);
$loginResponse = $this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'password',
]);
$sessionToken = $loginResponse->json('mfa_session_token');
$validCode = $this->google2fa->getCurrentOtp($secret);
$response = $this->postJson('/api/v1/auth/mfa/verify', [
'mfa_session_token' => $sessionToken,
'code' => $validCode,
'method' => 'totp',
'trust_device' => true,
'device_fingerprint' => 'my-device-fp',
'device_name' => 'Test Browser',
]);
$response->assertOk();
$this->assertDatabaseHas('trusted_devices', [
'user_id' => $user->id,
'device_name' => 'Test Browser',
]);
}
public function test_mfa_verify_expired_session_fails(): void
{
$response = $this->postJson('/api/v1/auth/mfa/verify', [
'mfa_session_token' => 'expired-token',
'code' => '123456',
'method' => 'totp',
]);
$response->assertStatus(422)
->assertJson(['message' => 'MFA-sessie verlopen. Log opnieuw in.']);
}
public function test_mfa_verify_wrong_code_fails(): void
{
$user = $this->createUserWithTotp();
$loginResponse = $this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'password',
]);
$sessionToken = $loginResponse->json('mfa_session_token');
$response = $this->postJson('/api/v1/auth/mfa/verify', [
'mfa_session_token' => $sessionToken,
'code' => '000000',
'method' => 'totp',
]);
$response->assertStatus(422)
->assertJson(['message' => 'Ongeldige verificatiecode.']);
}
public function test_login_mfa_required_but_not_setup_flags_setup_required(): void
{
$this->seed(RoleSeeder::class);
$user = User::factory()->create();
$user->assignRole('super_admin');
$response = $this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'password',
]);
$response->assertOk()
->assertJson(['mfa_setup_required' => true])
->assertJsonStructure([
'data' => ['user' => ['id', 'email']],
]);
}
private function createUserWithTotp(): User
{
$user = User::factory()->create();
$mfaService = app(MfaService::class);
$setupResult = $mfaService->setupTotp($user);
$secret = $setupResult['secret'];
$validCode = $this->google2fa->getCurrentOtp($secret);
$mfaService->confirmTotp($user, $validCode);
return $user->refresh();
}
}

192
api/tests/Feature/Auth/MfaSetupControllerTest.php Normal file
View File

@@ -0,0 +1,192 @@
<?php
declare(strict_types=1);
namespace Tests\Feature\Auth;
use App\Enums\MfaMethod;
use App\Models\MfaBackupCode;
use App\Models\User;
use App\Services\MfaService;
use Illuminate\Foundation\Testing\RefreshDatabase;
use PragmaRX\Google2FA\Google2FA;
use Tests\TestCase;
class MfaSetupControllerTest extends TestCase
{
use RefreshDatabase;
private Google2FA $google2fa;
protected function setUp(): void
{
parent::setUp();
$this->google2fa = new Google2FA();
}
public function test_setup_totp_returns_qr_code(): void
{
$user = User::factory()->create();
$response = $this->actingAs($user)->postJson('/api/v1/auth/mfa/setup/totp');
$response->assertOk()
->assertJsonStructure([
'data' => ['secret', 'qr_code_url', 'provisioning_uri'],
]);
}
public function test_confirm_totp_returns_backup_codes(): void
{
$user = User::factory()->create();
// Start setup
$setupResponse = $this->actingAs($user)->postJson('/api/v1/auth/mfa/setup/totp');
$secret = $setupResponse->json('data.secret');
$validCode = $this->google2fa->getCurrentOtp($secret);
// Confirm
$response = $this->actingAs($user)->postJson('/api/v1/auth/mfa/setup/totp/confirm', [
'code' => $validCode,
]);
$response->assertOk()
->assertJson([
'data' => [
'mfa_enabled' => true,
'method' => 'totp',
],
])
->assertJsonStructure([
'data' => ['backup_codes'],
]);
$this->assertCount(10, $response->json('data.backup_codes'));
}
public function test_confirm_totp_with_invalid_code_fails(): void
{
$user = User::factory()->create();
$this->actingAs($user)->postJson('/api/v1/auth/mfa/setup/totp');
$response = $this->actingAs($user)->postJson('/api/v1/auth/mfa/setup/totp/confirm', [
'code' => '000000',
]);
$response->assertStatus(422)
->assertJson(['message' => 'Ongeldige verificatiecode.']);
}
public function test_disable_requires_valid_code(): void
{
$user = $this->createUserWithTotp();
$secret = decrypt($user->mfa_secret);
$validCode = $this->google2fa->getCurrentOtp($secret);
$response = $this->actingAs($user)->postJson('/api/v1/auth/mfa/disable', [
'code' => $validCode,
'method' => 'totp',
]);
$response->assertOk();
$user->refresh();
$this->assertFalse($user->mfa_enabled);
}
public function test_disable_with_invalid_code_fails(): void
{
$user = $this->createUserWithTotp();
$response = $this->actingAs($user)->postJson('/api/v1/auth/mfa/disable', [
'code' => '000000',
'method' => 'totp',
]);
$response->assertStatus(422)
->assertJson(['message' => 'Ongeldige verificatiecode.']);
$user->refresh();
$this->assertTrue($user->mfa_enabled);
}
public function test_regenerate_backup_codes_requires_mfa_enabled(): void
{
$user = User::factory()->create();
$response = $this->actingAs($user)->postJson('/api/v1/auth/mfa/backup-codes', [
'code' => '123456',
]);
$response->assertStatus(422)
->assertJson(['message' => 'MFA is niet ingeschakeld.']);
}
public function test_regenerate_backup_codes_with_valid_totp(): void
{
$user = $this->createUserWithTotp();
$secret = decrypt($user->mfa_secret);
$validCode = $this->google2fa->getCurrentOtp($secret);
$response = $this->actingAs($user)->postJson('/api/v1/auth/mfa/backup-codes', [
'code' => $validCode,
]);
$response->assertOk()
->assertJsonStructure(['data' => ['backup_codes']]);
$this->assertCount(10, $response->json('data.backup_codes'));
}
public function test_status_returns_correct_state(): void
{
$user = User::factory()->create();
$response = $this->actingAs($user)->getJson('/api/v1/auth/mfa/status');
$response->assertOk()
->assertJson([
'data' => [
'mfa_enabled' => false,
'method' => null,
'confirmed_at' => null,
'backup_codes_remaining' => 0,
],
]);
}
public function test_status_returns_enabled_state(): void
{
$user = $this->createUserWithTotp();
$response = $this->actingAs($user)->getJson('/api/v1/auth/mfa/status');
$response->assertOk()
->assertJson([
'data' => [
'mfa_enabled' => true,
'method' => 'totp',
'backup_codes_remaining' => 10,
],
]);
}
public function test_unauthenticated_cannot_access_setup(): void
{
$this->postJson('/api/v1/auth/mfa/setup/totp')
->assertUnauthorized();
}
private function createUserWithTotp(): User
{
$user = User::factory()->create();
$mfaService = app(MfaService::class);
$setupResult = $mfaService->setupTotp($user);
$secret = $setupResult['secret'];
$validCode = $this->google2fa->getCurrentOtp($secret);
$mfaService->confirmTotp($user, $validCode);
return $user->refresh();
}
}

93
api/tests/Feature/Auth/TrustedDeviceControllerTest.php Normal file
View File

@@ -0,0 +1,93 @@
<?php
declare(strict_types=1);
namespace Tests\Feature\Auth;
use App\Models\TrustedDevice;
use App\Models\User;
use App\Services\MfaService;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;
class TrustedDeviceControllerTest extends TestCase
{
use RefreshDatabase;
public function test_index_returns_active_devices(): void
{
$user = User::factory()->create();
$mfaService = app(MfaService::class);
$mfaService->trustDevice($user, 'fp-1', '192.168.1.1', 'Chrome on macOS');
$mfaService->trustDevice($user, 'fp-2', '192.168.1.2', 'Firefox on Windows');
$response = $this->actingAs($user)->getJson('/api/v1/auth/trusted-devices');
$response->assertOk();
$this->assertCount(2, $response->json('data'));
}
public function test_index_excludes_expired_devices(): void
{
$user = User::factory()->create();
$mfaService = app(MfaService::class);
$device = $mfaService->trustDevice($user, 'fp-1', '192.168.1.1', 'Old Device');
$device->update(['trusted_until' => now()->subDay()]);
$mfaService->trustDevice($user, 'fp-2', '192.168.1.2', 'Active Device');
$response = $this->actingAs($user)->getJson('/api/v1/auth/trusted-devices');
$response->assertOk();
$this->assertCount(1, $response->json('data'));
}
public function test_destroy_revokes_device(): void
{
$user = User::factory()->create();
$device = app(MfaService::class)->trustDevice($user, 'fp-1', '192.168.1.1', 'Chrome');
$response = $this->actingAs($user)->deleteJson("/api/v1/auth/trusted-devices/{$device->id}");
$response->assertNoContent();
$this->assertDatabaseMissing('trusted_devices', ['id' => $device->id]);
}
public function test_destroy_all_revokes_all_devices(): void
{
$user = User::factory()->create();
$mfaService = app(MfaService::class);
$mfaService->trustDevice($user, 'fp-1', '192.168.1.1', 'Device 1');
$mfaService->trustDevice($user, 'fp-2', '192.168.1.2', 'Device 2');
$response = $this->actingAs($user)->deleteJson('/api/v1/auth/trusted-devices');
$response->assertNoContent();
$this->assertDatabaseCount('trusted_devices', 0);
}
public function test_cannot_manage_other_users_devices(): void
{
$user = User::factory()->create();
$otherUser = User::factory()->create();
$device = app(MfaService::class)->trustDevice($otherUser, 'fp-1', '192.168.1.1', 'Other Device');
// Try to delete other user's device — should succeed silently (no record found for this user)
$response = $this->actingAs($user)->deleteJson("/api/v1/auth/trusted-devices/{$device->id}");
$response->assertNoContent();
// Other user's device should still exist
$this->assertDatabaseHas('trusted_devices', ['id' => $device->id]);
}
public function test_unauthenticated_cannot_access_devices(): void
{
$this->getJson('/api/v1/auth/trusted-devices')
->assertUnauthorized();
}
}

341
api/tests/Unit/Services/MfaServiceTest.php Normal file
View File

@@ -0,0 +1,341 @@
<?php
declare(strict_types=1);
namespace Tests\Unit\Services;
use App\Enums\MfaMethod;
use App\Models\MfaBackupCode;
use App\Models\MfaEmailCode;
use App\Models\TrustedDevice;
use App\Models\User;
use App\Services\MfaService;
use Database\Seeders\RoleSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Queue;
use PragmaRX\Google2FA\Google2FA;
use Tests\TestCase;
class MfaServiceTest extends TestCase
{
use RefreshDatabase;
private MfaService $mfaService;
private Google2FA $google2fa;
private User $user;
protected function setUp(): void
{
parent::setUp();
Queue::fake();
$this->google2fa = new Google2FA();
$this->mfaService = app(MfaService::class);
$this->user = User::factory()->create();
}
public function test_setup_totp_generates_secret_and_qr_url(): void
{
$result = $this->mfaService->setupTotp($this->user);
$this->assertArrayHasKey('secret', $result);
$this->assertArrayHasKey('qr_code_url', $result);
$this->assertArrayHasKey('provisioning_uri', $result);
$this->assertNotEmpty($result['secret']);
$this->assertStringContainsString('otpauth://totp/', $result['qr_code_url']);
$this->user->refresh();
$this->assertNotNull($this->user->mfa_secret);
$this->assertEquals(MfaMethod::TOTP->value, $this->user->mfa_method);
$this->assertNull($this->user->mfa_confirmed_at);
}
public function test_confirm_totp_enables_mfa_and_generates_backup_codes(): void
{
$setupResult = $this->mfaService->setupTotp($this->user);
$secret = $setupResult['secret'];
$validCode = $this->google2fa->getCurrentOtp($secret);
$backupCodes = $this->mfaService->confirmTotp($this->user, $validCode);
$this->assertCount(10, $backupCodes);
$this->user->refresh();
$this->assertTrue($this->user->mfa_enabled);
$this->assertNotNull($this->user->mfa_confirmed_at);
$this->assertDatabaseCount('mfa_backup_codes', 10);
}
public function test_confirm_totp_with_invalid_code_fails(): void
{
$this->mfaService->setupTotp($this->user);
$this->expectException(\DomainException::class);
$this->expectExceptionMessage('Ongeldige verificatiecode.');
$this->mfaService->confirmTotp($this->user, '000000');
}
public function test_setup_email_sends_verification_code(): void
{
$this->mfaService->setupEmail($this->user);
$this->user->refresh();
$this->assertEquals(MfaMethod::EMAIL->value, $this->user->mfa_method);
$this->assertNull($this->user->mfa_confirmed_at);
$this->assertDatabaseCount('mfa_email_codes', 1);
}
public function test_confirm_email_enables_mfa(): void
{
// Create a valid email code manually
$code = '123456';
MfaEmailCode::create([
'user_id' => $this->user->id,
'code' => $code,
'expires_at' => now()->addMinutes(10),
]);
$this->user->update([
'mfa_method' => MfaMethod::EMAIL->value,
]);
$backupCodes = $this->mfaService->confirmEmail($this->user, $code);
$this->assertCount(10, $backupCodes);
$this->user->refresh();
$this->assertTrue($this->user->mfa_enabled);
$this->assertNotNull($this->user->mfa_confirmed_at);
}
public function test_confirm_email_with_expired_code_fails(): void
{
MfaEmailCode::create([
'user_id' => $this->user->id,
'code' => '123456',
'expires_at' => now()->subMinute(),
]);
$this->user->update(['mfa_method' => MfaMethod::EMAIL->value]);
$this->expectException(\DomainException::class);
$this->expectExceptionMessage('Ongeldige of verlopen code.');
$this->mfaService->confirmEmail($this->user, '123456');
}
public function test_email_code_rate_limited(): void
{
$this->mfaService->sendEmailCode($this->user);
$this->expectException(\DomainException::class);
$this->expectExceptionMessage('Wacht even voordat je een nieuwe code aanvraagt.');
$this->mfaService->sendEmailCode($this->user);
}
public function test_generate_backup_codes_creates_10_hashed_codes(): void
{
$codes = $this->mfaService->generateBackupCodes($this->user);
$this->assertCount(10, $codes);
$this->assertDatabaseCount('mfa_backup_codes', 10);
// Verify codes are hashed (not stored plain)
$stored = MfaBackupCode::where('user_id', $this->user->id)->first();
$this->assertNotEquals($codes[0], $stored->code_hash);
$this->assertTrue(Hash::check($codes[0], $stored->code_hash));
}
public function test_verify_backup_code_marks_as_used(): void
{
// Setup MFA with backup codes
$setupResult = $this->mfaService->setupTotp($this->user);
$validCode = $this->google2fa->getCurrentOtp($setupResult['secret']);
$backupCodes = $this->mfaService->confirmTotp($this->user, $validCode);
// Create MFA session and verify with backup code
$session = $this->mfaService->createMfaSession($this->user, '127.0.0.1');
$this->mfaService->verifyMfaCode(
$session['mfa_session_token'],
$backupCodes[0],
MfaMethod::BACKUP_CODE,
'127.0.0.1',
);
$this->assertDatabaseHas('mfa_backup_codes', [
'user_id' => $this->user->id,
'used' => true,
]);
// Verify 9 unused remain
$remaining = MfaBackupCode::where('user_id', $this->user->id)
->where('used', false)->count();
$this->assertEquals(9, $remaining);
}
public function test_verify_backup_code_invalid_fails(): void
{
$this->mfaService->generateBackupCodes($this->user);
$this->user->update([
'mfa_enabled' => true,
'mfa_method' => MfaMethod::TOTP->value,
'mfa_confirmed_at' => now(),
]);
$session = $this->mfaService->createMfaSession($this->user, '127.0.0.1');
$this->expectException(\DomainException::class);
$this->expectExceptionMessage('Ongeldige backup code.');
$this->mfaService->verifyMfaCode(
$session['mfa_session_token'],
'INVALID-CODE',
MfaMethod::BACKUP_CODE,
'127.0.0.1',
);
}
public function test_trust_device_creates_record(): void
{
$device = $this->mfaService->trustDevice(
$this->user,
'test-fingerprint',
'192.168.1.1',
'Chrome on macOS',
);
$this->assertDatabaseHas('trusted_devices', [
'user_id' => $this->user->id,
'device_name' => 'Chrome on macOS',
'ip_address' => '192.168.1.1',
]);
$this->assertNotNull($device->trusted_until);
}
public function test_is_device_trusted_returns_true_within_expiry(): void
{
$this->mfaService->trustDevice($this->user, 'test-fingerprint', '192.168.1.1');
$this->assertTrue($this->mfaService->isDeviceTrusted($this->user, 'test-fingerprint'));
}
public function test_is_device_trusted_returns_false_after_expiry(): void
{
$this->mfaService->trustDevice($this->user, 'test-fingerprint', '192.168.1.1');
// Manually expire the device
TrustedDevice::where('user_id', $this->user->id)
->update(['trusted_until' => now()->subDay()]);
$this->assertFalse($this->mfaService->isDeviceTrusted($this->user, 'test-fingerprint'));
}
public function test_revoke_device_deletes_record(): void
{
$device = $this->mfaService->trustDevice($this->user, 'test-fingerprint', '192.168.1.1');
$this->mfaService->revokeDevice($this->user, $device->id);
$this->assertDatabaseMissing('trusted_devices', ['id' => $device->id]);
}
public function test_disable_clears_all_mfa_data(): void
{
// Setup full MFA
$setupResult = $this->mfaService->setupTotp($this->user);
$validCode = $this->google2fa->getCurrentOtp($setupResult['secret']);
$this->mfaService->confirmTotp($this->user, $validCode);
$this->mfaService->trustDevice($this->user, 'test-fingerprint', '192.168.1.1');
$this->mfaService->disable($this->user);
$this->user->refresh();
$this->assertFalse($this->user->mfa_enabled);
$this->assertNull($this->user->mfa_method);
$this->assertNull($this->user->mfa_secret);
$this->assertNull($this->user->mfa_confirmed_at);
$this->assertDatabaseCount('mfa_backup_codes', 0);
$this->assertDatabaseCount('trusted_devices', 0);
}
public function test_admin_reset_disables_mfa_with_audit(): void
{
$admin = User::factory()->create();
$setupResult = $this->mfaService->setupTotp($this->user);
$validCode = $this->google2fa->getCurrentOtp($setupResult['secret']);
$this->mfaService->confirmTotp($this->user, $validCode);
$this->mfaService->adminReset($admin, $this->user);
$this->user->refresh();
$this->assertFalse($this->user->mfa_enabled);
$this->assertDatabaseHas('activity_log', [
'description' => 'mfa.admin_reset',
'causer_id' => $admin->id,
'subject_id' => $this->user->id,
]);
}
public function test_mfa_required_for_super_admin(): void
{
$this->seed(RoleSeeder::class);
$this->user->assignRole('super_admin');
$this->assertTrue($this->mfaService->isMfaRequired($this->user));
}
public function test_mfa_not_required_for_volunteer(): void
{
$this->seed(RoleSeeder::class);
// User with no special roles — just a basic user
$this->assertFalse($this->mfaService->isMfaRequired($this->user));
}
public function test_mfa_session_expires(): void
{
$this->user->update([
'mfa_enabled' => true,
'mfa_method' => MfaMethod::TOTP->value,
'mfa_confirmed_at' => now(),
]);
$session = $this->mfaService->createMfaSession($this->user, '127.0.0.1');
// Manually expire the session
Cache::forget('mfa_session:' . $session['mfa_session_token']);
$this->expectException(\DomainException::class);
$this->expectExceptionMessage('MFA-sessie verlopen. Log opnieuw in.');
$this->mfaService->verifyMfaCode(
$session['mfa_session_token'],
'123456',
MfaMethod::TOTP,
'127.0.0.1',
);
}
public function test_mfa_session_ip_check(): void
{
$this->user->update([
'mfa_enabled' => true,
'mfa_method' => MfaMethod::TOTP->value,
'mfa_confirmed_at' => now(),
]);
$session = $this->mfaService->createMfaSession($this->user, '127.0.0.1');
$this->expectException(\DomainException::class);
$this->expectExceptionMessage('IP-adres gewijzigd. Log opnieuw in.');
$this->mfaService->verifyMfaCode(
$session['mfa_session_token'],
'123456',
MfaMethod::TOTP,
'10.0.0.1', // Different IP
);
}
}