Catch error when server decryption fails on 2FA (#2512)

b48f2cbc · Matt Jankowski · Eugen Rochko · 1736badf · b48f2cbc · b48f2cbc
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
@@ -51,6 +51,8 @@ class Auth::SessionsController < Devise::SessionsController
  def valid_otp_attempt?(user)
    user.validate_and_consume_otp!(user_params[:otp_attempt]) ||
      user.invalidate_otp_backup_code!(user_params[:otp_attempt])
+  rescue OpenSSL::Cipher::CipherError => error
+    false
  end

  def authenticate_with_two_factor

--- a/spec/controllers/auth/sessions_controller_spec.rb
+++ b/spec/controllers/auth/sessions_controller_spec.rb
+# frozen_string_literal: true
+
 require 'rails_helper'

 RSpec.describe Auth::SessionsController, type: :controller do
@@ -90,6 +92,21 @@ RSpec.describe Auth::SessionsController, type: :controller do
        end
      end

+      context 'when the server has an decryption error' do
+        before do
+          allow_any_instance_of(User).to receive(:validate_and_consume_otp!).and_raise(OpenSSL::Cipher::CipherError)
+          post :create, params: { user: { otp_attempt: user.current_otp } }, session: { otp_user_id: user.id }
+        end
+
+        it 'shows a login error' do
+          expect(flash[:alert]).to match I18n.t('users.invalid_otp_token')
+        end
+
+        it "doesn't log the user in" do
+          expect(controller.current_user).to be_nil
+        end
+      end
+
      context 'using a valid recovery code' do
        before do
          post :create, params: { user: { otp_attempt: recovery_codes.first } }, session: { otp_user_id: user.id }