From 6cf24899dd1a0920b180c099797e2d089e29254b Mon Sep 17 00:00:00 2001
From: Ben Thorner
Date: Wed, 30 Jun 2021 15:41:43 +0100
Subject: [PATCH] Let existing WebAuthn users continue using it

It's not a big deal if a user is no longer eligible to register a security key, so we may as well let them continue using it. This avoids putting them in a limbo state if we don't immediately change their auth type when they're no longer eligible to use the feature.
---
 app/models.py | 3 +++
 tests/app/test_model.py | 12 +++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/app/models.py b/app/models.py
index dfb70b050..8023f8dd7 100644
--- a/app/models.py
+++ b/app/models.py
@@ -145,6 +145,9 @@ class User(db.Model):
 if self.platform_admin:
 return True
+ if self.auth_type == 'webauthn_auth':
+ return True
+
 return any(
 str(service.organisation_id) == current_app.config['BROADCAST_ORGANISATION_ID'] or str(service.id) == current_app.config['NOTIFY_SERVICE_ID']
diff --git a/tests/app/test_model.py b/tests/app/test_model.py
index 84e59a19a..5924f0a0b 100644
--- a/tests/app/test_model.py
+++ b/tests/app/test_model.py
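Review bot: In the app/models.py hunk, `can_use_webauthn` now returns True from `auth_type` alone, so one property answers both "may keep using a key" and "may register one", and eligibility stays granted until something else resets `auth_type`. If any code path that sets `auth_type` uses this same property as its gate, the check becomes circular; that path is not visible here and should validate eligibility without the `auth_type` shortcut. I would record the intent above the new branch, e.g. `# Existing WebAuthn users stay eligible after losing service/org membership; revoking access means changing auth_type explicitly.`, and, if the module defines a constant for this auth type, compare against it rather than the literal `'webauthn_auth'`. The property's definition starts above the hunk and the `any(...)` expression continues below it.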
@@ -344,11 +344,21 @@ def test_template_folder_is_parent(sample_service):
 @pytest.mark.parametrize('is_platform_admin', (False, True))
-def test_user_can_use_webauthn_returns_false(sample_user, is_platform_admin):
+def test_user_can_use_webauthn_if_platform_admin(sample_user, is_platform_admin):
 sample_user.platform_admin = is_platform_admin
 assert sample_user.can_use_webauthn == is_platform_admin
+@pytest.mark.parametrize(('auth_type', 'can_use_webauthn'), [
+ ('email_auth', False),
+ ('sms_auth', False),
+ ('webauthn_auth', True)
+])
+def test_user_can_use_webauthn_if_they_login_with_it(sample_user, auth_type, can_use_webauthn):
+ sample_user.auth_type = auth_type
+ assert sample_user.can_use_webauthn == can_use_webauthn
+
+
 def test_user_can_use_webauthn_if_in_broadcast_org(sample_broadcast_service):
 assert sample_broadcast_service.users[0].can_use_webauthn
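Review bot: The `False` case of `test_user_can_use_webauthn_if_platform_admin` now passes only while the `sample_user` fixture's default `auth_type` is not `'webauthn_auth'`; the fixture is not visible in this hunk, so that dependency is implicit. Pinning it in the test body, e.g. `sample_user.auth_type = 'sms_auth'` before the assert, keeps the platform-admin check independent of the new branch in `can_use_webauthn`. The new parametrized test also leaves the commit message's scenario implicit, a user who was eligible through a service and then lost it; presumably `sample_user` belongs to no eligible service, and a one-line comment saying so would make the `True` row's meaning clear.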