fix: Session controller to not generate auth tokens before mfa verification (#12487)

This PR is the fix for MFA changes, to not generate auth tokens without MFA verification in case MFA is enabled for the account --------- Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>
2025-09-23 15:43:47 +02:00
parent d762829519
commit 36cbd5745e
3 changed files with 103 additions and 5 deletions
--- a/spec/controllers/devise_overrides/sessions_controller_spec.rb
+++ b/spec/controllers/devise_overrides/sessions_controller_spec.rb
@@ -40,6 +40,26 @@ RSpec.describe DeviseOverrides::SessionsController, type: :controller do
        expect(json_response['mfa_token']).to be_present
      end

+      it 'does not return authentication tokens before MFA verification' do
+        post :create, params: { email: user.email, password: 'Test@123456' }
+
+        expect(response).to have_http_status(:partial_content)
+
+        # Check that no authentication headers are present
+        expect(response.headers['access-token']).to be_nil
+        expect(response.headers['uid']).to be_nil
+        expect(response.headers['client']).to be_nil
+        expect(response.headers['Authorization']).to be_nil
+
+        # Check that no bearer token is present in any form
+        response.headers.each do |key, value|
+          expect(value.to_s).not_to include('Bearer') if key.downcase.include?('auth')
+        end
+
+        json_response = response.parsed_body
+        expect(json_response['data']).to be_nil
+      end
+
      context 'when verifying MFA' do
        let(:mfa_token) { Mfa::TokenService.new(user: user).generate_token }