ConfigController: remove 2fa cancel step

This change annoys me, however this endpoint was anyway problematic: - it was vulnerable to a CSRF attack, see GHSA-56fm-hfp3-x3w3 - it is useless as we don't really handle a two-steps validation Still, if you send an incorrect code during the "activation" phase a flash error will pop up but the 2fa will stay enabled. This need rework when possible. Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
2025-09-15 18:57:05 +00:00 · 2023-09-30 00:46:19 +02:00 · 2023-09-30 00:46:19 +02:00 · aa06e8328e
commit aa06e8328e
parent 5240684be9
3 changed files with 10 additions and 36 deletions
--- a/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
+++ b/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
@ -1254,36 +1254,6 @@ class ConfigControllerTest extends WallabagCoreTestCase
        $em->flush();
    }

-    public function testUserEnable2faGoogleCancel()
-    {
-        $this->logInAs('admin');
-        $client = $this->getTestClient();
-
-        $crawler = $client->request('GET', '/config/otp/app');
-
-        $this->assertSame(200, $client->getResponse()->getStatusCode());
-
-        // restore user
-        $em = $this->getEntityManager();
-        $user = $em
-            ->getRepository(User::class)
-            ->findOneByUsername('admin');
-
-        $this->assertTrue($user->isGoogleTwoFactor());
-        $this->assertGreaterThan(0, $user->getBackupCodes());
-
-        $crawler = $client->request('GET', '/config/otp/app/cancel');
-
-        $this->assertSame(302, $client->getResponse()->getStatusCode());
-
-        $user = $em
-            ->getRepository(User::class)
-            ->findOneByUsername('admin');
-
-        $this->assertFalse($user->isGoogleTwoFactor());
-        $this->assertEmpty($user->getBackupCodes());
-    }
-
    public function testUserDisable2faGoogle()
    {
        $this->logInAs('admin');