test: add two-factor test infrastructure

Add test_otp 2FA method that simulates a real extension gem with a
simple OTP check. Add UserWithTwoFactor model (ActiveRecord + Mongoid),
shared behavior, migration, routes, and challenge view.

Author: santiagorodriguez96

test/models/serializable_test.rb

@@ -9,7 +9,7 @@ class SerializableTest < ActiveSupport::TestCase
 
   test 'should not include unsafe keys on JSON' do
     keys = from_json().keys.select{ |key| !key.include?("id") }
-    assert_equal %w(created_at email facebook_token updated_at username), keys.sort
+    assert_equal %w(created_at email facebook_token otp_secret updated_at username), keys.sort
   end
 
   test 'should not include unsafe keys on JSON even if a new except is provided' do

test/rails_app/app/active_record/user_with_two_factor.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require 'shared_user_with_two_factor'
+
+class UserWithTwoFactor < ActiveRecord::Base
+  self.table_name = 'users'
+  include Shim
+  include SharedUserWithTwoFactor
+end

test/rails_app/app/mongoid/user_with_two_factor.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require 'shared_user_with_two_factor'
+
+class UserWithTwoFactor
+  include Mongoid::Document
+  include Shim
+  include SharedUserWithTwoFactor
+
+  field :username, type: String
+  field :email, type: String, default: ""
+  field :encrypted_password, type: String, default: ""
+  field :otp_secret, type: String
+end

test/rails_app/app/views/devise/two_factor/new_test_otp.html.erb

@@ -0,0 +1,6 @@
+<h2>Two-Factor Authentication</h2>
+
+<%= form_tag(two_factor_path(resource_name), method: :post) do %>
+  <%= text_field_tag :otp_attempt %>
+  <%= submit_tag "Verify" %>
+<% end %>

test/rails_app/config/initializers/test_two_factor.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+# Test-only two-factor method for integration testing.
+# Simulates a real 2FA extension with a simple OTP check.
+
+require 'devise/models/two_factor_authenticatable'
+
+module Devise
+  module Models
+    module TestOtp
+      extend ActiveSupport::Concern
+
+      def test_otp_two_factor_enabled?
+        respond_to?(:otp_secret) && otp_secret.present?
+      end
+    end
+  end
+end
+
+module Devise
+  module Strategies
+    class TestOtp < Devise::Strategies::TwoFactor
+      def valid?
+        super && params[:otp_attempt].present?
+      end
+
+      def verify_two_factor!(resource)
+        unless resource.respond_to?(:otp_secret) && params[:otp_attempt] == resource.otp_secret
+          fail!(:invalid_otp)
+          return
+        end
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:test_otp, Devise::Strategies::TestOtp)
+
+Devise.register_two_factor_method :test_otp,
+  model: 'devise/models/test_otp',
+  strategy: :test_otp

test/rails_app/config/routes.rb

@@ -22,6 +22,8 @@
   # Users scope
   devise_for :users, controllers: { omniauth_callbacks: "users/omniauth_callbacks" }
 
+  devise_for :user_with_two_factors
+
   devise_for :user_on_main_apps,
     class_name: 'UserOnMainApp',
     router_name: :main_app,

test/rails_app/db/migrate/20260303000000_add_otp_secret_to_users.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class AddOtpSecretToUsers < ActiveRecord::Migration[6.0]
+  def change
+    add_column :users, :otp_secret, :string
+  end
+end

test/rails_app/db/schema.rb

@@ -13,7 +13,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20100401102949) do
+ActiveRecord::Schema.define(version: 20260303000000) do
 
   create_table "admins", force: true do |t|
     t.string   "email"
@@ -50,6 +50,7 @@
     t.integer  "failed_attempts",        default: 0
     t.string   "unlock_token"
     t.datetime "locked_at"
+    t.string   "otp_secret"
     t.datetime "created_at"
     t.datetime "updated_at"
   end

test/rails_app/lib/shared_user_with_two_factor.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module SharedUserWithTwoFactor
+  extend ActiveSupport::Concern
+
+  included do
+    devise :database_authenticatable, :registerable, :recoverable,
+           :two_factor_authenticatable, two_factor_methods: [:test_otp]
+
+    validates_uniqueness_of :email, allow_blank: true, if: :devise_will_save_change_to_email?
+  end
+end