test: add two-factor test infrastructure and integration tests

Add test_otp 2FA method for integration testing with a simple OTP
check. Add model tests for TwoFactorAuthenticatable, strategy tests
for the base TwoFactor strategy, and end-to-end integration tests
covering the full sign-in flow, failure recall, and URL helpers.

Author: santiagorodriguez96

test/devise_test.rb

@@ -86,6 +86,47 @@ class DeviseTest < ActiveSupport::TestCase
     Devise::CONTROLLERS.delete(:kivi)
   end
 
+  test 'register_two_factor_method stores config and populates STRATEGIES' do
+    Devise.register_two_factor_method(:fake_2fa, model: 'devise/models/fake_2fa', strategy: :fake_2fa_strategy)
+    assert_equal({ model: 'devise/models/fake_2fa', strategy: :fake_2fa_strategy }, Devise.two_factor_method_configs[:fake_2fa])
+    assert_equal :fake_2fa_strategy, Devise::STRATEGIES[:fake_2fa]
+  ensure
+    Devise.two_factor_method_configs.delete(:fake_2fa)
+    Devise::STRATEGIES.delete(:fake_2fa)
+  end
+
+  test 'register_two_factor_method with controller populates CONTROLLERS' do
+    Devise.register_two_factor_method(:fake_mgmt, model: 'x', controller: :fake_mgmt)
+    assert_equal :fake_mgmt, Devise::CONTROLLERS[:fake_mgmt]
+  ensure
+    Devise.two_factor_method_configs.delete(:fake_mgmt)
+    Devise::CONTROLLERS.delete(:fake_mgmt)
+  end
+
+  test 'register_two_factor_method with route populates ROUTES and URL_HELPERS' do
+    Devise.register_two_factor_method(:fake_rt, model: 'x', route: { fake_rt: [nil, :new] })
+    assert_equal :fake_rt, Devise::ROUTES[:fake_rt]
+    assert_equal [nil, :new], Devise::URL_HELPERS[:fake_rt]
+  ensure
+    Devise.two_factor_method_configs.delete(:fake_rt)
+    Devise::ROUTES.delete(:fake_rt)
+    Devise::URL_HELPERS.delete(:fake_rt)
+  end
+
+  test 'register_two_factor_method rejects unknown options' do
+    assert_raises(ArgumentError) do
+      Devise.register_two_factor_method(:bad, model: 'x', unknown: true)
+    end
+  end
+
+  test 'add_module no longer accepts two_factor option' do
+    assert_raises(ArgumentError) do
+      Devise.add_module(:test_mod, two_factor: true)
+    end
+  ensure
+    Devise::ALL.delete(:test_mod)
+  end
+
   test 'Devise.secure_compare fails when comparing different strings or nil' do
     [nil, ""].each do |empty|
       assert_not Devise.secure_compare(empty, "something")

test/helpers/devise_helper_test.rb

@@ -44,4 +44,16 @@ class DeviseHelperTest < Devise::IntegrationTest
     assert_have_selector '#error_explanation'
     assert_contain "Can't save the user because of 2 errors"
   end
+
+  test 'two_factor_method_links returns empty string when no other methods' do
+    resource = mock('resource')
+    resource.stubs(:enabled_two_factors).returns([:test_two_factor])
+
+    helper = Class.new(ActionView::Base) do
+      include DeviseHelper
+    end.new(ActionView::LookupContext.new([]), {}, nil)
+
+    result = helper.two_factor_method_links(resource, :test_two_factor)
+    assert_equal '', result
+  end
 end

test/integration/two_factor_test.rb

@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class TwoFactorAuthenticationTest < Devise::IntegrationTest
+  test 'sign in redirects to two factor challenge when 2FA is enabled' do
+    user = create_user_with_two_factor(otp_secret: '123456')
+
+    visit new_user_with_two_factor_session_path
+    fill_in 'email', with: user.email
+    fill_in 'password', with: '12345678'
+    click_button 'Log In'
+
+    assert_not warden.authenticated?(:user_with_two_factor)
+    assert_equal user.id, session[:devise_two_factor_resource_id]
+  end
+
+  test 'sign in without 2FA enabled proceeds normally' do
+    user = create_user_with_two_factor(otp_secret: nil)
+
+    visit new_user_with_two_factor_session_path
+    fill_in 'email', with: user.email
+    fill_in 'password', with: '12345678'
+    click_button 'Log In'
+
+    assert warden.authenticated?(:user_with_two_factor)
+    assert_nil session[:devise_two_factor_resource_id]
+  end
+
+  test 'password reset with 2FA enabled redirects to two factor challenge' do
+    user = create_user_with_two_factor(otp_secret: '123456')
+    raw_token = user.send_reset_password_instructions
+
+    visit edit_user_with_two_factor_password_path(reset_password_token: raw_token)
+    fill_in 'New password', with: 'newpassword123'
+    fill_in 'Confirm new password', with: 'newpassword123'
+    click_button 'Change my password'
+
+    assert_not warden.authenticated?(:user_with_two_factor)
+    assert session[:devise_two_factor_resource_id]
+  end
+
+  test 'password reset without 2FA signs in directly' do
+    user = create_user_with_two_factor(otp_secret: nil)
+    raw_token = user.send_reset_password_instructions
+
+    visit edit_user_with_two_factor_password_path(reset_password_token: raw_token)
+    fill_in 'New password', with: 'newpassword123'
+    fill_in 'Confirm new password', with: 'newpassword123'
+    click_button 'Change my password'
+
+    assert warden.authenticated?(:user_with_two_factor)
+  end
+
+  test 'two-factor routes generate correct paths' do
+    assert_equal '/user_with_two_factors/two_factor/test_otp/new',
+      user_with_two_factor_new_two_factor_test_otp_path
+    assert_equal '/user_with_two_factors/two_factor',
+      user_with_two_factor_two_factor_path
+  end
+
+  test 'full two-factor sign-in: password -> challenge -> OTP -> authenticated' do
+    user = create_user_with_two_factor(otp_secret: '123456')
+
+    # Step 1: Submit password
+    post user_with_two_factor_session_path, params: {
+      user_with_two_factor: { email: user.email, password: '12345678' }
+    }
+
+    # Step 2: Redirected to the default 2FA method's challenge page
+    assert_redirected_to user_with_two_factor_new_two_factor_test_otp_path
+    follow_redirect!
+    assert_response :success
+
+    # Step 3: Submit correct OTP
+    post user_with_two_factor_two_factor_path, params: {
+      otp_attempt: user.otp_secret
+    }
+
+    # Step 4: Authenticated and redirected to after_sign_in_path
+    assert_response :redirect
+    assert warden.authenticated?(:user_with_two_factor)
+  end
+
+  test 'two-factor sign-in with wrong OTP recalls challenge page' do
+    user = create_user_with_two_factor(otp_secret: '123456')
+
+    post user_with_two_factor_session_path, params: {
+      user_with_two_factor: { email: user.email, password: '12345678' }
+    }
+    assert_redirected_to user_with_two_factor_new_two_factor_test_otp_path
+
+    # Submit wrong OTP
+    post user_with_two_factor_two_factor_path, params: {
+      otp_attempt: 'wrong'
+    }
+
+    # Should recall (re-render) the challenge page, not redirect
+    assert_response :success
+    assert_not warden.authenticated?(:user_with_two_factor)
+  end
+
+  private
+
+  def create_user_with_two_factor(attributes = {})
+    UserWithTwoFactor.create!(
+      username: 'usertest',
+      email: generate_unique_email,
+      password: '12345678',
+      password_confirmation: '12345678',
+      **attributes
+    )
+  end
+end

test/models/serializable_test.rb

@@ -9,7 +9,7 @@ class SerializableTest < ActiveSupport::TestCase
 
   test 'should not include unsafe keys on JSON' do
     keys = from_json().keys.select{ |key| !key.include?("id") }
-    assert_equal %w(created_at email facebook_token updated_at username), keys.sort
+    assert_equal %w(created_at email facebook_token otp_secret updated_at username), keys.sort
   end
 
   test 'should not include unsafe keys on JSON even if a new except is provided' do

test/models/two_factor_authenticatable_test.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class TwoFactorAuthenticatableTest < ActiveSupport::TestCase
+  test '.two_factor_modules returns the configured two_factor_methods' do
+    klass = Class.new do
+      extend Devise::Models::TwoFactorAuthenticatable::ClassMethods
+    end
+    klass.instance_variable_set(:@two_factor_methods, [:fake_method])
+
+    assert_equal [:fake_method], klass.two_factor_modules
+  end
+
+  test '.two_factor_modules returns empty array when no methods configured' do
+    klass = Class.new do
+      extend Devise::Models::TwoFactorAuthenticatable::ClassMethods
+    end
+
+    assert_equal [], klass.two_factor_modules
+  end
+
+  test '#two_factor_enabled? returns true when any method reports enabled' do
+    klass = Class.new do
+      include Devise::Models::TwoFactorAuthenticatable
+    end
+    klass.instance_variable_set(:@two_factor_methods, [:fake_method])
+
+    instance = klass.new
+    instance.define_singleton_method(:fake_method_two_factor_enabled?) { true }
+
+    assert instance.two_factor_enabled?
+    assert_equal [:fake_method], instance.enabled_two_factors
+  end
+
+  test '#two_factor_enabled? returns false when no method reports enabled' do
+    klass = Class.new do
+      include Devise::Models::TwoFactorAuthenticatable
+    end
+    klass.instance_variable_set(:@two_factor_methods, [:fake_method])
+
+    instance = klass.new
+    instance.define_singleton_method(:fake_method_two_factor_enabled?) { false }
+
+    assert_not instance.two_factor_enabled?
+    assert_empty instance.enabled_two_factors
+  end
+
+  test '#enabled_two_factors returns only enabled methods' do
+    klass = Class.new do
+      include Devise::Models::TwoFactorAuthenticatable
+    end
+    klass.instance_variable_set(:@two_factor_methods, [:method_a, :method_b])
+
+    instance = klass.new
+    instance.define_singleton_method(:method_a_two_factor_enabled?) { true }
+    instance.define_singleton_method(:method_b_two_factor_enabled?) { false }
+
+    assert_equal [:method_a], instance.enabled_two_factors
+  end
+
+  test '.two_factor_methods= raises on unknown method' do
+    klass = Class.new do
+      extend Devise::Models::TwoFactorAuthenticatable::ClassMethods
+    end
+
+    assert_raises(RuntimeError, /Unknown two-factor method/) do
+      klass.two_factor_methods = [:nonexistent]
+    end
+  end
+
+  test '.two_factor_methods= includes model concern from registry' do
+    # Register a fake method
+    Devise.register_two_factor_method(:includable_test,
+      model: 'devise/models/test_otp',
+      strategy: :test_strategy)
+
+    klass = Class.new do
+      extend Devise::Models::TwoFactorAuthenticatable::ClassMethods
+
+      # Stub include to track what gets included
+      def self.included_modules_tracker
+        @included_modules_tracker ||= []
+      end
+
+      def self.include(mod)
+        included_modules_tracker << mod
+        super
+      end
+    end
+
+    klass.two_factor_methods = [:includable_test]
+    assert_equal [:includable_test], Array(klass.instance_variable_get(:@two_factor_methods))
+  ensure
+    Devise.two_factor_method_configs.delete(:includable_test)
+    Devise::STRATEGIES.delete(:includable_test)
+  end
+end

test/rails_app/app/active_record/user_with_two_factor.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require 'shared_user_with_two_factor'
+
+class UserWithTwoFactor < ActiveRecord::Base
+  self.table_name = 'users'
+  include Shim
+  include SharedUserWithTwoFactor
+end

test/rails_app/app/mongoid/user_with_two_factor.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require 'shared_user_with_two_factor'
+
+class UserWithTwoFactor
+  include Mongoid::Document
+  include Shim
+  include SharedUserWithTwoFactor
+
+  field :username, type: String
+  field :email, type: String, default: ""
+  field :encrypted_password, type: String, default: ""
+  field :otp_secret, type: String
+end

test/rails_app/app/views/devise/two_factor/new_test_otp.html.erb

@@ -0,0 +1,6 @@
+<h2>Two-Factor Authentication</h2>
+
+<%= form_tag(two_factor_path(resource_name), method: :post) do %>
+  <%= text_field_tag :otp_attempt %>
+  <%= submit_tag "Verify" %>
+<% end %>

test/rails_app/config/initializers/test_two_factor.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+# Test-only two-factor method for integration testing.
+# Simulates a real 2FA extension with a simple OTP check.
+
+require 'devise/models/two_factor_authenticatable'
+
+module Devise
+  module Models
+    module TestOtp
+      extend ActiveSupport::Concern
+
+      def test_otp_two_factor_enabled?
+        respond_to?(:otp_secret) && otp_secret.present?
+      end
+    end
+  end
+end
+
+module Devise
+  module Strategies
+    class TestOtp < Devise::Strategies::TwoFactor
+      def valid?
+        params[:otp_attempt].present? &&
+          session[:devise_two_factor_resource_id].present?
+      end
+
+      def verify_two_factor!(resource)
+        unless resource.respond_to?(:otp_secret) && params[:otp_attempt] == resource.otp_secret
+          fail!(:invalid_otp)
+          return
+        end
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:test_otp, Devise::Strategies::TestOtp)
+
+Devise.register_two_factor_method :test_otp,
+  model: 'devise/models/test_otp',
+  strategy: :test_otp

test/rails_app/config/routes.rb

@@ -22,6 +22,8 @@
   # Users scope
   devise_for :users, controllers: { omniauth_callbacks: "users/omniauth_callbacks" }
 
+  devise_for :user_with_two_factors
+
   devise_for :user_on_main_apps,
     class_name: 'UserOnMainApp',
     router_name: :main_app,